Fri Oct 27 03:17:26 UTC 2023 - william.brown@suse.com
- Update to version 0.18.3~git0.3544515:
* Bump version
* Populate changelog
* Update the `fix` subcommand to the new API
* Fix deadlock on missing lockfile
* build(deps): bump regex from 1.9.5 to 1.10.2
* Update rustsec changelog
* Configure `gix` with `max-performance-safe` feature
* feat: let `Severity` implement `Hash`
* Bump rustsec version to 0.28.3
* Bump date
* Changelog for 0.28.3
* fix typo
* fix typo
* Update rustsec/src/repository/git/repository.rs
* Expand documentation on locking
* build(deps): bump webpki from 0.22.1 to 0.22.2
* Correctly classify only lock timeout errors as LockTimeout, not all lock-related errors
* cargo fmt
* Use Result instead of an unwrap()
* Fix DB directory locking
* Regenerate Cargo.lock
* Add comment
* Migrate rustsec-admin to tame-index 0.7
* bump gix version in admin too
* cargo fmt
* Switch from Git-compatible locks to OS locks in database checkout
* Purge gix lock to rustsec error conversion; I am removing gix locks
* Only create LockTimeout error variant from tame-index locks
* cargo fmt
* Update docs
* regenerate Cargo.lock
* Initial conversion to tame-index 0.7.1. Compiles but untested.
* Bump admin version
* Populate changelog for admin
* Update Clippy to fix useless warnings
* admin: use `gix` max-performance-safe instead of max-performance
* configure `gix` for best performance
* Bump version to 0.18.2
* thanks clippy
* Populate changelog for cargo-audit
* Require rustsec 0.28.2 in cargo-audit to fix RUSTSEC-2023-0064
* change edition to 2021
* Use tame-index which switches `rustsec-admin` to `gix`.
* Bump version to 0.28.2
* Populate changelog
* Drop hyperlinks to gix in documentation because we don't have the necessary features enabled. Temporary hack to unblock a release with a security fix
* Fix up code to deal with API changes
* Bump tame-index, explicitly depend on `gix` to enable the necessary features
* Fix error reporting on stale lockfile
* build(deps): bump termcolor from 1.2.0 to 1.3.0 (#1009)
* build(deps): bump chrono from 0.4.30 to 0.4.31
* build(deps): bump xml-rs from 0.8.17 to 0.8.18
* Fix `deny = ["warnings"]` being ignored (#995)
* rustsec-admin 0.8.7 (#998)
* Additional information in advisory content (#997)
* build(deps): bump chrono from 0.4.29 to 0.4.30
* commit Cargo.lock
* bump rustsec crate to 0.28.1
* bump tame-index version requirement to 0.5.5, it contains the HTTP/2 change
* Populate changelog
* cargo fmt
* Do not require http2 when establishing the connection
* build(deps): bump chrono from 0.4.27 to 0.4.29
* Appease clippy
* Do not re-lookup packages that are already cached
* build(deps): bump regex from 1.9.4 to 1.9.5
* build(deps): bump xml-rs from 0.8.16 to 0.8.17
* build(deps): bump actions/checkout from 3 to 4
* review feedback: reduce boilerplate
* replace feature default, with v3 and std
* make 'cargo test --no-default-features' run without errors
* Add manual trigger mechanism to release workflow
* Drop remaining 'fix' features
* cargo-audit v0.18.1 (#981)
* Release workflow: don't enable `fix` and `vendored-openssl` features
