Skip to content

sec: rustls-webpki 0.101.7 vulnerability — requires reqwest 0.11 → 0.12 upgrade #592

Open
Open
sec: rustls-webpki 0.101.7 vulnerability — requires reqwest 0.11 → 0.12 upgrade#592
@TimeToBuildBob

Description

@TimeToBuildBob
TimeToBuildBob
opened on Apr 24, 2026

Summary

Dependabot flagged a security vulnerability in rustls-webpki 0.101.7 (run #1336470574) but cannot auto-fix it.

Dependency Chain

aw-server-rust → reqwest 0.11.27 → hyper-rustls → rustls 0.21.12 → rustls-webpki 0.101.7

The lowest non-vulnerable version of rustls-webpki is 0.103.13, but the project's current reqwest 0.11.x pins rustls 0.21.x which only allows rustls-webpki 0.101.x. Dependabot correctly reports security_update_not_possible with no conflicting dependencies listed (the constraint is the rustls version itself, not a peer conflict).

What's needed to fix

  1. Upgrade reqwest from 0.11 → 0.12 — this is the key change; reqwest 0.12 uses rustls 0.22/0.23 which uses rustls-webpki 0.103.x
  2. Fix API changes — reqwest 0.12 has some breaking changes (mostly around async executor and body types)
  3. Update rustls and tokio-rustls transitively via the reqwest upgrade

This is a non-trivial but contained upgrade. The reqwest 0.11 → 0.12 migration guide covers most of the breaking changes.

Related

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions