openSUSE Commits
Threads by month
- ----- 2024 -----
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2014 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2013 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2012 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2011 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2010 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2009 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2008 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2007 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2006 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
July 2024
- 1 participants
- 1521 discussions
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package nushell for openSUSE:Factory checked in at 2024-07-30 11:55:32
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/nushell (Old)
and /work/SRC/openSUSE:Factory/.nushell.new.1882 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "nushell"
Tue Jul 30 11:55:32 2024 rev:4 rq:1190391 version:0.96.1
Changes:
--------
--- /work/SRC/openSUSE:Factory/nushell/nushell.changes 2024-07-25 15:50:07.149481036 +0200
+++ /work/SRC/openSUSE:Factory/.nushell.new.1882/nushell.changes 2024-07-30 11:57:50.109693558 +0200
@@ -1,0 +2,10 @@
+Tue Jul 30 04:04:10 UTC 2024 - Dead Mozay <dead_mozay(a)opensuse.org>
+
+- Update to version 0.96.1:
+ * Fix $in in range expressions.
+ * IR: fix incorrect capturing of subexpressions.
+ * Clean up arguments added to stack after `CallDecl` engine call.
+ * Changes to commands:
+ - Bug fixes and other changes `keybindings list`.
+
+-------------------------------------------------------------------
Old:
----
nushell-0.96.0.obscpio
New:
----
nushell-0.96.1.obscpio
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ nushell.spec ++++++
--- /var/tmp/diff_new_pack.6DjDYq/_old 2024-07-30 11:57:52.137775583 +0200
+++ /var/tmp/diff_new_pack.6DjDYq/_new 2024-07-30 11:57:52.141775745 +0200
@@ -17,7 +17,7 @@
Name: nushell
-Version: 0.96.0
+Version: 0.96.1
Release: 0
Summary: A new type of shell
License: MIT
++++++ _service ++++++
--- /var/tmp/diff_new_pack.6DjDYq/_old 2024-07-30 11:57:52.173777039 +0200
+++ /var/tmp/diff_new_pack.6DjDYq/_new 2024-07-30 11:57:52.177777201 +0200
@@ -6,7 +6,7 @@
<param name="scm">git</param>
<param name="version">git-master</param>
<param name="versionformat">@PARENT_TAG@</param>
- <param name="revision">0.96.0</param>
+ <param name="revision">0.96.1</param>
<param name="changesgenerate">disable</param>
<param name="changesauthor">dead_mozay(a)opensuse.org</param>
</service>
++++++ nushell-0.96.0.obscpio -> nushell-0.96.1.obscpio ++++++
/work/SRC/openSUSE:Factory/nushell/nushell-0.96.0.obscpio /work/SRC/openSUSE:Factory/.nushell.new.1882/nushell-0.96.1.obscpio differ: char 50, line 1
++++++ nushell.obsinfo ++++++
--- /var/tmp/diff_new_pack.6DjDYq/_old 2024-07-30 11:57:52.229779305 +0200
+++ /var/tmp/diff_new_pack.6DjDYq/_new 2024-07-30 11:57:52.233779466 +0200
@@ -1,5 +1,5 @@
name: nushell
-version: 0.96.0
-mtime: 1721776235
-commit: a80dfe8e807035ad8d5bb751b385315982e7aad6
+version: 0.96.1
+mtime: 1722295896
+commit: f7d6c28a001f94f224e459e21df0da2ab5bdc923
++++++ vendor.tar.zst ++++++
/work/SRC/openSUSE:Factory/nushell/vendor.tar.zst /work/SRC/openSUSE:Factory/.nushell.new.1882/vendor.tar.zst differ: char 302745, line 1251
1
0
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package go-passbolt-cli for openSUSE:Factory checked in at 2024-07-30 11:55:30
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/go-passbolt-cli (Old)
and /work/SRC/openSUSE:Factory/.go-passbolt-cli.new.1882 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "go-passbolt-cli"
Tue Jul 30 11:55:30 2024 rev:3 rq:1190395 version:0.3.1
Changes:
--------
--- /work/SRC/openSUSE:Factory/go-passbolt-cli/go-passbolt-cli.changes 2024-07-22 17:19:19.076432996 +0200
+++ /work/SRC/openSUSE:Factory/.go-passbolt-cli.new.1882/go-passbolt-cli.changes 2024-07-30 11:57:47.629593251 +0200
@@ -1,0 +2,5 @@
+Fri Jul 26 06:26:40 UTC 2024 - Sai Karthik Karra <kskarthik(a)disroot.org>
+
+- fix shell completions dir name
+
+-------------------------------------------------------------------
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ go-passbolt-cli.spec ++++++
--- /var/tmp/diff_new_pack.XCURQO/_old 2024-07-30 11:57:48.185615739 +0200
+++ /var/tmp/diff_new_pack.XCURQO/_new 2024-07-30 11:57:48.185615739 +0200
@@ -92,9 +92,9 @@
install -D -m 0755 %{bin_name} "%{buildroot}%{_bindir}/%{bin_name}"
# Install the shell autocomplete files
-install -Dm 644 %{name}-autocomplete.bash %{buildroot}%{_datadir}/bash-completion/completions/%{name}
-install -Dm 644 %{name}-autocomplete.zsh %{buildroot}%{_datadir}/zsh/site-functions/_%{name}
-install -Dm 644 %{name}-autocomplete.fish %{buildroot}%{_datadir}/fish/completions/_%{name}
+install -Dm 644 %{name}-autocomplete.bash %{buildroot}%{_datadir}/bash-completion/completions/%{bin_name}
+install -Dm 644 %{name}-autocomplete.zsh %{buildroot}%{_datadir}/zsh/site-functions/_%{bin_name}
+install -Dm 644 %{name}-autocomplete.fish %{buildroot}%{_datadir}/fish/completions/_%{bin_name}
# Install the man pages.
mkdir -p "%{buildroot}%{_mandir}/man1"
1
0
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package perl-pcsc for openSUSE:Factory checked in at 2024-07-30 11:55:27
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/perl-pcsc (Old)
and /work/SRC/openSUSE:Factory/.perl-pcsc.new.1882 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "perl-pcsc"
Tue Jul 30 11:55:27 2024 rev:12 rq:1190393 version:1.4.16
Changes:
--------
--- /work/SRC/openSUSE:Factory/perl-pcsc/perl-pcsc.changes 2017-08-01 09:26:08.957186338 +0200
+++ /work/SRC/openSUSE:Factory/.perl-pcsc.new.1882/perl-pcsc.changes 2024-07-30 11:57:46.629552805 +0200
@@ -1,0 +2,7 @@
+Mon Jul 29 15:40:11 UTC 2024 - pgajdos(a)suse.com
+
+- version update to 1.4.16
+ * moved to github
+ * modernize a bit
+
+-------------------------------------------------------------------
Old:
----
pcsc-perl-1.4.14.tar.bz2
pcsc-perl-1.4.14.tar.bz2.asc
New:
----
Chipcard-PCSC-v1.4.16.tar.gz
Chipcard-PCSC-v1.4.16.tar.gz.asc
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ perl-pcsc.spec ++++++
--- /var/tmp/diff_new_pack.TSS86L/_old 2024-07-30 11:57:47.497587912 +0200
+++ /var/tmp/diff_new_pack.TSS86L/_new 2024-07-30 11:57:47.497587912 +0200
@@ -1,7 +1,7 @@
#
# spec file for package perl-pcsc
#
-# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2024 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -12,20 +12,20 @@
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
-# Please submit bugfixes or comments via http://bugs.opensuse.org/
+# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
%define cpan_name pcsc-perl
Name: perl-pcsc
-Version: 1.4.14
+Version: 1.4.16
Release: 0
Summary: Perl interface to Smart Card Reader
-License: GPL-2.0+
+License: GPL-2.0-or-later
Group: Development/Libraries/Perl
-Url: http://ludovic.rousseau.free.fr/softwares/pcsc-perl/
-Source: http://ludovic.rousseau.free.fr/softwares/pcsc-perl/%{cpan_name}-%{version}…
-Source1: http://ludovic.rousseau.free.fr/softwares/pcsc-perl/%{cpan_name}-%{version}…
+URL: https://github.com/LudovicRousseau/%{cpan_name}
+Source: https://pcsc-perl.apdu.fr/Chipcard-PCSC-v%{version}.tar.gz
+Source1: https://pcsc-perl.apdu.fr/Chipcard-PCSC-v%{version}.tar.gz.asc
Source2: %{name}.keyring
BuildRequires: perl
BuildRequires: pkg-config
@@ -45,7 +45,7 @@
readers through a standardized API.
%prep
-%setup -q -n %{cpan_name}-%{version}
+%autosetup -n Chipcard-PCSC-v%{version}
%build
perl Makefile.PL INSTALLDIRS=vendor OPTIMIZE="%{optflags}"
1
0
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package urh for openSUSE:Factory checked in at 2024-07-30 11:55:24
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/urh (Old)
and /work/SRC/openSUSE:Factory/.urh.new.1882 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "urh"
Tue Jul 30 11:55:24 2024 rev:44 rq:1190373 version:2.9.6
Changes:
--------
--- /work/SRC/openSUSE:Factory/urh/urh.changes 2024-03-17 22:17:57.268694575 +0100
+++ /work/SRC/openSUSE:Factory/.urh.new.1882/urh.changes 2024-07-30 11:57:45.681514461 +0200
@@ -1,0 +2,5 @@
+Mon Jul 29 18:51:08 UTC 2024 - Frank Kunz <mailinglists(a)kunz-im-inter.net>
+
+- Enable PlutoSDR support
+
+-------------------------------------------------------------------
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ urh.spec ++++++
--- /var/tmp/diff_new_pack.EkejCI/_old 2024-07-30 11:57:46.445545362 +0200
+++ /var/tmp/diff_new_pack.EkejCI/_new 2024-07-30 11:57:46.445545362 +0200
@@ -28,6 +28,7 @@
BuildRequires: fdupes
BuildRequires: gcc-c++
BuildRequires: hicolor-icon-theme
+BuildRequires: libiio-devel
BuildRequires: limesuite-devel
BuildRequires: pkgconfig
BuildRequires: python-rpm-macros
@@ -72,7 +73,8 @@
--with-hackrf \
--with-limesdr \
--with-rtlsdr \
- --with-usrp
+ --with-usrp \
+ --with-plutosdr
%install
%python3_install
1
0
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package tlrc for openSUSE:Factory checked in at 2024-07-30 11:55:22
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/tlrc (Old)
and /work/SRC/openSUSE:Factory/.tlrc.new.1882 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "tlrc"
Tue Jul 30 11:55:22 2024 rev:5 rq:1190369 version:1.9.3+0
Changes:
--------
--- /work/SRC/openSUSE:Factory/tlrc/tlrc.changes 2024-04-30 17:29:45.147391552 +0200
+++ /work/SRC/openSUSE:Factory/.tlrc.new.1882/tlrc.changes 2024-07-30 11:57:41.381340542 +0200
@@ -1,0 +2,9 @@
+Tue Jul 30 03:54:02 UTC 2024 - Michael Vetter <mvetter(a)suse.com>
+
+- Update to 1.9.3:
+ * Use native TLS certificates instead of webpki-roots
+ * ~ in the config now expands to the user's home directory (#80)
+ * Fixed wrong next automatic update time in tldr --offline --info
+ * Fixed extraction of files that contain .. in the path from zip archives
+
+-------------------------------------------------------------------
Old:
----
tlrc-1.9.2+0.tar.zst
New:
----
tlrc-1.9.3+0.tar.zst
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ tlrc.spec ++++++
--- /var/tmp/diff_new_pack.mL4P6c/_old 2024-07-30 11:57:45.397502975 +0200
+++ /var/tmp/diff_new_pack.mL4P6c/_new 2024-07-30 11:57:45.401503137 +0200
@@ -17,7 +17,7 @@
Name: tlrc
-Version: 1.9.2+0
+Version: 1.9.3+0
Release: 0
Summary: A tldr-pages client written in Rust
License: MIT
++++++ _service ++++++
--- /var/tmp/diff_new_pack.mL4P6c/_old 2024-07-30 11:57:45.429504269 +0200
+++ /var/tmp/diff_new_pack.mL4P6c/_new 2024-07-30 11:57:45.433504431 +0200
@@ -3,7 +3,7 @@
<param name="url">https://github.com/tldr-pages/tlrc.git</param>
<param name="versionformat">@PARENT_TAG@+@TAG_OFFSET@</param>
<param name="scm">git</param>
- <param name="revision">v1.9.2</param>
+ <param name="revision">v1.9.3</param>
<param name="match-tag">*</param>
<param name="versionrewrite-pattern">v(\d+\.\d+\.\d+)</param>
<param name="versionrewrite-replacement">\1</param>
++++++ tlrc-1.9.2+0.tar.zst -> tlrc-1.9.3+0.tar.zst ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tlrc-1.9.2+0/.devcontainer/devcontainer.json new/tlrc-1.9.3+0/.devcontainer/devcontainer.json
--- old/tlrc-1.9.2+0/.devcontainer/devcontainer.json 1970-01-01 01:00:00.000000000 +0100
+++ new/tlrc-1.9.3+0/.devcontainer/devcontainer.json 2024-07-29 14:43:45.000000000 +0200
@@ -0,0 +1,17 @@
+{
+ "name": "tlrc",
+ "image": "mcr.microsoft.com/devcontainers/base:ubuntu",
+ "features": {
+ "ghcr.io/devcontainers/features/rust:1": {}
+ },
+ "privileged": false,
+ "customizations": {
+ "vscode": {
+ "extensions": [
+ "GitHub.vscode-pull-request-github",
+ "github.vscode-github-actions",
+ "DavidAnson.vscode-markdownlint"
+ ]
+ }
+ }
+}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tlrc-1.9.2+0/.github/workflows/build-release.yml new/tlrc-1.9.3+0/.github/workflows/build-release.yml
--- old/tlrc-1.9.2+0/.github/workflows/build-release.yml 2024-04-29 17:06:53.000000000 +0200
+++ new/tlrc-1.9.3+0/.github/workflows/build-release.yml 2024-07-29 14:43:45.000000000 +0200
@@ -33,6 +33,10 @@
name: Build ${{ matrix.target }}
runs-on: ${{ matrix.os }}
needs: release
+ permissions:
+ contents: write # to upload assets to releases
+ attestations: write # to upload assets attestation for build provenance
+ id-token: write # grant additional permission to attestation action to mint the OIDC token permission
strategy:
fail-fast: false
@@ -84,3 +88,9 @@
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
run: gh release upload "$GITHUB_REF_NAME" "$NAME"-*
+
+ - name: Attest release files
+ id: attest
+ uses: actions/attest-build-provenance@v1
+ with:
+ subject-path: '*.zip, *.tar.gz'
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tlrc-1.9.2+0/Cargo.lock new/tlrc-1.9.3+0/Cargo.lock
--- old/tlrc-1.9.2+0/Cargo.lock 2024-04-29 17:06:53.000000000 +0200
+++ new/tlrc-1.9.3+0/Cargo.lock 2024-07-29 14:43:45.000000000 +0200
@@ -10,57 +10,67 @@
[[package]]
name = "anstream"
-version = "0.6.13"
+version = "0.6.15"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d96bd03f33fe50a863e394ee9718a706f988b9079b20c3784fb726e7678b62fb"
+checksum = "64e15c1ab1f89faffbf04a634d5e1962e9074f2741eef6d97f3c4e322426d526"
dependencies = [
"anstyle",
"anstyle-parse",
"anstyle-query",
"anstyle-wincon",
"colorchoice",
+ "is_terminal_polyfill",
"utf8parse",
]
[[package]]
name = "anstyle"
-version = "1.0.6"
+version = "1.0.8"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "8901269c6307e8d93993578286ac0edf7f195079ffff5ebdeea6a59ffb7e36bc"
+checksum = "1bec1de6f59aedf83baf9ff929c98f2ad654b97c9510f4e70cf6f661d49fd5b1"
[[package]]
name = "anstyle-parse"
-version = "0.2.3"
+version = "0.2.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c75ac65da39e5fe5ab759307499ddad880d724eed2f6ce5b5e8a26f4f387928c"
+checksum = "eb47de1e80c2b463c735db5b217a0ddc39d612e7ac9e2e96a5aed1f57616c1cb"
dependencies = [
"utf8parse",
]
[[package]]
name = "anstyle-query"
-version = "1.0.2"
+version = "1.1.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e28923312444cdd728e4738b3f9c9cac739500909bb3d3c94b43551b16517648"
+checksum = "6d36fc52c7f6c869915e99412912f22093507da8d9e942ceaf66fe4b7c14422a"
dependencies = [
"windows-sys 0.52.0",
]
[[package]]
name = "anstyle-wincon"
-version = "3.0.2"
+version = "3.0.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "1cd54b81ec8d6180e24654d0b371ad22fc3dd083b6ff8ba325b72e00c87660a7"
+checksum = "5bf74e1b6e971609db8ca7a9ce79fd5768ab6ae46441c572e46cf596f59e57f8"
dependencies = [
"anstyle",
"windows-sys 0.52.0",
]
[[package]]
+name = "arbitrary"
+version = "1.3.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7d5a26814d8dcb93b0e5a0ff3c6d80a8843bafb21b39e8e18a6f05471870e110"
+dependencies = [
+ "derive_arbitrary",
+]
+
+[[package]]
name = "assert_cmd"
-version = "2.0.14"
+version = "2.0.15"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ed72493ac66d5804837f480ab3766c72bdfab91a65e565fc54fa9e42db0073a8"
+checksum = "bc65048dd435533bb1baf2ed9956b9a278fbfdcf90301b39ee117f06c0199d37"
dependencies = [
"anstyle",
"bstr",
@@ -73,21 +83,21 @@
[[package]]
name = "base64"
-version = "0.22.0"
+version = "0.22.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9475866fec1451be56a3c2400fd081ff546538961565ccb5b7142cbd22bc7a51"
+checksum = "72b3254f16251a8381aa12e40e3c4d2f0199f8c6508fbecb9d91f575e0fbb8c6"
[[package]]
name = "bitflags"
-version = "2.5.0"
+version = "2.6.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "cf4b9d6a944f767f8e5e0db018570623c85f3d925ac718db4e06d0187adb21c1"
+checksum = "b048fb63fd8b5923fc5aa7b340d8e156aec7ec02f0c78fa8a6ddc2613f6f71de"
[[package]]
name = "bstr"
-version = "1.9.1"
+version = "1.10.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "05efc5cfd9110c8416e471df0e96702d58690178e206e61b7173706673c93706"
+checksum = "40723b8fb387abc38f4f4a37c09073622e41dd12327033091ef8950659e6dc0c"
dependencies = [
"memchr",
"regex-automata",
@@ -95,6 +105,12 @@
]
[[package]]
+name = "bumpalo"
+version = "3.16.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "79296716171880943b8470b5f8d03aa55eb2e645a4874bdbb28adb49162e012c"
+
+[[package]]
name = "byteorder"
version = "1.5.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
@@ -102,9 +118,9 @@
[[package]]
name = "cc"
-version = "1.0.95"
+version = "1.1.7"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d32a725bc159af97c3e629873bb9f88fb8cf8a4867175f76dc987815ea07c83b"
+checksum = "26a5c3fd7bfa1ce3897a3a3501d362b2d87b7f2583ebcb4a949ec25911025cbc"
[[package]]
name = "cfg-if"
@@ -114,9 +130,9 @@
[[package]]
name = "clap"
-version = "4.5.4"
+version = "4.5.11"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "90bc066a67923782aa8515dbaea16946c5bcc5addbd668bb80af688e53e548a0"
+checksum = "35723e6a11662c2afb578bcf0b88bf6ea8e21282a953428f240574fcc3a2b5b3"
dependencies = [
"clap_builder",
"clap_derive",
@@ -124,9 +140,9 @@
[[package]]
name = "clap_builder"
-version = "4.5.2"
+version = "4.5.11"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "ae129e2e766ae0ec03484e609954119f123cc1fe650337e155d03b022f24f7b4"
+checksum = "49eb96cbfa7cfa35017b7cd548c75b14c3118c98b423041d70562665e07fb0fa"
dependencies = [
"anstream",
"anstyle",
@@ -136,9 +152,9 @@
[[package]]
name = "clap_derive"
-version = "4.5.4"
+version = "4.5.11"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "528131438037fd55894f62d6e9f068b8f45ac57ffa77517819645d10aed04f64"
+checksum = "5d029b67f89d30bbb547c89fd5161293c0aec155fc691d7924b64550662db93e"
dependencies = [
"heck",
"proc-macro2",
@@ -148,30 +164,57 @@
[[package]]
name = "clap_lex"
-version = "0.7.0"
+version = "0.7.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "98cc8fbded0c607b7ba9dd60cd98df59af97e84d24e49c8557331cfc26d301ce"
+checksum = "1462739cb27611015575c0c11df5df7601141071f07518d56fcc1be504cbec97"
[[package]]
name = "colorchoice"
-version = "1.0.0"
+version = "1.0.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d3fd119d74b830634cea2a0f58bbd0d54540518a14397557951e79340abc28c0"
+
+[[package]]
+name = "core-foundation"
+version = "0.9.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "acbf1af155f9b9ef647e42cdc158db4b64a1b61f743629225fde6f3e0be2a7c7"
+checksum = "91e195e091a93c46f7102ec7818a2aa394e1e1771c3ab4825963fa03e45afb8f"
+dependencies = [
+ "core-foundation-sys",
+ "libc",
+]
+
+[[package]]
+name = "core-foundation-sys"
+version = "0.8.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "06ea2b9bc92be3c2baa9334a323ebca2d6f074ff852cd1d7b11064035cd3868f"
[[package]]
name = "crc32fast"
-version = "1.4.0"
+version = "1.4.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b3855a8a784b474f333699ef2bbca9db2c4a1f6d9088a90a2d25b1eb53111eaa"
+checksum = "a97769d94ddab943e4510d138150169a2758b5ef3eb191a9ee688de3e23ef7b3"
dependencies = [
"cfg-if",
]
[[package]]
name = "crossbeam-utils"
-version = "0.8.19"
+version = "0.8.20"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "22ec99545bb0ed0ea7bb9b8e1e9122ea386ff8a48c0922e43f36d45ab09e0e80"
+
+[[package]]
+name = "derive_arbitrary"
+version = "1.3.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "248e3bacc7dc6baa3b21e405ee045c3047101a49145e7e9eca583ab4c2ca5345"
+checksum = "67e77553c4162a157adbf834ebae5b415acbecbeafc7a74b0e886657506a7611"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
[[package]]
name = "difflib"
@@ -201,6 +244,17 @@
]
[[package]]
+name = "displaydoc"
+version = "0.2.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "97369cbbc041bc366949bc74d34658d6cda5621039731c6310521892a3a20ae0"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn",
+]
+
+[[package]]
name = "doc-comment"
version = "0.3.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
@@ -233,9 +287,9 @@
[[package]]
name = "getrandom"
-version = "0.2.14"
+version = "0.2.15"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "94b22e06ecb0110981051723910cbf0b5f5e09a2062dd7663334ee79a9d1286c"
+checksum = "c4567c8db10ae91089c99af84c68c38da3ec2f087c3f82960bcdbf3656b6f4d7"
dependencies = [
"cfg-if",
"libc",
@@ -275,10 +329,16 @@
]
[[package]]
+name = "is_terminal_polyfill"
+version = "1.70.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "7943c866cc5cd64cbc25b2e01621d07fa8eb2a1a23160ee81ce38704e97b8ecf"
+
+[[package]]
name = "libc"
-version = "0.2.153"
+version = "0.2.155"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9c198f91728a82281a64e1f4f9eeb25d82cb32a5de251c6bd1b5154d63a8e7bd"
+checksum = "97b3888a4aecf77e811145cadf6eef5901f4782c53886191b2f693f24761847c"
[[package]]
name = "libredox"
@@ -291,22 +351,28 @@
]
[[package]]
+name = "lockfree-object-pool"
+version = "0.1.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "9374ef4228402d4b7e403e5838cb880d9ee663314b0a900d5a6aabf0c213552e"
+
+[[package]]
name = "log"
-version = "0.4.21"
+version = "0.4.22"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "90ed8c1e510134f979dbc4f070f87d4313098b704861a105fe34231c70a3901c"
+checksum = "a7a70ba024b9dc04c27ea2f0c0548feb474ec5c54bba33a7f72f873a39d07b24"
[[package]]
name = "memchr"
-version = "2.7.2"
+version = "2.7.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6c8640c5d730cb13ebd907d8d04b52f55ac9a2eec55b440c8892f40d56c76c1d"
+checksum = "78ca9ab1a0babb1e7d5695e3530886289c18cf2f87ec19a575a0abdce112e3a3"
[[package]]
name = "miniz_oxide"
-version = "0.7.2"
+version = "0.7.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9d811f3e15f28568be3407c8e7fdb6514c1cda3cb30683f15b6a1a1dc4ea14a7"
+checksum = "b8a240ddb74feaf34a79a7add65a741f3167852fba007066dcac1ca548d89c08"
dependencies = [
"adler",
]
@@ -318,6 +384,12 @@
checksum = "3fdb12b2476b595f9358c5161aa467c2438859caa136dec86c26fdd2efe17b92"
[[package]]
+name = "openssl-probe"
+version = "0.1.5"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "ff011a302c396a5197692431fc1948019154afc178baf7d8e37367442a4601cf"
+
+[[package]]
name = "option-ext"
version = "0.2.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
@@ -331,9 +403,9 @@
[[package]]
name = "predicates"
-version = "3.1.0"