* Bump versions
* Fill in release date in changelogs
* commit Cargo.lock
* bump rustsec requirement in admin
* Commit Cargo.lock
* bump cargo-audit version to 0.18.0-rc.1
* Bump rustsec to 0.28.0-rc.1
* Mention `fix` feature not being converted in changelog
* Fill in cargo-audit changelog
* build(deps): bump time from 0.3.27 to 0.3.28
* build(deps): bump chrono from 0.4.26 to 0.4.27
* build(deps): bump url from 2.4.0 to 2.4.1
* build(deps): bump regex from 1.9.3 to 1.9.4
* Exclude auto-generation scripts from the published package
* Ignore the file downloaded by the regeneration script
* Bump `platforms` version
* Add myself to authors, I've built out the whole autogeneration infrastructure
* Re-run the generation script
* Bring back the hyperlinks in README.md
* Automatically regenerate the table of known platforms in README
* Turn links into hyperlinks to stop recent rustdoc from complaining (#965)
* Bump version
* Regenerate platforms crate
* Bump MSRV in README.md
* Add another PR
* Also filter warnings by binary type in `cargo audit bin`
* fix build
* Add `affected` field to warnings in `rustsec` so that we could enable platform filtering in `cargo audit bin`
* Correctly state MSRV in changelog
* Populate changelog for the rustsec crate
* remove redundant clone as advised by clippy
* placate clippy
* placate clippy
* Cargo fmt
* Add more methods to CommitHash
* Add forgotten file
* WIP wrapper for gix::ObjectId
* cargo fmt
* Do not expose `toml` types through the public API
* Drop `toml` crate from the public API as well
* Drop unused Error conversion impl
* Add a TODO
* Slightly better doc comments
* Do not expose gix types in the Error public API
* Use a private function for converting from tame_index::Error to rustsec::Error
* don't pub use gix, we do not want it to leak into the public API
* cargo fmt
* Put import at the top to fix doc links
* Feature-gate tame_index import
* cargo fmt
* Fix build
* build(deps): bump time from 0.3.26 to 0.3.27
* build(deps): bump tame-index from 0.5.3 to 0.5.4
* cargo fmt
* Handle #[non_exhaustive] enum from tame-index
* Fix remaining discrepancies
* WIP conversion to tame-index 0.5.x and gix 0.52.x
* Fix unknown license handling (#956)
* Print the GHSA URL for GHSA advisories, take 2
* Revert "Print the GHSA URL for GHSA advisories"
* Print the GHSA URL for GHSA advisories
* Expose License type
* Rename license variants
* Implement license + url
* Bump hermit-abi to move away from a yanked version
* Bump rustls-webpki to resolve RUSTSEC-2023-0053
* build(deps): bump regex from 1.9.1 to 1.9.3
* build(deps): bump toml from 0.7.5 to 0.7.6
* build(deps): bump regex from 1.8.4 to 1.9.1
* build(deps): bump time from 0.3.25 to 0.3.26
* Regenerate Cargo.lock
* Use native certificates for TLS
* build(deps): bump petgraph from 0.6.3 to 0.6.4
* build(deps): bump tame-index from 0.4.0 to 0.4.1
* Document locking considerations
* More consistent status printing
* cargo fmt
* Warn before waiting on crates.io cache locks. Verbose but cannot be expressed via a higher-order function, and macros would make it much worse.
