Update Rust crate axum to 0.5.17 - autoclosed #5

kjuulh · 2022-10-26T08:42:13+02:00

kjuulh commented

2022-10-26 08:42:13 +02:00

This PR contains the following updates:

Package	Type	Update	Change
axum	dependencies	patch	`0.5.13` -> `0.5.17`
axum	dependencies	patch	`0.5.1` -> `0.5.17`

Release Notes

tokio-rs/axum

`v0.5.17`

Compare Source

fixed: Annotate panicking functions with #[track_caller] so the error
message points to where the user added the invalid router, rather than
somewhere internally in axum (#1248)
fixed: Make Multipart extractor work with RequestBodyLimit middleware (#1379)
added: Add DefaultBodyLimit::max for changing the default body limit (#1397)
added: Various documentation improvements

`v0.5.16`

Compare Source

Security

breaking: Added default limit to how much data Bytes::from_request will
consume. Previously it would attempt to consume the entire request body
without checking its length. This meant if a malicious peer sent an large (or
infinite) request body your server might run out of memory and crash.

The default limit is at 2 MB and can be disabled by adding the new
DefaultBodyLimit::disable() middleware. See its documentation for more
details.

This also applies to these extractors which used Bytes::from_request
internally:
- Form
- Json
- String
Thanks to Shachar Menashe for reporting this vulnerability.

(#1346)

`v0.5.15`

Compare Source

Note: This is a re-release of 0.5.14 that fixes an accidental breaking change.

fixed: Don't expose internal type names in QueryRejection response. (#1171)
fixed: Improve performance of JSON serialization (#1178)
fixed: Improve build times by generating less IR (#1192)

`v0.5.14`

Compare Source

Yanked, as it contained an accidental breaking change.

Configuration

📅 Schedule: At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

If you want to rebase/retry this PR, click this checkbox.

This PR has been generated by Renovate Bot.

This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [axum](https://github.com/tokio-rs/axum) | dependencies | patch | `0.5.13` -> `0.5.17` | | [axum](https://github.com/tokio-rs/axum) | dependencies | patch | `0.5.1` -> `0.5.17` | --- ### Release Notes <details> <summary>tokio-rs/axum</summary> ### [`v0.5.17`](https://github.com/tokio-rs/axum/releases/tag/axum-v0.5.17) [Compare Source](https://github.com/tokio-rs/axum/compare/axum-v0.5.16...axum-v0.5.17) - **fixed:** Annotate panicking functions with `#[track_caller]` so the error message points to where the user added the invalid router, rather than somewhere internally in axum ([#1248]) - **fixed:** Make `Multipart` extractor work with `RequestBodyLimit` middleware ([#1379]) - **added:** Add `DefaultBodyLimit::max` for changing the default body limit ([#1397]) - **added:** Various documentation improvements [#1248]: https://github.com/tokio-rs/axum/pull/1248 [#1379]: https://github.com/tokio-rs/axum/pull/1379 [#1397]: https://github.com/tokio-rs/axum/pull/1397 ### [`v0.5.16`](https://github.com/tokio-rs/axum/releases/tag/axum-v0.5.16) [Compare Source](https://github.com/tokio-rs/axum/compare/axum-v0.5.15...axum-v0.5.16) #### Security - **breaking:** Added default limit to how much data `Bytes::from_request` will consume. Previously it would attempt to consume the entire request body without checking its length. This meant if a malicious peer sent an large (or infinite) request body your server might run out of memory and crash. The default limit is at 2 MB and can be disabled by adding the new `DefaultBodyLimit::disable()` middleware. See its documentation for more details. This also applies to these extractors which used `Bytes::from_request` internally: - `Form` - `Json` - `String` Thanks to Shachar Menashe for reporting this vulnerability. ([#1346]) [#1346]: https://github.com/tokio-rs/axum/pull/1346 ### [`v0.5.15`](https://github.com/tokio-rs/axum/releases/tag/axum-v0.5.15) [Compare Source](https://github.com/tokio-rs/axum/compare/axum-v0.5.14...axum-v0.5.15) Note: This is a re-release of 0.5.14 that fixes an accidental breaking change. - **fixed:** Don't expose internal type names in `QueryRejection` response. ([#1171]) - **fixed:** Improve performance of JSON serialization ([#1178]) - **fixed:** Improve build times by generating less IR ([#1192]) [#1171]: https://github.com/tokio-rs/axum/pull/1171 [#1178]: https://github.com/tokio-rs/axum/pull/1178 [#1192]: https://github.com/tokio-rs/axum/pull/1192 ### [`v0.5.14`](https://github.com/tokio-rs/axum/releases/tag/axum-v0.5.14) [Compare Source](https://github.com/tokio-rs/axum/compare/axum-v0.5.13...axum-v0.5.14) Yanked, as it contained an accidental breaking change. </details> --- ### Configuration 📅 **Schedule**: At any time (no schedule defined). 🚦 **Automerge**: Enabled. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about these updates again. --- - [ ] If you want to rebase/retry this PR, click this checkbox. --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).

kjuulh added 1 commit 2022-10-26 08:42:13 +02:00

Update Rust crate axum to 0.5.17 c6af835c80

kjuulh changed title from ~~Update Rust crate axum to 0.5.17~~ to Update Rust crate axum to 0.5.17 - autoclosed

2022-10-26 18:06:35 +02:00

kjuulh closed this pull request

2022-10-26 18:06:35 +02:00

Pull request closed

This pull request cannot be reopened because the branch was deleted.

Sign in to join this conversation.

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: kjuulh/como#5