sec: rustls-webpki 0.101.7 vulnerability — requires reqwest 0.11 → 0.12 upgrade #592

@TimeToBuildBob

Description

Summary

Dependabot flagged a security vulnerability in rustls-webpki 0.101.7 (run #1336470574) but cannot auto-fix it.

Dependency Chain

aw-server-rust → reqwest 0.11.27 → hyper-rustls → rustls 0.21.12 → rustls-webpki 0.101.7

The lowest non-vulnerable version of rustls-webpki is 0.103.13, but the project's current reqwest 0.11.x pins rustls 0.21.x which only allows rustls-webpki 0.101.x. Dependabot correctly reports security_update_not_possible with no conflicting dependencies listed (the constraint is the rustls version itself, not a peer conflict).

What's needed to fix

  1. Upgrade reqwest from 0.11 → 0.12 — this is the key change; reqwest 0.12 uses rustls 0.22/0.23 which uses rustls-webpki 0.103.x
  2. Fix API changes — reqwest 0.12 has some breaking changes (mostly around async executor and body types)
  3. Update rustls and tokio-rustls transitively via the reqwest upgrade

This is a non-trivial but contained upgrade. The reqwest 0.11 → 0.12 migration guide covers most of the breaking changes.
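As an added check, not part of this issue or the aw-server-rust project, the script below walks a Cargo.lock to reproduce the dependency chain above and flags a resolved rustls-webpki below the 0.103.13 fix line; the lockfile fragment is constructed, and the aw-server-rust and hyper-rustls versions in it are placeholders.

```python
import re
# Constructed Cargo.lock fragment mirroring the issue's chain; aw-server-rust and hyper-rustls versions are placeholders.
SAMPLE_LOCK = """\
[[package]]
name = "aw-server-rust"
version = "0.0.0"
dependencies = ["reqwest"]
[[package]]
name = "reqwest"
version = "0.11.27"
dependencies = ["hyper-rustls"]
[[package]]
name = "hyper-rustls"
version = "0.0.0"
dependencies = ["rustls"]
[[package]]
name = "rustls"
version = "0.21.12"
dependencies = ["rustls-webpki 0.101.7"]
[[package]]
name = "rustls-webpki"
version = "0.101.7"
"""

def parse_lock(text):
    """Map crate name -> (version, [dependency names]) from Cargo.lock text."""
    pkgs = {}
    for block in text.split("[[package]]")[1:]:
        name, version = (re.search(rf'^{k} = "([^"]+)"', block, re.M).group(1) for k in ("name", "version"))
        deps = re.search(r"^dependencies = \[(.*?)\]", block, re.M | re.S)
        # Entries read "name" or "name version" when two versions coexist; keep only the name.
        pkgs[name] = (version, re.findall(r'"([^" ]+)', deps.group(1)) if deps else [])
    return pkgs

def dep_path(pkgs, start, target, seen=()):
    """Depth-first search for a chain start -> ... -> target; None if there is none."""
    if start == target:
        return [start]
    for dep in pkgs.get(start, ("", []))[1]:
        sub = dep_path(pkgs, dep, target, seen + (start,)) if dep not in seen else None
        if sub:
            return [start] + sub
    return None

def vulnerable_chain(lock_text, root="aw-server-rust", fixed="0.103.13"):
    """Return the root -> rustls-webpki chain with versions if the resolved version is below `fixed`."""
    pkgs = parse_lock(lock_text)
    path = dep_path(pkgs, root, "rustls-webpki")
    as_tuple = lambda v: tuple(int(x) for x in v.split(".")[:3])  # numeric semver compare
    if not path or as_tuple(pkgs["rustls-webpki"][0]) >= as_tuple(fixed):
        return None
    return [f"{p} {pkgs[p][0]}" for p in path]
```

Run it against the real lockfile with `vulnerable_chain(open("Cargo.lock").read())`; a `None` result after the reqwest 0.12 upgrade confirms the vulnerable version is gone from the tree.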
