Upgrade to the latest `cookie` release. This removes the dependency on a version of `time` that was affected by RUSTSEC-2020-0071. `actix-web` still depends on a vulnerable version of `chrono` via `rcgen`, but `rcgen` is only used as a dev dependency, so this does not affect end users.

This is a breaking change, because `cookie`'s types are exposed in the public API of `actix-web`.
Luca Palmieri 2021-12-29 10:31:50 +01:00
parent 9779010a5a
commit 18615ff591
2 changed files with 2 additions and 2 deletions


@ -84,7 +84,7 @@ actix-web-codegen = "0.5.0-beta.6"
ahash = "0.7"
bytes = "1"
cfg-if = "1"
cookie = { version = "0.15", features = ["percent-encode"], optional = true }
cookie = { version = "0.16", features = ["percent-encode"], optional = true }
derive_more = "0.99.5"
encoding_rs = "0.8"
futures-core = { version = "0.3.7", default-features = false }


@ -85,7 +85,7 @@ serde_json = "1.0"
serde_urlencoded = "0.7"
tokio = { version = "1.8.4", features = ["sync"] }
cookie = { version = "0.15", features = ["percent-encode"], optional = true }
cookie = { version = "0.16", features = ["percent-encode"], optional = true }
tls-openssl = { package = "openssl", version = "0.10.9", optional = true }
tls-rustls = { package = "rustls", version = "0.20.0", optional = true, features = ["dangerous_configuration"] }