topaLE
/
vaultwarden
mirror of https://github.com/dani-garcia/vaultwarden
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2946 Commits
3 Branches
77 Tags
20 MiB
 
 
 
 
 
 
Tree: e3d1e4aa04
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'e3d1e4aa04'
${ noResults }
vaultwarden/issues/EXP-REQWEST-WEBAUTHN-2025-1...

2.4 KiB
Raw Blame History

Experiment: reqwest(native-tls) & webauthn-rs bump (2025-11-10)

Summary

Two non-destructive experiments were executed in a copied workspace to evaluate remediation paths for the top license clusters.

  1. reqwest/native-tls experiment
  • Script: docker/audit/exp/reqwest_native_exp.sh
  • Action: attempted to prefer native-tls for reqwest by editing Cargo.toml, running cargo update -p reqwest, and running cargo-deny (licenses) in a workspace copy.
  • Result: cargo-deny reduced license errors to a single error: ar_archive_writer v0.2.0 (license: Apache-2.0 WITH LLVM-exception) via lettre -> psm -> stacker -> chumsky -> vaultwarden path. The webpki-roots (CDLA-Permissive-2.0) failure was removed in this experiment.
  • Artifacts: docker/audit/output/deny_reqwest_native.err (diagnostic), docker/audit/output/deny_reqwest_native.json (may be empty), docker/audit/output/req_exp.done (marker).
  1. webauthn-rs bump experiment
  • Script: docker/audit/exp/patch_and_run.sh
  • Action: in a workspace copy, attempted to bump webauthn-rs to 0.6 and ran cargo update -p webauthn-rs and cargo-deny (licenses).
  • Result: MPL-2.0 failures related to the webauthn-rs family were removed by the non-destructive bump attempt (in the copied workspace experiment). The remaining single license rejection (same as above) persisted.
  • Artifacts: docker/audit/output/deny_licenses.err, docker/audit/output/deny_licenses.json (may be empty), docker/audit/output/exp.done.

Conclusion & recommended next step

  • Both experiments significantly reduced the license noise: from the previously reported set down to one remaining rejection: ar_archive_writer v0.2.0 (Apache-2.0 WITH LLVM-exception).
  • Recommended immediate actions:
    1. Decide whether to temporarily allow Apache-2.0 WITH LLVM-exception in deny.toml (timeboxed) to unblock CI, OR
    2. Investigate the lettre/psm chain to find alternative crates or versions that avoid ar_archive_writer.
  • If you approve, I can open a follow-up branch that applies the minimal change (either temporary allowlist addition or a patch bump) and run CI to verify cargo-deny cleanly passes.

Notes

  • All changes in these experiments were done in copied workspaces inside the audit container and did not modify the main branch's Cargo.toml or lockfile.
  • Full experiment artifacts are saved under docker/audit/output/ in the repository workspace.