chore(deps): bump openssl from 0.10.56 to 0.10.60 #4505
Bumps [openssl](https://github.com/sfackler/rust-openssl) from 0.10.56 to 0.10.60.
- [Release notes](https://github.com/sfackler/rust-openssl/releases)
- [Commits](sfackler/rust-openssl@openssl-v0.10.56...openssl-v0.10.60)
---
updated-dependencies:
- dependency-name: openssl
  dependency-type: indirect
...
Signed-off-by: dependabot[bot] <[email protected]>
CodSpeed Performance Report: Merging #4505 will not alter performance.
Triggered the integration release to run ecosystem-tests.
Client tests: prisma/prisma#22195. Ecosystem-tests: https://github.com/prisma/ecosystem-tests/actions/runs/7063062620. All relevant ones (like the "docker" group and cloud databases) are passing; there are two unrelated failures (one seems to be a long filename issue on Windows at first glance, another one is driver-adapters-wasm, so irrelevant here).
The Windows-related failure in ecosystems is super weird, never seen that before. Just rerunning also did not fix it (as it did for the DA test).
version = "111.27.0+1.1.1v" | ||
version = "300.1.6+3.1.4" |
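Review bot: this Cargo.lock hunk raises the vendored openssl-src from 111.27.0+1.1.1v to 300.1.6+3.1.4, which for statically linked targets is an upgrade from OpenSSL 1.1.1v to 3.1.4, yet the PR title and description mention only the openssl crate bump from 0.10.56 to 0.10.60. Add a line to the PR description (and the release notes) naming the transitive openssl-sys and openssl-src bumps and the OpenSSL 1.1 to 3 change for the vendored targets, so that reviewers assess it as a library upgrade rather than a routine chore.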
This, for me, means we switch from OpenSSL 1.1.1v to 3.1.4.
Do we understand the implications fully? Asking before we merge this.
https://github.com/alexcrichton/openssl-src-rs
This crate follows the latest minor and patch versions for each maintained major version, according to the OpenSSL release strategy. It has no specific support for LTS versions.
The crate versions follow the X.Y.Z+B pattern:
- The major version X is the upstream OpenSSL API/ABI compatibility version: 300 for 3.Y.Z
- The minor Y and patch Z versions are incremented when making changes to the crate, either OpenSSL update or internal changes.
- B contains the full upstream OpenSSL version, like 1.1.1k or 3.0.7. Note that this field is actually ignored in comparisons and only there for documentation.
I explained before in slack but duplicating here for visibility:
There are no implications for our build targets that use dynamically linked OpenSSL, as the version of vendored OpenSSL in the openssl-sys crate is irrelevant there. For targets that use vendored OpenSSL (linux-static, *-openssl-1.0.x), it will upgrade the statically linked OpenSSL from 1.1 to 3, which is desired because 1.1 is EOL. This shouldn't have observable effects for our users.
Why are we doing this in this unrelated PR though?
It's not unrelated, it's a transitive dependency that got updated. The PR updated openssl from 0.10.56 to 0.10.60; the newer version of openssl requires a newer version of openssl-sys, so it got updated from 0.9.91 to 0.9.96; and the newer version of openssl-sys requires a newer version of openssl-src, so it got updated from 111.27.0+1.1.1v to 300.1.6+3.1.4.
Since the underlying version of OpenSSL is an implementation detail and does not change the API and behavior of the higher-level Rust wrapper in any breaking way, this is permitted by semver: a patch update of a library can update a major version of its dependency if it's an implementation detail.
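The kind of check a reviewer could run on a lockfile diff like this one, as an added example that is not code from the PR, from Prisma or from rust-openssl: it parses openssl-src versions in the X.Y.Z+B form quoted above (X is the upstream OpenSSL API/ABI line, B is ignored in comparisons) and flags when a Cargo.lock change moves the vendored OpenSSL to a different major line. The minimal Cargo.lock scan and the function names are assumptions for this example.

```rust
// Added example, not code from the PR or the rust-openssl/prisma projects.
// openssl-src versions are "X.Y.Z+B": X is the upstream OpenSSL API/ABI line
// (300 = OpenSSL 3.Y.Z), B is the full upstream version, ignored in comparisons.
use std::cmp::Ordering;

pub struct OpensslSrcVersion {
    pub major: u32,       // X, e.g. 111 or 300
    pub minor: u32,       // Y
    pub patch: u32,       // Z
    pub upstream: String, // B, e.g. "1.1.1v" (documentation only)
}

impl OpensslSrcVersion {
    pub fn parse(s: &str) -> Option<Self> {
        let (core, upstream) = s.split_once('+')?;
        let mut parts = core.split('.').map(|p| p.parse::<u32>().ok());
        let (major, minor, patch) = (parts.next()??, parts.next()??, parts.next()??);
        if parts.next().is_some() { return None; } // more than three components
        Some(Self { major, minor, patch, upstream: upstream.to_string() })
    }

    /// Ordering that ignores B, matching how the crate's versions compare.
    pub fn cmp_ignoring_build(&self, other: &Self) -> Ordering {
        (self.major, self.minor, self.patch).cmp(&(other.major, other.minor, other.patch))
    }
}

/// Version of `name` in a Cargo.lock text (hypothetical minimal TOML scan).
pub fn locked_version(lock: &str, name: &str) -> Option<String> {
    let mut in_pkg = false;
    for line in lock.lines().map(str::trim) {
        if line == "[[package]]" {
            in_pkg = false;
        } else if line == format!("name = \"{name}\"") {
            in_pkg = true;
        } else if let (true, Some(v)) = (in_pkg, line.strip_prefix("version = ")) {
            return Some(v.trim_matches('"').to_string());
        }
    }
    None
}

/// Some((old X, new X)) when the vendored OpenSSL line changes between lockfiles.
pub fn openssl_major_change(old_lock: &str, new_lock: &str) -> Option<(u32, u32)> {
    let old = OpensslSrcVersion::parse(&locked_version(old_lock, "openssl-src")?)?;
    let new = OpensslSrcVersion::parse(&locked_version(new_lock, "openssl-src")?)?;
    (old.major != new.major).then_some((old.major, new.major))
}
```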
Also, like Jan noted, this test is always failing, no matter how many times we retry it:
https://github.com/prisma/ecosystem-tests/actions/runs/7063062620/job/19278872864#step:8:103
+ pnpm prisma db push --force-reset
Prisma schema loaded from prisma\schema.prisma
Datasource "db": PostgreSQL database "migrate_db-seed-commonjs-pkg_windows-latest_library", schema "public" at "e2e-tests-postgres.cdoyhcosd7km.us-east-1.rds.amazonaws.com:5432"
Error: Schema engine exited. Error: Command failed with ENOENT: D:\a\ecosystem-tests\ecosystem-tests\migrate\db-seed-commonjs-pkg\node_modules\.pnpm\@prisma+engines@5.7.0-integration-engines-5-7-0-25-dependabot-cargo-openssl-0-10-60-9a053826a_czfxmwiqsnvqjr47krjrp2wvha\node_modules\@prisma\engines\schema-engine-windows.exe cli --datasource <REDACTED> can-connect-to-database
spawn D:\a\ecosystem-tests\ecosystem-tests\migrate\db-seed-commonjs-pkg\node_modules\.pnpm\@prisma+engines@5.7.0-integration-engines-5-7-0-25-dependabot-cargo-openssl-0-10-60-9a053826a_czfxmwiqsnvqjr47krjrp2wvha\node_modules\@prisma\engines\schema-engine-windows.exe ENOENT
Good catch, yes, let's not merge this for the moment, until the failing test situation is figured out.
It is a filename issue, here's the same failure for a no-op change with an identical branch name (prisma/prisma#22306):
https://github.com/prisma/ecosystem-tests/actions/runs/7129332373/job/19413251713
I'm going to go ahead and merge, please ping me asap if you notice any problems!
Thanks!
Bumps openssl from 0.10.56 to 0.10.60.
Release notes (sourced from openssl's releases):
... (truncated)
Commits
- 8f4b97a Merge pull request #2104 from alex/bump-for-release
- df66283 Release openssl v0.10.60 and openssl-sys v0.9.96
- 1a09dc8 Merge pull request #2102 from sfackler/ex-leak
- b0a1da5 Merge branch 'master' into ex-leak
- f456b60 Merge pull request #2099 from alex/deprecate-store-ref-objects
- a8413b8 Merge pull request #2100 from alex/symm-update-unchecked
- a92c237 clippy
- e839496 Don't leak when overwriting ex data
- 602d38d Added update_unchecked to symm::Crypter
- cf9681a fixes #2096 -- deprecate X509StoreRef::objects, it is unsound
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.