fix(rust): disable aws-sdk-dsql default features to drop legacy rustls 0.21#516
Merged
anwesham-lab merged 1 commit intoJul 14, 2026
Conversation
…stls 0.21 aws-sdk-dsql's default features include `rustls`, which activates aws-smithy-runtime/tls-rustls and pulls hyper-rustls 0.24 / rustls 0.21 into the dep graph (legacy stack, vulnerable to GHSA-82j2-j2ch-gfr8). The connector only uses aws_sdk_dsql::auth_token (request signing); the SDK HTTP client and TLS features are never touched at runtime, so default-features = false is safe and removes the legacy stack entirely. Refs: smithy-lang/smithy-rs#4651
Contributor
Author
|
@amaksimo , would you accept this PR? |
Contributor
Author
|
@praba2210 , would you be able to take a look at this? |
|
Can we have this PR looked at please? @amaksimo maybe? |
|
Any chance we could get this reviewed? |
anwesham-lab
approved these changes
Jul 14, 2026
Member
|
Looking into what's going wrong with the checks, but should be good to merge and I'll get it in today |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
aws-sdk-dsql's default features includerustls, which activatesaws-smithy-runtime/tls-rustlsand pulls the legacy stack —hyper-rustls 0.24andrustls 0.21— into the dep graph. The olderrustls-webpki 0.101.7it transitively depends on is the subject of GHSA-82j2-j2ch-gfr8.Discussion: smithy-lang/smithy-rs#4651. The smithy-rs maintainers' recommended mitigation for downstream crates is
default-features = falseon AWS SDK crates and only enabling what's actually needed.This connector imports only
aws_sdk_dsql::auth_token(AuthTokenGenerator,Config) for request signing — seesrc/token.rsandsrc/pool.rs. The SDK HTTP client and TLS features are never touched at runtime, so disabling defaults is safe and surgical.After this change,
cargo tree --all-featuresno longer listsrustls 0.21,rustls-webpki 0.101,hyper-rustls 0.24, ortokio-rustls 0.24.Test plan
cargo build --all-features— clean buildcargo test --all-features --lib— all 67 unit tests passcargo tree --all-features | grep -E "rustls 0\.21|rustls-webpki 0\.101|hyper-rustls 0\.24"— no matches