Update Key Rotation web-vault v2024.3.x (#4446 )

Key rotation was changed since 2024.1.x. Multiple other items were added to be rotated like password-reset and emergency-access data to be part of just one POST instead of having multiple. See: https://github.com/dani-garcia/bw_web_builds/pull/157
Update crates and some Clippy fixes (#4475 )
16 changed files with 534 additions and 226 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
--- a/Cargo.toml
+++ b/Cargo.toml
@ -67,11 +67,11 @@ dashmap = "5.5.3"

 # Async futures
 futures = "0.3.30"
-tokio = { version = "1.36.0", features = ["rt-multi-thread", "fs", "io-util", "parking_lot", "time", "signal"] }
+tokio = { version = "1.37.0", features = ["rt-multi-thread", "fs", "io-util", "parking_lot", "time", "signal"] }

 # A generic serialization/deserialization framework
 serde = { version = "1.0.197", features = ["derive"] }
-serde_json = "1.0.114"
+serde_json = "1.0.115"

 # A safe, extensible ORM and Query builder
 diesel = { version = "2.1.5", features = ["chrono", "r2d2", "numeric"] }
@ -89,8 +89,8 @@ ring = "0.17.8"
 uuid = { version = "1.8.0", features = ["v4"] }

 # Date and time libraries
-chrono = { version = "0.4.35", features = ["clock", "serde"], default-features = false }
-chrono-tz = "0.8.6"
+chrono = { version = "0.4.37", features = ["clock", "serde"], default-features = false }
+chrono-tz = "0.9.0"
 time = "0.3.34"

 # Job scheduler
@ -115,27 +115,27 @@ webauthn-rs = "0.3.2"
 url = "2.5.0"

 # Email libraries
-lettre = { version = "0.11.4", features = ["smtp-transport", "sendmail-transport", "builder", "serde", "tokio1-native-tls", "hostname", "tracing", "tokio1"], default-features = false }
+lettre = { version = "0.11.6", features = ["smtp-transport", "sendmail-transport", "builder", "serde", "tokio1-native-tls", "hostname", "tracing", "tokio1"], default-features = false }
 percent-encoding = "2.3.1" # URL encoding library used for URL's in the emails
 email_address = "0.2.4"

 # HTML Template library
-handlebars = { version = "5.1.0", features = ["dir_source"] }
+handlebars = { version = "5.1.2", features = ["dir_source"] }

 # HTTP client (Used for favicons, version check, DUO and HIBP API)
-reqwest = { version = "0.11.27", features = ["default-tls", "native-tls-alpn", "stream", "json", "gzip", "brotli", "socks", "cookies", "hickory-dns"], default-features = false}
+reqwest = { version = "0.12.3", features = ["native-tls-alpn", "stream", "json", "gzip", "brotli", "socks", "cookies", "hickory-dns"] }

 # Favicon extraction libraries
 html5gum = "0.5.7"
-regex = { version = "1.10.3", features = ["std", "perf", "unicode-perl"], default-features = false }
+regex = { version = "1.10.4", features = ["std", "perf", "unicode-perl"], default-features = false }
 data-url = "0.3.1"
-bytes = "1.5.0"
+bytes = "1.6.0"

 # Cache function results (Used for version check and favicon fetching)
 cached = { version = "0.49.2", features = ["async"] }

 # Used for custom short lived cookie jar during favicon extraction
-cookie = "0.18.0"
+cookie = "0.18.1"
 cookie_store = "0.21.0"

 # Used by U2F, JWT and PostgreSQL
@ -154,7 +154,7 @@ semver = "1.0.22"
 # Allow overriding the default memory allocator
 # Mainly used for the musl builds, since the default musl malloc is very slow
 mimalloc = { version = "0.1.39", features = ["secure"], default-features = false, optional = true }
-which = "6.0.0"
+which = "6.0.1"

 # Argon2 library with support for the PHC format
 argon2 = "0.5.3"
@ -205,14 +205,14 @@ unsafe_code = "forbid"
 non_ascii_idents = "forbid"

 # Deny
-future_incompatible = "deny"
+future_incompatible = { level = "deny", priority = -1 }
 noop_method_call = "deny"
 pointer_structural_match = "deny"
-rust_2018_idioms = "deny"
-rust_2021_compatibility = "deny"
+rust_2018_idioms = { level = "deny", priority = -1 }
+rust_2021_compatibility = { level = "deny", priority = -1 }
 trivial_casts = "deny"
 trivial_numeric_casts = "deny"
-unused = "deny"
+unused = { level = "deny", priority = -1 }
 unused_import_braces = "deny"
 unused_lifetimes = "deny"
 deprecated_in_future = "deny"
--- a/docker/DockerSettings.yaml
+++ b/docker/DockerSettings.yaml
@ -1,6 +1,6 @@
 ---
-vault_version: "v2024.1.2b"
-vault_image_digest: "sha256:798c0c893b6d16728878ff280b49da08863334d1f8dd88895580dc3dba622f08"
+vault_version: "v2024.3.1"
+vault_image_digest: "sha256:689b1e706f29e1858a5c7e0ec82e40fac793322e5e0ac9102ab09c2620207cd5"
 # Cross Compile Docker Helper Scripts v1.3.0
 # We use the linux/amd64 platform shell scripts since there is no difference between the different platform scripts
 xx_image_digest: "sha256:c9609ace652bbe51dd4ce90e0af9d48a4590f1214246da5bc70e46f6dd586edc"
--- a/docker/Dockerfile.alpine
+++ b/docker/Dockerfile.alpine
@ -18,15 +18,15 @@
 # - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
 #   click the tag name to view the digest of the image it currently points to.
 # - From the command line:
-#     $ docker pull docker.io/vaultwarden/web-vault:v2024.1.2b
-#     $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2024.1.2b
-#     [docker.io/vaultwarden/web-vault@sha256:798c0c893b6d16728878ff280b49da08863334d1f8dd88895580dc3dba622f08]
+#     $ docker pull docker.io/vaultwarden/web-vault:v2024.3.1
+#     $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2024.3.1
+#     [docker.io/vaultwarden/web-vault@sha256:689b1e706f29e1858a5c7e0ec82e40fac793322e5e0ac9102ab09c2620207cd5]
 #
 # - Conversely, to get the tag name from the digest:
-#     $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:798c0c893b6d16728878ff280b49da08863334d1f8dd88895580dc3dba622f08
-#     [docker.io/vaultwarden/web-vault:v2024.1.2b]
+#     $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:689b1e706f29e1858a5c7e0ec82e40fac793322e5e0ac9102ab09c2620207cd5
+#     [docker.io/vaultwarden/web-vault:v2024.3.1]
 #
-FROM --platform=linux/amd64 docker.io/vaultwarden/web-vault@sha256:798c0c893b6d16728878ff280b49da08863334d1f8dd88895580dc3dba622f08 as vault
+FROM --platform=linux/amd64 docker.io/vaultwarden/web-vault@sha256:689b1e706f29e1858a5c7e0ec82e40fac793322e5e0ac9102ab09c2620207cd5 as vault

 ########################## ALPINE BUILD IMAGES ##########################
 ## NOTE: The Alpine Base Images do not support other platforms then linux/amd64
--- a/docker/Dockerfile.debian
+++ b/docker/Dockerfile.debian
@ -18,15 +18,15 @@
 # - From https://hub.docker.com/r/vaultwarden/web-vault/tags,
 #   click the tag name to view the digest of the image it currently points to.
 # - From the command line:
-#     $ docker pull docker.io/vaultwarden/web-vault:v2024.1.2b
-#     $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2024.1.2b
-#     [docker.io/vaultwarden/web-vault@sha256:798c0c893b6d16728878ff280b49da08863334d1f8dd88895580dc3dba622f08]
+#     $ docker pull docker.io/vaultwarden/web-vault:v2024.3.1
+#     $ docker image inspect --format "{{.RepoDigests}}" docker.io/vaultwarden/web-vault:v2024.3.1
+#     [docker.io/vaultwarden/web-vault@sha256:689b1e706f29e1858a5c7e0ec82e40fac793322e5e0ac9102ab09c2620207cd5]
 #
 # - Conversely, to get the tag name from the digest:
-#     $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:798c0c893b6d16728878ff280b49da08863334d1f8dd88895580dc3dba622f08
-#     [docker.io/vaultwarden/web-vault:v2024.1.2b]
+#     $ docker image inspect --format "{{.RepoTags}}" docker.io/vaultwarden/web-vault@sha256:689b1e706f29e1858a5c7e0ec82e40fac793322e5e0ac9102ab09c2620207cd5
+#     [docker.io/vaultwarden/web-vault:v2024.3.1]
 #
-FROM --platform=linux/amd64 docker.io/vaultwarden/web-vault@sha256:798c0c893b6d16728878ff280b49da08863334d1f8dd88895580dc3dba622f08 as vault
+FROM --platform=linux/amd64 docker.io/vaultwarden/web-vault@sha256:689b1e706f29e1858a5c7e0ec82e40fac793322e5e0ac9102ab09c2620207cd5 as vault

