Move jsonwebtoken to a workspace dependency. Upgrade to 10 series, to pick up CVE fix in 10.3.0. Use aws-lc backend, as aws-lc is already an existing transitive dependency.
Bump Rust toolchain from 1.86.0 to 1.88.0 to allow updating `time` crate. Update Cargo.lock (`bytes` 1.11.0→1.11.1, `time` 0.3.36→0.3.47) and poetry.lock (`pypdf`→6.7.1, `pillow`→12.1.1, `nbconvert`→7.17.0, `weasyprint`→68.1) to resolve 9 of 10 open Dependabot alerts. The remaining `jsonwebtoken` alert (CVE-2026-25537) cannot be fixed yet as it requires a major version bump (9.x→10.3.0) blocked by upstream `reqsign`/`opendal` (tracked in apache/opendal-reqsign#689). Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
| hmac = "0.12" | ||
| http = "1" | ||
| jiff = "0.2" | ||
| jsonwebtoken = { version = "10", features = ["aws_lc_rs"] } |
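Review bot: the `version = "10"` requirement on the `jsonwebtoken` line admits any 10.x release, while the PR description says the CVE fix landed in 10.3.0, so a lockfile regenerated from this manifest could resolve to 10.0 through 10.2 and silently lose the fix. Suggest `jsonwebtoken = { version = "10.3", features = ["aws_lc_rs"] }` so the floor matches the fixed release. Separately, listing `aws_lc_rs` directly here hard-wires that backend for every workspace member; if the backend is meant to be selectable later, it would be cleaner to keep the workspace entry backend-neutral and forward the feature from each member crate.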
Will this always enable aws_lc_rs? Our downstream users, such as opendal, want to allow users to choose their own cryptography implementation.
There is no choice of cryptography implementations; and other dependencies of opendal-reqsign already require aws_lc_rs. Thus this is no change in dependencies.
Note this dependency has no effect on the rustls backend in use.
and other dependencies of opendal-reqsign already require aws_lc_rs
Yes. This is mainly pulled in from reqwest 0.13's default-tls.
We may have a follow-up to investigate whether we can make it optional (switchable between aws-lc-rs and ring).
I personally don't like aws-lc-rs too much since it pulls in cmake and other build hazards. But it's the trend, and I don't find too many motivations to build a replacement now.
Also see:
- apache/opendal-reqsign#689

Export: 8015ba7
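The follow-up discussed in the thread (making the backend switchable rather than hard-wiring `aws_lc_rs` in the workspace manifest) is usually done by keeping the workspace dependency backend-neutral and forwarding a feature from each member crate. The sketch below is an added illustration, not code from this PR or from reqsign; the member crate name is a placeholder, and the `rust_crypto` feature name is assumed from jsonwebtoken 10's feature list and should be checked against the crate's own Cargo.toml before use. The only feature name taken from the page is `aws_lc_rs`.

```toml
# Added example (not from the PR). Workspace root Cargo.toml:
# keep the shared entry backend-neutral so members decide which backend they enable.
[workspace.dependencies]
jsonwebtoken = { version = "10.3", default-features = false }   # 10.3.0 is the fixed release named in the PR

# Member crate Cargo.toml (crate name "reqsign-core" is a placeholder):
[package]
name = "reqsign-core"
version = "0.0.0"
edition = "2021"

[dependencies]
jsonwebtoken = { workspace = true }

[features]
# Default to aws-lc-rs, matching what reqwest's default-tls already pulls in transitively.
default = ["aws-lc-rs"]
# Each feature forwards to the backend feature of jsonwebtoken.
aws-lc-rs = ["jsonwebtoken/aws_lc_rs"]
# Assumed feature name for the pure-Rust backend; verify against jsonwebtoken 10's manifest.
rust-crypto = ["jsonwebtoken/rust_crypto"]
```

Two caveats worth keeping in mind. Cargo features are additive and unified across the whole graph, so a downstream crate such as opendal can opt out of aws-lc-rs only if every other path in its graph also avoids that feature; `cargo tree -i aws-lc-rs` in the downstream workspace shows which dependencies still pull it in (as the thread notes, reqwest 0.13's default-tls is one of them). And pinning `10.3` rather than `10` at the workspace level keeps a regenerated Cargo.lock from resolving to a 10.x release that predates the CVE fix.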