Update zeroize dependency version please. #708

Closed

keyaedisa opened this issue Sep 27, 2024 · 1 comment

Comments

@keyaedisa

I'm trying to create a Discord bot that can explore and interact with the Solana chain. Each piece on its own works just fine (the Discord bot and the Solana project, that is), but when I try to put them together I get dependency errors that I believe I have tracked down to this package. The issue seems to be that curve25519-dalek has zeroize v1 set as its dependency version. The current latest is 1.8.1. I experimented with versions and it seems 1.6.0 is the minimum I would need to have compatibility project-wide. I understand that the Solana project needs to update on their end as well, considering the current version of dalek.

DISCLAIMER: I understand that it may not be as simple as updating the zeroize version in the Cargo.toml and hoping nothing breaks. Even still, I figured I'd ask.

Attached below is a cargo build output.

warning: unused manifest key: patches
Updating crates.io index
error: failed to select a version for zeroize.
... required by package curve25519-dalek v3.2.1
... which satisfies dependency curve25519-dalek = "^3.2.1" of package solana-program v2.0.10
... which satisfies dependency solana-program = "=2.0.10" of package solana-sdk v2.0.10
... which satisfies dependency solana-sdk = "^2.0.10" of package wesex v0.0.1 (/home/ki/Documents/wesex)
versions that meet the requirements >=1, <1.4 are: 1.3.0, 1.2.0, 1.1.1, 1.1.0, 1.0.0

all possible versions conflict with previously selected packages.

previously selected package zeroize v1.6.0
... which satisfies dependency zeroize = "^1.6.0" of package rustls v0.22.0
... which satisfies dependency rustls = "^0.22.0" of package tokio-tungstenite v0.21.0
... which satisfies dependency tokio-tungstenite = "^0.21.0" of package serenity v0.12.2
... which satisfies dependency serenity = "^0.12.2" of package wesex v0.0.1 (/home/ki/Documents/wesex)

failed to select a version for zeroize which could resolve this conflict
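As an added example (not code from this issue or from the curve25519-dalek project), a small Python parser for the `cargo` "failed to select a version" error quoted above: it pulls out the two competing `zeroize` requirements, `>=1, <1.4` from curve25519-dalek v3.2.1 and `^1.6.0` from rustls, and checks whether their version ranges overlap, which is the check that tells you whether a conflict like this can be solved by bumping a version locally or needs an upstream release. The function names are my own, and the embedded sample is the issue's output trimmed to the four lines the parser reads.

```python
import re

# Constructed sample: the cargo error from the issue above, reduced to the lines parsed here.
CARGO_ERROR = """\
error: failed to select a version for zeroize.
versions that meet the requirements >=1, <1.4 are: 1.3.0, 1.2.0, 1.1.1, 1.1.0, 1.0.0
previously selected package zeroize v1.6.0
    ... which satisfies dependency zeroize = "^1.6.0" of package rustls v0.22.0
"""

def parse_version(text):
    """'1', '1.4' or '1.6.0' -> (major, minor, patch); missing parts are 0."""
    parts = [int(p) for p in text.strip().split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def caret_range(req):
    """'^1.6.0' -> ((1,6,0), (2,0,0)) as [low, high); ^0.2.3 stays <0.3.0 and ^0.0.3 <0.0.4, as in cargo."""
    major, minor, patch = parse_version(req.lstrip("^"))
    if major > 0:
        return (major, minor, patch), (major + 1, 0, 0)
    if minor > 0:
        return (major, minor, patch), (0, minor + 1, 0)
    return (major, minor, patch), (0, 0, patch + 1)

def bounds_range(req):
    """Comparator list '>=1, <1.4' -> ((1,0,0), (1,4,0)); only >= and < are handled here."""
    low, high = (0, 0, 0), (999, 0, 0)
    for comparator in (c.strip() for c in req.split(",")):
        if comparator.startswith(">="):
            low = parse_version(comparator[2:])
        elif comparator.startswith("<"):
            high = parse_version(comparator[1:])
        else:
            raise ValueError(f"unsupported comparator: {comparator}")
    return low, high

def ranges_intersect(a, b):
    """True when two [low, high) version ranges share at least one version."""
    return max(a[0], b[0]) < min(a[1], b[1])

def parse_conflict(output):
    """Extract both sides of a cargo 'failed to select a version' error and test whether any
    single version could satisfy both; overlap False means an upstream release is needed."""
    crate = re.search(r"failed to select a version for (\S+)\.", output).group(1)
    required = bounds_range(re.search(r"versions that meet the requirements (.+?) are:", output).group(1))
    selected = re.search(r"previously selected package \S+ v(\S+)", output).group(1)
    chosen = caret_range(re.search(r'dependency %s = "([^"]+)"' % re.escape(crate), output).group(1))
    return {"crate": crate, "required": required, "selected": parse_version(selected),
            "selected_req": chosen, "overlap": ranges_intersect(required, chosen)}
```

Run against the sample, `overlap` comes back False: no zeroize release can satisfy both `<1.4` and `^1.6.0`, so the only fixes are the v4.x dalek line or dropping one side of the tree.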

@tarcieri (Contributor)

We have already updated the zeroize version, but in the curve25519-dalek v4.x series.

The v3.x series is unmaintained and contains unfixable security vulnerabilities that necessitated breaking changes.

The curve25519-dalek version Solana uses has been updated to v4.x and is expected to be released in v2.1: anza-xyz/agave#2252

tarcieri closed this as not planned on Sep 27, 2024