 ########################## Cross Compile Docker Helper Scripts ##########################
 ## We use the linux/amd64 no matter which Build Platform, since these are all bash scripts
--- a/src/api/admin.rs
+++ b/src/api/admin.rs
@ -701,10 +701,7 @@ async fn diagnostics(_token: AdminToken, ip_header: IpHeader, mut conn: DbConn)
    let (latest_release, latest_commit, latest_web_build) =
        get_release_info(has_http_access, running_within_container).await;

-    let ip_header_name = match &ip_header.0 {
-        Some(h) => h,
-        _ => "",
-    };
+    let ip_header_name = &ip_header.0.unwrap_or_default();

    let diagnostics_json = json!({
        "dns_resolved": dns_resolved,
@ -717,8 +714,8 @@ async fn diagnostics(_token: AdminToken, ip_header: IpHeader, mut conn: DbConn)
        "running_within_container": running_within_container,
        "container_base_image": if running_within_container { container_base_image() } else { "Not applicable" },
        "has_http_access": has_http_access,
-        "ip_header_exists": &ip_header.0.is_some(),
-        "ip_header_match": ip_header_name == CONFIG.ip_header(),
+        "ip_header_exists": !ip_header_name.is_empty(),
+        "ip_header_match": ip_header_name.eq(&CONFIG.ip_header()),
        "ip_header_name": ip_header_name,
        "ip_header_config": &CONFIG.ip_header(),
        "uses_proxy": uses_proxy,
--- a/src/api/core/accounts.rs
+++ b/src/api/core/accounts.rs
@ -438,24 +438,46 @@ async fn post_kdf(data: JsonUpcase<ChangeKdfData>, headers: Headers, mut conn: D
 #[derive(Deserialize)]
 #[allow(non_snake_case)]
 struct UpdateFolderData {
-    Id: String,
+    // There is a bug in 2024.3.x which adds a `null` item.
+    // To bypass this we allow a Option here, but skip it during the updates
+    // See: https://github.com/bitwarden/clients/issues/8453
+    Id: Option<String>,
    Name: String,
 }

+#[derive(Deserialize)]
+#[allow(non_snake_case)]
+struct UpdateEmergencyAccessData {
+    Id: String,
+    KeyEncrypted: String,
+}
+
+#[derive(Deserialize)]
+#[allow(non_snake_case)]
+struct UpdateResetPasswordData {
+    OrganizationId: String,
+    ResetPasswordKey: String,
+}
+
 use super::ciphers::CipherData;
+use super::sends::{update_send_from_data, SendData};

 #[derive(Deserialize)]
 #[allow(non_snake_case)]
 struct KeyData {
    Ciphers: Vec<CipherData>,
    Folders: Vec<UpdateFolderData>,
+    Sends: Vec<SendData>,
+    EmergencyAccessKeys: Vec<UpdateEmergencyAccessData>,
+    ResetPasswordKeys: Vec<UpdateResetPasswordData>,
    Key: String,
-    PrivateKey: String,
    MasterPasswordHash: String,
+    PrivateKey: String,
 }

 #[post("/accounts/key", data = "<data>")]
 async fn post_rotatekey(data: JsonUpcase<KeyData>, headers: Headers, mut conn: DbConn, nt: Notify<'_>) -> EmptyResult {
+    // TODO: See if we can wrap everything within a SQL Transaction. If something fails it should revert everything.
    let data: KeyData = data.into_inner().data;

    if !headers.user.check_valid_password(&data.MasterPasswordHash) {
@ -472,37 +494,83 @@ async fn post_rotatekey(data: JsonUpcase<KeyData>, headers: Headers, mut conn: D

