why no backport of security fix to 1.22?

[mystenmark]

There was a recent security vulnerability GHSA-7rrj-xr53-82p7 which has been fixed in 1.23.1, 1.20.3, and 1.18.4.

Does anyone know why there is no fix for 1.22? Normally I would just upgrade to the very latest, but due to the build-breaking removal of the winapi feature this is not easy. (I do not require winapi, but I have transitive dependencies that do - until they are all upgraded to 1.23.1 or higher, I can't upgrade to 1.22.)

[carllerche]

This tracks our LTS policy documented here: https://github.com/tokio-rs/tokio/#bug-patching-policy. If you need to stay on an older version, I recommend using 1.20.x

[mystenmark]

If I put up a PR patching the fix to 1.22 would it be rejected?

[bmwill]

IIUC winapi isn't a public dependency of tokio, despite this, and due to winapi being an optional dependency, cargo implicitly defines a winapi features and lets you enable the feature when depending on tokio. This interacted poorly with an older version of cargo-hakari (a tool used to manage third-party dependencies in workspaces) where it would specify these private dependencies in some instances. I'm working on updating to a newer version of cargo-hakari in order to avoid this issue.

[Darksonn]

And crates on crates.io are specifying winapi as a required feature ...? Any examples?

[bmwill]

No, not that I'm aware of.

[Darksonn]

If the issue is in your own workplace, then just remove the explicit mention of winapi from your Cargo.toml and upgrade to the newest release.

[bmwill]

Yes, sorry, I realized my initial response probably wasn't clear. We realized that the issue was on our end and we've since fixed it in our workspace. I don't believe there is anything actionable for tokio to do here. Thank you for your assistance and your work on tokio!