Skip to content

migrate hyper to reqwest #11

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: main
Choose a base branch
from
Open

migrate hyper to reqwest #11

wants to merge 2 commits into from

Conversation

rursprung
Copy link

@rursprung rursprung commented Apr 3, 2025
edited
Loading

please see the individual commit messages for further details.

i realise that this is similar to #8 from @jakobbraun, however this PR completely removes hyper and it does not add an async version of the API. i think removing the outdated hyper dependency (and the vulnerabilities coming from it) is the most pressing issue.

note that this is a breaking change for consumers, so you might want to use that chance to just ditch the blocking API (currently the only one available) and replace it with an async API (most of the rust ecosystem - at the very least anything doing I/O - seems to have gone down that route, and for good reasons). i've raised #12 for this.
nevertheless i think that merging & releasing this PR would be a good first step, you can then just remove the blocking:: from the reqwest module name and add the necessary async/await keywords. having a last non-async release without the outdated hyper dependency would allow clients which are not (yet) async to at least get rid of the security warnings coming from the outdated hyper dependency, giving them a two-step migration path (first get rid of insecure dependencies and then switch to async).

fixes #9

This was referenced Apr 3, 2025
Open
Open
Open
@rursprung
Copy link
Author

@adnanademovic: it'd be great if you could review, merge & release this and then bump rosrust to the new release as that'd resolve security alerts (reported e.g. by dependabot) on rosrust & its downstream consumers.

this is also a good reason to not combine that release with switching to async: rosrust as the main (only?) consumer of this crate isn't async either (and it doesn't make sense to invest the time to make it async anymore seeing that ROS 1 will be EOL very soon)

rursprung added 2 commits May 15, 2025 10:29
@rursprung
replace hyper v0.10 with reqwest
2aa028e 
`hyper` v0.10 is extremely outdated, the current release is v1.6. this
old version pulls in vulnerable dependencies (incl. `hyper` v0.10
itself).

rather than upgrading to `hyper` v1.6 i opted to replace it with
`reqwest` since this crate here is not `async` and `hyper` v1 is
completely `async`. due to the very limited amount of features needed
from `hyper` (just executing HTTP POST requests) it can instead be
replaced with the much simpler `reqwest` crate. while it hasn't hit v1.0
yet it is very widely used (nearly 200 million downloads on crates.io).

this is a breaking change for consumers since the URLs can now just be
passed as strings rather than having to call `.parse()?` on the string.

note that this is similar to, but not the same as, adnanademovic#8.

fixes adnanademovic#9
@rursprung
update to rust edition 2024
eac04e6 
code changes done using `cargo fix --edition`
@rursprung rursprung force-pushed the migrate-hyper-to-reqwest branch from 215825c to eac04e6 Compare May 15, 2025 08:30
rursprung added a commit to rursprung/rosrust that referenced this pull request May 15, 2025
@rursprung
update to xml-rpc 0.2.0
b216fe0 
this updates to the latest `xml-rpc` version. note that at the moment
this does not yet build since it hasn't been released yet.
this requires adnanademovic/xml-rpc-rs#11 to be merged & released first.

for the time being you can use this by using `[patch.crates-io]` in your
`Cargo.toml` and overwrite both `rosrust` and `xml-rpc`.

this update is needed to resolve various security vulnerabilities coming
from outdated versions of `hyper` which are being pulled in via
`xml-rpc`. with this, `cargo-audit` is happy again.
@rursprung rursprung mentioned this pull request May 15, 2025
Open
@rursprung
Copy link
Author

i noticed a problem with this several layers further up: when used within an async context (as e.g. in this ros-core-rs example) then this crashes in debug builds due to this check and i now realised that the reqwest docs even state:

Conversely, the functionality in reqwest::blocking must not be executed within an async runtime, or it will panic when attempting to block. [..]
If the immediate context is only synchronous, but a transitive caller is async, consider changing that caller to use tokio::task::spawn_blocking around the calls that need to block.

the suggestion works, but it does mean that users of rosrust must wrap calls to it from async code in tokio::task::spawn_blocking (which, one might argue, they might've already had to do since it's sync code).

thus, a call like this:

rosrust::loop_init("talker_listener", 1000);

becomes:

    tokio::task::spawn_blocking(|| {
        rosrust::loop_init("talker_listener", 1000);
    })
    .await?;

in the linked ros-core-rs example the same has to be done for rosrust::shutdown - everything else is already being executed in a blocking context (it already uses tokio::task::spawn_blocking for the talker & listener).

i do believe that this is still the correct thing to do (hyper v1 is also async, so either way you'll run into this)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

update to hyper v1
1 participant
@rursprung