    // Update folder data
    for folder_data in data.Folders {
-        let mut saved_folder = match Folder::find_by_uuid(&folder_data.Id, &mut conn).await {
-            Some(folder) => folder,
-            None => err!("Folder doesn't exist"),
+        // Skip `null` folder id entries.
+        // See: https://github.com/bitwarden/clients/issues/8453
+        if let Some(folder_id) = folder_data.Id {
+            let mut saved_folder = match Folder::find_by_uuid(&folder_id, &mut conn).await {
+                Some(folder) => folder,
+                None => err!("Folder doesn't exist"),
+            };
+
+            if &saved_folder.user_uuid != user_uuid {
+                err!("The folder is not owned by the user")
+            }
+
+            saved_folder.name = folder_data.Name;
+            saved_folder.save(&mut conn).await?
+        }
+    }
+
+    // Update emergency access data
+    for emergency_access_data in data.EmergencyAccessKeys {
+        let mut saved_emergency_access = match EmergencyAccess::find_by_uuid(&emergency_access_data.Id, &mut conn).await
+        {
+            Some(emergency_access) => emergency_access,
+            None => err!("Emergency access doesn't exist"),
        };

-        if &saved_folder.user_uuid != user_uuid {
-            err!("The folder is not owned by the user")
+        if &saved_emergency_access.grantor_uuid != user_uuid {
+            err!("The emergency access is not owned by the user")
        }

-        saved_folder.name = folder_data.Name;
-        saved_folder.save(&mut conn).await?
+        saved_emergency_access.key_encrypted = Some(emergency_access_data.KeyEncrypted);
+        saved_emergency_access.save(&mut conn).await?
+    }
+
+    // Update reset password data
+    for reset_password_data in data.ResetPasswordKeys {
+        let mut user_org =
+            match UserOrganization::find_by_user_and_org(user_uuid, &reset_password_data.OrganizationId, &mut conn)
+                .await
+            {
+                Some(reset_password) => reset_password,
+                None => err!("Reset password doesn't exist"),
+            };
+
+        user_org.reset_password_key = Some(reset_password_data.ResetPasswordKey);
+        user_org.save(&mut conn).await?
+    }
+
+    // Update send data
+    for send_data in data.Sends {
+        let mut send = match Send::find_by_uuid(send_data.Id.as_ref().unwrap(), &mut conn).await {
+            Some(send) => send,
+            None => err!("Send doesn't exist"),
+        };
+
+        update_send_from_data(&mut send, send_data, &headers, &mut conn, &nt, UpdateType::None).await?;
    }

    // Update cipher data
    use super::ciphers::update_cipher_from_data;

    for cipher_data in data.Ciphers {
-        let mut saved_cipher = match Cipher::find_by_uuid(cipher_data.Id.as_ref().unwrap(), &mut conn).await {
-            Some(cipher) => cipher,
-            None => err!("Cipher doesn't exist"),
-        };
+        if cipher_data.OrganizationId.is_none() {
+            let mut saved_cipher = match Cipher::find_by_uuid(cipher_data.Id.as_ref().unwrap(), &mut conn).await {
+                Some(cipher) => cipher,
+                None => err!("Cipher doesn't exist"),
+            };

-        if saved_cipher.user_uuid.as_ref().unwrap() != user_uuid {
-            err!("The cipher is not owned by the user")
-        }
+            if saved_cipher.user_uuid.as_ref().unwrap() != user_uuid {
+                err!("The cipher is not owned by the user")
+            }

-        // Prevent triggering cipher updates via WebSockets by settings UpdateType::None
-        // The user sessions are invalidated because all the ciphers were re-encrypted and thus triggering an update could cause issues.
-        // We force the users to logout after the user has been saved to try and prevent these issues.
-        update_cipher_from_data(&mut saved_cipher, cipher_data, &headers, false, &mut conn, &nt, UpdateType::None)
-            .await?
+            // Prevent triggering cipher updates via WebSockets by settings UpdateType::None
+            // The user sessions are invalidated because all the ciphers were re-encrypted and thus triggering an update could cause issues.
+            // We force the users to logout after the user has been saved to try and prevent these issues.
+            update_cipher_from_data(&mut saved_cipher, cipher_data, &headers, false, &mut conn, &nt, UpdateType::None)
+                .await?
+        }
    }

