
Security Concerns Due to Unmaintained Dependencies #3

Closed
MakeShiftArtist opened this issue Sep 4, 2023 · 2 comments

@MakeShiftArtist
Contributor

Description

The "wamp-parser-rs" repository relies on the "websocket" crate, which in turn depends on an outdated and unmaintained version (v0.10) of the "hyper" crate. As of now, "hyper" has moved on to v1.0.0-rc.4, and the "websocket" crate remains on an old version.

Additionally, it's worth noting that the "websocket-rs" project, which provides the "websocket" crate, is also unmaintained, adding to the security concerns.

Impact

Using outdated and unmaintained dependencies poses significant security risks. Such dependencies may have unresolved vulnerabilities or lack essential updates and patches to address security issues.

Proposed Solution

Switch to an Alternative WebSocket Implementation: A preferred and effective solution is to migrate to a different WebSocket implementation, such as tokio-tungstenite. Tokio-tungstenite is an actively maintained WebSocket library designed to seamlessly integrate with the Tokio asynchronous runtime. By transitioning to this well-maintained library, you can ensure the long-term security and maintainability of the project while minimizing the effort required to address dependency-related issues.

Advantages of this Solution:

  • Utilizing a WebSocket library that is actively maintained.
  • Compatibility with modern Rust async/await patterns and Tokio.
  • Reduced long-term maintenance overhead.

Considerations:

  • Carefully plan the migration to ensure that existing code using the "websocket" crate is updated to use "tokio-tungstenite" as smoothly as possible.
  • Update project documentation and dependencies to reflect the switch to "tokio-tungstenite."

This solution prioritizes adopting a well-maintained WebSocket library to enhance the project's security and sustainability while avoiding the complexities of forking and maintaining an outdated crate.

For more context, please refer to the comment on the original issue highlighting the concerns related to the old dependency and the unmaintained status of the "websocket" crate.
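A defender's check for the dependency chain described in this issue, added here as an example and not code from wamp-parser-rs or the reporter: it parses a Cargo.lock and walks from the root crate to every path that ends in a crate flagged as unmaintained. The lock-file excerpt and the crate versions in it are constructed for the example.

```python
"""Trace how an unmaintained crate enters a Rust project via Cargo.lock."""
import re

# Constructed Cargo.lock excerpt (sample input, not the real lock file);
# it mirrors only the path named in the issue: crate -> websocket -> hyper 0.10.
SAMPLE_LOCK = """\
[[package]]
name = "wamp-parser-rs"
version = "0.1.0"
dependencies = [
 "serde_json",
 "websocket",
]

[[package]]
name = "websocket"
version = "0.26.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "hyper",
]

[[package]]
name = "hyper"
version = "0.10.16"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "serde_json"
version = "1.0.105"
source = "registry+https://github.com/rust-lang/crates.io-index"
"""

# Crate -> version prefix considered unmaintained ("" matches every version).
# Placeholder list taken from the issue; a real check would use an advisory DB.
FLAGGED = {"websocket": "", "hyper": "0.10"}


def parse_lock(text):
    """Return {name: (version, [dependency names])} from Cargo.lock text."""
    packages = {}
    for block in re.split(r"^\[\[package\]\]$", text, flags=re.M)[1:]:
        name = re.search(r'^name = "([^"]+)"', block, re.M).group(1)
        version = re.search(r'^version = "([^"]+)"', block, re.M).group(1)
        deps = re.findall(r'^ "([^" ]+)', block, re.M)  # "name" or "name ver"
        packages[name] = (version, deps)
    return packages


def flagged_paths(packages, root):
    """Depth-first walk from root; return each path ending in a flagged crate."""
    hits = []

    def walk(name, path, seen):
        version, deps = packages[name]
        path = path + [f"{name} {version}"]
        if name in FLAGGED and version.startswith(FLAGGED[name]):
            hits.append(path)
        for dep in deps:
            if dep not in seen:  # guard against dependency cycles
                walk(dep, path, seen | {dep})

    walk(root, [], {root})
    return hits


if __name__ == "__main__":
    for path in flagged_paths(parse_lock(SAMPLE_LOCK), "wamp-parser-rs"):
        print(" -> ".join(path))
```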

@ibotva
Owner

ibotva commented Sep 6, 2023

Websocket libraries can be entirely removed from this repo. Websocket functionality is being moved to the other library. Websocket library was available for message conversion from JSON String to Websocket message.

@ibotva
Owner

ibotva commented Sep 6, 2023

websocket crate and a few other crates were removed completely from the repo. We will not be using tungstenite in this library, in favor of ezsockets in the Client side library found here.

@ibotva ibotva closed this as completed Sep 6, 2023