+version = "3.1.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "68b87bfd4605926cdfefc1c3b5f8fe560e3feca9d5552cf68c466d3d8236c7e8"
+checksum = "7e9086cc7640c29a356d1a29fd134380bee9d8f79a17410aa76e7ad295f42c97"
dependencies = [
"anstyle",
"difflib",
@@ -342,15 +414,15 @@
[[package]]
name = "predicates-core"
-version = "1.0.6"
+version = "1.0.8"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b794032607612e7abeb4db69adb4e33590fa6cf1149e95fd7cb00e634b92f174"
+checksum = "ae8177bee8e75d6846599c6b9ff679ed51e882816914eec639944d7c9aa11931"
[[package]]
name = "predicates-tree"
-version = "1.0.9"
+version = "1.0.11"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "368ba315fb8c5052ab692e68a0eefec6ec57b23a36959c14496f0b0df2c0cecf"
+checksum = "41b740d195ed3166cd147c8047ec98db0e22ec019eb8eeb76d343b795304fb13"
dependencies = [
"predicates-core",
"termtree",
@@ -358,9 +430,9 @@
[[package]]
name = "proc-macro2"
-version = "1.0.81"
+version = "1.0.86"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3d1597b0c024618f09a9c3b8655b7e430397a36d23fdafec26d6965e9eec3eba"
+checksum = "5e719e8df665df0d1c8fbfd238015744736151d4445ec0836b8e628aae103b77"
dependencies = [
"unicode-ident",
]
@@ -387,9 +459,9 @@
[[package]]
name = "regex-automata"
-version = "0.4.6"
+version = "0.4.7"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "86b83b8b9847f9bf95ef68afb0b8e6cdb80f498442f5179a29fad448fcc1eaea"
+checksum = "38caf58cc5ef2fed281f89292ef23f6365465ed9a41b7a7754eb4e26496c92df"
[[package]]
name = "ring"
@@ -408,11 +480,12 @@
[[package]]
name = "rustls"
-version = "0.22.4"
+version = "0.23.12"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bf4ef73721ac7bcd79b2b315da7779d8fc09718c6b3d2d1b2d94850eb8c18432"
+checksum = "c58f8c84392efc0a126acce10fa59ff7b3d2ac06ab451a33f2741989b806b044"
dependencies = [
"log",
+ "once_cell",
"ring",
"rustls-pki-types",
"rustls-webpki",
@@ -421,16 +494,39 @@
]
[[package]]
+name = "rustls-native-certs"
+version = "0.7.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "a88d6d420651b496bdd98684116959239430022a115c1240e6c3993be0b15fba"
+dependencies = [
+ "openssl-probe",
+ "rustls-pemfile",
+ "rustls-pki-types",
+ "schannel",
+ "security-framework",
+]
+
+[[package]]
+name = "rustls-pemfile"
+version = "2.1.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "29993a25686778eb88d4189742cd713c9bce943bc54251a33509dc63cbacf73d"
+dependencies = [
+ "base64",
+ "rustls-pki-types",
+]
+
+[[package]]
name = "rustls-pki-types"
-version = "1.5.0"
+version = "1.7.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "beb461507cee2c2ff151784c52762cf4d9ff6a61f3e80968600ed24fa837fa54"
+checksum = "976295e77ce332211c0d24d92c0e83e50f5c5f046d11082cea19f3df13a3562d"
[[package]]
name = "rustls-webpki"
-version = "0.102.3"
+version = "0.102.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f3bce581c0dd41bce533ce695a1437fa16a7ab5ac3ccfa99fe1a620a7885eabf"
+checksum = "8e6b52d4fda176fd835fdc55a835d4a89b8499cad995885a21149d5ad62f852e"
dependencies = [
"ring",
"rustls-pki-types",
@@ -438,19 +534,51 @@
]
[[package]]
+name = "schannel"
+version = "0.1.23"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "fbc91545643bcf3a0bbb6569265615222618bdf33ce4ffbbd13c4bbd4c093534"
+dependencies = [
+ "windows-sys 0.52.0",
+]
+
+[[package]]
+name = "security-framework"
+version = "2.11.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "897b2245f0b511c87893af39b033e5ca9cce68824c4d7e7630b5a1d339658d02"
+dependencies = [
+ "bitflags",
+ "core-foundation",
+ "core-foundation-sys",
+ "libc",
+ "security-framework-sys",
+]
+
+[[package]]
+name = "security-framework-sys"
+version = "2.11.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "75da29fe9b9b08fe9d6b22b5b4bcbc75d8db3aa31e639aa56bb62e9d46bfceaf"
+dependencies = [
+ "core-foundation-sys",
+ "libc",
+]
+
+[[package]]
name = "serde"
-version = "1.0.199"
+version = "1.0.204"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "0c9f6e76df036c77cd94996771fb40db98187f096dd0b9af39c6c6e452ba966a"
+checksum = "bc76f558e0cbb2a839d37354c575f1dc3fdc6546b5be373ba43d95f231bf7c12"
dependencies = [
"serde_derive",
]
[[package]]
name = "serde_derive"
-version = "1.0.199"
+version = "1.0.204"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "11bd257a6541e141e42ca6d24ae26f7714887b47e89aa739099104c7e4d3b7fc"
+checksum = "e0cd7e117be63d3c3678776753929474f3b04a43a080c744d6b0ae2a8c28e222"
dependencies = [
"proc-macro2",
"quote",
@@ -459,14 +587,20 @@
[[package]]
name = "serde_spanned"
-version = "0.6.5"
+version = "0.6.7"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "eb3622f419d1296904700073ea6cc23ad690adbd66f13ea683df73298736f0c1"
+checksum = "eb5b1b31579f3811bf615c144393417496f152e12ac8b7663bf664f4a815306d"
dependencies = [
"serde",
]
[[package]]
+name = "simd-adler32"
+version = "0.3.7"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d66dc143e6b11c1eddc06d5c423cfc97062865baf299914ab64caa38182078fe"
+
+[[package]]
name = "socks"
version = "0.3.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
@@ -491,15 +625,15 @@
[[package]]
name = "subtle"
-version = "2.5.0"
+version = "2.6.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "81cdd64d312baedb58e21336b31bc043b77e01cc99033ce76ef539f78e965ebc"
+checksum = "13c2bddecc57b384dee18652358fb23172facb8a2c51ccc10d74c157bdea3292"
[[package]]
name = "syn"
-version = "2.0.60"
+version = "2.0.72"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "909518bc7b1c9b779f1bbf07f2929d35af9f0f37e47c6e9ef7f9dddc1e1821f3"
+checksum = "dc4b9b9bf2add8093d3f2c0204471e951b2285580335de42f9d2534f3ae7a8af"
dependencies = [
"proc-macro2",
"quote",
@@ -514,18 +648,18 @@
[[package]]
name = "thiserror"
-version = "1.0.59"
+version = "1.0.63"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f0126ad08bff79f29fc3ae6a55cc72352056dfff61e3ff8bb7129476d44b23aa"
+checksum = "c0342370b38b6a11b6cc11d6a805569958d54cfa061a29969c3b5ce2ea405724"
dependencies = [
"thiserror-impl",
]
[[package]]
name = "thiserror-impl"
-version = "1.0.59"
+version = "1.0.63"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d1cd413b5d558b4c5bf3680e324a6fa5014e7b7c067a51e69dbdf47eb7148b66"
+checksum = "a4558b58466b9ad7ca0f102865eccc95938dca1a74a856f2b57b6629050da261"
dependencies = [
"proc-macro2",
"quote",
@@ -534,9 +668,9 @@
[[package]]
name = "tinyvec"
-version = "1.6.0"
+version = "1.8.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "87cc5ceb3875bb20c2890005a4e226a4651264a5c75edb2421b52861a0a0cb50"
+checksum = "445e881f4f6d382d5f27c034e25eb92edd7c784ceab92a0937db7f2e9471b938"
dependencies = [
"tinyvec_macros",
]
@@ -549,7 +683,7 @@
[[package]]
name = "tlrc"
-version = "1.9.2"
+version = "1.9.3"
dependencies = [
"assert_cmd",
"clap",
@@ -565,9 +699,9 @@
[[package]]
name = "toml"
-version = "0.8.12"
+version = "0.8.16"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e9dd1545e8208b4a5af1aa9bbd0b4cf7e9ea08fabc5d0a5c67fcaafa17433aa3"
+checksum = "81967dd0dd2c1ab0bc3468bd7caecc32b8a4aa47d0c8c695d8c2b2108168d62c"
dependencies = [
"serde",
"serde_spanned",
@@ -577,18 +711,18 @@
[[package]]
name = "toml_datetime"
-version = "0.6.5"
+version = "0.6.7"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "3550f4e9685620ac18a50ed434eb3aec30db8ba93b0287467bca5826ea25baf1"
+checksum = "f8fb9f64314842840f1d940ac544da178732128f1c78c21772e876579e0da1db"
dependencies = [
"serde",
]
[[package]]
name = "toml_edit"
-version = "0.22.12"
+version = "0.22.17"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d3328d4f68a705b2a4498da1d580585d39a6510f98318a2cec3018a7ec61ddef"
+checksum = "8d9f8729f5aea9562aac1cc0441f5d6de3cff1ee0c5d67293eeca5eb36ee7c16"
dependencies = [
"indexmap",
"serde",
@@ -626,16 +760,16 @@
[[package]]
name = "ureq"
-version = "2.9.7"
+version = "2.10.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d11a831e3c0b56e438a28308e7c810799e3c118417f342d30ecec080105395cd"
+checksum = "72139d247e5f97a3eff96229a7ae85ead5328a39efe76f8bf5a06313d505b6ea"
dependencies = [
"base64",
"log",
"once_cell",
"rustls",
+ "rustls-native-certs",
"rustls-pki-types",
- "rustls-webpki",
"socks",
"url",
"webpki-roots",
@@ -643,9 +777,9 @@
[[package]]
name = "url"
-version = "2.5.0"
+version = "2.5.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "31e6302e3bb753d46e83516cae55ae196fc0c309407cf11ab35cc51a4c2a4633"
+checksum = "22784dbdf76fdde8af1aeda5622b546b422b6fc585325248a2bf9f5e41e94d6c"
dependencies = [
"form_urlencoded",
"idna",
@@ -654,9 +788,9 @@
[[package]]
name = "utf8parse"
-version = "0.2.1"
+version = "0.2.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "711b9620af191e0cdc7468a8d14e709c3dcdb115b36f838e601583af800a370a"
+checksum = "06abde3611657adf66d383f00b093d7faecc7fa57071cce2578660c9f1010821"
[[package]]
name = "wait-timeout"
@@ -675,9 +809,9 @@
[[package]]
name = "webpki-roots"
-version = "0.26.1"
+version = "0.26.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b3de34ae270483955a94f4b21bdaaeb83d508bb84a01435f393818edb0012009"
+checksum = "bd7c23921eeb1713a4e851530e9b9756e4fb0e89978582942612524cf09f01cd"
dependencies = [
"rustls-pki-types",
]
@@ -719,7 +853,7 @@
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "282be5f36a8ce781fad8c8ae18fa3f9beff57ec1b52cb3de0789201425d9a33d"
dependencies = [
- "windows-targets 0.52.5",
+ "windows-targets 0.52.6",
]
[[package]]
@@ -739,18 +873,18 @@
[[package]]
name = "windows-targets"
-version = "0.52.5"
+version = "0.52.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6f0713a46559409d202e70e28227288446bf7841d3211583a4b53e3f6d96e7eb"
+checksum = "9b724f72796e036ab90c1021d4780d4d3d648aca59e491e6b98e725b84e99973"
dependencies = [
- "windows_aarch64_gnullvm 0.52.5",
- "windows_aarch64_msvc 0.52.5",
- "windows_i686_gnu 0.52.5",
+ "windows_aarch64_gnullvm 0.52.6",
+ "windows_aarch64_msvc 0.52.6",
+ "windows_i686_gnu 0.52.6",
"windows_i686_gnullvm",
- "windows_i686_msvc 0.52.5",
- "windows_x86_64_gnu 0.52.5",
- "windows_x86_64_gnullvm 0.52.5",
- "windows_x86_64_msvc 0.52.5",
+ "windows_i686_msvc 0.52.6",
+ "windows_x86_64_gnu 0.52.6",
+ "windows_x86_64_gnullvm 0.52.6",
+ "windows_x86_64_msvc 0.52.6",
]
[[package]]
@@ -761,9 +895,9 @@
[[package]]
name = "windows_aarch64_gnullvm"
-version = "0.52.5"
+version = "0.52.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7088eed71e8b8dda258ecc8bac5fb1153c5cffaf2578fc8ff5d61e23578d3263"
+checksum = "32a4622180e7a0ec044bb555404c800bc9fd9ec262ec147edd5989ccd0c02cd3"
[[package]]
name = "windows_aarch64_msvc"
@@ -773,9 +907,9 @@
[[package]]
name = "windows_aarch64_msvc"
-version = "0.52.5"
+version = "0.52.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9985fd1504e250c615ca5f281c3f7a6da76213ebd5ccc9561496568a2752afb6"
+checksum = "09ec2a7bb152e2252b53fa7803150007879548bc709c039df7627cabbd05d469"
[[package]]
name = "windows_i686_gnu"
@@ -785,15 +919,15 @@
[[package]]
name = "windows_i686_gnu"
-version = "0.52.5"
+version = "0.52.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "88ba073cf16d5372720ec942a8ccbf61626074c6d4dd2e745299726ce8b89670"
