fix(ci): fix CVE in github-slug-action (#174)

2023-04-13 12:43:05 +02:00 · 2023-04-13 12:43:05 +02:00 · 64347b05ff
parent e3a63b6fbc
commit 64347b05ff
5 changed files with 681 additions and 345 deletions
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@ -39,7 +39,7 @@ jobs:
      - name: Checkout repository
        uses: actions/checkout@v3
      - name: Inject slug/short variables
-        uses: rlespinasse/github-slug-action@v4
+        uses: rlespinasse/github-slug-action@v4.4.1
      - name: Login to GitHub Container Registry
        uses: docker/login-action@v2
        with:
@ -101,7 +101,7 @@ jobs:
      - name: Checkout repository
        uses: actions/checkout@v3
      - name: Inject slug/short variables
-        uses: rlespinasse/github-slug-action@v4
+        uses: rlespinasse/github-slug-action@v4.4.1
      - name: Login to internal Container Registry
        uses: docker/login-action@v2.1.0
        with:
--- a/Cargo.lock
+++ b/Cargo.lock
@ -176,16 +176,16 @@ dependencies = [

 [[package]]
 name = "axum-tracing-opentelemetry"
-version = "0.9.0"
+version = "0.10.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4a43f5b506fc945900d08e541de14b5b9c82860637702ae082888b0fc2654d86"
+checksum = "164b95427e83b79583c7699a72b4a6b485a12bbdef5b5c054ee5ff2296d82f52"
 dependencies = [
 "axum",
 "futures",
 "http",
 "opentelemetry",
 "tower",
- "tower-http",
+ "tower-http 0.3.5",
 "tracing",
 "tracing-opentelemetry",
 ]
@ -2424,7 +2424,7 @@ dependencies = [
 "thiserror",
 "tokenizers",
 "tokio",
- "tower-http",
+ "tower-http 0.4.0",
 "tracing",
 "tracing-opentelemetry",
 "tracing-subscriber",
@ -2688,6 +2688,24 @@ dependencies = [
 "tracing",
 ]

+[[package]]
+name = "tower-http"
+version = "0.4.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5d1d42a9b3f3ec46ba828e8d376aec14592ea199f70a06a548587ecd1c4ab658"
+dependencies = [
+ "bitflags",
+ "bytes",
+ "futures-core",
+ "futures-util",
+ "http",
+ "http-body",
+ "http-range-header",
+ "pin-project-lite",
+ "tower-layer",
+ "tower-service",
+]
+
 [[package]]
 name = "tower-layer"
 version = "0.3.2"
--- a/router/Cargo.toml
+++ b/router/Cargo.toml
@ -15,7 +15,7 @@ path = "src/main.rs"
 [dependencies]
 async-stream = "0.3.3"
 axum = { version = "0.6.4", features = ["json"] }
-axum-tracing-opentelemetry = "0.9.0"
+axum-tracing-opentelemetry = "0.10.0"
 text-generation-client = { path = "client" }
 clap = { version = "4.1.4", features = ["derive", "env"] }
 flume = "0.10.14"
@ -32,7 +32,7 @@ serde_json = "1.0.93"
 thiserror = "1.0.38"
 tokenizers = "0.13.3"
 tokio = { version = "1.25.0", features = ["rt", "rt-multi-thread", "parking_lot", "signal", "sync"] }
-tower-http = { version = "0.3.5", features = ["cors"] }
+tower-http = { version = "0.4.0", features = ["cors"] }
 tracing = "0.1.37"
 tracing-opentelemetry = "0.18.0"
 tracing-subscriber = { version = "0.3.16", features = ["json", "env-filter"] }
--- a/server/poetry.lock
+++ b/server/poetry.lock
--- a/server/pyproject.toml
+++ b/server/pyproject.toml
@ -31,7 +31,7 @@ bnb = ["bitsandbytes"]

 [tool.poetry.group.dev.dependencies]
 grpcio-tools = "^1.51.1"
-pytest = "^7.2.0"
+pytest = "^7.3.0"

 [build-system]
 requires = ["poetry-core>=1.0.0"]