refactor(grpc): remove unused PostgreSQL storage backend (-4 security advisories) #16
Open
hiq-lab wants to merge 1 commit into
Conversation
The 'postgres' feature flag in arvak-grpc has been opt-in since introduction and is enabled nowhere in the workspace. The compiled result: tokio-postgres is in Cargo.lock for reproducibility but 'cargo tree --invert tokio-postgres' confirms it is never actually built. Despite never being built, the locked transitive chain contributes 4 of the 11 advisories that have been failing CI's Security Audit job on main since 2026-06-13:

- RUSTSEC-2026-0097 rand 0.10.0 unsound with custom logger
- RUSTSEC-2026-0178 tokio-postgres DataRow panic (DoS)
- RUSTSEC-2026-0179 postgres-protocol unbounded SCRAM iter (DoS)
- RUSTSEC-2026-0180 postgres-protocol hstore decode panic (DoS)

We're paying real audit cost for dead code. Remove it.

Changes:
- Delete crates/arvak-grpc/src/storage/postgres.rs (534 LOC).
- Drop the 'postgres' feature and 'tokio-postgres' optional dep from Cargo.toml.
- Remove all #[cfg(feature = "postgres")] sites (lib.rs, storage/mod.rs) and any(feature = "sqlite", feature = "postgres") → feature = "sqlite".
- Drop the From<tokio_postgres::Error> for Error impl.
- Drop "postgres" from the validator in config.rs.
- README, config.example.yaml, .env.example — strip the postgres mentions in the storage-backend documentation.

SQLite remains as the persistent-storage option (feature-gated). If a PostgreSQL backend is needed later it can be reintroduced cleanly with a current tokio-postgres release.

Verified:
- cargo fmt --all clean.
- cargo check --workspace --exclude arvak-python green.
- cargo check -p arvak-grpc --all-features green.
- cargo test -p arvak-grpc --lib: 36 passed, 0 failed.
- Local cargo audit: 11 → 8 vulnerabilities, 5 → 4 warnings.
- Cargo.lock shrunk by 344 lines.

Remaining audit findings (out of scope for this PR):
- pyo3 0.28.2 × 2 (RUSTSEC-2026-0176, -0177) — patched in 0.28.3+, needs verification that a fixed release exists.
- rustls-webpki 0.101.7 + 0.103.10 × 3 each — pulled in transitively via aws-smithy → aws-sdk-* → arvak-adapter-braket. Fix path is bumping aws-sdk crates to versions with patched rustls-webpki.
This was referenced Jun 15, 2026
Summary
Removes the unused PostgreSQL storage backend from arvak-grpc. Net effect on the CI Security Audit: 11 → 8 vulnerabilities (−4 of the postgres-chain advisories) without changing any production behaviour, because the feature was enabled nowhere.
Why now
The Security Audit job on main has been failing since 2026-06-13 on 11 RUSTSEC advisories. Audit of the dependency tree showed that 4 of them — the entire PostgreSQL chain — come from code that is never built:

- The postgres feature in arvak-grpc has been opt-in since introduction.
- grep -r 'features.*postgres' --include='*.toml' across the whole workspace returned zero matches outside the feature's own declaration.
- cargo tree --invert tokio-postgres reports "did not match any packages" — confirming nothing builds against it.
- Despite that, optional deps stay in Cargo.lock for reproducibility, and cargo audit reads the lock file.

We were paying audit cost for dead code.
What changes
- Delete crates/arvak-grpc/src/storage/postgres.rs (534 LOC).
- Drop the postgres feature and the tokio-postgres optional dep from Cargo.toml.
- Remove the #[cfg(feature = "postgres")] sites in lib.rs, storage/mod.rs, and error.rs.
- Drop "postgres" from the storage-backend validator in config.rs.
- Strip the postgres mentions from README, config.example.yaml, and .env.example.
- MemoryStorage (default) and SqliteStorage (feature-gated) remain.

If a PostgreSQL backend is ever needed, a fresh implementation against a current tokio-postgres release is the right path.

Out of scope
- pyo3 ≥ 0.28.3 — needs version verification before bumping.
- rustls-webpki 0.101.7 and 0.103.10 (3 advisories per version). Pulled in transitively via aws-smithy → aws-sdk-* → arvak-adapter-braket. Fix path is bumping aws-sdk crates.

Both worth a separate PR each so each fix has clean blame.
Test plan
- cargo fmt --all clean
- cargo check --workspace --exclude arvak-python green
- cargo check -p arvak-grpc --all-features green
- cargo test -p arvak-grpc --lib: 36 passed, 0 failed
- cargo audit: 11 → 8 vulnerabilities, 5 → 4 warnings
- Cargo.lock shrunk by 344 lines (whole postgres + transitive chain gone)
🤖 Generated with Claude Code
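The commit message and the "Why now" section above both rest on one mechanism: cargo audit scans Cargo.lock, and the lock pins every optional dependency whether or not any enabled feature compiles it, so a crate can keep producing advisories while never being built. The script below is an added example, not code from the arvak project, this PR, or cargo-audit. It generalizes the one-crate check the PR did by hand with cargo tree --invert to the whole lock: given a Cargo.lock, the crate list that the enabled feature set actually compiles (as printed by cargo tree --workspace --prefix none), and a cargo audit --json report, it separates findings in compiled crates (need a version bump) from findings in lock-only crates (a dead dependency edge to remove, as this PR does for the postgres chain). All three inputs are constructed inline; the package versions other than rand 0.10.0, the EXAMPLE-BUILT-0001 advisory id, and the assumed shape of the audit JSON (vulnerabilities.list[].advisory.id plus .package.name/.version) are assumptions, not data from the page.

```python
"""Triage cargo-audit findings by whether the flagged crate is actually compiled.

Added example; not code from the arvak project, this PR, or cargo-audit.
Assumed inputs (all three constructed inline below):
  LOCK  - a Cargo.lock (v3 layout: [[package]] tables carrying name/version)
  TREE  - output of `cargo tree --workspace --prefix none`, one "name vX.Y.Z" per line
  AUDIT - `cargo audit --json`, assumed to carry
          {"vulnerabilities": {"list": [{"advisory": {"id": ...},
                                          "package": {"name": ..., "version": ...}}]}}
Versions other than rand 0.10.0 are placeholders, not values taken from the PR.
"""
import json
import re

LOCK = """\
version = 3

[[package]]
name = "arvak-grpc"
version = "0.1.0"
dependencies = [
 "rusqlite",
 "tokio-postgres",
]

[[package]]
name = "postgres-protocol"
version = "0.6.0"
dependencies = [
 "rand",
]

[[package]]
name = "rand"
version = "0.10.0"

[[package]]
name = "rusqlite"
version = "0.31.0"

[[package]]
name = "tokio-postgres"
version = "0.7.0"
dependencies = [
 "postgres-protocol",
]
"""

# With the optional 'postgres' feature off, cargo tree resolves only the sqlite side,
# yet the lock above still pins the whole postgres chain (constructed to mirror the PR).
TREE = """\
arvak-grpc v0.1.0
rusqlite v0.31.0
"""

AUDIT = json.dumps({"vulnerabilities": {"list": [
    {"advisory": {"id": "RUSTSEC-2026-0097"},
     "package": {"name": "rand", "version": "0.10.0"}},
    {"advisory": {"id": "RUSTSEC-2026-0178"},
     "package": {"name": "tokio-postgres", "version": "0.7.0"}},
    {"advisory": {"id": "EXAMPLE-BUILT-0001"},   # placeholder id: a finding in a compiled crate
     "package": {"name": "rusqlite", "version": "0.31.0"}},
]}})

_KV = re.compile(r'^(name|version)\s*=\s*"([^"]*)"\s*$')
_TREE = re.compile(r"^(\S+) v(\S+)")


def locked_packages(lock_text):
    """Every (name, version) pinned in Cargo.lock: exactly the set cargo audit scans."""
    pkgs, cur = set(), None
    for raw in lock_text.splitlines():
        line = raw.strip()
        if line == "[[package]]":
            cur = {}
        elif cur is not None and (m := _KV.match(line)):
            cur[m.group(1)] = m.group(2)
            if "name" in cur and "version" in cur:
                pkgs.add((cur["name"], cur["version"]))
    return pkgs


def built_packages(tree_text):
    """(name, version) pairs the enabled feature set actually compiles; '(*)' markers are ignored."""
    built = set()
    for line in tree_text.splitlines():
        if m := _TREE.match(line.strip()):
            built.add((m.group(1), m.group(2)))
    return built


def lock_only_packages(lock_text, tree_text):
    """Pinned but never compiled: removal candidates, like the postgres chain in this PR."""
    return locked_packages(lock_text) - built_packages(tree_text)


def triage(audit_json, tree_text):
    """Split findings into (built, lock_only) lists of (advisory id, name, version)."""
    built = built_packages(tree_text)
    hits_built, hits_lock_only = [], []
    for v in json.loads(audit_json)["vulnerabilities"]["list"]:
        key = (v["package"]["name"], v["package"]["version"])
        entry = (v["advisory"]["id"], *key)
        (hits_built if key in built else hits_lock_only).append(entry)
    return sorted(hits_built), sorted(hits_lock_only)


if __name__ == "__main__":
    built, lock_only = triage(AUDIT, TREE)
    print("needs a version bump (crate is compiled):")
    for adv, name, ver in built:
        print(f"  {adv}  {name} {ver}")
    print("remove the dead dependency edge (crate is lock-only):")
    for adv, name, ver in lock_only:
        print(f"  {adv}  {name} {ver}")
    print("lock-only packages:", sorted(lock_only_packages(LOCK, TREE)))
```

Two caveats when running this against a real workspace. First, the tree must be generated with the feature set CI actually builds (no --all-features), and with -e normal,build if dev-dependencies should not count as "built"; otherwise the comparison answers a different question. Second, a lock-only finding is not a false positive to silence with cargo audit --ignore: the advisory becomes real the moment someone enables the feature, so the fix is either to delete the edge (this PR) or to bump the crate, never to suppress the id.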