Skip to content

Upgrade libp2p TLS and DNS stack to clear remaining RustSec advisories #1690

Description

@hmzakhalid

Audit reference: R01

What can go wrong

After upgrading to libp2p 0.56.0, cargo audit still reports two advisories in hickory-proto 0.25.2: RUSTSEC-2026-0118 and RUSTSEC-2026-0119. The old ring 0.16 and rustls-webpki 0.101 advisory chain is gone.

When it happens

Hickory is pulled in by libp2p-dns 0.44. The advisories concern DNSSEC NSEC3 closest-encloser processing and quadratic DNS message encoding. The current build does not enable Hickory's DNSSEC feature, which limits exposure to the first path, but both records correctly remain visible in the locked graph.

What changed

The branch upgrades libp2p from 0.54.1 to 0.56.0, adapts its API changes, and validates QUIC, gossip, DHT, reconnect behavior, and mixed 0.54/0.56 peers. It does not force Hickory 0.26 into a dependency that requires the incompatible 0.25 line.

Why the change works

The upgrade safely removes three old transport advisories, but it cannot honestly close this issue: RUSTSEC-2026-0119 is fixed only in Hickory 0.26.1+, and released libp2p 0.56 still pins the 0.25 family. Closure should wait for a stable compatible libp2p release or an upstream backport, followed by the same interoperability and soak tests.

Checks

e3-net tests and strict Clippy pass, a four-node mixed-version QUIC/gossip/DHT drill passes, the full workspace suite passes, and the remaining audit result is exactly the two Hickory advisories above.

Metadata

Metadata

Assignees

No one assigned

    Labels

    blockedAn issue that is blocked by something.ciphernodeRelated to the ciphernode packagesecurityRelevant to security

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions