Cargo audit fixes#615
Conversation
Vendored from polkadot-sdk for subsequent modification to remove libp2p dependency. This commit contains the original source to make changes auditable via git diff.
Cursor Bugbot has reviewed your changes using default effort and found 1 potential issue.
Reviewed by Cursor Bugbot for commit dedba10. Configure here.
v12 pls audit
Review
Verdict: Approve — non-blocking comments below. The security win is real, the API surface is fully preserved, and CI is green across the board.
What was checked
Main observation (worth a soak test)
The read half of the WebSocket is never polled.
Minor / non-blocking
n13
left a comment
LGTM
This would only impact telemetry, right? Networking changes can be a little tricky, as we have seen with the DNS problems that were in litep2p (not even litep2p but the hickory package, which was updated and ended up worse than the original).
- drain the WebSocket read half in Node::poll_ready so tungstenite answers server Pings and server Close frames are detected without waiting for a write failure
- loop over Ping/Pong frames in Stream::poll_next instead of returning Pending with an immediate wake
- fail multiaddr parsing on unexpected components instead of silently dropping path segments
- drop the vestigial initialize_transport()

Co-authored-by: Cursor <cursoragent@cursor.com>

Fix Security Vulnerabilities: Remove libp2p from sc-telemetry
Summary
This PR addresses security vulnerabilities identified by cargo audit by removing the libp2p dependency from sc-telemetry and bumping quinn to fix a related CVE.
Changes
1. Bump quinn 0.11.9 → 0.11.11
2. Vendor and rewrite sc-telemetry to remove libp2p dependency
client/telemetry/ with a complete rewrite using pure tokio + tungstenite
Security Impact
Fixed in this PR:
Removed attack surface:
Remaining Vulnerabilities (out of scope)
The following vulnerabilities remain and will be addressed in a future PR:
The wasmtime CVEs require a coordinated polkadot-sdk version bump (sc-executor 0.47.0 → 0.49.0) which affects multiple interdependent crates.
Testing
cargo check passes
cargo audit confirms libp2p CVEs no longer appear
Files Changed
Cargo.toml - quinn version bump, sc-telemetry patch
Cargo.lock - Dependency updates (~800
Note
Medium Risk
Telemetry networking was reimplemented and vendored; behavior should match upstream but WebSocket/TLS edge cases and reconnect semantics warrant validation in integration tests.
Overview
Addresses cargo audit findings by removing libp2p from the telemetry path and patching RUSTSEC-2026-0185 in quinn.
quinn is bumped from 0.11.9 to 0.11.11 in the workspace; Cargo.lock also updates quinn-proto and deduplicates several HTTP/TLS crates. sc-telemetry is added under client/telemetry/ and patched in [patch.crates-io] so the node uses the in-tree crate instead of crates.io. The implementation keeps the same public API (TelemetryWorker, handles, telemetry! macro) but sends data over WebSockets via tokio-tungstenite instead of libp2p. Endpoints accept ws/wss URLs and still support legacy multiaddr-style strings via conversion in endpoints.rs. Per-server connections auto-reconnect with backoff in node.rs. Cargo.lock drops the large libp2p subtree (and related networking stacks) that previously came in through upstream telemetry, shrinking the dependency graph for that subsystem.
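As an added example (not the PR's own endpoints.rs), here is a Rust conversion of a legacy multiaddr-style telemetry endpoint into a ws/wss URL that rejects unknown or trailing components instead of silently dropping them, the behaviour the follow-up commit describes. The component grammar (/dns|dns4|dns6|ip4|ip6/<host>/tcp/<port>/<ws|wss|x-parity-ws|x-parity-wss>[/<percent-encoded path>]) is assumed from polkadot-sdk's telemetry convention and is not stated on this page; the hostnames in the comments are constructed.

```rust
/// Decode a percent-encoded path segment ("%2Fsubmit%2F" -> "/submit/").
fn percent_decode(s: &str) -> Result<String, String> {
    let bytes = s.as_bytes();
    let (mut out, mut i) = (Vec::with_capacity(bytes.len()), 0usize);
    while i < bytes.len() {
        if bytes[i] == b'%' {
            let hex = s.get(i + 1..i + 3).ok_or("truncated percent escape")?;
            out.push(u8::from_str_radix(hex, 16).map_err(|_| "bad percent escape")?);
            i += 3;
        } else { out.push(bytes[i]); i += 1; }
    }
    String::from_utf8(out).map_err(|_| "decoded path is not UTF-8".to_string())
}

/// Next non-empty component, or an error naming what was expected.
fn take<'a>(it: &mut impl Iterator<Item = &'a str>, what: &str) -> Result<&'a str, String> {
    match it.next() {
        Some(p) if !p.is_empty() => Ok(p),
        _ => Err(format!("missing {what} component")),
    }
}

/// Convert a legacy multiaddr-style telemetry endpoint to a ws/wss URL.
/// Grammar assumed here: /dns|dns4|dns6|ip4|ip6/<host>/tcp/<port>/<scheme>[/<path>].
/// e.g. "/dns/telemetry.example.org/tcp/443/x-parity-wss/%2Fsubmit%2F" (constructed host)
pub fn multiaddr_to_ws_url(addr: &str) -> Result<String, String> {
    let mut it = addr.strip_prefix('/').ok_or("multiaddr must start with '/'")?.split('/');
    // Host: a literal IPv6 address must be bracketed in a URL authority.
    let host = match take(&mut it, "host protocol")? {
        "dns" | "dns4" | "dns6" | "ip4" => take(&mut it, "host")?.to_string(),
        "ip6" => format!("[{}]", take(&mut it, "host")?),
        other => return Err(format!("unsupported host protocol '{other}'")),
    };
    if take(&mut it, "transport")? != "tcp" {
        return Err("only /tcp/<port> transports are supported".into());
    }
    let port: u16 = take(&mut it, "port")?.parse().map_err(|_| "port is not a u16")?;
    let scheme_tag = take(&mut it, "scheme")?;
    let scheme = match scheme_tag {
        "ws" | "x-parity-ws" => "ws",
        "wss" | "x-parity-wss" => "wss",
        other => return Err(format!("unsupported scheme '{other}'")),
    };
    // x-parity-ws(s) carries a percent-encoded path; plain ws/wss connects at "/".
    let path = if scheme_tag.starts_with("x-parity-") {
        percent_decode(take(&mut it, "path")?)?
    } else { "/".to_string() };
    // Anything left over is unknown: reject it rather than silently drop it.
    if let Some(extra) = it.next() {
        return Err(format!("unexpected trailing component '{extra}'"));
    }
    Ok(format!("{scheme}://{host}:{port}{path}"))
}
```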