chore(deps): remove old rustls and webpki dependencies #25201

Open
graphcareful wants to merge 4 commits into vectordotdev:master from graphcareful:rob/remove-old-rustls-webpki
@graphcareful graphcareful commented Apr 15, 2026

Summary

Remove the aws-smithy-runtime dev-dependency (tls-rustls feature) that was pulling in legacy rustls 0.21, hyper-rustls 0.24, and rustls-webpki 0.101. This consolidates the dependency tree to use only the newer rustls versions.

The 0.101 version of rustls-webpki was returning errors in cargo deny check:

error[vulnerability]: Name constraints were accepted for certificates asserting a wildcard name
    ┌─ /instance_storage/workspace/vector/Cargo.lock:783:1
    │
783 │ rustls-webpki 0.103.10 registry+https://github.com/rust-lang/crates.io-index
    │ ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ security vulnerability detected
    │
    ├ ID: RUSTSEC-2026-0099

Change Type

  • Bug fix
  • New feature
  • Dependencies
  • Non-functional (chore, refactoring, docs)
  • Performance

Is this a breaking change?

  • Yes
  • No

Does this PR include user facing changes?

  • Yes. Please add a changelog fragment based on our guidelines.
  • No. A maintainer will apply the no-changelog label to this PR.

Notes

  • Please read our Vector contributor resources.
  • Do not hesitate to use @vectordotdev/vector to reach out to us regarding this PR.
  • Some CI checks run only after we manually approve them.
    • We recommend adding a pre-push hook, please see this template.
    • Alternatively, we recommend running the following locally before pushing to the remote branch:
      • make fmt
      • make check-clippy (if there are failures it's possible some of them can be fixed with make clippy-fix)
      • make test
  • After a review is requested, please avoid force pushes to help us review incrementally.
    • Feel free to push as many commits as you want. They will be squashed into one before merging.
    • For example, you can run git merge origin master and git push.
  • If this PR introduces changes to Vector dependencies (modifies Cargo.lock), please
    run make build-licenses to regenerate the license inventory and commit the changes (if any). More details on the dd-rust-license-tool.

Remove the `aws-smithy-runtime` dev-dependency (tls-rustls feature)
that was pulling in legacy rustls 0.21, hyper-rustls 0.24, and
rustls-webpki 0.101. This consolidates the dependency tree to use
only the newer rustls versions.
@graphcareful graphcareful requested a review from a team as a code owner April 15, 2026 17:29
@graphcareful graphcareful added the no-changelog Changes in this PR do not need user-facing explanations in the release changelog label Apr 15, 2026
@thomasqueirozb thomasqueirozb added this pull request to the merge queue Apr 15, 2026
@github-merge-queue github-merge-queue bot removed this pull request from the merge queue due to failed status checks Apr 15, 2026
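
An added example, not part of this pull request or of Vector's code: a reverse-dependency walk over Cargo.lock text that shows which packages keep a legacy crate version in the tree, the question the summary answers for rustls 0.21. The lockfile snippet, its version numbers, and the names `parse_lock` and `pulled_in_by` are constructed for illustration.

```rust
use std::collections::BTreeSet;
type Pkg = (String, String, Vec<String>); // name, version, deps as "name" or "name version"
/// Reads only name/version/dependencies from Cargo.lock text; not a general TOML parser.
fn parse_lock(text: &str) -> Vec<Pkg> {
    text.split("[[package]]").skip(1).map(|chunk| {
        let field = |key: &str| chunk.lines().find_map(|l| l.trim().strip_prefix(key))
            .unwrap_or("").trim_matches('"').to_string();
        let list = chunk.split_once("dependencies = [").map_or("", |(_, r)| r.split(']').next().unwrap_or(""));
        let deps = list.lines().map(|l| l.trim().trim_matches(|c: char| c == '"' || c == ',').to_string());
        (field("name = "), field("version = "), deps.filter(|d| !d.is_empty()).collect())
    }).collect()
}

/// Packages that reach `target` ("name version") via dependencies, like `cargo tree -i`.
fn pulled_in_by(pkgs: &[Pkg], target: &str) -> BTreeSet<String> {
    let (mut found, mut queue) = (BTreeSet::new(), vec![target.to_string()]);
    while let Some(t) = queue.pop() {
        let bare = t.split(' ').next().unwrap_or("");
        for (n, v, deps) in pkgs {
            let hit = deps.iter().any(|d| d == bare || *d == t || d.starts_with(&format!("{t} ")));
            if hit && found.insert(format!("{n} {v}")) {
                queue.push(format!("{n} {v}"));
            }
        }
    }
    found
}

// Constructed sample in Cargo.lock syntax; versions are illustrative, not Vector's lockfile.
const LOCK: &str = r#"
[[package]]
name = "aws-smithy-runtime"
version = "1.0.0"
dependencies = [
 "hyper-rustls",
]
[[package]]
name = "hyper-rustls"
version = "0.24.0"
dependencies = [
 "rustls 0.21.0",
]
[[package]]
name = "rustls"
version = "0.21.0"
[[package]]
name = "rustls"
version = "0.23.0"
"#;
fn main() { println!("{:?}", pulled_in_by(&parse_lock(LOCK), "rustls 0.21.0")); }
```

On a real checkout, `cargo tree -i <crate>@<version>` answers the same question from the resolved graph.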