Commit 2bd1a2b

fix: upgrade hickory-resolver to 0.26 for RUSTSEC advisories
# Summary

`cargo audit` flagged two denial-of-service advisories in `hickory-proto 0.25.2`, pulled in transitively through `hickory-resolver`, failing the security audit. Upgrading `hickory-resolver` to 0.26 resolves `hickory-proto` to 0.26.1 and clears both advisories. The upgrade also requires adapting to 0.26 API changes and restoring the DNS lookup order that 0.26 silently changed.

# Details

- Bump `hickory-resolver` from 0.25 to 0.26. This brings `hickory-proto` 0.26.1, fixing RUSTSEC-2026-0119 (patched >= 0.26.1) and avoiding RUSTSEC-2026-0118 (unaffected >= 0.26.0-beta.1, since the affected `DnssecDnsHandle` moved to the new `hickory-net` crate in 0.26).
- Adapt the Tokio DNS resolver to the 0.26 API: `ResolverBuilder::build` is now fallible, so its error is mapped into `io::Error`; and `LookupIp` no longer implements `IntoIterator`, so iteration uses `iter()`, which yields `IpAddr`.
- Pin the lookup strategy to `Ipv4thenIpv6`. hickory 0.26 changed the default to `Ipv6AndIpv4` (AAAA before A), so `localhost` resolved to `::1` first; because the servers bind to IPv4 `127.0.0.1`, cluster-join connections were refused and integration tests failed. Pinning restores the pre-0.26 IPv4-first order.
1 parent d80d3cf commit 2bd1a2b

2 files changed

Lines changed: 11 additions & 3 deletions

Cargo.toml

Lines changed: 1 addition & 1 deletion
@@ -73,7 +73,7 @@ fs_extra = "1.3.0"
7373
futures = "0.3.24"
7474
futures-async-stream = "0.2.7"
7575
futures-util = "0.3.24"
76-
hickory-resolver = "0.25"
76+
hickory-resolver = "0.26"
7777
hostname = "0.3.1"
7878
itertools = "0.13.0"
7979
log = { version = "0.4.27", features = ["serde", "kv_serde", "kv_unstable_std"] }
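Review bot: The requirement `hickory-resolver = "0.26"` on line 76 accepts any 0.26.x release and does not itself constrain the transitive `hickory-proto`, while the commit message relies on `hickory-proto` resolving to 0.26.1 for RUSTSEC-2026-0119 (patched >= 0.26.1). This commit touches only two files and neither is a lockfile, so that resolution is not recorded here. Consider committing the updated `Cargo.lock` with this change if the repository tracks one, or stating the minimum patched `hickory-proto` version in a comment next to this line, so a resolve below 0.26.1 is caught in review rather than by the next `cargo audit` run.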

crates/common/runtime-api/src/tokio_impl.rs

Lines changed: 10 additions & 2 deletions
@@ -21,6 +21,7 @@ use std::thread::JoinHandle as ThreadJoinHandle;
2121
use std::time::Duration;
2222

2323
use hickory_resolver::TokioResolver;
24+
use hickory_resolver::config::LookupIpStrategy;
2425
use tokio::runtime::Handle;
2526
use tokio::sync::oneshot;
2627
use tokio::task::JoinHandle;
@@ -40,7 +41,14 @@ use crate::TrackingData;
4041
/// Global DNS resolver instance for TokioRuntime.
4142
static DNS_RESOLVER: LazyLock<io::Result<TokioResolver>> =
4243
LazyLock::new(|| match TokioResolver::builder_tokio() {
43-
Ok(builder) => Ok(builder.build()),
44+
Ok(mut builder) => {
45+
// hickory 0.26 changed the default lookup strategy to `Ipv6AndIpv4`
46+
// (AAAA before A). Pin the pre-0.26 `Ipv4thenIpv6` order so that
47+
// `localhost` resolves to 127.0.0.1 first, matching IPv4-bound
48+
// listeners.
49+
builder.options_mut().ip_strategy = LookupIpStrategy::Ipv4thenIpv6;
50+
builder.build().map_err(io::Error::other)
51+
}
4452
Err(e) => Err(io::Error::other(e)),
4553
});
4654

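Review bot: The pin at line 49, `builder.options_mut().ip_strategy = LookupIpStrategy::Ipv4thenIpv6;`, applies to the process-wide `DNS_RESOLVER`, so every lookup through this runtime prefers IPv4, not only the `localhost` case the inline comment describes. The `///` doc comment on `DNS_RESOLVER` should say so, since callers see the static and not the closure body. It is also worth adding a unit test that resolves `localhost` and asserts the first address is IPv4, so a future default change in the resolver fails a focused test instead of surfacing as refused cluster-join connections.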
@@ -252,7 +260,7 @@ impl SpawnApi for TokioRuntime {
252260
.lookup_ip(&hostname)
253261
.await
254262
.map_err(|e| io::Error::other(e.to_string()))?;
255-
Ok(lookup.into_iter().collect())
263+
Ok(lookup.iter().collect())
256264
})
257265
}
258266

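Review bot: Style point on the context line 254/262: `.map_err(|e| io::Error::other(e.to_string()))` flattens the lookup error to a string, while the new line 50 in this same file uses `.map_err(io::Error::other)` and keeps the original error as the source. Since this hunk already touches the call site, consider using the same form here if the lookup error type permits it, so both resolver error paths are mapped consistently.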