* Add lock timeout parameter to open() and fetch()
* Split creating a new remote index into a separate function in preparation for more complex logic around it
* Add a comment
* Drop manual map_err now that the conversion is implemented on rustsec::Error
* cargo fmt made the code more succinct for once, drop my comment complaining about verbosity
* cargo fmt
* Convert from lock error rather than from its immutable borrow
* Implement From conversions for LockTimeout error variant, since we will need to reuse it
* build(deps): bump tame-index from 0.3.1 to 0.4.0
* Fix doc links
* More clear documentation
* Less esoteric pattern matching
* silence unused variable warnings
* Convert cargo-audit to use explicit locking
* Update docs to match code
* Drop unused import
* Create a separate error kind for lock timeouts, and expose configurable lock timeouts from the advanced fetching function only
* Fix docs
* cargo fmt
* Provide a rationale for the bulk API
* Hide index implementation details and remove the performance pitfall of calling is_yanked on individual packages
* Migrate check_for_yanked_crates() to the bulk API
* cargo fmt
* Do not short-circuit on index update failure
* Rework bulk yank-checking code to report errors granularly instead of short-circuiting on first error it encounters
* Transparently populate cache from `find_yanked`
* Documentation tweaks
* Even more caching for even faster CI
* Fix intra-doc links
* Explicitly document locking considerations
* Revert "Re-enable self-audit"
* Re-unify CI matrix, fulfilling a TODO
* Attempt to fix CI by explicitly generating the lockfile
* Re-enable self-audit
* Dummy commit to trigger a CI re-run
* Add rust-cache job properly now
* Revert "Add Rust-specific caching job to see if that speeds up CI"
* Dummy commit to trigger a CI re-run
* Add Rust-specific caching job to see if that speeds up CI
* Switch rustsec crate CI back to MSRV to see what happens
* Drop --release from rustsec CI, the tests execute really quickly in debug mode
* No need to reimplement CmdRunner::default() now that binary scanning is a default feature
* Drop the --release flag so that the compilation artifacts could be reused - Abscissa doesn't seem to have an option to run acceptance tests with `cargo run --release`
* Switch to Rust 1.71.0 for select jobs
* Placate both versions of rustfmt
* cargo fmt
* build(deps): bump semver from 1.0.17 to 1.0.18
* Add a TODO
* Re-add some of the comments
* Normalize time offsets to UTC
* Justify clippy opt-out
* Undo autoformat
* Finish up transition to gix
* WIP
* build(deps): bump xml-rs from 0.8.14 to 0.8.16
* Ignore clippy lint
* Checkpoint
* Update error message
* Use `AsyncRemoteSparseIndex::krates_blocking`
* Oops
* Make sparse index cache population parallel
* Fix remaining lints
* Make public
* Fix lint
* Allow clippy lint
* Bump CI
* Bump MSRV to 1.67.0
* Transition from `crates-index` -> `tame-index`
* build(deps): bump atom_syndication from 0.12.1 to 0.12.2 (#921)
* Add license and attribution fields to advisories
* rustsec-admin 0.8.6 (#915)
* Case-insensitive search on website
* build(deps): bump rust-embed from 6.7.0 to 6.8.1 (#909)
* Cargo.lock: bump dependencies (#908)
* build(deps): bump toml from 0.7.3 to 0.7.5 (#904)
* build(deps): bump crates-index from 0.19.8 to 0.19.13 (#903)
* cargo-lock: MSRV 1.65 (#907)
* build(deps): bump openssl from 0.10.52 to 0.10.55 (#906)
* cargo-audit+rustsec: MSRV 1.65 (#905)
* build(deps): bump chrono from 0.4.24 to 0.4.25 (#894)
* Fix edge case in git source dependency resolution
* Update cargo-audit changelog