    // Update user data
--- a/src/api/core/ciphers.rs
+++ b/src/api/core/ciphers.rs
@ -205,7 +205,7 @@ pub struct CipherData {
    // Folder id is not included in import
    FolderId: Option<String>,
    // TODO: Some of these might appear all the time, no need for Option
-    OrganizationId: Option<String>,
+    pub OrganizationId: Option<String>,

    Key: Option<String>,

--- a/src/api/core/mod.rs
+++ b/src/api/core/mod.rs
@ -191,14 +191,17 @@ fn version() -> Json<&'static str> {
 #[get("/config")]
 fn config() -> Json<Value> {
    let domain = crate::CONFIG.domain();
-    let feature_states = parse_experimental_client_feature_flags(&crate::CONFIG.experimental_client_feature_flags());
+    let mut feature_states =
+        parse_experimental_client_feature_flags(&crate::CONFIG.experimental_client_feature_flags());
+    // Force the new key rotation feature
+    feature_states.insert("key-rotation-improvements".to_string(), true);
    Json(json!({
        // Note: The clients use this version to handle backwards compatibility concerns
        // This means they expect a version that closely matches the Bitwarden server version
        // We should make sure that we keep this updated when we support the new server features
        // Version history:
        // - Individual cipher key encryption: 2023.9.1
-        "version": "2023.9.1",
+        "version": "2024.2.0",
        "gitHash": option_env!("GIT_REV"),
        "server": {
          "name": "Vaultwarden",
--- a/src/api/core/organizations.rs
+++ b/src/api/core/organizations.rs
@ -2247,7 +2247,7 @@ impl GroupRequest {
    }

    pub fn update_group(&self, mut group: Group) -> Group {
-        group.name = self.Name.clone();
+        group.name.clone_from(&self.Name);
        group.access_all = self.AccessAll.unwrap_or(false);
        // Group Updates do not support changing the external_id
        // These input fields are in a disabled state, and can only be updated/added via ldap_import
--- a/src/api/core/sends.rs
+++ b/src/api/core/sends.rs
@ -49,7 +49,7 @@ pub async fn purge_sends(pool: DbPool) {

 #[derive(Deserialize)]
 #[allow(non_snake_case)]
-struct SendData {
+pub struct SendData {
    Type: i32,
    Key: String,
    Password: Option<String>,
@ -65,6 +65,9 @@ struct SendData {
    Text: Option<Value>,
    File: Option<Value>,
    FileLength: Option<NumberOrString>,
+
+    // Used for key rotations
+    pub Id: Option<String>,
 }

 /// Enforces the `Disable Send` policy. A non-owner/admin user belonging to
@ -549,6 +552,19 @@ async fn put_send(
        None => err!("Send not found"),
    };

+    update_send_from_data(&mut send, data, &headers, &mut conn, &nt, UpdateType::SyncSendUpdate).await?;
+
+    Ok(Json(send.to_json()))
+}
+
+pub async fn update_send_from_data(
+    send: &mut Send,
+    data: SendData,
+    headers: &Headers,
+    conn: &mut DbConn,
+    nt: &Notify<'_>,
+    ut: UpdateType,
+) -> EmptyResult {
    if send.user_uuid.as_ref() != Some(&headers.user.uuid) {
        err!("Send is not owned by user")
    }
@ -557,6 +573,12 @@ async fn put_send(
        err!("Sends can't change type")
    }

+    if data.DeletionDate > Utc::now() + TimeDelta::try_days(31).unwrap() {
+        err!(
+            "You cannot have a Send with a deletion date that far into the future. Adjust the Deletion Date to a value less than 31 days from now and try again."
+        );
+    }
+
    // When updating a file Send, we receive nulls in the File field, as it's immutable,
    // so we only need to update the data field in the Text case
    if data.Type == SendType::Text as i32 {
@ -569,11 +591,6 @@ async fn put_send(
        send.data = data_str;
    }

