Accepting request 1120657 from home:firstyear:branches:devel:languages:rust

- Update to version 0.18.3~git0.3544515: * Bump version * Populate changelog * Update the `fix` subcommand to the new API * Fix deadlock on missing lockfile * build(deps): bump regex from 1.9.5 to 1.10.2 * Update rustsec changelog * Configure `gix` with `max-performance-safe` feature * feat: let `Severity` implement `Hash` * Bump rustsec version to 0.28.3 * Bump date * Changelog for 0.28.3 * fix typo * fix typo * Update rustsec/src/repository/git/repository.rs * Expand documentation on locking * build(deps): bump webpki from 0.22.1 to 0.22.2 * Correctly classify only lock timeout errors as LockTimeout, not all lock-related errors * cargo fmt * Use Result instead of an unwrap() * Fix DB directory locking * Regenerate Cargo.lock * Add comment * Migrade rustsec-admin to tame-index 0.7 * bump gix version in admin too * cargo fmt * Switch from Git-compatible locks to OS locks in database checkout * Purge gix lock to rustsec error conversion; I am removing gix locks * Only create LockTimeout error variant from tame-index locks * cargo fmt OBS-URL: https://build.opensuse.org/request/show/1120657 OBS-URL: https://build.opensuse.org/package/show/devel:languages:rust/cargo-audit?expand=0&rev=31
2023-10-27 04:46:40 +00:00 · 2023-10-27 04:46:40 +00:00 · 820694bb37
commit 820694bb37
parent 13b5370678
8 changed files with 283 additions and 9 deletions
--- a/2
+++ b/2
@ -3,7 +3,7 @@
    <param name="url">https://github.com/RustSec/rustsec.git</param>
    <param name="versionformat">@PARENT_TAG@~git@TAG_OFFSET@.%h</param>
    <param name="scm">git</param>
-    <param name="revision">cargo-audit/v0.17.5</param>
+    <param name="revision">cargo-audit/v0.18.3</param>
    <param name="match-tag">cargo-audit*</param>
    <param name="versionrewrite-pattern">.*v(\d+\.\d+\.\d+)</param>
    <param name="versionrewrite-replacement">\1</param>
--- a/2
+++ b/2
@ -1,4 +1,4 @@
 <servicedata>
 <service name="tar_scm">
                <param name="url">https://github.com/RustSec/rustsec.git</param>
-              <param name="changesrevision">dc8ec71098bd202c9e1177329f512173a4ffa029</param></service></servicedata>
+              <param name="changesrevision">3544515990b09441ecc12df8d0291bc6f23d3d30</param></service></servicedata>
--- a/cargo-audit.changes
+++ b/cargo-audit.changes
@ -1,3 +1,277 @@
+-------------------------------------------------------------------
+Fri Oct 27 03:17:26 UTC 2023 - william.brown@suse.com
+
+- Update to version 0.18.3~git0.3544515:
+  * Bump version
+  * Populate changelog
+  * Update the `fix` subcommand to the new API
+  * Fix deadlock on missing lockfile
+  * build(deps): bump regex from 1.9.5 to 1.10.2
+  * Update rustsec changelog
+  * Configure `gix` with `max-performance-safe` feature
+  * feat: let `Severity` implement `Hash`
+  * Bump rustsec version to 0.28.3
+  * Bump date
+  * Changelog for 0.28.3
+  * fix typo
+  * fix typo
+  * Update rustsec/src/repository/git/repository.rs
+  * Expand documentation on locking
+  * build(deps): bump webpki from 0.22.1 to 0.22.2
+  * Correctly classify only lock timeout errors as LockTimeout, not all lock-related errors
+  * cargo fmt
+  * Use Result instead of an unwrap()
+  * Fix DB directory locking
+  * Regenerate Cargo.lock
+  * Add comment
+  * Migrade rustsec-admin to tame-index 0.7
+  * bump gix version in admin too
+  * cargo fmt
+  * Switch from Git-compatible locks to OS locks in database checkout
+  * Purge gix lock to rustsec error conversion; I am removing gix locks
+  * Only create LockTimeout error variant from tame-index locks
+  * cargo fmt
+  * Update docs
+  * regenerate Cargo.lock
+  * Initial conversion to tame-index 0.7.1. Compiles but untested.
+  * Bump admin version
+  * Populate changelog for admin
+  * Update Clippy to fix useless warnings
+  * admin: use `gix` max-performance-safe instead of max-performance
+  * configure `gix` for best performance
+  * Bump version to 0.18.2
+  * thanks clippy
+  * Populate changelog for cargo-audit
+  * Require rustsec 0.28.2 in cargo-audit to fix RUSTSEC-2023-0064
+  * change edition to 2021
+  * Use tame-index which switches `rustsec-admin` to `gix`.