+checksum = "8e9b5ad5ab802e97eb8e295ac6720e509ee4c243f69d781394014ebfe8bbfa0b"
[[package]]
name = "windows_i686_gnullvm"
-version = "0.52.5"
+version = "0.52.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "87f4261229030a858f36b459e748ae97545d6f1ec60e5e0d6a3d32e0dc232ee9"
+checksum = "0eee52d38c090b3caa76c563b86c3a4bd71ef1a819287c19d586d7334ae8ed66"
[[package]]
name = "windows_i686_msvc"
@@ -803,9 +937,9 @@
[[package]]
name = "windows_i686_msvc"
-version = "0.52.5"
+version = "0.52.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "db3c2bf3d13d5b658be73463284eaf12830ac9a26a90c717b7f771dfe97487bf"
+checksum = "240948bc05c5e7c6dabba28bf89d89ffce3e303022809e73deaefe4f6ec56c66"
[[package]]
name = "windows_x86_64_gnu"
@@ -815,9 +949,9 @@
[[package]]
name = "windows_x86_64_gnu"
-version = "0.52.5"
+version = "0.52.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "4e4246f76bdeff09eb48875a0fd3e2af6aada79d409d33011886d3e1581517d9"
+checksum = "147a5c80aabfbf0c7d901cb5895d1de30ef2907eb21fbbab29ca94c5b08b1a78"
[[package]]
name = "windows_x86_64_gnullvm"
@@ -827,9 +961,9 @@
[[package]]
name = "windows_x86_64_gnullvm"
-version = "0.52.5"
+version = "0.52.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "852298e482cd67c356ddd9570386e2862b5673c85bd5f88df9ab6802b334c596"
+checksum = "24d5b23dc417412679681396f2b49f3de8c1473deb516bd34410872eff51ed0d"
[[package]]
name = "windows_x86_64_msvc"
@@ -839,15 +973,15 @@
[[package]]
name = "windows_x86_64_msvc"
-version = "0.52.5"
+version = "0.52.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bec47e5bfd1bff0eeaf6d8b485cc1074891a197ab4225d504cb7a1ab88b02bf0"
+checksum = "589f6da84c646204747d1270a2a5661ea66ed1cced2631d546fdfb155959f9ec"
[[package]]
name = "winnow"
-version = "0.6.7"
+version = "0.6.16"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "14b9415ee827af173ebb3f15f9083df5a122eb93572ec28741fb153356ea2578"
+checksum = "b480ae9340fc261e6be3e95a1ba86d54ae3f9171132a73ce8d4bbaf68339507c"
dependencies = [
"memchr",
]
@@ -860,18 +994,37 @@
[[package]]
name = "zeroize"
-version = "1.7.0"
+version = "1.8.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "525b4ec142c6b68a2d10f01f7bbf6755599ca3f81ea53b8431b7dd348f5fdb2d"
+checksum = "ced3678a2879b30306d323f4542626697a464a97c0a07c9aebf7ebca65cd4dde"
[[package]]
name = "zip"
-version = "0.6.6"
+version = "2.1.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "760394e246e4c28189f19d488c058bf16f564016aefac5d32bb1f3b51d5e9261"
+checksum = "b895748a3ebcb69b9d38dcfdf21760859a4b0d0b0015277640c2ef4c69640e6f"
dependencies = [
- "byteorder",
+ "arbitrary",
"crc32fast",
"crossbeam-utils",
+ "displaydoc",
"flate2",
+ "indexmap",
+ "memchr",
+ "thiserror",
+ "zopfli",
+]
+
+[[package]]
+name = "zopfli"
+version = "0.8.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e5019f391bac5cf252e93bbcc53d039ffd62c7bfb7c150414d61369afe57e946"
+dependencies = [
+ "bumpalo",
+ "crc32fast",
+ "lockfree-object-pool",
+ "log",
+ "once_cell",
+ "simd-adler32",
]
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tlrc-1.9.2+0/Cargo.toml new/tlrc-1.9.3+0/Cargo.toml
--- old/tlrc-1.9.2+0/Cargo.toml 2024-04-29 17:06:53.000000000 +0200
+++ new/tlrc-1.9.3+0/Cargo.toml 2024-07-29 14:43:45.000000000 +0200
@@ -1,6 +1,6 @@
[package]
name = "tlrc"
-version = "1.9.2"
+version = "1.9.3"
description = "Official tldr client written in Rust"
categories = ["command-line-utilities"]
homepage = "https://github.com/tldr-pages/tlrc"
@@ -8,7 +8,7 @@
documentation = "https://tldr.sh/tlrc"
license = "MIT"
edition = "2021"
-rust-version = "1.70"
+rust-version = "1.74"
[[bin]]
name = "tldr"
@@ -19,18 +19,18 @@
socks-proxy = ["ureq/socks-proxy"]
[dependencies]
-clap = { version = "4.5.4", features = ["derive"] }
+clap = { version = "4.5.11", features = ["derive"] }
dirs = "5.0.1"
once_cell = "1.19.0"
ring = "0.17.8"
-serde = { version = "1.0.199", features = ["derive"] }
-toml = "0.8.12"
-ureq = { version = "2.9.7", default-features = false, features = ["tls"] }
+serde = { version = "1.0.204", features = ["derive"] }
+toml = "0.8.16"
+ureq = { version = "2.10.0", default-features = false, features = ["tls", "native-certs"] }
yansi = "1.0.1"
-zip = { version = "0.6.6", default-features = false, features = ["deflate"] }
+zip = { version = "2.1.5", default-features = false, features = ["deflate"] }
[dev-dependencies]
-assert_cmd = "2.0.14"
+assert_cmd = "2.0.15"
[lints.clippy]
all = "warn"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tlrc-1.9.2+0/README.md new/tlrc-1.9.3+0/README.md
--- old/tlrc-1.9.2+0/README.md 2024-04-29 17:06:53.000000000 +0200
+++ new/tlrc-1.9.3+0/README.md 2024-07-29 14:43:45.000000000 +0200
@@ -46,7 +46,7 @@
zypper install tlrc
```
-### Windows
+### Windows using Winget
Install [tlrc](https://github.com/microsoft/winget-pkgs/tree/master/manifests/t/tldr… with Winget:
@@ -54,6 +54,14 @@
winget install tldr-pages.tlrc
```
+### Windows using Scoop
+
+Install [tlrc](https://scoop.sh/#/apps?q=tlrc&id=67f36cdb01b1573ed454af11605b7b8efc732dc7) with Scoop:
+
+```shell
+scoop install tlrc
+```
+
### macOS using MacPorts
Install [tlrc](https://ports.macports.org/port/tlrc/details) with MacPorts:
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tlrc-1.9.2+0/src/args.rs new/tlrc-1.9.3+0/src/args.rs
--- old/tlrc-1.9.2+0/src/args.rs 2024-04-29 17:06:53.000000000 +0200
+++ new/tlrc-1.9.3+0/src/args.rs 2024-07-29 14:43:45.000000000 +0200
@@ -31,7 +31,7 @@
#[command(
arg_required_else_help = true,
about,
- // VERSION_STRING is generated and set in the build script.
+ // This env var is generated and set in the build script.
version = env!("VERSION_STRING"),
disable_version_flag = true,
after_help = AFTER_HELP,
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tlrc-1.9.2+0/src/cache.rs new/tlrc-1.9.3+0/src/cache.rs
--- old/tlrc-1.9.2+0/src/cache.rs 2024-04-29 17:06:53.000000000 +0200
+++ new/tlrc-1.9.3+0/src/cache.rs 2024-07-29 14:43:45.000000000 +0200
@@ -181,23 +181,29 @@
let mut n_downloaded = 0;
for i in 0..archive.len() {
- let mut page = archive.by_index(i).unwrap();
- let fname = page.name();
+ let mut zipfile = archive.by_index(i)?;
+ let Some(fname) = zipfile.enclosed_name() else {
+ warnln!(
+ "found an unsafe path in the zip archive: '{}', ignoring it",
+ zipfile.name()
+ );
+ continue;
+ };
// Skip files that are not in a directory (we want only pages).
- if !fname.contains('/') {
+ if zipfile.is_file() && fname.parent() == Some(Path::new("")) {
continue;
}
- let path = self.dir.join(lang_dir).join(fname);
+ let path = self.dir.join(lang_dir).join(&fname);
- if fname.ends_with('/') {
+ if zipfile.is_dir() {
fs::create_dir_all(&path)?;
continue;
}
let mut file = File::create(&path)?;
- io::copy(&mut page, &mut file)?;
+ io::copy(&mut zipfile, &mut file)?;
n_downloaded += 1;
}
@@ -523,13 +529,16 @@
)?;
if cfg.cache.auto_update {
- let age_diff = cfg.cache_max_age().as_secs() - age;
-
- writeln!(
- stdout,
- "Automatic update in {}",
- util::duration_fmt(age_diff).green().bold()
- )?;
+ let max_age = cfg.cache_max_age().as_secs();
+ if max_age > age {
+ let age_diff = max_age - age;
+
+ writeln!(
+ stdout,
+ "Automatic update in {}",
+ util::duration_fmt(age_diff).green().bold()
+ )?;
+ }
} else {
writeln!(stdout, "Automatic updates are disabled")?;
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tlrc-1.9.2+0/src/config.rs new/tlrc-1.9.3+0/src/config.rs
--- old/tlrc-1.9.2+0/src/config.rs 2024-04-29 17:06:53.000000000 +0200
+++ new/tlrc-1.9.3+0/src/config.rs 2024-07-29 14:43:45.000000000 +0200
@@ -282,6 +282,12 @@
}
// English pages should always be downloaded and searched.
cfg.cache.languages.push("en".to_string());
+
+ if cfg.cache.dir.starts_with("~") {
+ let mut p = dirs::home_dir().unwrap();
+ p.extend(cfg.cache.dir.components().skip(1));
+ cfg.cache.dir = p;
+ }
cfg
})
}
@@ -304,8 +310,16 @@
/// Print the default config.
pub fn print_default() -> Result<()> {
- let default = toml::ser::to_string_pretty(&Config::default()).unwrap();
- write!(io::stdout(), "{default}")?;
+ let mut cfg = Config::default();
+ let home = dirs::home_dir().unwrap();
+
+ if cfg.cache.dir.starts_with(&home) {
+ let rel_part = cfg.cache.dir.strip_prefix(&home).unwrap();
+ cfg.cache.dir = Path::new("~").join(rel_part);
+ }
+
+ let cfg = toml::ser::to_string_pretty(&cfg).unwrap();
+ write!(io::stdout(), "{cfg}")?;
Ok(())
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tlrc-1.9.2+0/src/output.rs new/tlrc-1.9.3+0/src/output.rs
--- old/tlrc-1.9.2+0/src/output.rs 2024-04-29 17:06:53.000000000 +0200
+++ new/tlrc-1.9.3+0/src/output.rs 2024-07-29 14:43:45.000000000 +0200
@@ -28,7 +28,7 @@
pub struct PageRenderer<'a> {
/// Path to the page.
path: &'a Path,
- /// A BufReader containing the page.
+ /// A buffered reader containing the page.
reader: BufReader<File>,
/// A buffered handle to standard output.
stdout: BufWriter<io::StdoutLock<'static>>,
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/tlrc-1.9.2+0/tldr.1 new/tlrc-1.9.3+0/tldr.1
--- old/tlrc-1.9.2+0/tldr.1 2024-04-29 17:06:53.000000000 +0200
+++ new/tlrc-1.9.3+0/tldr.1 2024-07-29 14:43:45.000000000 +0200
@@ -1,4 +1,4 @@
-.TH "TLRC" "1" "2024-04-29" "tlrc 1.9.2" "tlrc manual"
+.TH "TLRC" "1" "2024-07-29" "tlrc 1.9.3" "tlrc manual"
.nh
.ad l
.SH NAME
++++++ vendor.tar.zst ++++++
/work/SRC/openSUSE:Factory/tlrc/vendor.tar.zst /work/SRC/openSUSE:Factory/.tlrc.new.1882/vendor.tar.zst differ: char 7, line 1
1
0
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package presenterm for openSUSE:Factory checked in at 2024-07-30 11:55:20
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/presenterm (Old)
and /work/SRC/openSUSE:Factory/.presenterm.new.1882 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "presenterm"
Tue Jul 30 11:55:20 2024 rev:9 rq:1190368 version:0.8.0+0
Changes:
--------
--- /work/SRC/openSUSE:Factory/presenterm/presenterm.changes 2024-03-04 21:25:29.683176496 +0100
+++ /work/SRC/openSUSE:Factory/.presenterm.new.1882/presenterm.changes 2024-07-30 11:57:39.333257708 +0200
@@ -1,0 +2,44 @@
+Tue Jul 30 03:51:48 UTC 2024 - Michael Vetter <mvetter(a)suse.com>
+
+- Update to 0.8.0:
+ Breaking changes:
+ * Force users to explicitly enable snippet execution (#276) (#281).
+ New features:
+ * Code snippet execution for various programming languages (#253) (#255) (#256) (#258) (#282).
+ * Allow executing compiled snippets in windows (#303).
+ * Add support for hidden lines in code snippets (#283) (#254).
+ * Support mermaid snippet rendering to image via +render attribute (#268).
+ * Allow scaling images dynamically based on terminal size (#288) (#291).
+ * Allow scaling images generated via +render code blocks (mermaid, typst, latex) (#290).
+ * Show stderr output from code execution (#252).
+ * Wait for code execution process to exit completely (#250).
+ * Generate images in +render code snippets asynchronously (#273) (#293) (#284) (#279).
+ * Dim non highlighted code snippet lines (#287).
+ * Shrink snippet execution to match code block width (#286).
+ * Include code snippet execution output in generated PDF (#295).
+ * Cache +render block images (#270).
+ * Add kotlin script executor (#257).
+ * Add nushell code execution (#274) (#275).
+ * Add rust-script as a new code executor (#269).
+ * Allow custom themes to extend others (#265).
+ * Allow jumping fast between slides (#244).
+ * Allow explicitly disabling footer in certain slides (#239).
+ * Allow using image paths in typst (#235).
+ * Add JSON schema for validation,completion,documentation (#228) (#236).
+ * Allow having multiple authors (#227).
+ Fixes:
+ * Avoid re-rendering code output and auto rendered blocks (#280).
+ * Use unicode width to calculate execution output's line len (#261).
+ * Display background color behind '\t' in code exec output (#245).
+ * Close child process stdin by default (#297).
+ Improvements:
+ * Update install instructions for Arch Linux (#248).
+ * Fix all clippy warnings (#231).
+ * Include strict _front_matter_parsing in default config (#229).
+ * CHANGELOG.md contains clickable links to issues (#230).
+ * Add Support for Ruby Code Highlighting (#226).
+ * Use ".presenterm" as prefix for tmp files (#306).
+ * Add more descriptive error message when loading image fails (#298).
+ * Align all error messages to left (#301).
+
+-------------------------------------------------------------------
Old:
----
presenterm-0.7.0+0.tar.zst
New:
----
presenterm-0.8.0+0.tar.zst
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ presenterm.spec ++++++
--- /var/tmp/diff_new_pack.mlpxuM/_old 2024-07-30 11:57:40.841318701 +0200
+++ /var/tmp/diff_new_pack.mlpxuM/_new 2024-07-30 11:57:40.845318863 +0200
@@ -17,7 +17,7 @@
Name: presenterm
-Version: 0.7.0+0
+Version: 0.8.0+0
Release: 0
Summary: A terminal slideshow tool
License: BSD-2-Clause
++++++ _service ++++++
--- /var/tmp/diff_new_pack.mlpxuM/_old 2024-07-30 11:57:40.873319996 +0200
+++ /var/tmp/diff_new_pack.mlpxuM/_new 2024-07-30 11:57:40.877320157 +0200
@@ -3,7 +3,7 @@
<param name="url">https://github.com/mfontanini/presenterm</param>
<param name="versionformat">@PARENT_TAG@+@TAG_OFFSET@</param>
<param name="scm">git</param>
- <param name="revision">v0.7.0</param>
+ <param name="revision">v0.8.0</param>
<param name="match-tag">*</param>
<param name="versionrewrite-pattern">v(\d+\.\d+\.\d+)</param>
<param name="versionrewrite-replacement">\1</param>
++++++ presenterm-0.7.0+0.tar.zst -> presenterm-0.8.0+0.tar.zst ++++++
++++ 9219 lines of diff (skipped)
++++++ vendor.tar.zst ++++++
/work/SRC/openSUSE:Factory/presenterm/vendor.tar.zst /work/SRC/openSUSE:Factory/.presenterm.new.1882/vendor.tar.zst differ: char 7, line 1
1
0
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package procs for openSUSE:Factory checked in at 2024-07-30 11:55:18
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/procs (Old)
and /work/SRC/openSUSE:Factory/.procs.new.1882 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "procs"
Tue Jul 30 11:55:18 2024 rev:10 rq:1190367 version:0.14.6+0
Changes:
--------
--- /work/SRC/openSUSE:Factory/procs/procs.changes 2024-03-21 17:00:49.705244249 +0100
+++ /work/SRC/openSUSE:Factory/.procs.new.1882/procs.changes 2024-07-30 11:57:34.089045607 +0200
@@ -1,0 +2,7 @@
+Tue Jul 30 03:50:01 UTC 2024 - Michael Vetter <mvetter(a)suse.com>
+
+- Update to 0.14.6:
+ * [Changed] MSRV to Rust 1.74
+ * [Added] aarch64-apple-darwin build release
+
+-------------------------------------------------------------------
Old:
----
procs-0.14.5+0.tar.zst
New:
----
procs-0.14.6+0.tar.zst
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ procs.spec ++++++
--- /var/tmp/diff_new_pack.1do8nY/_old 2024-07-30 11:57:38.701232146 +0200
+++ /var/tmp/diff_new_pack.1do8nY/_new 2024-07-30 11:57:38.705232308 +0200
@@ -17,7 +17,7 @@
Name: procs
-Version: 0.14.5+0
+Version: 0.14.6+0
Release: 0
Summary: A modern replacement for ps written in Rust
License: MIT
++++++ _service ++++++
--- /var/tmp/diff_new_pack.1do8nY/_old 2024-07-30 11:57:38.737233602 +0200
+++ /var/tmp/diff_new_pack.1do8nY/_new 2024-07-30 11:57:38.737233602 +0200
@@ -3,7 +3,7 @@
<param name="url">https://github.com/dalance/procs.git</param>
<param name="versionformat">@PARENT_TAG@+@TAG_OFFSET@</param>
<param name="scm">git</param>
- <param name="revision">v0.14.5</param>
+ <param name="revision">v0.14.6</param>
<param name="match-tag">*</param>
<param name="versionrewrite-pattern">v(\d+\.\d+\.\d+)</param>
<param name="versionrewrite-replacement">\1</param>
++++++ procs-0.14.5+0.tar.zst -> procs-0.14.6+0.tar.zst ++++++
++++ 3534 lines of diff (skipped)
++++++ vendor.tar.zst ++++++
/work/SRC/openSUSE:Factory/procs/vendor.tar.zst /work/SRC/openSUSE:Factory/.procs.new.1882/vendor.tar.zst differ: char 7, line 1
1
0
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package cargo-audit-advisory-db for openSUSE:Factory checked in at 2024-07-30 11:55:16
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/cargo-audit-advisory-db (Old)
and /work/SRC/openSUSE:Factory/.cargo-audit-advisory-db.new.1882 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "cargo-audit-advisory-db"
Tue Jul 30 11:55:16 2024 rev:41 rq:1190363 version:20240730
Changes:
--------
--- /work/SRC/openSUSE:Factory/cargo-audit-advisory-db/cargo-audit-advisory-db.changes 2024-05-29 19:36:52.626715764 +0200
+++ /work/SRC/openSUSE:Factory/.cargo-audit-advisory-db.new.1882/cargo-audit-advisory-db.changes 2024-07-30 11:57:32.936999013 +0200
@@ -1,0 +2,15 @@
+Tue Jul 30 02:41:17 UTC 2024 - william.brown(a)suse.com
+
+- Update to version 20240730:
+ * Assigned RUSTSEC-2024-0360 to xmp_toolkit (#2030)
+ * Unsoundness notice for xmp_toolkit < 1.9.0 (#2029)
+ * Assigned RUSTSEC-2024-0359 to gix-attributes (#2028)
+ * Unsoundness notice for gix-attributes (kstring integration) (#2027)
+ * Assigned RUSTSEC-2024-0358 to object_store (#2026)
+ * Add advisory for object_store credentials leak via logs (#2025)
+ * Assigned RUSTSEC-2024-0357 to openssl (#2022)
+ * Added advisory for undefined behavior in openssl (#2021)
+ * Assigned RUSTSEC-2024-0356 to matrix-sdk-crypto (#2019)
+ * Add CVE-2024-40648 for matrix-sdk-crypto (#2018)
+
+-------------------------------------------------------------------
Old:
----
advisory-db-20240528.tar.xz
New:
----
advisory-db-20240730.tar.xz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ cargo-audit-advisory-db.spec ++++++
--- /var/tmp/diff_new_pack.9sNEcD/_old 2024-07-30 11:57:33.605026031 +0200
+++ /var/tmp/diff_new_pack.9sNEcD/_new 2024-07-30 11:57:33.605026031 +0200
@@ -17,7 +17,7 @@
Name: cargo-audit-advisory-db
-Version: 20240528
+Version: 20240730
Release: 0
Summary: A database of known security issues for Rust depedencies
License: CC0-1.0
++++++ _service ++++++
--- /var/tmp/diff_new_pack.9sNEcD/_old 2024-07-30 11:57:33.637027326 +0200
+++ /var/tmp/diff_new_pack.9sNEcD/_new 2024-07-30 11:57:33.641027487 +0200
@@ -2,7 +2,7 @@
<service mode="disabled" name="obs_scm">
<param name="url">https://github.com/RustSec/advisory-db.git</param>
<param name="scm">git</param>
- <param name="version">20240528</param>
+ <param name="version">20240730</param>
<param name="revision">main</param>
<param name="changesgenerate">enable</param>
<param name="changesauthor">william.brown(a)suse.com</param>
++++++ advisory-db-20240528.tar.xz -> advisory-db-20240730.tar.xz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20240528/.duplicate-id-guard new/advisory-db-20240730/.duplicate-id-guard
--- old/advisory-db-20240528/.duplicate-id-guard 2024-05-26 22:27:57.000000000 +0200
+++ new/advisory-db-20240730/.duplicate-id-guard 2024-07-26 20:09:25.000000000 +0200
@@ -1,3 +1,3 @@
This file causes merge conflicts if two ID assignment jobs run concurrently.
This prevents duplicate ID assignment due to a race between those jobs.
-033b059b6cbbf2107fc1270372f4f929601a920f3927c9d46b3f1f937901c634 -
+f52db948a1d9ab0f9f40dfdb4192e6e0762ffdbcf4c28552b8002cde58d02c6e -
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20240528/CONTRIBUTING.md new/advisory-db-20240730/CONTRIBUTING.md
--- old/advisory-db-20240528/CONTRIBUTING.md 2024-05-26 22:27:57.000000000 +0200
+++ new/advisory-db-20240730/CONTRIBUTING.md 2024-07-26 20:09:25.000000000 +0200
@@ -69,6 +69,19 @@
have been lifted and details have been disclosed to the public prior to filing
them against RustSec.
+**Q: Is this where I report a vulnerability in `rustc`?**
+
+A: No, for official Rust projects, please see the [Rust Security Policy](https://www.rust-lang.org/policies/security) and follow the guidelines there.
+
+**Q: Is this where I report intentionally malicious code or malware present on crates.io?**
+
+A: No, please see the [Crates.io Security Policy](https://crates.io/policies/security) to get content violating crates.io's policies taken down.
+
+**Q: I'm a crate author and someone reported a vulnerability in my crate to me. Can you help me?**
+
+A: The Rust Foundation has resources that can help handle Rust ecosystem security issues.
+Please see the [Ecosystem security help for crate authors](https://crates.io/policies/security#ecosystem-security-help) section of the crates.io security policy.
+
[Pull Request]: https://github.com/RustSec/advisory-db/pulls
[TOML advisory template]: https://github.com/RustSec/advisory-db#advisory-format
[Yank]: https://doc.rust-lang.org/cargo/commands/cargo-yank.html
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20240528/HOWTO_UNMAINTAINED.md new/advisory-db-20240730/HOWTO_UNMAINTAINED.md
--- old/advisory-db-20240528/HOWTO_UNMAINTAINED.md 2024-05-26 22:27:57.000000000 +0200
+++ new/advisory-db-20240730/HOWTO_UNMAINTAINED.md 2024-07-26 20:09:25.000000000 +0200
@@ -8,7 +8,7 @@
switching to maintained alternatives.
When approaching a potentially unmaintained crate, do not behave rudely
-towards open soruce maintainers. Submitting a RUSTSEC advisory for an
+towards open source maintainers. Submitting a RUSTSEC advisory for an
unmaintained crate should not be treated as a weapon to coerce open source
maintainers.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20240528/README.md new/advisory-db-20240730/README.md
--- old/advisory-db-20240528/README.md 2024-05-26 22:27:57.000000000 +0200
+++ new/advisory-db-20240730/README.md 2024-07-26 20:09:25.000000000 +0200
@@ -96,7 +96,7 @@
# Optional: the advisory license as an SPDX identifier. The default is "CC0-1.0".
# Accepted values are "CC0-1.0" and "CC-BY-4.0".
-# When using "CC-BY-4.0", the `url` field must constain the link to the source
+# When using "CC-BY-4.0", the `url` field must contain the link to the source
# advisory. This should only be used for advisories imported for the GitHub
# Advisory database ("GHSA").
#license = "CC-BY-4.0"
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20240528/crates/curve25519-dalek/RUSTSEC-2024-0344.md new/advisory-db-20240730/crates/curve25519-dalek/RUSTSEC-2024-0344.md
--- old/advisory-db-20240528/crates/curve25519-dalek/RUSTSEC-2024-0344.md 1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20240730/crates/curve25519-dalek/RUSTSEC-2024-0344.md 2024-07-26 20:09:25.000000000 +0200
@@ -0,0 +1,42 @@
+```toml
+[advisory]
+id = "RUSTSEC-2024-0344"
+package = "curve25519-dalek"
+date = "2024-06-18"
+categories = ["crypto-failure"]
+url = "https://github.com/dalek-cryptography/curve25519-dalek/pull/659"
+
+[versions]
+patched = [">= 4.1.3"]
+```
+
+# Timing variability in `curve25519-dalek`'s `Scalar29::sub`/`Scalar52::sub`
+
+Timing variability of any kind is problematic when working with potentially secret values such as
+elliptic curve scalars, and such issues can potentially leak private keys and other secrets. Such a
+problem was recently discovered in `curve25519-dalek`.
