Upgrade deps to remove cargo deny exceptions

[tylerhawkes]

Upgrade dependencies to remove cargo-deny advisory exceptions

• Bumps multiple workspace dependencies including tokio to 1.50.0, alloy to 1.8, hyper to 1.9, http to 1.4, and wasm-bindgen to 0.2.116, and updates openmls-related git revisions.
• Removes two RUSTSEC advisory ignores from deny.toml for libcrux-ed25519 0.0.6 and libcrux-poly1305 0.0.4, which are resolved by the upgraded deps.
• Drops the reqwest-rustls-tls feature from alloy across xmtp_id and workspace-hack, replacing it with a direct reqwest dependency using rustls-no-provider.
• Adds CA certificates to the validation service Docker images (both Dockerfile and Nix musl builds) to support TLS verification at runtime.

^{Macroscope summarized d3be4bf.}

[tylerhawkes]

• Upgrade deps to remove cargo deny exceptions #3379 👈 (View in Graphite)
• main

---

How to use the Graphite Merge Queue

Add the label mergequeue to this PR to add it to the merge queue.

You must have a Graphite account in order to use the merge queue. Sign up using this link.

An organization admin has enabled the Graphite Merge Queue in this repository.

Please do not merge from GitHub as this will restart CI on PRs being processed by the merge queue.

This stack of pull requests is managed by Graphite. Learn more about stacking.

[claude]

Claude finished @tylerhawkes's task —— View job

---

Code Review - April 1, 2026 18:38 UTC

Critical Issue: Missing TLS Certificate Provider Configuration

The validation service crash reported by @insipx is directly caused by the TLS configuration changes in this PR. The issue is:

Root Cause: The workspace now uses reqwest with the rustls-no-provider feature (Cargo.toml:113), which explicitly disables automatic TLS provider initialization. This means applications must manually initialize a crypto provider, but the validation service doesn't do this.

The Problem:

• rustls-no-provider requires explicit provider initialization via rustls::crypto::ring::default_provider().install_default() or similar
• The local Dockerfile adds ca-certificates (dev/validation_service/local.Dockerfile:2), which is necessary but insufficient
• The Nix Docker image adds pkgs.cacert (nix/musl-docker.nix:33,42), also necessary but insufficient
• Neither addresses the missing crypto provider initialization in the application code

Required Fix:
The mls_validation_service application needs to initialize a crypto provider at startup. Add this to the beginning of main() in the validation service:

rustls::crypto::ring::default_provider()
    .install_default()
    .expect("Failed to install rustls crypto provider");

Or consider whether rustls-no-provider is the right choice. The alternative is to use the rustls-tls feature which auto-initializes the provider.

Additional Observations

Security Advisory Resolution: ✅ Successfully removes two cargo deny exceptions (RUSTSEC-2026-0075, RUSTSEC-2026-0073) by updating the openmls fork to a newer commit that includes libcrux fixes (deny.toml:7-11).

Dependency Updates: The broad dependency updates (alloy 1.3→1.8, tokio 1.47→1.50, uuid 1.12→1.23, etc.) appear well-coordinated. However:

• Major alloy version jump (1.3→1.8) could introduce behavioral changes - verify test coverage is adequate
• The removal of reqwest-rustls-tls feature from xmtp_id and xmtp_debug (crates/xmtp_id/Cargo.toml:21, apps/xmtp_debug/Cargo.toml:17) is consistent with the workspace-level switch to rustls-no-provider, but exposes the crypto provider initialization issue

Recommended Actions:

1. Fix the crypto provider initialization in mls_validation_service (blocking)
2. Search the codebase for other services/binaries that may need the same fix
3. Consider adding a test that validates TLS connections work in the validation service
4. Document the rationale for choosing rustls-no-provider over auto-initializing alternatives

---

[neekolas]

Nice!

[macroscopeapp]

Approvability

Verdict: Approved

Straightforward dependency upgrade PR that bumps multiple crate versions and removes security advisory exceptions by updating to fixed versions of libcrux packages. All changes are mechanical version bumps with no new runtime logic, and the author owns all modified files.