* Update rustsec crate changelog
* commit Cargo.lock version bump
* Bump rustsec version following the cargo-lock bump
* 🔥 Remove $ from install snippet on README (#879)
* Cargo.lock: update dependencies (#876)
* Bump `cargo-lock` to v0.9 + auditable deps (#875)
* build(deps): bump home from 0.5.4 to 0.5.5 (#874)
* build(deps): bump atom_syndication from 0.12.0 to 0.12.1 (#851)
Wed Nov 09 00:01:18 UTC 2022 - william.brown@suse.com
- Update to version 0.17.4~git0.0b05e18:
* Set 0.17.4 date in changelog
* Bump `cargo-audit` to 0.17.4
* Update documentation for 0.17.4; `cargo audit bin` is now officially enabled by default
* Fix homepage style on mobile (#755)
* Add comment
* Only attempt to check for yanked crates for crates coming from crates.io
* Remove an unused import
* placate Clippy
* cargo fmt
* Fix #747 in `cargo-audit` instead, and don't silence errors that occur during checking for yanked crates
* Revert "Only check if a package is yanked if it comes from crates.io; fixes #747" This is a significant behavioral change that should only come with a semver bump
* Add tests validating yank behavior so that #747 can't regress again
* Only check if a package is yanked if it comes from crates.io; fixes #747
* Add a test fixture depending on a yanked crate
* Consolidate CODE_OF_CONDUCT.d files into one; switch to Rust code of conduct (#751)
* list-affected-versions: Also print the crate in question
* Bump crates-index from 0.16.5 to 0.16.6
* Fix doc comments
* Added docs
* Clean up the code and commit stuff I forgot to add to git
* Implement list-affected-versions subcommand, works fine with current DB
* Add list-affected-versions subcommand stub
* Clarify error message
* Update the crates.io index if not up to date
* Drop ureq dependency
* cargo fmt
* Better error reporting
* Initial untested attempt to get rid of crates.io API querying completely
* Comment, thanks Alex
* cargo fmt
* Fix crates.io API interaction
* Ditched crates_io_api crate, did the same thing with ureq. Gets rid of tokio and a whole lot of other deps. Fixes breakage due to the recent crates.io API breakage, and prevents similar breakage in the future
* Add new exit status for errors (#368)
* Bump git2 from 0.13.18 to 0.13.19 (#365)
* cargo-lock: add support for V3 format (#363)
* cvss v1.0.3 (#362)
* CI: gate workflow execution for PRs on changed files
* cvss: fixups
* Update CI badges
* Add some tier 3 targets
* Workspace CI configuration
* Update repo urls in Cargo.toml files
* README.md: add new toplevel one for workspace
* platforms: sync with Rust platform support documentation
* CI configuration
* Wire up Cargo workspace
* cargo-audit: prepare for merge into RustSec monorepo
* rustsec: prepare for merge into RustSec monorepo
* platforms: prepare for merge into RustSec monorepo
* cvss: prepare for merge into RustSec monorepo
* rustsec-admin: prepare for merge into RustSec monorepo
* rustsec-admin: prepare for merge into RustSec monorepo
* Web: Add pages per package (#143)
* v0.4.2 (#142)
* web: Add back an Atom feed for advisories (#140)
* Cargo.lock: bump dependencies (#136)
* Upgrade to GitHub-native Dependabot (#134)
* v0.4.1 (#135)
* Display more information on the website (#133)
* Upgrade to GitHub-native Dependabot (#344)
* Vendor OpenSSL for arm and musl builds (#343)
* Bump git2 from 0.13.17 to 0.13.18 (#314)
* Bump crates-index from 0.16.3 to 0.16.5 (#313)
* Bump comrak from 0.9.1 to 0.10.0 (#129)
* Fix typo in comments about mips64. (#36)
* Bump rustsec from 0.23.2 to 0.23.3 (#128)
* v0.23.3 (#310)
* Workaround for stale git refs (#309)