-    if data.DeletionDate > Utc::now() + TimeDelta::try_days(31).unwrap() {
-        err!(
-            "You cannot have a Send with a deletion date that far into the future. Adjust the Deletion Date to a value less than 31 days from now and try again."
-        );
-    }
    send.name = data.Name;
    send.akey = data.Key;
    send.deletion_date = data.DeletionDate.naive_utc();
@ -591,17 +608,11 @@ async fn put_send(
        send.set_password(Some(&password));
    }

-    send.save(&mut conn).await?;
-    nt.send_send_update(
-        UpdateType::SyncSendUpdate,
-        &send,
-        &send.update_users_revision(&mut conn).await,
-        &headers.device.uuid,
-        &mut conn,
-    )
-    .await;
-
-    Ok(Json(send.to_json()))
+    send.save(conn).await?;
+    if ut != UpdateType::None {
+        nt.send_send_update(ut, send, &send.update_users_revision(conn).await, &headers.device.uuid, conn).await;
+    }
+    Ok(())
 }

 #[delete("/sends/<id>")]
--- a/src/api/notifications.rs
+++ b/src/api/notifications.rs
@ -289,7 +289,7 @@ fn serialize(val: Value) -> Vec<u8> {

 fn serialize_date(date: NaiveDateTime) -> Value {
    let seconds: i64 = date.and_utc().timestamp();
-    let nanos: i64 = date.timestamp_subsec_nanos().into();
+    let nanos: i64 = date.and_utc().timestamp_subsec_nanos().into();
    let timestamp = nanos << 34 | seconds;

    let bs = timestamp.to_be_bytes();
--- a/src/auth.rs
+++ b/src/auth.rs
@ -4,7 +4,7 @@ use chrono::{TimeDelta, Utc};
 use num_traits::FromPrimitive;
 use once_cell::sync::{Lazy, OnceCell};

-use jsonwebtoken::{self, errors::ErrorKind, Algorithm, DecodingKey, EncodingKey, Header};
+use jsonwebtoken::{errors::ErrorKind, Algorithm, DecodingKey, EncodingKey, Header};
 use openssl::rsa::Rsa;
 use serde::de::DeserializeOwned;
 use serde::ser::Serialize;
@ -391,10 +391,8 @@ impl<'r> FromRequest<'r> for Host {

            let host = if let Some(host) = headers.get_one("X-Forwarded-Host") {
                host
-            } else if let Some(host) = headers.get_one("Host") {
-                host
            } else {
-                ""
+                headers.get_one("Host").unwrap_or_default()
            };

            format!("{protocol}://{host}")
--- a/src/db/models/cipher.rs
+++ b/src/db/models/cipher.rs
@ -431,7 +431,7 @@ impl Cipher {
        }
        if let Some(ref org_uuid) = self.organization_uuid {
            if let Some(cipher_sync_data) = cipher_sync_data {
-                return cipher_sync_data.user_group_full_access_for_organizations.get(org_uuid).is_some();
+                return cipher_sync_data.user_group_full_access_for_organizations.contains(org_uuid);
            } else {
                return Group::is_in_full_access_group(user_uuid, org_uuid, conn).await;
            }
--- a/src/db/models/emergency_access.rs
+++ b/src/db/models/emergency_access.rs
@ -174,7 +174,7 @@ impl EmergencyAccess {
        // Update the grantee so that it will refresh it's status.
        User::update_uuid_revision(self.grantee_uuid.as_ref().expect("Error getting grantee"), conn).await;
        self.status = status;
-        self.updated_at = date.to_owned();
+        date.clone_into(&mut self.updated_at);

        db_run! {conn: {
            crate::util::retry(|| {
@ -192,7 +192,7 @@ impl EmergencyAccess {
        conn: &mut DbConn,
    ) -> EmptyResult {
        self.last_notification_at = Some(date.to_owned());
-        self.updated_at = date.to_owned();
+        date.clone_into(&mut self.updated_at);

        db_run! {conn: {
            crate::util::retry(|| {
--- a/src/util.rs
+++ b/src/util.rs
@ -520,7 +520,7 @@ pub fn container_base_image() -> &'static str {
 use std::fmt;

 use serde::de::{self, DeserializeOwned, Deserializer, MapAccess, SeqAccess, Visitor};
-use serde_json::{self, Value};
+use serde_json::Value;

 pub type JsonMap = serde_json::Map<String, Value>;