+  * Bump version to 0.28.2
+  * Populate changelog
+  * Drop hyperlinks to gix in documentation because we don't have the necessary features enabled. Temporary hack to unblock a release with a security fix
+  * Fix up code to deal with API changes
+  * Bump tame-index, explicitly depend on `gix` to enable the necessary features
+  * Fix error reporting on stale lockfile
+  * build(deps): bump termcolor from 1.2.0 to 1.3.0 (#1009)
+  * build(deps): bump chrono from 0.4.30 to 0.4.31
+  * build(deps): bump xml-rs from 0.8.17 to 0.8.18
+  * Fix `deny = ["warnings"]` being ignored (#995)
+  * rustsec-admin 0.8.7 (#998)
+  * Additional information in advisory content (#997)
+  * build(deps): bump chrono from 0.4.29 to 0.4.30
+  * commit Cargo.lock
+  * bump rustsec crate to 0.28.1
+  * bump tame-index version requirement to 0.5.5, it contains the HTTP/2 change
+  * Populate changelog
+  * cargo fmt
+  * Do not require http2 when establishing the connection
+  * build(deps): bump chrono from 0.4.27 to 0.4.29
+  * Appease clippy
+  * Do not re-lookup packages that are already cached
+  * build(deps): bump regex from 1.9.4 to 1.9.5
+  * build(deps): bump xml-rs from 0.8.16 to 0.8.17
+  * build(deps): bump actions/checkout from 3 to 4
+  * review feedback: reduce boilerplate
+  * replace feature default, with v3 and std
+  * make 'cargo test --no-default-features' run without errors
+  * Add manual trigger mechanism to release workflow
+  * Drop remaining 'fix' features
+  * cargo-audit v0.18.1 (#981)
+  * Release workflow: don't enable `fix` and `vendored-openssl` features
+  * Bump versions
+  * Fill in release date in changelogs
+  * commit Cargo.lock
+  * bump rustsec requirement in admin
+  * Commit Cargo.lock
+  * bump cargo-audit version to 0.18.0-rc.1
+  * Bump rustsec to 0.28.0-rc.1
+  * Mention `fix` feature not being converted in changelog
+  * Fill in cargo-audit changelog
+  * build(deps): bump time from 0.3.27 to 0.3.28
+  * build(deps): bump chrono from 0.4.26 to 0.4.27
+  * build(deps): bump url from 2.4.0 to 2.4.1
+  * build(deps): bump regex from 1.9.3 to 1.9.4
+  * Exclude auto-generation scripts from the published package
+  * Ignore the file downloaded by the regeneration script
+  * Bump `platforms` version
+  * Add myself to authors, I've built out the whole autogeneration infrastructure
+  * Re-run the generation script
+  * Bring back the hyperlinks in README.md
+  * Automatically regenerate the table of known platforms in README
+  * Turn links into hyperlinks to stop recent rustdoc from complaining (#965)
+  * Bump version
+  * Regenerate platforms crate
+  * Bump MSRV in README.md
+  * Add another PR
+  * Also filter warnings by binary type in `cargo audit bin`
+  * fix build
+  * Add `affected` field to warnings in `rustsec` so that we could enable platform filtering in `cargo audit bin`
+  * Correctly state MSRV in changelog
+  * Populate changelog for the rustsec crate
+  * remove redundant clone as advised by clippy
+  * placate clippy
+  * placate clippy
+  * Cargo fmt
+  * Add more methods to CommitHash
+  * Add forgotten file
+  * WIP wrapper for gix::ObjectId
+  * cargo fmt
+  * Do not expose `toml` types through the public API
+  * Drop `toml` crate from the public API as well
+  * Drop unused Error conversion impl
+  * Add a TODO
+  * Slightly better doc comments
+  * Do not expose gix types in the Error public API
+  * Use a private function for converting from tame_index::Error to rustsec::Error
+  * don't pub use gix, we do not want it to leak into the public API
+  * cargo fmt
+  * Put import at the top to fix doc links
+  * Feature-gate tame_inxed import
+  * cargo fmt
+  * Fix build
+  * build(deps): bump time from 0.3.26 to 0.3.27
+  * build(deps): bump tame-index from 0.5.3 to 0.5.4
+  * cargo fmt
+  * Handle #[non_exhaustive] enum from tame-index
+  * Fix remaining discrepancies
+  * WIP conversion to tame-index 0.5.x and gix 0.52.x
+  * Fix unknown license handling (#956)
+  * Print the GHSA URL for GHSA advisories, take 2
+  * Revert "Print the GHSA URL for GHSA advisories"
+  * Print the GHSA URL for GHSA advisories
+  * Expose License type
+  * Rename license variants
+  * Implement license + url
+  * Bump hermit-abi to move away from a yanked version
+  * Bump rustls-webpki to resolve RUSTSEC-2023-0053
+  * build(deps): bump regex from 1.9.1 to 1.9.3
+  * build(deps): bump toml from 0.7.5 to 0.7.6
+  * build(deps): bump regex from 1.8.4 to 1.9.1
+  * build(deps): bump time from 0.3.25 to 0.3.26
+  * Regenerate Cargo.lock
+  * Use native certificates for TLS
+  * build(deps): bump petgraph from 0.6.3 to 0.6.4
+  * build(deps): bump tame-index from 0.4.0 to 0.4.1
+  * Document locking considerations
+  * More consistent status printing
+  * cargo fmt
+  * Warn before waiting on crates.io cache locks. Verbose but cannot be expressed via a higher-order function, and macros would make it much worse.
