Accepting request 1251916 from devel:languages:rust

OBS-URL: https://build.opensuse.org/request/show/1251916
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/cargo-audit?expand=0&rev=25

_service

@@ -3,8 +3,8 @@
     <param name="url">https://github.com/RustSec/rustsec.git</param>
     <param name="versionformat">@PARENT_TAG@~git@TAG_OFFSET@.%h</param>
     <param name="scm">git</param>
-    <!-- <param name="revision">cargo-audit/v0.20.0</param> -->
+    <param name="revision">cargo-audit/v0.21.2</param>
-    <param name="revision">main</param>
+    <!-- <param name="revision">main</param> -->
     <param name="match-tag">cargo-audit/v*</param>
     <param name="versionrewrite-pattern">.*v(\d+\.\d+\.\d+)</param>
     <param name="versionrewrite-replacement">\1</param>
@@ -20,7 +20,7 @@
   <service name="cargo_vendor" mode="disabled">
      <param name="srcdir">rustsec</param>
      <param name="compression">zst</param>
-     <param name="update">false</param>
+     <param name="update">true</param>
      <param name="i-accept-the-risk">RUSTSEC-2024-0019</param>
   </service>
   <service name="cargo_audit" mode="disabled">

_servicedata

@@ -1,4 +1,4 @@
 <servicedata>
 <service name="tar_scm">
                 <param name="url">https://github.com/RustSec/rustsec.git</param>
-              <param name="changesrevision">972ac9329076e2e6347a8324dc95ec4cc35561a1</param></service></servicedata>
+              <param name="changesrevision">18e58c28d9e6a542a167f19057c97554ec9b845f</param></service></servicedata>

cargo-audit.changes

@@ -1,3 +1,147 @@
+-------------------------------------------------------------------
+Tue Mar 04 00:49:12 UTC 2025 - william.brown@suse.com
+
+- Update to version 0.21.2~git0.18e58c2:
+  * Bump date in changelog
+  * Reference the incompat issue in changelogs
+  * Populate cargo-audit changelog
+  * Bump cargo-audit version
+  * bump rustsec version requirement in Cargo.toml
+  * Populate changelog for rustsec
+  * bump rustsec crate to 0.30.2
+  * build(deps): bump tame-index from 0.18.0 to 0.18.1
+  * Bump tame-index to 0.18 to gain support for Rust 1.85
+  * Suppress Clippy complaint
+  * Update MSRV in Cargo.toml files
+  * Try 1.73 MSRV to see if that fixes cvss crate
+  * Don't bump MSRV on crates that don't depend on gix
+  * bluntly bump the MSRV to 1.81 as it seems to be required by `tame-index`s dependencies.
+  * update `gix` to v0.70 and `tame-index` index to 0.17.
+  * Cargo.lock: bump Abscissa to v0.8.2 (#1326)
+  * Temporarily ignore RUSTSEC-2025-0001 (#1325)
+
+-------------------------------------------------------------------
+Tue Feb 04 00:59:28 UTC 2025 - william.brown@suse.com
+
+- Remove 0001-Skip-warnings.patch
+- Update to version 0.21.1~git0.bd6fb0f:
+  * bump cargo-audit version in cargo toml, I forgot
+  * Bump minor version of cargo-lock according to the msrv policy of the crate
+  * Populate changelogs
+  * Bump versions of crates to be published
+  * Documentation tweaks
+  * Move binary scanning into its own top-level module, improve documentation
+  * More informative doc strings on BinaryFormat variants
+  * Fix conditional compilation by always exposing binary format struct in rustsec
+  * cfg-out binary format type only available with binary scanning enabled
+  * Remove binary scanning from rustsec default features
+  * Correctly pass through the binary-scanning feature to rustsec crate
+  * Do not assert in tests that there are no vulnerabilities in our own Cargo.lock
+  * lower cargo-lock MSRV to 1.73, that's all that our locked dependencies require
+  * Bump cargo-lock MSRV to 1.74 following the bump in dependency versions
+  * Bump other dependencies with vulns, preserving MSRV
+  * Upgrade url crate to fix self-audit issue
+  * cargo fmt
+  * Comment out hanging test
+  * allow(lint) for allow(lint), how deep does the rabbit hole go?
+  * Fix typo
+  * Don't fail the build if something in acceptance test code is missing documentation
+  * Suppress useless warnings that break the build due to deny(warnings)
+  * fix: formatting for `*.rs` files
+  * style: simplify some statements for readability
+  * cargo fmt
+  * Fix handling of the database.fetch option
+  * fix(cargo-lock): normalize everything for git-ref in dependencies
+  * test(cargo-lock): show tag in dependencies is not normalized
+  * test(cargo-lock): show branch in dependencies is normalized
+  * test(cargo-lock): make lockfile loading inline
+  * update
+  * move binary-scanning to rustsec api
+  * Additionnal clippy and fmt fixes
+  * Make cargo-audit's binary_deps module public
+  * Do not serialize schema version as 'null' if not set to fix OSV JSON schema compliance
+  * Fix links to CVSS calculator
+  * Wording tweak in README
+  * Document recursive scanning recipe in README.md
+  * Nicer link
+  * Document the changes for 0.20.1
+  * Populate cargo-audit v0.21 changelog
+  * Commit Cargo.lock changes
+  * Bump platforms to v3.5.0 following #1278
+  * chore: regenerate platform support and bump to platforms@3.4.2
+
+-------------------------------------------------------------------
+Tue Jan  7 00:30:30 UTC 2025 - William Brown <william.brown@suse.com>
+
+- add 0001-Skip-warnings.patch to allow building on rust 1.83
+
+-------------------------------------------------------------------
+Wed Oct 30 01:07:51 UTC 2024 - william.brown@suse.com
+
+- Update to version 0.21.0~git0.78f9859:
+  * cargo-audit v0.21.0 (#1277)
+  * README.md(s): fix crate badges (#1276)
+  * rustsec v0.30.0 (#1275)
+  * Cargo.lock: bump dependencies (#1274)
+  * Cargo.toml: bump `cargo-lock` to v10.0.1 (#1272)
+  * cargo-lock v10.0.1 (#1271)
+  * cargo-lock: fix issue with v4 lockfiles (#1270)
+  * cargo-audit v0.21.0-rc.0 (#1267)
+  * rustsec v0.30.0-rc.1 (#1266)
+  * Cargo.toml(s): fix `repository` links (#1265)
+  * cargo-lock v10.0.0 (#1264)
+  * cargo-lock: use `doc_auto_cfg` (#1263)
+  * cargo-audit: bump `abscissa` to v0.8 (#1262)
+  * Bump auditable-extract in Cargo.lock for the WASM bugfix
+  * build(deps): bump actions/cache from 4.1.0 to 4.1.1 (#1259)
+  * V4 is supported now (#1260)
+  * rustsec v0.30.0-rc.0 (#1258)
+  * cargo-lock v10.0.0-rc.0 (#1257)
+  * cargo-lock: add support for V4 lockfiles (#1206)
+  * Cargo.lock: bump dependencies (#1256)
+  * build(deps): bump actions/cache from 4.0.2 to 4.1.0 (#1252)
+  * bump gix to 0.66 and fwe others (#1251)
+  * .github: install target in release workflow
+  * build(deps): bump regex from 1.10.5 to 1.10.6 (#1234)
+  * build(deps): bump xml-rs from 0.8.20 to 0.8.21 (#1236)
+  * cargo-audit: make `cargo-lock` a hard dependency (#1239)
+  * build(deps): bump tame-index from 0.13.0 to 0.13.1
+  * cargo-audit v0.21.0-pre.0 (#1233)
+  * rustsec v0.30.0-pre.0 (#1232)
+  * Bump `gix` => v0.64; `tame-index` => v0.13 (#1230)
+  * rustsec: fix test name (#1231)
+  * Bump `auditable-info` => 0.8; `auditable-serde` => v0.7 (#1229)
+  * Use cargo-lock v10.0.0-pre.0 branch for `auditable-serde` (#1228)
+  * cargo-lock v10.0.0-pre.0 (#1227)
+  * cargo-lock: remove `toml` from the public API (#1226)
+  * Bump `toml` to v0.8 (#1225)
+  * Bump versions to prepare for breaking changes (#1224)
+  * CI: re-enable self-audit (#1223)
+  * Cargo.lock: bump dependencies (#1222)
+  * build(deps): bump actions/cache from 4.0.1 to 4.0.2 (#1154)
+  * build(deps): bump xml-rs from 0.8.19 to 0.8.20 (#1163)
+  * build(deps): bump rust-embed from 8.4.0 to 8.5.0 (#1210)
+  * build(deps): bump tame-index from 0.12.0 to 0.12.2 (#1215)
+  * rustsec: re-enable happy path test (#1221)
+  * build(deps): bump regex from 1.10.4 to 1.10.5 (#1199)
+  * build(deps): bump gix-attributes from 0.22.2 to 0.22.3 (#1220)
+  * build(deps): bump mio from 0.8.10 to 0.8.11 (#1219)
+  * rustsec: Rust 1.80 fixes (#1218)
+  * deps: bump libc from 0.2.153 to 0.2.155 (#1197)
+  * build(deps): bump url from 2.5.0 to 2.5.2 (#1201)
+  * build(deps): bump softprops/action-gh-release from 2.0.5 to 2.0.8 (#1214)
+  * chore: leverage workspace inheritance (#1209)
+  * chore: cargo fmt
+  * tweak help to still show default
+  * feat(cli): Honor CARGO_TERM_COLOR if found for cargo-audit
+  * chore: regenerate platform support and bump to platforms@3.4.1
+
+-------------------------------------------------------------------
+Tue Sep 24 00:54:04 UTC 2024 - Xiaoguang Wang <xiaoguang.wang@suse.com>
+
+- Update vendor.tar.zst: gix-path improper path resolution
+  (bsc#1230688 CVE-2024-45405).
+
 -------------------------------------------------------------------
 Tue Sep 10 23:56:50 UTC 2024 - William Brown <william.brown@suse.com>
 

cargo-audit.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package cargo-audit
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -20,7 +20,7 @@
 %global workspace_name rustsec
 
 Name:           cargo-audit
-Version:        0.20.0~git66.972ac93
+Version:        0.21.2~git0.18e58c2
 Release:        0
 Summary:        Audit rust sources for known security vulnerabilities
 License:        ( 0BSD OR MIT OR Apache-2.0 ) AND ( Apache-2.0 OR BSL-1.0 ) AND ( Apache-2.0 OR MIT ) AND ( MIT OR Zlib OR Apache-2.0 ) AND ( Unlicense OR MIT ) AND ( Zlib OR Apache-2.0 OR MIT ) AND Apache-2.0 AND BSD-2-Clause AND BSD-3-Clause AND CC0-1.0 AND MIT AND MPL-2.0 AND MPL-2.0+
@@ -28,9 +28,7 @@ Group:          Development/Languages/Rust
 URL:            https://github.com/RustSec/cargo-audit
 Source0:        %{workspace_name}-%{version}.tar.zst
 Source1:        vendor.tar.zst
-Source2:        cargo_config
 
-BuildRequires:  cargo
 BuildRequires:  cargo-packaging
 BuildRequires:  pkgconfig(openssl)
 ExclusiveArch:  %{rust_tier1_arches}
@@ -41,8 +39,7 @@ Audit Cargo.lock files for crates with security vulnerabilities reported to the
 %prep
 %setup -q -n %{workspace_name}-%{version}
 %setup -qa1 -n %{workspace_name}-%{version}
-mkdir -p .cargo
+%autopatch -p 1
-cp %{SOURCE2} .cargo/config
 
 %build
 %{cargo_build}

cargo_config

@@ -1,5 +0,0 @@
-[source.crates-io]
-replace-with = "vendored-sources"
-
-[source.vendored-sources]
-directory = "vendor"

rustsec-0.20.0~git66.972ac93.tar.zst

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:b2aa891ed289a8b0ec3165b52722186d5898a5316e022a8da22476b0cf2d2c76
-size 656733