fix security audit (#344)

jlizen · web-flow · commit 5a355cf7198f · 2026-05-02T00:40:37.000Z
* fix(deps): bump rustls-webpki to 0.103.13 for RUSTSEC-2026-0104

* chore(audit): ignore RUSTSEC-2026-0104 on legacy rustls 0.21 chain

* chore(deps): disable rustls default feature on aws-sdk-{s3,dynamodb}
diff --git a/.cargo/audit.toml b/.cargo/audit.toml
@@ -1,21 +1,13 @@
-# Ignored advisories for rustls-webpki name constraint bugs.
-#
-# Both are low-severity: exploitable only after signature verification
-# passes, and require certificate misissuance. The vulnerable crate
-# (rustls-webpki 0.101.7) is pulled in transitively by
-# aws-sdk-s3-transfer-manager and s3s-aws, which unconditionally enable
-# the legacy rustls feature on aws-sdk-s3. We cannot remove it without
-# upstream changes.
-#
-# Upstream issues:
-#   https://github.com/awslabs/aws-s3-transfer-manager-rs/issues/138
-#   https://github.com/s3s-project/s3s/issues/571
-#
-# Remove these ignores once the upstream crates stop pulling in the
-# legacy rustls 0.21 dependency chain.
+# Advisories against rustls-webpki 0.101.7, pulled in transitively by
+# aws-sdk-s3-transfer-manager and s3s-aws (legacy rustls 0.21 chain).
+# No patch exists in 0.101.x; not reachable in our usage (TLS client
+# only, no CRL parsing). Remove once the upstream fixes below ship:
+#   aws-s3-transfer-manager-rs: PR #141
+#   s3s: merged to main, awaiting s3s-aws 0.14 release
 
 [advisories]
 ignore = [
     "RUSTSEC-2026-0098", # rustls-webpki: URI name constraints incorrectly accepted
     "RUSTSEC-2026-0099", # rustls-webpki: name constraints accepted for wildcard certs
+    "RUSTSEC-2026-0104", # rustls-webpki: reachable panic in CRL parsing (we do not parse CRLs)
 ]
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/dial9-tokio-telemetry/Cargo.toml b/dial9-tokio-telemetry/Cargo.toml
@@ -68,7 +68,7 @@ tracing-subscriber = { version = "0.3", features = ["env-filter"] }
 s3s = "0.13.0"
 s3s-fs = "0.13.0"
 s3s-aws = "0.13.0"
-aws-sdk-s3 = "1"
+aws-sdk-s3 = { version = "1", default-features = false, features = ["behavior-version-latest", "default-https-client", "http-1x", "rt-tokio", "sigv4a"] }
 aws-config = { version = "1", features = ["behavior-version-latest"] }
 async-trait = "0.1.89"
 uuid = { version = "1", features = ["v4"] }
diff --git a/dial9-viewer/Cargo.toml b/dial9-viewer/Cargo.toml
@@ -38,7 +38,7 @@ tower-http = { version = "0.6", features = ["fs"] }
 tracing = "0.1"
 tracing-subscriber = { version = "0.3", features = ["env-filter"] }
 aws-config = { version = "1", features = ["behavior-version-latest"] }
-aws-sdk-s3 = { version = "1", features = ["behavior-version-latest"] }
+aws-sdk-s3 = { version = "1", default-features = false, features = ["behavior-version-latest", "default-https-client", "http-1x", "rt-tokio", "sigv4a"] }
 anyhow = "1"
 s3s = { version = "0.13.0", optional = true }
 s3s-fs = { version = "0.13.0", optional = true }
diff --git a/examples/metrics-service/Cargo.toml b/examples/metrics-service/Cargo.toml
@@ -17,7 +17,7 @@ futures-util = "0.3"
 tracing = "0.1"
 tracing-subscriber = { version = "0.3", features = ["env-filter"] }
 aws-config = "1"
-aws-sdk-dynamodb = "1"
+aws-sdk-dynamodb = { version = "1", default-features = false, features = ["behavior-version-latest", "default-https-client", "rt-tokio"] }
 serde = { version = "1", features = ["derive"] }
 serde_json = "1"
 dial9-tokio-telemetry = { path = "../../dial9-tokio-telemetry", features = ["worker-s3", "tracing-layer"] }
