Skip to content

fix: update vulnerable Hickory DNS dependencies#786

Merged
kvinwang merged 1 commit into
masterfrom
fix/dependabot-357-hickory-proto
Jul 16, 2026
Merged

fix: update vulnerable Hickory DNS dependencies#786
kvinwang merged 1 commit into
masterfrom
fix/dependabot-357-hickory-proto

Conversation

@kvinwang

Copy link
Copy Markdown
Collaborator

Summary

  • update dcap-qvl to the released 0.5.2 and reqwest to 0.13.4
  • keep the asynchronous hickory-dns resolver and consolidate Hickory on 0.26.1
  • adapt the Hickory resolver, reqwest TLS, and dcap-qvl collateral client APIs
  • remove vulnerable hickory-proto 0.25.2 from Cargo.lock

This addresses Dependabot alert #357 (GHSA-3v94-mw7p-v465).

Validation

  • cargo fmt --check --all
  • cargo clippy -- -D warnings -D clippy::expect_used -D clippy::unwrap_used --allow unused_variables
  • cargo check --workspace --all-targets
  • ./run-tests.sh
  • verified the lockfile contains only hickory-net, hickory-proto, and hickory-resolver 0.26.1

Copilot AI review requested due to automatic review settings July 16, 2026 06:52

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates Rust dependencies to remediate the Hickory DNS advisory (GHSA-3v94-mw7p-v465) by consolidating Hickory crates on 0.26.1, bumping reqwest to 0.13.4, and upgrading dcap-qvl to 0.5.2, with corresponding API adaptations across the codebase.

Changes:

  • Upgrade reqwest to 0.13.4 and adjust TLS/root-certs configuration code for the new API.
  • Consolidate hickory-resolver usage on 0.26.1 and update resolver call sites to new types/APIs.
  • Upgrade dcap-qvl to 0.5.2 and migrate collateral fetching/verification to CollateralClient.

Reviewed changes

Copilot reviewed 10 out of 11 changed files in this pull request and generated 1 comment.

Show a summary per file
File Description
dstack/tdx-attest/examples/test_tdx.rs Switches quote verification to dcap-qvl CollateralClient API.
dstack/ra-rpc/src/client.rs Updates reqwest TLS/root-cert configuration to reqwest 0.13 APIs.
dstack/ra-rpc/Cargo.toml Updates reqwest feature flags for the new reqwest version.
dstack/nsm-qvl/Cargo.toml Updates reqwest feature flags for the new reqwest version.
dstack/gateway/src/proxy/tls_passthough.rs Migrates DNS TXT resolution to Hickory 0.26.1 resolver/lookup APIs and preserves caching behavior.
dstack/dstack-util/src/host_api.rs Migrates quote collateral fetch/verify to CollateralClient and normalizes PCCS URL handling.
dstack/dstack-attest/src/attestation.rs Centralizes PCCS/collateral client creation and migrates TDX verification calls to CollateralClient.
dstack/ct_monitor/Cargo.toml Updates reqwest feature flags for the new reqwest version.
dstack/certbot/src/acme_client.rs Migrates ACME DNS TXT self-check to Hickory 0.26.1 resolver/lookup APIs.
dstack/Cargo.toml Bumps workspace versions for reqwest, dcap-qvl, and hickory-resolver (and reqwest feature set).
dstack/Cargo.lock Removes vulnerable Hickory versions and locks updated dependency graph (including new transitive crates).

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread dstack/ra-rpc/src/client.rs
@kvinwang
kvinwang merged commit 17f6148 into master Jul 16, 2026
16 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants