fix: update aws-sdk-sts to resolve rustls-webpki vulnerabilities #10155
Open
Co-Authored-By: Oz <oz-agent@warp.dev>
Overview
This PR narrows aws-sdk-sts to the modern HTTPS client/runtime features to remove the legacy rustls 0.21 backend, and updates the SSE event drain loop to use the non-deprecated receiver API.
Concerns
- No blocking concerns found in the available annotated diff. Note: `Cargo.lock` was marked patch unavailable, so this review could not independently inspect the lockfile removal details from the supplied diff.
Verdict
Found: 0 critical, 0 important, 0 suggestions
Approve
Powered by Oz
danielpeng2 approved these changes on May 5, 2026
Summary

Resolves three open Dependabot alerts for `rustls-webpki` (v0.101.7) by removing the legacy `rustls 0.21` TLS backend from the dependency tree:

What changed

Root cause: `aws-sdk-sts = "1"` with default features enables the legacy `rustls` feature on `aws-smithy-runtime`, which pulls in `aws-smithy-http-client/legacy-rustls-ring` → `rustls 0.21.12` → `rustls-webpki 0.101.7`. The modern TLS backend (`default-https-client`) was already enabled separately.

Fix:
- `aws-sdk-sts` to `default-features = false` with only `default-https-client` and `rt-tokio` features, removing the legacy TLS backend entirely
- `Cargo.lock` — `rustls 0.21.12`, `rustls-webpki 0.101.7`, `hyper-rustls 0.24.2`, and `tokio-rustls 0.24.1` are no longer present
- `futures` deprecation (`try_next()` → `try_recv()` on `UnboundedReceiver`) that caused CI to fail on a prior attempt (PR fix: update aws-sdk-sts to resolve rustls-webpki vulnerabilities #9918)

Dependabot context: Dependabot reported `security_update_not_possible` because `rustls-webpki 0.101.7` was the latest version resolvable within the `rustls 0.21` constraint. The fix is to remove the `rustls 0.21` dependency chain entirely.

Verification
- `rustls-webpki 0.101.7` no longer appears in `Cargo.lock`
- `rustls 0.21.12` no longer appears in `Cargo.lock`

Conversation: https://staging.warp.dev/conversation/65c09fed-26d4-4851-9c44-4a4b4a08f61e
Run: https://oz.staging.warp.dev/runs/019df8de-4414-7d7e-91fe-566ec591e2d4
This PR was generated with Oz.
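The verification step above is a manual grep of `Cargo.lock`. The script below is an added example, not code from this PR or from the aws-sdk-sts project: it parses the `[[package]]` entries of a lockfile and reports any crate from the legacy `rustls 0.21` chain named in the PR (`rustls 0.21.x`, `rustls-webpki 0.101.x`, `hyper-rustls 0.24.x`, `tokio-rustls 0.24.x`), exiting non-zero so it can gate CI. The two sample lockfiles it ships with are constructed for the example; the `aws-sdk-sts` version in them is a placeholder, and the modern `rustls 0.23.0` / `rustls-webpki 0.102.0` entries are there only to show that the check matches on version series rather than on crate name.

```shell
#!/bin/sh
# Added example (not from the PR): audit a Cargo.lock for the legacy rustls 0.21
# chain. Needs only the lockfile, so it runs offline. With a checkout,
#   cargo tree -i rustls-webpki@0.101.7 -e features
# additionally shows the feature edge that pulls the crate in.

# Crates that exist only in the legacy chain and the version series the PR
# removed (taken from the PR description). Format: name=major.minor
LEGACY_CHAIN="rustls=0.21 rustls-webpki=0.101 hyper-rustls=0.24 tokio-rustls=0.24"

# Print "name version" for every [[package]] entry in a Cargo.lock.
# The top-level lockfile-format line `version = N` is skipped because no
# package name has been seen yet; indented dependency lines never match.
lock_packages() {
  awk '
    /^\[\[package\]\]/ { name = ""; ver = "" }
    /^name = /         { gsub(/"/, "", $3); name = $3 }
    /^version = /      { gsub(/"/, "", $3); ver = $3; if (name != "") print name, ver }
  ' "$1"
}

# Print every locked package that belongs to the legacy chain, in lock order.
# Returns 0 and prints nothing when the lockfile is clean, 1 otherwise.
legacy_rustls_in_lock() {
  hits=$(lock_packages "$1" | while read -r pkg ver; do
    for entry in $LEGACY_CHAIN; do
      name=${entry%%=*}
      series=${entry#*=}
      if [ "$pkg" = "$name" ]; then
        case "$ver" in
          "$series".*) printf '%s %s\n' "$pkg" "$ver" ;;   # e.g. 0.21.12 under 0.21
        esac
      fi
    done
  done)
  [ -z "$hits" ] && return 0
  printf '%s\n' "$hits"
  return 1
}

# Constructed sample resembling the pre-fix lockfile: the legacy chain sits
# next to the modern backend, and the nested dependency strings must not be
# mistaken for package entries.
write_before_lock() {
  cat > "$1" <<'EOF'
# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "aws-sdk-sts"
version = "1.0.0"

[[package]]
name = "hyper-rustls"
version = "0.24.2"
dependencies = [
 "rustls 0.21.12",
 "tokio-rustls 0.24.1",
]

[[package]]
name = "rustls"
version = "0.21.12"

[[package]]
name = "rustls"
version = "0.23.0"

[[package]]
name = "rustls-webpki"
version = "0.101.7"

[[package]]
name = "rustls-webpki"
version = "0.102.0"

[[package]]
name = "tokio-rustls"
version = "0.24.1"
EOF
}

# Constructed sample resembling the post-fix lockfile: only the modern backend.
write_after_lock() {
  cat > "$1" <<'EOF'
version = 3

[[package]]
name = "aws-sdk-sts"
version = "1.0.0"

[[package]]
name = "rustls"
version = "0.23.0"

[[package]]
name = "rustls-webpki"
version = "0.102.0"
EOF
}

# Usage: sh audit_lock.sh path/to/Cargo.lock   (no argument: check the samples)
if [ -n "$1" ]; then
  legacy_rustls_in_lock "$1"
else
  before=$(mktemp); after=$(mktemp)
  write_before_lock "$before"; write_after_lock "$after"
  echo "before fix:"; legacy_rustls_in_lock "$before" || true
  echo "after fix:";  legacy_rustls_in_lock "$after" && echo "clean"
  rm -f "$before" "$after"
fi
```

Matching on the `major.minor` series rather than the exact version matters because Dependabot could not bump within `rustls 0.21` at all: any `0.21.x` lock entry means the legacy feature is still enabled somewhere, and `cargo tree -i <crate> -e features` on the checkout then names the feature (`aws-smithy-runtime/legacy-rustls` in this PR) that has to be switched off.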