Commit: 2f26d91 · Finding: DEP-05 / TD-01 (merged)
Problem
cargo tree -d shows parallel RustCrypto stacks:
digest 0.10.7 + 0.11.0-rc.10
block-buffer 0.10.3 + 0.11.0
crypto-common 0.1.6 + 0.2.1
sha2 0.10.x + 0.11.x
chacha20 0.9.1 + 0.10.0
curve25519-dalek 4.1.3 + 5.0.0-pre.1
ed25519-dalek split likely via iroh-base
willow-crypto / willow-state use the stable 0.10.x stack (sha2, hmac, hkdf, curve25519-dalek 4), while willow-network transitively pulls the 0.11-rc stack through iroh 0.97.0 and ed25519-dalek 3.0.0-pre.1.
Impact: doubles binary size for these crates, doubles build time, doubles the audit surface for any future RustCrypto advisory. RC crates in a production dependency tree are a yellow flag.
Fix
Either (a) pin iroh to a stable release that tracks the 0.10 stack, or (b) migrate willow-crypto/willow-identity/willow-state onto the 0.11-rc stack once it's final. Track in a single upgrade plan so all crates flip together.
Obvious? No — depends on iroh release timing.
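Added example, not code from the finding or from the willow/iroh crates: a small Rust checker that parses `cargo tree -d` output, groups entries by crate name, and reports crates present under more than one version, marking any whose versions include a pre-release such as an `-rc` or `-pre` build. The tree text is a constructed sample, not captured from the workspace.

```rust
use std::collections::{BTreeMap, BTreeSet};

/// A crate that appears in the tree under more than one version.
pub struct Duplicate {
    pub name: String,
    pub versions: Vec<String>,
    pub has_prerelease: bool, // any version with a hyphen, e.g. 0.11.0-rc.10
}

/// Parse one `cargo tree` line into (name, version), skipping the tree
/// drawing characters and any trailing "(*)" / path annotation.
fn parse_line(line: &str) -> Option<(String, String)> {
    let cleaned = line.trim_start_matches(|c: char| "│├└─ ".contains(c));
    let mut parts = cleaned.split_whitespace();
    let name = parts.next()?;
    let version = parts.next()?.strip_prefix('v')?;
    Some((name.to_string(), version.to_string()))
}

/// Collect every `name vX.Y.Z` entry from `cargo tree -d` output and return
/// the crates seen with more than one distinct version, sorted by name.
pub fn find_duplicates(tree_output: &str) -> Vec<Duplicate> {
    let mut by_name: BTreeMap<String, BTreeSet<String>> = BTreeMap::new();
    for (name, version) in tree_output.lines().filter_map(parse_line) {
        by_name.entry(name).or_default().insert(version);
    }
    by_name
        .into_iter()
        .filter(|(_, v)| v.len() > 1)
        .map(|(name, versions)| Duplicate {
            has_prerelease: versions.iter().any(|v| v.contains('-')),
            name,
            versions: versions.into_iter().collect(),
        })
        .collect()
}

/// Constructed sample of `cargo tree -d` output (not captured from the real
/// workspace): two digest stacks, each with its own sha2, hmac on one side only.
pub const SAMPLE: &str = "\
digest v0.10.7
├── hmac v0.12.1
└── sha2 v0.10.8

digest v0.11.0-rc.10
└── sha2 v0.11.0
";
```

Running `find_duplicates` on the sample reports `digest` and `sha2` (each with two versions, `digest` flagged for the `-rc` build) and stays silent on `hmac`; piping real `cargo tree -d` output through it gives the same per-crate view the finding lists by hand.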