^{You can customize Macroscope's approvability policy. Learn more.}

[insipx]

the validation service failing to build is specific to this PR, from locally running just backend up and inspecting validation service logs with docker logs libxmtp-validation-1 I see this:

~/code/xmtp/workspaces/libxmtp/main jj/keep/d141c1ca9333f610aa35e6ac4520cab9a22d9994
❯ just backend up
evaluation warning: crane will use a placeholder value since `name` cannot be found in /nix/store/5fxzsl687i3q0waz7xxzxn4jy1ybqcg2-Cargo.toml
                    to silence this warning consider one of the following:
                    - setting `pname = "...";` in the derivation arguments explicitly
                    - setting `package.name = "..."` or `package.metadata.crane.name` = "..." or `workspace.metadata.crane.name` = "..." in the root Cargo.toml
                    - explicitly looking up the values from a different Cargo.toml via
                      `craneLib.crateNameFromCargoToml { cargoToml = ./path/to/Cargo.toml; }`

                    To find the source of this warning, rerun nix with:
                    `NIX_ABORT_ON_WARN=1 nix --option pure-eval false --show-trace ...`
[+] pull 13/13
 ✔ anvil                                          Skipped No image to be pulled                                                                                         0.0s
 ✔ Image ghcr.io/xmtp/mls-validation-service:main Skipped                                                                                                               0.0s
 ✔ Image ghcr.io/xmtp/message-history-server:main Pulled                                                                                                                0.2s
 ✔ Image postgres:16                              Pulled                                                                                                                0.4s
 ✔ Image ghcr.io/xmtp/xmtpd:v1.2.0                Pulled                                                                                                                0.3s
 ✔ Image envoyproxy/envoy:v1.35.0                 Pulled                                                                                                                0.4s
 ✔ Image ghcr.io/xmtp/node-go:main                Pulled                                                                                                                0.3s
 ✔ Image redis:7-alpine                           Pulled                                                                                                                0.4s
 ✔ Image ghcr.io/xmtp/xmtpd-gateway:v1.2.0        Pulled                                                                                                                0.3s
 ✔ Image postgres:13                              Pulled                                                                                                                0.4s
 ✔ Image ghcr.io/xmtp/xmtpd-cli:v1.2.0            Pulled                                                                                                                0.3s
 ✔ Image ghcr.io/xmtp/contracts:v2026.02.10-1     Pulled                                                                                                                0.3s
 ✔ Image ghcr.io/shopify/toxiproxy:2.12.0         Pulled                                                                                                                0.3s
detected nix validation image, skipping build
[+] Building 0.7s (11/11) FINISHED
 => [internal] load local bake definitions                                                                                                                             0.0s
 => => reading from stdin 620B                                                                                                                                         0.0s
 => [internal] load build definition from anvil.Dockerfile                                                                                                             0.0s
 => => transferring dockerfile: 170B                                                                                                                                   0.0s
 => resolve image config for docker-image://docker.io/docker/dockerfile:1.4                                                                                            0.2s
 => CACHED docker-image://docker.io/docker/dockerfile:1.4@sha256:9ba7531bd80fb0a858632727cf7a112fbfd19b17e94c4e84ced81e24ef1a0dbc                                      0.0s
 => [internal] load .dockerignore                                                                                                                                      0.0s
 => => transferring context: 2B                                                                                                                                        0.0s
 => [internal] load metadata for ghcr.io/foundry-rs/foundry:latest                                                                                                     0.2s
 => [auth] foundry-rs/foundry:pull token for ghcr.io                                                                                                                   0.0s
 => [1/2] FROM ghcr.io/foundry-rs/foundry@sha256:9e591221051112fe0bb530abcaba67f43f01ebbd12a94a8632d570d5e065a8bf                                                      0.0s
 => CACHED [2/2] WORKDIR /anvil                                                                                                                                        0.0s
 => exporting to image                                                                                                                                                 0.0s
 => => exporting layers                                                                                                                                                0.0s
 => => writing image sha256:7eb46db3e9e50541f82ffee7d4944efbca1542fdc1ba71112200c12c86a2eb11                                                                           0.0s
 => => naming to docker.io/library/libxmtp-anvil                                                                                                                       0.0s
 => resolving provenance for metadata file                                                                                                                             0.0s
[+] build 1/1
 ✔ Image libxmtp-anvil Built                                                                                                                                            0.7s
12d2fd38b320: Loading layer [==================================================>]  11.45MB/11.45MB
f003e077fcff: Loading layer [==================================================>]  10.24kB/10.24kB
The image ghcr.io/xmtp/mls-validation-service:main already exists, renaming the old one with ID sha256:bf4bbf2093d13eef9276027814d305a16bba0aa5aff9ebb1b72d847cad5c9451 to empty string
Loaded image: ghcr.io/xmtp/mls-validation-service:main
Loaded image: ghcr.io/xmtp/mls-validation-service:main
[+] up 14/15
 ✔ Container libxmtp-db-1                   Healthy                                                                                                                                                                                                                                                                                                 2.5s
 ✔ Container libxmtp-mlsdb-1                Healthy                                                                                                                                                                                                                                                                                                 2.5s
 ✔ Container libxmtp-replicationdb-1        Healthy                                                                                                                                                                                                                                                                                                 2.5s
 ✔ Container libxmtp-node-1                 Healthy                                                                                                                                                                                                                                                                                                 2.5s
 ✔ Container libxmtp-redis-1                Healthy                                                                                                                                                                                                                                                                                                 2.5s
 ✔ Container libxmtp-node-web-1             Healthy                                                                                                                                                                                                                                                                                                 2.5s
 ✔ Container libxmtp-anvil-1                Healthy                                                                                                                                                                                                                                                                                                 2.5s
 ✔ Container libxmtp-history-server-1       Healthy                                                                                                                                                                                                                                                                                                 2.5s
 ⠧ Container libxmtp-validation-1           Waiting                                                                                                                                                                                                                                                                                                 2.5s
 ✔ Container libxmtp-chain-1                Healthy                                                                                                                                                                                                                                                                                                 2.5s
 ✔ Container libxmtp-xmtpd-1                Healthy                                                                                                                                                                                                                                                                                                 2.5s
 ✔ Container libxmtp-toxiproxy-1            Healthy                                                                                                                                                                                                                                                                                                 2.5s
 ✔ Container libxmtp-gateway-1              Healthy                                                                                                                                                                                                                                                                                                 2.5s
 ✔ Container libxmtp-register-node-native-1 Exited                                                                                                                                                                                                                                                                                                  2.1s
 ✔ Container libxmtp-enable-node-native-1   Exited                                                                                                                                                                                                                                                                                                  1.5s
container libxmtp-validation-1 exited (139)
error: Recipe `_backend-up` failed with exit code 1
error: Recipe `backend` failed with exit code 1