+  * Add lock timeout parameter to open() and fetch()
+  * Split creating a new remote index into a separate function in preparation for more complex logic around it
+  * Add a comment
+  * Drop manual map_err now that the conversion is implemented on rustsec::Error
+  * cargo fmt made the code more succinct for once, drop my comment complaining about verbosity
+  * cargo fmt
+  * Convert from lock error rather than from its immutable borrow
+  * Implement From conversions for LockTimeout error variant, since we will need to reuse it
+  * build(deps): bump tame-index from 0.3.1 to 0.4.0
+  * Fix doc links
+  * More clear documentation
+  * Less esoteric pattern matching
+  * silence unused variable warnings
+  * Convert cargo-audit to use explicit locking
+  * Update docs to match code
+  * Drop unused import
+  * Create a separate error kind for lock timeouts, and expose configurable lock timeouts from the advanced fetching function only
+  * Fix docs
+  * cargo fmt
+  * Provide a rationale for the bulk API
+  * Hide index implementation details and remove the performance pitfall of calling is_yanked on individual packages
+  * Migrate check_for_yanked_crates() to the bulk API
+  * cargo fmt
+  * Do not short-cirquit on index update failure
+  * Rework bulk yank-checking code to report errors granularly instead of short-cirquiting on first error it encounters
+  * Transparently populate cache from `find_yanked`
+  * Documentation tweaks
+  * Even more caching for even faster CI
+  * Fix intra-doc links
+  * Explicitly document locking considerations
+  * Revert "Re-enable self-audit"
+  * Re-unify CI matrix, fulfilling a TODO
+  * Attempt to fix CI by explicitly generating the lockfile
+  * Re-enable self-audit
+  * Dummy commit to trigger a CI re-run
+  * Add rust-cache job properly now
+  * Revert "Add Rust-specific caching job to see if that speeds up CI"
+  * Dummy commit to trigger a CI re-run
+  * Add Rust-specific caching job to see if that speeds up CI
+  * Switch rustsec crate CI back to MSRV to see what happens
+  * Drop --release from rustsec CI, the tests execute really quickly in debug mode
+  * No need to reimplement CmdRunner::default() now that binary scanning is a default feature
+  * Drop the --release flag so that the compilation artifacts could be reused - Abscissa doesn't seem to have an option to run acceptance tests with `cargo run --release`
+  * Switch to Rust 1.71.0 for select jobs
+  * Placate both versions of rustfmt
+  * cargo fmt
+  * build(deps): bump semver from 1.0.17 to 1.0.18
+  * Add a TODO
+  * Re-add some of the comments
+  * Normalize time offsets to UTC
+  * Justify clippy opt-out
+  * Undo autoformat
+  * Finish up transition to gix
+  * WIP
+  * build(deps): bump xml-rs from 0.8.14 to 0.8.16
+  * Ignore clippy lint
+  * Checkpoint
+  * Update error message
+  * Use `AsyncRemoteSparseIndex::krates_blocking`
+  * Oops
+  * Make sparse index cache population parallel
+  * Fix remaining lints
+  * Make public
+  * Fix lint
+  * Allow clippy lint
+  * Bump CI
+  * Bump MSRV to 1.67.0
+  * Transition from `crates-index` -> `tame-index`
+  * build(deps): bump atom_syndication from 0.12.1 to 0.12.2 (#921)
+  * Add license and attribution fields to advisories
+  * rustsec-admin 0.8.6 (#915)
+  * Case-insensitive search on website
+  * build(deps): bump rust-embed from 6.7.0 to 6.8.1 (#909)
+  * Cargo.lock: bump dependencies (#908)
+  * build(deps): bump toml from 0.7.3 to 0.7.5 (#904)
+  * build(deps): bump crates-index from 0.19.8 to 0.19.13 (#903)