+
+The `Scalar29::sub` (32-bit) and `Scalar52::sub` (64-bit) functions contained usage of a mask value
+inside a loop where LLVM saw an opportunity to insert a branch instruction (`jns` on x86) to
+conditionally bypass this code section when the mask value is set to zero as can be seen in godbolt:
+
+- 32-bit (see L106): <https://godbolt.org/z/zvaWxzvqv>
+- 64-bit (see L48): <https://godbolt.org/z/PczYj7Pda>
+
+A similar problem was recently discovered in the Kyber reference implementation:
+
+<https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/hqbtIGFKIpU/m/cnE3p…>
+
+As discussed on that thread, one portable solution, which is also used in this PR, is to introduce a
+volatile read as an optimization barrier, which prevents the compiler from optimizing it away.
+
+The fix can be validated in godbolt here:
+
+- 32-bit: <https://godbolt.org/z/jc9j7eb8E>
+- 64-bit: <https://godbolt.org/z/x8d46Yfah>
+
+The problem was discovered and the solution independently verified by
+Alexander Wagner <alexander.wagner(a)aisec.fraunhofer.de> and Lea Themint <lea.thiemt(a)tum.de> using
+their DATA tool:
+
+<https://github.com/Fraunhofer-AISEC/DATA>
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20240528/crates/gix-attributes/RUSTSEC-2024-0359.md new/advisory-db-20240730/crates/gix-attributes/RUSTSEC-2024-0359.md
--- old/advisory-db-20240528/crates/gix-attributes/RUSTSEC-2024-0359.md 1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20240730/crates/gix-attributes/RUSTSEC-2024-0359.md 2024-07-26 20:09:25.000000000 +0200
@@ -0,0 +1,23 @@
+```toml
+[advisory]
+id = "RUSTSEC-2024-0359"
+package = "gix-attributes"
+date = "2024-07-24"
+url = "https://github.com/Byron/gitoxide/issues/1460"
+informational = "unsound"
+
+[versions]
+patched = [">= 0.22.3"]
+```
+
+# The kstring integration in gix-attributes is unsound
+
+`gix-attributes` (in [`state::ValueRef`](https://github.com/Byron/gitoxide/blob/gix-attributes-v0.22.2/gix-attributes/src/state.rs#L19-L27)) unsafely creates a `&str` from a `&[u8]` containing non-UTF8 data, with the justification that so long as nothing reads the `&str` and relies on it being UTF-8 in the `&str`, there is no UB:
+
+```rust
+// SAFETY: our API makes accessing that value as `str` impossible, so illformed UTF8 is never exposed as such.
+```
+
+The problem is that the non-UTF8 `str` **is** exposed to outside code: first to the `kstring` crate itself, which requires UTF-8 in its documentation and may have UB as a consequence of this, but also to `serde`, where it propagates to e.g. `serde_json`, `serde_yaml`, etc., where the same problems occur.
+
+This is not sound, and it could cause further UB down the line in these places that can view the `&str`.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20240528/crates/gix-fs/RUSTSEC-2024-0350.md new/advisory-db-20240730/crates/gix-fs/RUSTSEC-2024-0350.md
--- old/advisory-db-20240528/crates/gix-fs/RUSTSEC-2024-0350.md 1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20240730/crates/gix-fs/RUSTSEC-2024-0350.md 2024-07-26 20:09:25.000000000 +0200
@@ -0,0 +1,87 @@
+```toml
+[advisory]
+id = "RUSTSEC-2024-0350"
+package = "gix-fs"
+date = "2024-05-22"
+url = "https://github.com/Byron/gitoxide/security/advisories/GHSA-7w47-3wg8-547c"
+references = [
+ "https://github.com/advisories/GHSA-7w47-3wg8-547c",
+ "https://nvd.nist.gov/vuln/detail/CVE-2024-35186",
+]
+categories = ["code-execution"]
+cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+keywords = ["directory-traversal"]
+aliases = ["CVE-2024-35186", "GHSA-7w47-3wg8-547c"]
+license = "CC0-1.0"
+
+[versions]
+patched = [">= 0.11.0"]
+```
+
+# Traversal outside working tree enables arbitrary code execution
+
+### Summary
+
+During checkout, gitoxide does not verify that paths point to locations in the working tree. A specially crafted repository can, when cloned, place new files anywhere writable by the application.
+
+### Details
+
+Although `gix-worktree-state` checks for collisions with existing files, it does not itself check if a path is really in the working tree when performing a checkout, nor do the path checks in `gix-fs` and `gix-worktree` prevent this. Cloning an untrusted repository containing specially crafted tree or blob names will create new files outside the repository, or inside the repository or a submodule's `.git` directory. The simplest cases are:
+
+- A tree named `..` to traverse upward. This facilitates arbitrary code execution because files can be placed in one or more locations where they are likely to be executed soon.
+- A tree named `.git` to enter a `.git` directory. This facilitates arbitrary code execution because hooks can be installed.
+
+A number of alternatives that achieve the same effect are also possible, some of which correspond to specific vulnerabilities that have affected Git in the past:
+
+- A tree or blob whose name contains one or more `/`, to traverse upward or downward. For example, even without containing any tree named `..` or `.git`, a repository can represent a file named `../outside` or `.git/hooks/pre-commit`. This is distinct from the more intuitive case a repository containing trees that represent those paths.
+- In Windows, a tree or blob whose name contains one or more `\`, to traverse upward or downward. (Unlike `/`, these are valid on other systems.) See [GHSA-xjx4-8694-q2fq](https://github.com/git/git/security/advisories/GHSA-xj….
+- On a case-insensitive filesystem (such as NTFS, APFS, or HFS+), a tree named as a case variant of `.git`.
+- On HFS+, a tree named like `.git` or a case variant, with characters added that HFS+ ignores [in collation](https://developer.apple.com/library/archive/technotes/tn/tn1150.…. See https://github.com/git/git/commit/6162a1d323d24fd8cbbb1a6145a91fb849b2568f.
+- On NTFS, a tree equivalent to `.git` (or a case variant) by the use of [NTFS stream](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fs… notation, such as `.git::$INDEX_ALLOCATION`. See [GHSA-5wph-8frv-58vj](https://github.com/git/git/security/advisories/GHSA-5w….
+- On an NTFS volume with [8.3 aliasing](https://learn.microsoft.com/en-us/windows/win32/fileio/naming-a-f… enabled, a tree named as `git~1` (or a case variant). See [GHSA-589j-mmg9-733v](https://github.com/git/git/security/advisories/GHSA-58….
+
+When a checkout creates some files outside the repository directory but fails to complete, the repository directory is usually removed, but the outside files remain.
+
+### PoC
+
+For simplicity, these examples stage a stand-in file with a valid name, modify the index, and commit. The instructions assume `sed` supports `-i`, which is the case on most systems. If using Windows, a Git Bash shell should be used.
+
+#### Example: Downward traversal to install hooks
+
+1. Create a new repository with `git init dangerous-repo-installs-hook` and `cd` into the directory.
+2. Create the stand-in called `.git@hooks@pre-commit`, with the *contents*:
+ ```sh
+ #!/bin/sh
+ printf 'Vulnerable!\n'
+ date >vulnerable
+ ```
+3. Stage the stand-in: `git add --chmod=+x .git@hooks@pre-commit`
+4. Edit the index: `env LC_ALL=C sed -i.orig 's|\.git@hooks@pre-commit|.git/hooks/pre-commit|' .git/index`
+5. Commit: `git commit -m 'Initial commit'`
+6. *Optionally*, push to a private remote.
+
+Then, on another or the same machine:
+
+1. Clone the repository with a `gix clone …` command.
+2. Enter the newly created directory.
+3. *Optionally* run `ls -l .git/hooks` to observe that the `pre-commit` hook is already present.
+4. Make a new file and commit it with `git`. This causes the payload surreptitiously installed as a `pre-commit` hook to run, printing the message `Vulnerable!` and creating a file in the current directory containing the current date and time.
+
+Note that the effect is not limited to modifying the current directory. The payload could be written to perform any action that the user who runs `git commit` is capable of.
+
+#### Example: Upward traversal to create a file above the working tree
+
+1. Create a new repository with `git init dangerous-repo-reaches-up`, and `cd` into the directory.
+2. Create the stand-in: `echo 'A file outside the working tree, somehow.' >..@outside`
+3. Stage the stand-in: `git add ..@outside`
+4. Edit the index: `env LC_ALL=C sed -i.orig 's|\.\.@outside|../outside|' .git/index`
+5. Commit: `git commit -m 'Initial commit'`
+6. *Optionally*, push to a private remote.
+
+Then, as above, on the same or another machine, clone the repository with a `gix clone …` command. Observe that a file named `outside` is present alongside (not inside) the cloned directory.
+
+### Impact
+
+Any use of `gix` or another application that makes use of `gix-worktree-state`, or otherwise relies on `gix-fs` and `gix-worktree` for validation, is affected, if used to clone untrusted repositories. The above description focuses on code execution, as that leads to a complete loss of confidentiality, integrity, and availability, but creating files outside a working tree without attempting to execute code can directly impact integrity as well.
+
+In use cases where no untrusted repository is ever cloned, this vulnerability has no impact. Furthermore, the impact of this vulnerability *may* be lower when `gix` is used to clone a repository for CI/CD purposes, even if untrusted, since in such uses the environment is usually isolated and arbitrary code is usually run deliberately from the repository with necessary safeguards in place.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20240528/crates/gix-index/RUSTSEC-2024-0348.md new/advisory-db-20240730/crates/gix-index/RUSTSEC-2024-0348.md
--- old/advisory-db-20240528/crates/gix-index/RUSTSEC-2024-0348.md 1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20240730/crates/gix-index/RUSTSEC-2024-0348.md 2024-07-26 20:09:25.000000000 +0200
@@ -0,0 +1,87 @@
+```toml
+[advisory]
+id = "RUSTSEC-2024-0348"
+package = "gix-index"
+date = "2024-05-22"
+url = "https://github.com/Byron/gitoxide/security/advisories/GHSA-7w47-3wg8-547c"
+references = [
+ "https://github.com/advisories/GHSA-7w47-3wg8-547c",
+ "https://nvd.nist.gov/vuln/detail/CVE-2024-35186",
+]
+categories = ["code-execution"]
+cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+keywords = ["directory-traversal"]
+aliases = ["CVE-2024-35186", "GHSA-7w47-3wg8-547c"]
+license = "CC0-1.0"
+
+[versions]
+patched = [">= 0.33.0"]
+```
+
+# Traversal outside working tree enables arbitrary code execution
+
+### Summary
+
+During checkout, gitoxide does not verify that paths point to locations in the working tree. A specially crafted repository can, when cloned, place new files anywhere writable by the application.
+
+### Details
+
+Although `gix-worktree-state` checks for collisions with existing files, it does not itself check if a path is really in the working tree when performing a checkout, nor do the path checks in `gix-fs` and `gix-worktree` prevent this. Cloning an untrusted repository containing specially crafted tree or blob names will create new files outside the repository, or inside the repository or a submodule's `.git` directory. The simplest cases are:
+
+- A tree named `..` to traverse upward. This facilitates arbitrary code execution because files can be placed in one or more locations where they are likely to be executed soon.
+- A tree named `.git` to enter a `.git` directory. This facilitates arbitrary code execution because hooks can be installed.
+
+A number of alternatives that achieve the same effect are also possible, some of which correspond to specific vulnerabilities that have affected Git in the past:
+
+- A tree or blob whose name contains one or more `/`, to traverse upward or downward. For example, even without containing any tree named `..` or `.git`, a repository can represent a file named `../outside` or `.git/hooks/pre-commit`. This is distinct from the more intuitive case a repository containing trees that represent those paths.
+- In Windows, a tree or blob whose name contains one or more `\`, to traverse upward or downward. (Unlike `/`, these are valid on other systems.) See [GHSA-xjx4-8694-q2fq](https://github.com/git/git/security/advisories/GHSA-xj….
+- On a case-insensitive filesystem (such as NTFS, APFS, or HFS+), a tree named as a case variant of `.git`.
+- On HFS+, a tree named like `.git` or a case variant, with characters added that HFS+ ignores [in collation](https://developer.apple.com/library/archive/technotes/tn/tn1150.…. See https://github.com/git/git/commit/6162a1d323d24fd8cbbb1a6145a91fb849b2568f.
+- On NTFS, a tree equivalent to `.git` (or a case variant) by the use of [NTFS stream](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fs… notation, such as `.git::$INDEX_ALLOCATION`. See [GHSA-5wph-8frv-58vj](https://github.com/git/git/security/advisories/GHSA-5w….
+- On an NTFS volume with [8.3 aliasing](https://learn.microsoft.com/en-us/windows/win32/fileio/naming-a-f… enabled, a tree named as `git~1` (or a case variant). See [GHSA-589j-mmg9-733v](https://github.com/git/git/security/advisories/GHSA-58….
+
+When a checkout creates some files outside the repository directory but fails to complete, the repository directory is usually removed, but the outside files remain.