* Bump rustsec from 0.23.0 to 0.23.2 (#127)
* v0.23.2 (#308)
* Rename advisory-db `master` branch to `main` (#307)
* CI: use actions-rs/audit-check for self-audit (#306)
* Cargo.lock: bump dependencies (#305)
* v0.4.0 (#126)
* v0.3.5 (#124)
* Use rust-embed for static assets (#122)
* Add argument to change where website is outputted (#123)
* v0.23.1 (#301)
* Bump url from 2.2.0 to 2.2.1 (#98)
* Fix parsing error on windows (#295)
* Cargo.lock: bump deps (#296)
* Bump comrak from 0.9.0 to 0.9.1 (#116)
* Use a fully Rust based solution for rendering web page (#115)
* v0.3.4 (#113)
* Bump `rustsec` crate to v0.23 (#112)
* v0.23.0 (#292)
* Cargo.toml: dependency cleanups (#291)
* Add `thread-safety` category (#290)
* Rename default branch to `main` (#289)
* v1.0.1 (#15)
* Rename default branch to `main` (#14)
* Cargo.lock: bump deps (#288)
* v6.0.1 (#96)
* Rename CI workflow (#95)
* Rename default branch to `main` (#94)
* Cargo.lock: bump deps (#93)
* Bump semver-parser from 0.10.0 to 0.10.2 (#280)
* v0.3.3 (#106)
* Cargo.lock: bump dependencies (#105)
* Rename `master` branch to `main` (#104)
* CI config improvements (#103)
* assigner: fix "new year's" bug (#102)
* Bump handlebars from 3.5.1 to 3.5.2 (#101)
* Bump platforms from 1.0.3 to 1.1.0 (#279)
* v1.1.0 (#35)
* Rename default branch to `main` (#34)
* Rename GH Actions workflow to "CI" (#33)
* Update README platform list using table gen
* Add aarch64-apple-darwin, a.k.a. Apple Silicon macOS
* Bump serde from 1.0.117 to 1.0.118 (#88)
* Bump toml from 0.5.7 to 0.5.8 (#89)
* v0.3.2 (#97)
* Bump `rustsec` crate to v0.23.0-pre (#96)
* v0.23.0-pre (#272)
* Rename `repository::GitRepository` to `repository::git::Repository` (#271)
* Rename `fetch` Cargo feature to `git` (#270)
* Use `SystemTime` instead of a `git::Timestamp` type (#269)
* Add support for omitting leading `[advisory]` table (#268)
* Mark enums as non_exhaustive (#267)
* Re-add advisory `references` as a URL list (#266)
* Replace `chrono` with `humantime` (#265)
* Bump `smol_str` to v0.1.17; MSRV 1.46+ (#264)
* Use `url` crate to parse metadata URL (#263)
* Remove `markdown` feature (#262)
* Bump termcolor from 1.1.0 to 1.1.1 (#94)
* Rename `references` to `related` (#261)
* Bump once_cell from 1.5.1 to 1.5.2 (#259)
* Bump crates-index from 0.16.0 to 0.16.2 (#260)
* Bump once_cell from 1.5.0 to 1.5.1 (#92)
* Cargo.lock: bump deps (#258)
* Bump once_cell from 1.4.1 to 1.5.1 (#257)
* .github: rename CI workflow to "CI" (#256)
* Bump once_cell from 1.4.1 to 1.5.0 (#91)
* Bump serde from 1.0.116 to 1.0.117 (#86)
* Bump url from 2.1.1 to 2.2.0 (#87)
* Bump platforms from 1.0.2 to 1.0.3 (#252)
* v1.0.3 (#30)
* fix Platform::guess_current to use actual target architecture (#29)
* v0.3.1 (#89)
* Bump `rustsec` crate to v0.22.2 (#88)
* v0.22.2 (#250)
* Revert "Refactor Advisory type handling (#246)" (#249)
* Cargo.lock: bump dependencies (#248)
* Cargo.lock: bump dependencies (#87)
* v0.22.1 (#247)
* Refactor Advisory type handling (#246)
* Bump handlebars from 3.5.0 to 3.5.1 (#84)
* Bump toml from 0.5.6 to 0.5.7 (#85)
* v0.3.0 (#86)
* Bump `rustsec` crate dependency to v0.22 (#83)
* v0.22.0 (#245)
* Bump `cargo-lock` to v6; `semver` to v0.11 (#244)
* Remove more V2 advisory format vestiges (#243)
* Remove support for the V2 advisory format (#242)
* v0.3.0-pre3 (#82)
* assign-id: fix TOML front matter parsing (#81)
* v0.3.0-pre2 (#80)
* Attempt to fix `assign-id` command (#79)
* v0.22.0-pre3 (#241)
* advisory: mark the `parser` module as `pub` (#240)
* Bump thiserror from 1.0.20 to 1.0.21 (#74)
* Bump rustsec from 0.22.0-pre to 0.22.0-pre2 (#78)