+  * cargo-lock: MSRV 1.65 (#907)
+  * build(deps): bump openssl from 0.10.52 to 0.10.55 (#906)
+  * cargo-audit+rustsec: MSRV 1.65 (#905)
+  * build(deps): bump chrono from 0.4.24 to 0.4.25 (#894)
+  * Fix edge case in git source dependency resolution
+  * Update cargo-audit changelog
+  * Update rustsec crate changelog
+  * commit Cargo.lock version bump
+  * Bump rustsec version following the cargo-lock bump
+  * 🔥 Remove $ from install snippet on README (#879)
+  * Cargo.lock: update dependencies (#876)
+  * Bump `cargo-lock` to v0.9 + auditable deps (#875)
+  * build(deps): bump home from 0.5.4 to 0.5.5 (#874)
+  * build(deps): bump atom_syndication from 0.12.0 to 0.12.1 (#851)
+  * build(deps): bump softprops/action-gh-release (#852)
+  * build(deps): bump rust-embed from 6.6.0 to 6.6.1 (#849)
+  * build(deps): bump crates-index from 0.19.7 to 0.19.8 (#864)
+  * cargo-lock v9.0.0 (#870)
+  * Fix docs build (#871)
+  * Fix review comments
+  * Various improvements to the "cargo-lock tree" subcommand
+  * Fix is_default_registry for sparse index (#859)
+  * Remove build script for platforms, it's now unused (#856)
+  * build(deps): bump comrak from 0.16.0 to 0.18.0
+  * Link to rustsec/audit-check (#854)
+  * Fix formatting to `cargo fmt` spec.
+  * Fix #736 - Cargo audit self advisories repeated
+  * build(deps): bump openssl from 0.10.47 to 0.10.48
+  * build(deps): bump semver from 1.0.16 to 1.0.17
+  * cargo fmt
+  * Wrap binfarce::Format in our own struct to make `binfarce` an optional dependency
+  * placate clippy
+  * cargo fmt
+  * Fix no-default-features compilation by making binfarce an unconditional dependency
+  * Start fixing up compilation with no default features
+  * Expand TODO
+  * Fix filtering by binary type but this makes the dependency on binfarce unconditional (for now)
+  * Add a FIXME explaining why it's not working
+  * wire up filtering by binary type
+  * Initial code for binary-type-based filtering; not wired up yet
+
 -------------------------------------------------------------------
 Mon Mar 27 02:52:07 UTC 2023 - william.brown@suse.com

--- a/cargo-audit.spec
+++ b/cargo-audit.spec
@ -20,7 +20,7 @@
 %global workspace_name rustsec

 Name:           cargo-audit
-Version:        0.17.5~git0.dc8ec71
+Version:        0.18.3~git0.3544515
 Release:        0
 Summary:        Audit rust sources for known security vulnerabilities
 License:        ( 0BSD OR MIT OR Apache-2.0 ) AND ( Apache-2.0 OR BSL-1.0 ) AND ( Apache-2.0 OR MIT ) AND ( MIT OR Zlib OR Apache-2.0 ) AND ( Unlicense OR MIT ) AND ( Zlib OR Apache-2.0 OR MIT ) AND Apache-2.0 AND BSD-2-Clause AND BSD-3-Clause AND CC0-1.0 AND MIT AND MPL-2.0 AND MPL-2.0+
--- a/2
+++ b/2
@ -2,4 +2,4 @@
 replace-with = "vendored-sources"

 [source.vendored-sources]
-directory = "vendor"
+directory = "vendor"
--- a/rustsec-0.17.5~git0.dc8ec71.tar.zst
+++ b/rustsec-0.17.5~git0.dc8ec71.tar.zst
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:3f8ed1a9bff3ba6ce78d5e28d9628cf6a3beaf94beece863322f5fb59b198ceb
-size 631148
--- a/rustsec-0.18.3~git0.3544515.tar.zst
+++ b/rustsec-0.18.3~git0.3544515.tar.zst
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ee3041f9f14a6ad6b4c5ee6371440fd3c2e73992cf6a0ad5f333018920647619
+size 648872
--- a/vendor.tar.zst
+++ b/vendor.tar.zst
@ -1,3 +1,3 @@
 version https://git-lfs.github.com/spec/v1
-oid sha256:7b0ea9d085b1cf141333bf5da7c448ad073dbaaaca5b0edb8bf6023b5037bb92
-size 51430453
+oid sha256:ccaa6f850c29638d559fee370017f5b9422f2e2549602eca0426ec3ff78a8333
+size 40885456