Currently two different versions of rustls are pulled in; the older version is now vulnerable: GHSA-82j2-j2ch-gfr8
The dependency is listed here, for example, although the newer version is already there as well:
Inverted dependency tree:
```
➜ cargo tree --invert rustls-webpki@0.101.7
rustls-webpki v0.101.7
└── rustls v0.21.12
    ├── aws-smithy-http-client v1.1.12
    │   └── aws-smithy-runtime v1.11.1
    │       ├── aws-config v1.8.16
    │       │   └── private-crate
    │       ├── aws-runtime v1.7.3
    │       │   ├── aws-config v1.8.16 (*)
    │       │   ├── aws-sdk-rds v1.132.0
    │       │   │   └── private-crate
    │       │   ├── aws-sdk-secretsmanager v1.104.0
    │       │   │   └── private-crate
    │       │   ├── aws-sdk-sso v1.98.0
    │       │   │   └── aws-config v1.8.16 (*)
    │       │   ├── aws-sdk-ssooidc v1.100.0
    │       │   │   └── aws-config v1.8.16 (*)
    │       │   └── aws-sdk-sts v1.103.0
    │       │       └── aws-config v1.8.16 (*)
    │       ├── aws-sdk-rds v1.132.0 (*)
    │       ├── aws-sdk-secretsmanager v1.104.0 (*)
    │       ├── aws-sdk-sso v1.98.0 (*)
    │       ├── aws-sdk-ssooidc v1.100.0 (*)
    │       └── aws-sdk-sts v1.103.0 (*)
    ├── hyper-rustls v0.24.2
    │   └── aws-smithy-http-client v1.1.12 (*)
    └── tokio-rustls v0.24.1
        └── hyper-rustls v0.24.2 (*)
```
smithy-rs/aws/sdk/Cargo.lock
Line 1322 in 259d444
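A check for the situation reported above, as an added example that is not part of the original report or of smithy-rs: it reads a Cargo.lock, lists crates locked at more than one version, and walks the reverse dependencies of one pinned version the way `cargo tree --invert` does. The function names and the sample lock text are assumptions made for illustration; `9.9.9` is a placeholder for the newer rustls version, which the report does not state.

```python
import re

# Constructed, trimmed Cargo.lock sample; 9.9.9 is a placeholder for the newer rustls.
SAMPLE_LOCK = '''[[package]]
name = "hyper-rustls"
version = "0.24.2"
dependencies = [
 "rustls 0.21.12",
]
[[package]]
name = "rustls"
version = "0.21.12"
dependencies = [
 "rustls-webpki",
]
[[package]]
name = "rustls"
version = "9.9.9"
[[package]]
name = "rustls-webpki"
version = "0.101.7"
'''

def parse_lock(text):
    """Map (name, version) -> list of dependency entries for each [[package]]."""
    pkgs = {}
    for block in text.split("[[package]]")[1:]:
        name, version = re.search(r'name = "(.+)"\nversion = "(.+)"', block).groups()
        deps = re.search(r"^dependencies = \[(.*?)\]", block, re.M | re.S)
        pkgs[(name, version)] = re.findall(r'"([^"]+)"', deps.group(1)) if deps else []
    return pkgs

def duplicates(pkgs):
    """Crates locked at more than one version, e.g. an old and a new rustls."""
    names = [n for n, _ in pkgs]
    return {n: sorted(v for m, v in pkgs if m == n) for n in names if names.count(n) > 1}

def dependents(pkgs, name, version):
    """Every package that reaches name@version, like `cargo tree --invert`."""
    found, todo = set(), [(name, version)]
    while todo:
        n, v = todo.pop()
        for parent, deps in pkgs.items():
            # Entries read "name" when one version is locked, else "name version".
            hit = any(d.split()[:2] in ([n], [n, v]) for d in deps)
            if hit and parent not in found:
                found.add(parent)
                todo.append(parent)
    return found
```

In CI, a non-empty `duplicates()` result for a crate named in an advisory is the signal to run `dependents()` on the affected version and see which direct dependency still pins it.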