chore: consume irmars from crates.io and bump reqwest to 0.12 (#192)
Merged
Conversation
The upstream tweedegolf/irma crate has been dormant since 2021 and never published a reqwest-0.12 release, leaving postguard pinned to reqwest 0.11 and pulling in the unmaintained rustls-pemfile 1.0.4. Switch every pg-* crate from the abandoned `irma 0.2.1` to the encryption4all fork published as `irmars 0.2.2`. Use the Cargo package-rename trick so existing `use irma::...` call sites stay unchanged. `irmars 0.2.2` ships with reqwest 0.12 and thiserror 2, which lets pg-pkg and pg-cli bump to reqwest 0.12 in the same step. Clears RUSTSEC-2025-0134 (rustls-pemfile unmaintained) from the cargo-audit allowlist. RUSTSEC-2026-0058 (tokio-io unmaintained) still surfaces through tower-http and sqlx-* via futures-util's compat shim, so its allowlist entry is retained with an updated comment explaining the remaining transitive path. Supersedes #188 (which used a vendored irma source as a workaround). Closes #186.
Contributor
Reviewed locally. LGTM.
Verified
- Workspace builds clean (`cargo build --workspace`).
- pg-core (`--features test,rust,stream`) and pg-pkg (`--all-features`) tests pass — 30 in pg-pkg, doc-tests in pg-core.
- crates.io `irmars 0.2.2` is owned by encryption4all and points at `encryption4all/irmars` — legit fork.
- Cargo.lock now resolves `irmars 0.2.2` with `reqwest ^0.12` and `thiserror ^2.0`, dropping the 0.11.x chain. `rustls-pemfile 1.0.4` and the `base64 0.21` duplicate are gone; `hyper 1.x`, `h2 0.4`, `http 1.4`, `http-body 1.0` are in.
- `.cargo/audit.toml` correctly drops `RUSTSEC-2025-0134` (no longer reachable post-reqwest-0.12) and rewrites the `RUSTSEC-2026-0058` comment to reflect the new transitive path through `tower-http` + `sqlx-*` `futures-util` compat. Accurate.
- Cargo `package = "irmars"` rename keeps `use irma::...` call sites untouched — confirmed no source changes needed.
Notes (non-blocking)
- pg-cli adds `default-tls` to reqwest's feature list (was just `["json"]` on 0.11). Reasonable since reqwest 0.12 split TLS feature flags differently and HTTPS wouldn't work without it.
- This cleanly supersedes PR #188 — same end state, ~1300 fewer LOC, no vendored crate to maintain. Worth closing #188 manually after merge as the description notes.
CI is fully green on the formatting + test matrices; only Build (amd64) still pending at review time. Approving.
Summary
Switches every pg-* crate from the abandoned upstream `irma 0.2.1` (tweedegolf/irmars, dormant since 2021) to the encryption4all fork published on crates.io as `irmars 0.2.2`. Uses the Cargo `package = "irmars"` rename so existing `use irma::...` call sites are unchanged. `irmars 0.2.2` already depends on `reqwest ^0.12` and `thiserror ^2.0`, so this single dep flip also completes the reqwest 0.12 migration that #186 tracks.
Relation to existing work
`irma 0.2.1` source copy at `./irma/` and patched its `reqwest` dep locally — a workaround for the absence of a published reqwest-0.12 release. With the encryption4all fork now on crates.io, the vendored copy is no longer needed; the result is the same dependency graph with ~1300 fewer lines of code in this repo.

Changes

| File | Change |
|---|---|
| `pg-core/Cargo.toml` | `irma = "0.2.1"` -> `irma = { package = "irmars", version = "0.2.2" }` |
| `pg-cli/Cargo.toml` | `irma` rename as above; `reqwest = "0.11.14"` -> `"0.12"` (kept `default-features = false` with `json` + `default-tls`) |
| `pg-pkg/Cargo.toml` | `irma` rename as above; `reqwest = "0.11.10"` -> `"0.12"` |
| `.cargo/audit.toml` | `RUSTSEC-2025-0134` (rustls-pemfile) entry removed. `RUSTSEC-2026-0058` (tokio-io) retained with an updated comment — see Caveat. |
| `Cargo.lock` | |

Caveat: tokio-io advisory partially cleared
The reqwest 0.11 path is gone, but `RUSTSEC-2026-0058` (`tokio-io 0.1.13`) still surfaces through `futures-util`'s `compat` feature, pulled in by `tower-http` (a `reqwest 0.12` transitive) and by `sqlx-*`. postguard does not call the compat shim directly; the allowlist entry is retained with a revised comment. Clearing it needs a `tower-http`/`sqlx` upstream fix.

Verification
- `cargo build --workspace` — clean.
- `cargo test --manifest-path pg-core/Cargo.toml --features test,rust,stream` — passed.
- `cargo test --manifest-path pg-cli/Cargo.toml --all-features` — 7 passed.
- `cargo test --manifest-path pg-pkg/Cargo.toml --all-features` — 30 passed.
- `cargo test --manifest-path pg-ffi/Cargo.toml --all-features` — 1 passed.
- `cargo build --profile edge --bin pg-pkg` — clean (matches Docker CI invocation).
- `irma` or `reqwest`, so no change there.

Reviewer quickstart
Once this merges
Please close PR #188 ("chore: migrate off reqwest 0.11 to clear unmaintained transitives") as superseded — GitHub doesn't auto-close PRs from a `Supersedes` reference, only issues.