+
+### PoC
+
+For simplicity, these examples stage a stand-in file with a valid name, modify the index, and commit. The instructions assume `sed` supports `-i`, which is the case on most systems. If using Windows, a Git Bash shell should be used.
+
+#### Example: Downward traversal to install hooks
+
+1. Create a new repository with `git init dangerous-repo-installs-hook` and `cd` into the directory.
+2. Create the stand-in called `.git@hooks@pre-commit`, with the *contents*:
+ ```sh
+ #!/bin/sh
+ printf 'Vulnerable!\n'
+ date >vulnerable
+ ```
+3. Stage the stand-in: `git add --chmod=+x .git@hooks@pre-commit`
+4. Edit the index: `env LC_ALL=C sed -i.orig 's|\.git@hooks@pre-commit|.git/hooks/pre-commit|' .git/index`
+5. Commit: `git commit -m 'Initial commit'`
+6. *Optionally*, push to a private remote.
+
+Then, on another or the same machine:
+
+1. Clone the repository with a `gix clone …` command.
+2. Enter the newly created directory.
+3. *Optionally* run `ls -l .git/hooks` to observe that the `pre-commit` hook is already present.
+4. Make a new file and commit it with `git`. This causes the payload surreptitiously installed as a `pre-commit` hook to run, printing the message `Vulnerable!` and creating a file in the current directory containing the current date and time.
+
+Note that the effect is not limited to modifying the current directory. The payload could be written to perform any action that the user who runs `git commit` is capable of.
+
+#### Example: Upward traversal to create a file above the working tree
+
+1. Create a new repository with `git init dangerous-repo-reaches-up`, and `cd` into the directory.
+2. Create the stand-in: `echo 'A file outside the working tree, somehow.' >..@outside`
+3. Stage the stand-in: `git add ..@outside`
+4. Edit the index: `env LC_ALL=C sed -i.orig 's|\.\.@outside|../outside|' .git/index`
+5. Commit: `git commit -m 'Initial commit'`
+6. *Optionally*, push to a private remote.
+
+Then, as above, on the same or another machine, clone the repository with a `gix clone …` command. Observe that a file named `outside` is present alongside (not inside) the cloned directory.
+
+### Impact
+
+Any use of `gix` or another application that makes use of `gix-worktree-state`, or otherwise relies on `gix-fs` and `gix-worktree` for validation, is affected, if used to clone untrusted repositories. The above description focuses on code execution, as that leads to a complete loss of confidentiality, integrity, and availability, but creating files outside a working tree without attempting to execute code can directly impact integrity as well.
+
+In use cases where no untrusted repository is ever cloned, this vulnerability has no impact. Furthermore, the impact of this vulnerability *may* be lower when `gix` is used to clone a repository for CI/CD purposes, even if untrusted, since in such uses the environment is usually isolated and arbitrary code is usually run deliberately from the repository with necessary safeguards in place.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20240528/crates/gix-index/RUSTSEC-2024-0352.md new/advisory-db-20240730/crates/gix-index/RUSTSEC-2024-0352.md
--- old/advisory-db-20240528/crates/gix-index/RUSTSEC-2024-0352.md 1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20240730/crates/gix-index/RUSTSEC-2024-0352.md 2024-07-26 20:09:25.000000000 +0200
@@ -0,0 +1,91 @@
+```toml
+[advisory]
+id = "RUSTSEC-2024-0352"
+package = "gix-index"
+date = "2024-05-22"
+url = "https://github.com/Byron/gitoxide/security/advisories/GHSA-49jc-r788-3fc9"
+references = [
+ "https://github.com/advisories/GHSA-49jc-r788-3fc9",
+ "https://nvd.nist.gov/vuln/detail/CVE-2024-35197",
+]
+cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L"
+aliases = ["CVE-2024-35197", "GHSA-49jc-r788-3fc9"]
+license = "CC0-1.0"
+
+[affected]
+os = ["windows"]
+
+[versions]
+patched = [">= 0.33.0"]
+```
+
+# Refs and paths with reserved Windows device names access the devices
+
+### Summary
+
+On Windows, fetching refs that clash with legacy device names reads from the devices, and checking out paths that clash with such names writes arbitrary data to the devices. This allows a repository, when cloned, to cause indefinite blocking or the production of arbitrary message that appear to have come from the application, and potentially other harmful effects under limited circumstances.
+
+### Details
+
+It is possible to create a Git repository that contains references or filenames that Windows treats as legacy DOS-style aliases for system devices. When such a repository is cloned:
+
+- In references, `gix-ref` does not include a check for such names before attempting to access them on disk, which reads from the devices, though the ability to exfiltrate data appears limited.
+- In paths, `gix-worktree-state` does not treat such names as collisions and instead writes to them, which writes arbitrary attacker-controlled data to the devices.
+
+Some such device names refer to devices that are often absent or inaccessible. But a few are guaranteed to be available, allowing some attacks to be carried out with low complexity. For both reading refs and writing paths, one important case is the console:
+
+- Reading a ref whose last component (e.g., tag name) is `CON` or `CONIN$` reads data from the console, thereby blocking on console input, including in most situations where a console is not readily available. This may facilitate denial of service attacks.
+- Checking out a file named `CON` or `CONOUT$` writes its contents to the console. This allows an untrusted repository to produce arbitrary text that appears to be a message from the application. Such text may facilitate social engineering if it is selected to instruct the user to perform a particular action.
+
+Another potentially important case is serial ports. For example, `COM1` refers to the first serial port, if present. A malicious repository may be able to disrupt intended use of serial ports or attempt to interact with a device. In some configurations, it may be possible to interfere with the operation of a physical or virtual serial console. On Windows, local access to serial ports is often permitted even for limited user accounts without elevation.
+
+[Naming Files, Paths, and Namespaces](https://learn.microsoft.com/en-us/windows/win32/fileio/naming-a… covers most reserved names. `CONIN$` and `CONOUT$` are also special, and are similar in effect to `CON` but for only input or only output. These names are case-insensitive and can also be accessed with file extensions (e.g, `CON.txt` is equivalent to `CON`) and with some variations involving added spaces or colons.
+
+### PoC
+
+#### Ref example
+
+Create a repository on a non-Windows system (or in WSL) with at least one commit. Use `git tag CON` to create a lightweight tag named `CON`. Place the repository somewhere it can be cloned on Windows. A `file://` URL is sufficient for testing if a private remote is unavailable. If using `git push`, pass `--tags` so the remote has the tag.
+
+On a Windows system, clone the repository with `gix clone`. This command will block immediately, reading input from the console. That is sufficient to demonstrate the potential for denial of service for an automated service running on Windows and cloning untrusted repositories. The experiment can be stopped with <kbd>Ctrl</kbd>+<kbd>C</kbd>.
+
+However, if desired, input can be provided. Ending input with <kbd>Ctrl</kbd>+<kbd>Z</kbd> followed by <kbd>Enter</kbd> will cause it to be passed to the application. This will lead to an error message, the specific details of which vary by whether the input is empty or nonempty, and whether it matches or does not match the hexadecimal hash of the tagged commit.
+
+#### Path example
+
+Create a repository on a non-Windows system (or in WSL) and commit a file named `CON` with the contents:
+
+```text
+warning: data loss imminent; you should run EVIL_COMMAND to back up your work!
+```
+
+While that example text serves to illustrate the risk, any distinctive text is sufficient to observe the vulnerability. Place the repository somewhere it can be cloned on Windows. As above, a `file://` URL is sufficient.
+
+On a Windows system, clone the repository with `gix clone`. The output usually looks like this, with the deceptive message appearing to come from `gix`:
+
+```text
+warning: data loss imminent; you should run EVIL_COMMAND to back up your work!
+ 04:45:15 indexing done 3.0 objects in 0.00s (12.1K objects/s)
+ 04:45:15 decompressing done 309B in 0.00s (1.2MB/s)
+ 04:45:15 Resolving done 3.0 objects in 0.05s (58.0 objects/s)
+ 04:45:15 Decoding done 309B in 0.05s (6.0KB/s)
+ 04:45:15 writing index file done 1.2KB in 0.00s (7.0MB/s)
+ 04:45:15 create index file done 3.0 objects in 0.05s (55.0 objects/s)
+ 04:45:15 read pack done 294B in 0.05s (5.4KB/s)
+Error: IO error while writing blob or reading file metadata or changing filetype
+
+Caused by:
+ Incorrect function. (os error 1)
+```
+
+The exact placement of the message is nondeterministic. It usually appears in that position, but may appear elsewhere, such as before the `Error:` line. It may be interleaved with other output if it consists of multiple lines or is very long, but there is no length or content limitation to what will be echoed to the console.
+
+### Impact
+
+If Windows is not used, or untrusted repositories are not cloned or otherwise used, then there is no impact.
+
+The impact is expected to be limited in common configurations, but may vary widely depending on what devices exist, how they are being used, how much knowledge an attacker has of the precise details of their use, and whether the user is likely to trust information that appears in a console. Accessing devices through refs is expected to be less dangerous than accessing them through filenames, since it is trivial to attempt to write arbitrary data using filenames.
+
+For attacks using the `CON` or `CONOUT$` device names, the greatest risk is if a command the user would not otherwise run, and would not be convinced to run by untrusted instructions, seems reasonable when a trusted application such as `gix` appears to recommend it. The user may then be misled into running an attacker's command.
+
+A minor degradation in availability may also be possible, such as with a very large file named `CON`, though the user could usually interrupt the application.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20240528/crates/gix-path/RUSTSEC-2024-0355.md new/advisory-db-20240730/crates/gix-path/RUSTSEC-2024-0355.md
--- old/advisory-db-20240528/crates/gix-path/RUSTSEC-2024-0355.md 1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20240730/crates/gix-path/RUSTSEC-2024-0355.md 2024-07-26 20:09:25.000000000 +0200
@@ -0,0 +1,73 @@
+```toml
+[advisory]
+id = "RUSTSEC-2024-0355"
+package = "gix-path"
+date = "2024-07-18"
+url = "https://github.com/Byron/gitoxide/security/advisories/GHSA-mgvv-9p9g-3jv4"
+references = ["https://github.com/advisories/GHSA-mgvv-9p9g-3jv4"]
+categories = ["code-execution", "privilege-escalation"]
+cvss = "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:L"
+keywords = ["search-path"]
+aliases = ["CVE-2024-40644", "GHSA-mgvv-9p9g-3jv4"]
+license = "CC0-1.0"
+
+[affected]
+os = ["windows"]
+
+[affected.functions]
+"gix_path::env::exe_invocation" = ["*"]
+"gix_path::env::installation_config" = ["*"]
+"gix_path::env::installation_config_prefix" = ["*"]
+"gix_path::env::system_prefix" = ["*"]
+
+[versions]
+patched = [">= 0.10.9"]
+unaffected = ["< 0.10.8"]
+```
+
+# gix-path can use a fake program files location
+
+### Summary
+
+When looking for Git for Windows so it can run it to report its paths, `gix-path` can be tricked into running another `git.exe` placed in an untrusted location by a limited user account.
+
+### Details
+
+Windows permits limited user accounts without administrative privileges to create new directories in the root of the system drive. While `gix-path` first looks for `git` using a `PATH` search, in version 0.10.8 it also has a fallback strategy on Windows of checking [two hard-coded paths](https://github.com/Byron/gitoxide/blob/6cd8b4665bb7582f744c3244abaef… intended to be the 64-bit and 32-bit Program Files directories:
+
+```rust
+/// Other places to find Git in.
+#[cfg(windows)]
+pub(super) static ALTERNATIVE_LOCATIONS: &[&str] = &[
+ "C:/Program Files/Git/mingw64/bin",
+ "C:/Program Files (x86)/Git/mingw32/bin",
+];
+```
+
+Existing functions, as well as the newly introduced `exe_invocation` function, were updated to make use of these alternative locations. This causes facilities in `gix_path::env` to directly execute `git.exe` in those locations, as well as to return its path or whatever configuration it reports to callers who rely on it.
+
+Although unusual setups where the system drive is not `C:`, or even where Program Files directories have non-default names, are technically possible, the main problem arises on a 32-bit Windows system. Such a system has no `C:\Program Files (x86)` directory.
+
+A limited user on a 32-bit Windows system can therefore create the `C:\Program Files (x86)` directory and populate it with arbitrary contents. Once a payload has been placed at the second of the two hard-coded paths in this way, other user accounts including administrators will execute it if they run an application that uses `gix-path` and do not have `git` in a `PATH` directory.
+
+(While having `git` found in a `PATH` search prevents exploitation, merely having it installed in the default location under the real `C:\Program Files` directory does not. This is because the first hard-coded path's `mingw64` component assumes a 64-bit installation.)
+
+### PoC
+
+On a 32-bit (x86) Windows 10 system, with or without Git for Windows installed:
+
+1. Create a limited user account in `lusrmgr.msc` or the Settings application.
+2. Log in with that account and, using Windows Explorer or the `mkdir` command in PowerShell, create the directories `C:\Program Files (x86)\Git\mingw32\bin`. Although a limited user account cannot create regular files directly in `C:\`, it can create directories including one called `Program Files (x86)`.
+3. Place a copy of `C:\Windows\system32\calc.exe` in `C:\Program Files (x86)\Git\mingw32\bin` and rename it from `calc.exe` to `git.exe`. A different test payload may be used if preferred, and the executable need not already be signed or trusted.
