fix(deps): update rust crate tonic to 0.12.0 [security] - autoclosed

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
tonic	dependencies	minor	0.11.0 -> 0.12.0

GitHub Vulnerability Alerts

CVE-2024-47609

Impact

note: this only affects v0.12.0 - v0.12.2

When using tonic::transport::Server there is a remote DoS attack that can cause the server to exit cleanly on accepting a tcp/tls stream. This can be triggered via causing the accept call to error out with errors there were not covered correctly causing the accept loop to exit.

More information can be found here

Patches

Upgrading to tonic 0.12.3 and above contains the fix.

Workarounds

A custom accept loop is a possible workaround.

---

Release Notes

hyperium/tonic (tonic)

v0.12.3

Compare Source

Features

• server: Added support for grpc max_connection_age (#​1865)
• build: Add #[deprecated] to deprecated client methods (#​1879)
• build: plumb skip_debug through prost Builder and add test (#​1900)

Bug Fixes

• build: Revert "fix tonic-build cargo build script outputs (#​1821)" which accidentally increases MSRV (#​1898)
• server: ignore more error kinds in incoming socket stream (#​1885)
• transport: do not shutdown server on broken connections (#​1948)

v0.12.2

Compare Source

Features

• Move TimeoutExpired out of transport (#​1826)
• Move ConnectError type from transport (#​1828)
• channel: allow setting max_header_list_size (#​1835)
• router: Add RoutesBuilder constructor (#​1855)
• tls: Rename tls-roots feature with tls-native-roots (#​1860)
• router: Rename Routes::into_router with into_axum_router (#​1862)
• router: Implement from axum::Router for Routes (#​1863)
• channel: Re-enable TLS based on Cargo features in generated clients (#​1866)
• server: allow setting max_header_list_size (#​1870)
• build: Expose formatted service name (#​1684)
• reflection: add back support for v1alpha reflection protocol (#​1888)

Bug Fixes

• router: Add missing unimplemented fallback to RoutesBuilder (#​1864)
• server: Prevent server from exiting on ECONNABORTED (#​1874)
• web: fix panic in trailer parsing on multiple trailers (#​1880)
• web: fix empty trailer parsing causing infinite parser loop (#​1883)

v0.12.1

Compare Source

Bug Fixes

• Reduce tokio-stream feature (#​1795)

v0.12.0

Compare Source

This breaking release updates tonic to the hyper 1.0 ecosystem and also updates
to prost v0.13.0.

Features

• build: Custom codecs for generated code (#​1599) (18a2b30)
• channel: Make channel feature additive (#​1574) (b947e1a)
• codec: Make error when not utf8 value in compression encoding (#​1768) (f8e1f87)
• Implement http_body::Body::size_hint for custom body (#​1713) (9728c01)
• Make boxed function public (#​1754) (2cc868f)
• Relax GrpcMethod lifetime (#​1598) (68bf17d)
• tls: Add ability to add multiple ca certificates (#​1724) (3457f92)
• tls: Use rustls_pki_types::CertificateDer to describe DER encoded certificate (#​1707) (96a8cbc)
• tls: Remove tls roots implicit configuration (#​1731) (de73617)
• transport: Make service router independent from transport (#​1572) (da48235)
• transport: Make transport server and channel independent (#​1630) (654289f)
• transport: Rename reexported axum body (#​1752) (5d7bfc2)
• Use http::Extensions directly (#​1710) (ed95d27)

Bug Fixes

• tonic: flush accumulated ready messages when status received (#​1756) (d312dcc), closes #​1423

BREAKING CHANGES

• tonic and crates updated to hyper 1.0 (#​1670)
• tonic and crates updated to prost 0.13 (#​1779)
• tonic_reflection::server is updated to use the generated
  tonic_reflection::pb::v1 code.
• Make compression encoding configuration more malleable (#​1757)
• Removed implicit configuration of client TLS roots setup (#​1731)

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update artifacts related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: Cargo.lock

Command failed: cargo update --config net.git-fetch-with-cli=true --manifest-path Cargo.toml --package [email protected] --precise 0.12.3
    Updating crates.io index
error: failed to select a version for the requirement `tonic = "^0.11"`
candidate versions found which didn't match: 0.12.3
location searched: crates.io index
required by package `opentelemetry-otlp v0.16.0`
    ... which satisfies dependency `opentelemetry-otlp = "^0.16.0"` (locked to 0.16.0) of package `tailcall-upstream-grpc v0.1.0 (/tmp/renovate/repos/github/tailcallhq/tailcall/tailcall-upstream-grpc)`

File name: Cargo.lock

Command failed: cargo update --config net.git-fetch-with-cli=true --manifest-path tailcall-upstream-grpc/Cargo.toml --package [email protected] --precise 0.12.3
    Updating crates.io index
error: failed to select a version for the requirement `tonic = "^0.11"`
candidate versions found which didn't match: 0.12.3
location searched: crates.io index
required by package `opentelemetry-otlp v0.16.0`
    ... which satisfies dependency `opentelemetry-otlp = "^0.16.0"` (locked to 0.16.0) of package `tailcall-upstream-grpc v0.1.0 (/tmp/renovate/repos/github/tailcallhq/tailcall/tailcall-upstream-grpc)`