
Update dependencies: #7820

Merged
erikd merged 3 commits into master from erikd/updates on Jun 24, 2026

Conversation

@erikd erikd commented Jun 17, 2026

Contributor

Specifically rely on aeson >= 2.3.0.0 to avoid a DoS vulnerability in earlier versions:

  https://haskell.github.io/security-advisories/advisory/HSEC-2026-0007.html

Pre-submit checklist:

  • Branch
    • Tests are provided (if possible)
    • Commit sequence broadly makes sense
    • Key commits have useful messages
    • Changelog fragments have been written (if appropriate)
    • Relevant tickets are mentioned in commit messages
    • Formatting, PNG optimization, etc. are updated
  • PR
    • (For external contributions) Corresponding issue exists and is linked in the description
    • Targeting master unless this is a cherry-pick backport
    • Self-reviewed the diff
    • Useful pull request description
    • Reviewer requested

@erikd erikd added the No Changelog Required Add this to skip the Changelog Check label Jun 17, 2026
@erikd erikd force-pushed the erikd/updates branch 2 times, most recently from ddedd20 to de3b7b5 Compare June 18, 2026 05:02
@Unisay Unisay assigned Unisay and unassigned Unisay Jun 18, 2026
@Unisay Unisay self-requested a review June 18, 2026 07:17
@erikd erikd marked this pull request as draft June 18, 2026 09:56
@erikd erikd commented Jun 18, 2026

Contributor Author

More fixes needed

@erikd erikd changed the title from "Update dependencues:" to "Update dependencies:" Jun 18, 2026

@Unisay Unisay left a comment

Contributor

Thanks for the quick turnaround. The build side is solid: the plan resolves and Hydra is green on Linux and Darwin against aeson 2.3.0.0, so CI is off the vulnerable aeson.

One thing to sort out before merge. The aeson >= 2.3.0.0 constraint lives only in cabal.project, which isn't shipped to CHaP/Hackage. The libraries that depend on aeson still admit vulnerable versions: plutus-tx has aeson >=2.2, and plutus-core / plutus-ledger-api have no bound at all, so anyone building those from CHaP can still resolve aeson < 2.3.0.0. For the fix to reach downstream consumers per HSEC-2026-0007, the >= 2.3.0.0 lower bound should also go into the build-depends of the published aeson-using packages: plutus-tx, plutus-core and plutus-ledger-api are the ones consumed downstream, with plutus-conformance, cardano-constitution and plutus-benchmark worth doing for consistency.

Two smaller things I hit while checking the solver.

The four aeson allow-newer lines this PR adds (aeson-pretty, deriving-aeson, microstache, monoidal-containers against aeson) are already redundant against the new index-state. I removed each and re-solved cabal build all --dry-run under GHC 9.6 and 9.12: the plan resolves without them, and aeson still pins to 2.3.0.0 via the constraint. The resolved versions already admit aeson 2.3, so the four lines can go.

The new QuickCheck >=2.18 bound is applied unevenly. withNumTests only exists from QuickCheck 2.18, but several components that call it don't carry the bound: untyped-plutus-core-testlib, plutus-ir-test, plutus-ledger-api-testlib and plutus-ledger-api-plugin-test. It builds in-project because cabal pins one QuickCheck for the whole solve, but a standalone build of either public testlib could resolve an older QuickCheck and fail. Adding QuickCheck >=2.18 there, especially the two testlibs, makes the bounds match usage.

Nits: the title has a typo ("dependencues"), and the doc/docusaurus path change is unrelated to the bump if you'd rather keep this PR focused.

Specifics are in the inline comments.

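As an added example (not code from the PR or the plutus repository), a small check for the gap the review describes: scan each package's build-depends for an aeson entry whose lower bound still admits a version below 2.3.0.0. The .cabal excerpts are constructed to mirror the three cases in the comment and are not the real files.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed .cabal excerpts mirroring the three cases in the review (not the real plutus files):
# a lower bound that is too low, no bound at all, and the fixed bound.
CABAL_FILES: Dict[str, str] = {
    "plutus-tx.cabal": "library\n  build-depends:\n    base >=4.9 && <5,\n    aeson >=2.2,\n    aeson-pretty\n",
    "plutus-core.cabal": "library\n  build-depends:\n    , aeson\n    , base\n\ntest-suite t\n  build-depends: base\n",
    "plutus-ledger-api.cabal": "library\n  build-depends:\n    aeson >=2.3.0.0 && <3,\n    base\n",
}

SAFE_MIN = (2, 3, 0, 0)  # first aeson release not affected by HSEC-2026-0007, per the PR


def version(s: str) -> Tuple[int, ...]:
    """Parse '2.2' into four components so that '2.3' and '2.3.0.0' compare equal."""
    parts = [int(p) for p in s.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))


def dependencies(cabal_text: str) -> List[str]:
    """Every entry of every build-depends field; a field ends at a blank line,
    a dedented line or the next 'name:' field."""
    fields = re.findall(r"build-depends:\s*(.*?)(?=\n\s*\n|\n\S|\n\s+[\w-]+:|\Z)", cabal_text, re.S)
    return [e.strip() for f in fields for e in f.split(",") if e.strip()]


def lower_bound(constraint: str) -> Optional[Tuple[int, ...]]:
    """Lowest version the constraint admits: '>=X', '>X', '^>=X' and '==X.*' all start at X.
    With '||' alternatives the minimum is taken, the conservative choice for a security check."""
    bounds = [version(v) for v in re.findall(r"(?:\^>=|>=|>|==)\s*(\d+(?:\.\d+)*)", constraint)]
    return min(bounds) if bounds else None


def admits_vulnerable_aeson(cabal_text: str) -> Optional[bool]:
    """True if any aeson entry lets the solver pick aeson < 2.3.0.0, False if every
    aeson entry carries a safe lower bound, None if aeson is not a dependency at all."""
    verdicts = []
    for entry in dependencies(cabal_text):
        m = re.match(r"([\w-]+)\s*(.*)", entry, re.S)
        if m and m.group(1) == "aeson":
            lb = lower_bound(m.group(2))
            verdicts.append(lb is None or lb < SAFE_MIN)
    return any(verdicts) if verdicts else None


def audit(files: Dict[str, str]) -> Dict[str, str]:
    """Map each file name to a human-readable verdict."""
    labels = {True: "admits aeson <2.3.0.0", False: "ok", None: "no aeson dependency"}
    return {name: labels[admits_vulnerable_aeson(text)] for name, text in files.items()}


if __name__ == "__main__":
    for name, verdict in audit(CABAL_FILES).items():
        print(f"{name}: {verdict}")
```

A project-level `constraints:` line in cabal.project never reaches consumers of the published packages, which is why the check looks only at build-depends.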
Comment thread cabal.project Outdated
Comment thread cabal.project Outdated
Comment thread plutus-core/plutus-core.cabal Outdated
@erikd erikd force-pushed the erikd/updates branch 3 times, most recently from a74aed6 to d6e0924 Compare June 19, 2026 05:00
Comment thread plutus-conformance/plutus-conformance.cabal Outdated
@erikd erikd force-pushed the erikd/updates branch 7 times, most recently from 02cf89f to 293cf76 Compare June 23, 2026 03:10
@erikd erikd marked this pull request as ready for review June 23, 2026 06:02
@erikd erikd force-pushed the erikd/updates branch 2 times, most recently from 7b148fe to 430e467 Compare June 24, 2026 04:44
@erikd erikd requested a review from Unisay June 24, 2026 07:38
erikd added 2 commits June 24, 2026 18:48
* Increase lower bound on aeson >= 2.3 to avoid a DoS vulnerability in
  earlier versions:
    https://haskell.github.io/security-advisories/advisory/HSEC-2026-0007.html
* Make it compatible with QuickCheck == 2.18.* and earlier.

@Unisay Unisay left a comment

Contributor

LGTM, thanks!

@erikd erikd merged commit 965fef1 into master Jun 24, 2026
8 checks passed
@erikd erikd deleted the erikd/updates branch June 24, 2026 21:41