~/code/xmtp/workspaces/libxmtp/main jj/keep/d141c1ca9333f610aa35e6ac4520cab9a22d9994 10s
❯ docker logs libxmtp-validation-1
2026-04-01T00:24:12.482642Z  INFO mls_validation_service: Version: 1.10.0-VERGEN_IDEMPOTENT_OUTPUT
2026-04-01T00:24:12.482656Z  INFO mls_validation_service: Starting validation service on port 50051
2026-04-01T00:24:12.482658Z  INFO mls_validation_service: Starting health check on port 50052
2026-04-01T00:24:12.482660Z  INFO mls_validation_service: Cache size: 10000
2026-04-01T00:24:12.482677Z  INFO mls_validation_service: Chain Urls: None

thread 'main' (1) panicked at /nix/store/eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee-vendor-cargo-deps/c19b7c6f923b580ac259164a89f2577984ad5ab09ee9d583b888f934adbbe8d0/reqwest-0.13.2/src/async_impl/client.rs:2478:38:
Client::new(): reqwest::Error { kind: Builder, source: General("No CA certificates were loaded from the system") }
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace

this pr also changes reqwest/tls deps so something expects CA cert but is not getting them

Dismissing prior approval to re-evaluate 52d5fb1

Dismissing prior approval to re-evaluate d3be4bf