Is your feature request related to a problem? Please describe.
We are using the dalek dependencies at version 2 in our Cargo.toml.
However, an older version is also being pulled in as part of the solana-sdk dependency. This older version triggers known RUSTSEC advisories, which have been silenced in deny.toml: RUSTSEC-2024-0344 and RUSTSEC-2022-0093. They can also be inspected with the following commands:
cargo tree -i ed25519-dalek@1.0.1
# or
git grep ed25519-dalek
# shows version 1.0.1 only in Cargo.lock
The same commands can also be applied to curve25519-dalek.
Describe the solution you'd like
Fix it so that RUSTSEC-2024-0344 and RUSTSEC-2022-0093 are no longer issues in our repo.
Describe alternatives you've considered
Based on the docs on crates.io for solana-sdk, ed25519-dalek and curve25519-dalek are listed as optional dependencies.
In an initial investigation, after setting the following inside Cargo.toml:
solana-sdk = { version = "~2.1", optional = false }
ed25519-dalek and curve25519-dalek were still present.
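As an added example (not part of this issue or of the solana-sdk project), the following POSIX shell check scans a Cargo.lock directly for every resolved version of ed25519-dalek and curve25519-dalek and reports the ones older than the patched releases, so it can run in CI without cargo and independently of what deny.toml silences. The patched versions assumed here are ed25519-dalek 2.0.0 for RUSTSEC-2022-0093 and curve25519-dalek 4.1.3 for RUSTSEC-2024-0344, as those advisories list them; the sample Cargo.lock is constructed and contains the 2.x/4.x pair a project depends on directly next to the transitive 1.x/3.x pair this issue describes.

```shell
#!/bin/sh
# Added example, not the project's code: find dalek crates in a Cargo.lock
# that resolve to a release older than the fix for the two advisories.
# Assumed patched versions (taken from the advisories): ed25519-dalek 2.0.0
# (RUSTSEC-2022-0093) and curve25519-dalek 4.1.3 (RUSTSEC-2024-0344).

# Print "<crate> <version>" for every resolved ed25519-dalek / curve25519-dalek
# entry in the lock file given as $1. Cargo.lock writes `name = "..."` before
# `version = "..."` inside each [[package]] table, so remembering the last
# name seen is enough; lines inside `dependencies = [` start with a space
# and never match either pattern.
dalek_versions() {
  awk '
    /^name = "/    { gsub(/"/, "", $3); name = $3 }
    /^version = "/ {
      gsub(/"/, "", $3)
      if (name ~ /^(ed25519|curve25519)-dalek$/) print name, $3
      name = ""
    }
  ' "$1"
}

# Keep only entries below the assumed patched version for that crate.
# Pre-release tags (e.g. 4.0.0-rc.1) are compared on their numeric prefix
# only, which is good enough for a CI tripwire.
vulnerable_dalek() {
  dalek_versions "$1" | awk '
    BEGIN { min["ed25519-dalek"] = "2.0.0"; min["curve25519-dalek"] = "4.1.3" }
    function lt(a, b,    x, y, i) {
      split(a, x, "."); split(b, y, ".")
      for (i = 1; i <= 3; i++) {
        if (x[i] + 0 < y[i] + 0) return 1
        if (x[i] + 0 > y[i] + 0) return 0
      }
      return 0
    }
    ($1 in min) && lt($2, min[$1]) { print $1, $2 }
  '
}

# Exit status 0 when at least one vulnerable dalek version is resolved.
old_dalek_present() {
  [ -n "$(vulnerable_dalek "$1")" ]
}

# Constructed sample Cargo.lock: the 2.x/4.x dalek pair depended on directly,
# plus the 1.x/3.x pair pulled in transitively (what this issue describes).
# Pass a real Cargo.lock as $1 to scan that file instead.
SAMPLE_LOCK="$(mktemp)"
trap 'rm -f "$SAMPLE_LOCK"' EXIT
cat >"$SAMPLE_LOCK" <<'EOF'
[[package]]
name = "curve25519-dalek"
version = "3.2.1"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "curve25519-dalek"
version = "4.1.3"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "ed25519-dalek"
version = "1.0.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "curve25519-dalek 3.2.1",
]

[[package]]
name = "ed25519-dalek"
version = "2.1.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "curve25519-dalek 4.1.3",
]
EOF

LOCK="${1:-$SAMPLE_LOCK}"
if old_dalek_present "$LOCK"; then
  echo "vulnerable dalek versions resolved in $LOCK:"
  vulnerable_dalek "$LOCK"
else
  echo "no vulnerable dalek versions resolved in $LOCK"
fi
```

On the sample file the script reports curve25519-dalek 3.2.1 and ed25519-dalek 1.0.1 and stays silent about the 4.1.3 and 2.1.1 copies, which is the same picture `cargo tree -i` gives once both versions are in the lock file. Because it reads Cargo.lock rather than Cargo.toml, it catches the transitive copy that remained even after the `optional = false` change described above, and it keeps failing until the upstream dependency actually stops resolving the old release.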