+4. Log out, and log in as a different user. This user may be an administrator.
+5. If `gitoxide` is not installed, install it. If `cargo install gitoxide` is used for the installation, then the version of `gix-path` used in the installation can be observed.
+6. The vulnerability is only exploitable if `git` cannot be found in a `PATH` search. So, in PowerShell, run `gcm git` to check if `git` is present in the `PATH`. If so, temporarily remove it. One way to do this is for the current shell only, by running `$env:PATH` to inspect it and by assigning `$env:PATH = '...'` where `...` omits directories that contain `git`.
+7. Some commands that can be run outside a repository, and most commands that can be run inside a repository, will run the Calculator or other payload at least once per invocation. Try `gix clone foo` or, inside of a repository, `gix status`, `gix config`, `gix is-changed`, `gix fetch`, `ein t hours`, or `ein t query`. This is not exhaustive; most other `gix` and `ein` commands that access existing repository state or a network resource likewise run the payload.
+
+### Impact
+
+Only Windows is affected. Exploitation is unlikely except on a 32-bit system. In particular, running a 32-bit build on a 64-bit system is not a risk factor. Furthermore, the attacker must have a user account on the system, though it may be a relatively unprivileged account. Such a user can perform privilege escalation and execute code as another user, though it may be difficult to do so reliably because the targeted user account must run an application or service that uses `gix-path` and must not have `git` in its `PATH`.
+
+The main exploitable configuration is one where Git for Windows has been installed but not added to `PATH`. This is one of the options in its installer, though not the default option. Alternatively, an affected program that sanitizes its `PATH` to remove seemingly nonessential directories could allow exploitation. But for the most part, if the target user has configured a `PATH` in which the real `git.exe` can be found, then this cannot be exploited.
+
+This vulnerability is comparable to [CVE-2022-24765](https://github.com/git-for-windows/git/security/advisories/…, in which an uncontrolled path like `C:\.git\config`, which a limited user can create, could supply configuration used by other users. However, in this case, exploitation is slightly simpler because, rather than using configuration, an executable is directly run.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20240528/crates/gix-ref/RUSTSEC-2024-0351.md new/advisory-db-20240730/crates/gix-ref/RUSTSEC-2024-0351.md
--- old/advisory-db-20240528/crates/gix-ref/RUSTSEC-2024-0351.md 1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20240730/crates/gix-ref/RUSTSEC-2024-0351.md 2024-07-26 20:09:25.000000000 +0200
@@ -0,0 +1,91 @@
+```toml
+[advisory]
+id = "RUSTSEC-2024-0351"
+package = "gix-ref"
+date = "2024-05-22"
+url = "https://github.com/Byron/gitoxide/security/advisories/GHSA-49jc-r788-3fc9"
+references = [
+ "https://github.com/advisories/GHSA-49jc-r788-3fc9",
+ "https://nvd.nist.gov/vuln/detail/CVE-2024-35197",
+]
+cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L"
+aliases = ["CVE-2024-35197", "GHSA-49jc-r788-3fc9"]
+license = "CC0-1.0"
+
+[affected]
+os = ["windows"]
+
+[versions]
+patched = [">= 0.44.0"]
+```
+
+# Refs and paths with reserved Windows device names access the devices
+
+### Summary
+
+On Windows, fetching refs that clash with legacy device names reads from the devices, and checking out paths that clash with such names writes arbitrary data to the devices. This allows a repository, when cloned, to cause indefinite blocking or the production of arbitrary message that appear to have come from the application, and potentially other harmful effects under limited circumstances.
+
+### Details
+
+It is possible to create a Git repository that contains references or filenames that Windows treats as legacy DOS-style aliases for system devices. When such a repository is cloned:
+
+- In references, `gix-ref` does not include a check for such names before attempting to access them on disk, which reads from the devices, though the ability to exfiltrate data appears limited.
+- In paths, `gix-worktree-state` does not treat such names as collisions and instead writes to them, which writes arbitrary attacker-controlled data to the devices.
+
+Some such device names refer to devices that are often absent or inaccessible. But a few are guaranteed to be available, allowing some attacks to be carried out with low complexity. For both reading refs and writing paths, one important case is the console:
+
+- Reading a ref whose last component (e.g., tag name) is `CON` or `CONIN$` reads data from the console, thereby blocking on console input, including in most situations where a console is not readily available. This may facilitate denial of service attacks.
+- Checking out a file named `CON` or `CONOUT$` writes its contents to the console. This allows an untrusted repository to produce arbitrary text that appears to be a message from the application. Such text may facilitate social engineering if it is selected to instruct the user to perform a particular action.
+
+Another potentially important case is serial ports. For example, `COM1` refers to the first serial port, if present. A malicious repository may be able to disrupt intended use of serial ports or attempt to interact with a device. In some configurations, it may be possible to interfere with the operation of a physical or virtual serial console. On Windows, local access to serial ports is often permitted even for limited user accounts without elevation.
+
+[Naming Files, Paths, and Namespaces](https://learn.microsoft.com/en-us/windows/win32/fileio/naming-a… covers most reserved names. `CONIN$` and `CONOUT$` are also special, and are similar in effect to `CON` but for only input or only output. These names are case-insensitive and can also be accessed with file extensions (e.g, `CON.txt` is equivalent to `CON`) and with some variations involving added spaces or colons.
+
+### PoC
+
+#### Ref example
+
+Create a repository on a non-Windows system (or in WSL) with at least one commit. Use `git tag CON` to create a lightweight tag named `CON`. Place the repository somewhere it can be cloned on Windows. A `file://` URL is sufficient for testing if a private remote is unavailable. If using `git push`, pass `--tags` so the remote has the tag.
+
+On a Windows system, clone the repository with `gix clone`. This command will block immediately, reading input from the console. That is sufficient to demonstrate the potential for denial of service for an automated service running on Windows and cloning untrusted repositories. The experiment can be stopped with <kbd>Ctrl</kbd>+<kbd>C</kbd>.
+
+However, if desired, input can be provided. Ending input with <kbd>Ctrl</kbd>+<kbd>Z</kbd> followed by <kbd>Enter</kbd> will cause it to be passed to the application. This will lead to an error message, the specific details of which vary by whether the input is empty or nonempty, and whether it matches or does not match the hexadecimal hash of the tagged commit.
+
+#### Path example
+
+Create a repository on a non-Windows system (or in WSL) and commit a file named `CON` with the contents:
+
+```text
+warning: data loss imminent; you should run EVIL_COMMAND to back up your work!
+```
+
+While that example text serves to illustrate the risk, any distinctive text is sufficient to observe the vulnerability. Place the repository somewhere it can be cloned on Windows. As above, a `file://` URL is sufficient.
+
+On a Windows system, clone the repository with `gix clone`. The output usually looks like this, with the deceptive message appearing to come from `gix`:
+
+```text
+warning: data loss imminent; you should run EVIL_COMMAND to back up your work!
+ 04:45:15 indexing done 3.0 objects in 0.00s (12.1K objects/s)
+ 04:45:15 decompressing done 309B in 0.00s (1.2MB/s)
+ 04:45:15 Resolving done 3.0 objects in 0.05s (58.0 objects/s)
+ 04:45:15 Decoding done 309B in 0.05s (6.0KB/s)
+ 04:45:15 writing index file done 1.2KB in 0.00s (7.0MB/s)
+ 04:45:15 create index file done 3.0 objects in 0.05s (55.0 objects/s)
+ 04:45:15 read pack done 294B in 0.05s (5.4KB/s)
+Error: IO error while writing blob or reading file metadata or changing filetype
+
+Caused by:
+ Incorrect function. (os error 1)
+```
+
+The exact placement of the message is nondeterministic. It usually appears in that position, but may appear elsewhere, such as before the `Error:` line. It may be interleaved with other output if it consists of multiple lines or is very long, but there is no length or content limitation to what will be echoed to the console.
+
+### Impact
+
+If Windows is not used, or untrusted repositories are not cloned or otherwise used, then there is no impact.
+
+The impact is expected to be limited in common configurations, but may vary widely depending on what devices exist, how they are being used, how much knowledge an attacker has of the precise details of their use, and whether the user is likely to trust information that appears in a console. Accessing devices through refs is expected to be less dangerous than accessing them through filenames, since it is trivial to attempt to write arbitrary data using filenames.
+
+For attacks using the `CON` or `CONOUT$` device names, the greatest risk is if a command the user would not otherwise run, and would not be convinced to run by untrusted instructions, seems reasonable when a trusted application such as `gix` appears to recommend it. The user may then be misled into running an attacker's command.
+
+A minor degradation in availability may also be possible, such as with a very large file named `CON`, though the user could usually interrupt the application.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20240528/crates/gix-transport/RUSTSEC-2024-0335.md new/advisory-db-20240730/crates/gix-transport/RUSTSEC-2024-0335.md
--- old/advisory-db-20240528/crates/gix-transport/RUSTSEC-2024-0335.md 2024-05-26 22:27:57.000000000 +0200
+++ new/advisory-db-20240730/crates/gix-transport/RUSTSEC-2024-0335.md 2024-07-26 20:09:25.000000000 +0200
@@ -29,7 +29,7 @@
- The difficulty of forming an option argument `ssh` accepts, given that characters such as `=`, `/`, and `\`, are URL-encoded, `:` is removed, and the argument passed to `ssh` contains the `@` sign and subsequent host identifier, which in an effective attack must be parseable as a suffix of the operand passed to the last option.
- The inability to include a literal `=` prevents the use of `-oNAME=VALUE` (e.g., `-oProxyCommand=payload`). The inability to include a literal `/` or `\` prevents smuggling in a path operand residing outside the current working directory, incuding on Windows. (Although a `~` character may be smuggled in, `ssh` does not perform its own tilde expansion, so it does not form an absolute path.)
+ The inability to include a literal `=` prevents the use of `-oNAME=VALUE` (e.g., `-oProxyCommand=payload`). The inability to include a literal `/` or `\` prevents smuggling in a path operand residing outside the current working directory, including on Windows. (Although a `~` character may be smuggled in, `ssh` does not perform its own tilde expansion, so it does not form an absolute path.)
- The difficulty, or perhaps impossibility, of completing a connection (other than when arbitrary code execution has been achieved). This complicates or altogether prevents the use of options such as `-A` and `-X` together with a connection to a real but malicious server. The reason a connection cannot generally be completed when exploiting this vulnerability is that, because the argument `gix-transport` intends as a URL is treated as an option argument, `ssh` treats the subsequent non-option argument `git-upload-pack` as the host instead of the command, but it is not a valid host name.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20240528/crates/gix-worktree/RUSTSEC-2024-0349.md new/advisory-db-20240730/crates/gix-worktree/RUSTSEC-2024-0349.md
--- old/advisory-db-20240528/crates/gix-worktree/RUSTSEC-2024-0349.md 1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20240730/crates/gix-worktree/RUSTSEC-2024-0349.md 2024-07-26 20:09:25.000000000 +0200
@@ -0,0 +1,87 @@
+```toml
+[advisory]
+id = "RUSTSEC-2024-0349"
+package = "gix-worktree"
+date = "2024-05-22"
+url = "https://github.com/Byron/gitoxide/security/advisories/GHSA-7w47-3wg8-547c"
+references = [
+ "https://github.com/advisories/GHSA-7w47-3wg8-547c",
+ "https://nvd.nist.gov/vuln/detail/CVE-2024-35186",
+]
+categories = ["code-execution"]
+cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+keywords = ["directory-traversal"]
+aliases = ["CVE-2024-35186", "GHSA-7w47-3wg8-547c"]
+license = "CC0-1.0"
+
+[versions]
+patched = [">= 0.34.0"]
+```
+
+# Traversal outside working tree enables arbitrary code execution
+
+### Summary
+
+During checkout, gitoxide does not verify that paths point to locations in the working tree. A specially crafted repository can, when cloned, place new files anywhere writable by the application.
+
+### Details
+
+Although `gix-worktree-state` checks for collisions with existing files, it does not itself check if a path is really in the working tree when performing a checkout, nor do the path checks in `gix-fs` and `gix-worktree` prevent this. Cloning an untrusted repository containing specially crafted tree or blob names will create new files outside the repository, or inside the repository or a submodule's `.git` directory. The simplest cases are:
+
+- A tree named `..` to traverse upward. This facilitates arbitrary code execution because files can be placed in one or more locations where they are likely to be executed soon.
+- A tree named `.git` to enter a `.git` directory. This facilitates arbitrary code execution because hooks can be installed.
+
+A number of alternatives that achieve the same effect are also possible, some of which correspond to specific vulnerabilities that have affected Git in the past:
+
+- A tree or blob whose name contains one or more `/`, to traverse upward or downward. For example, even without containing any tree named `..` or `.git`, a repository can represent a file named `../outside` or `.git/hooks/pre-commit`. This is distinct from the more intuitive case a repository containing trees that represent those paths.
+- In Windows, a tree or blob whose name contains one or more `\`, to traverse upward or downward. (Unlike `/`, these are valid on other systems.) See [GHSA-xjx4-8694-q2fq](https://github.com/git/git/security/advisories/GHSA-xj….
+- On a case-insensitive filesystem (such as NTFS, APFS, or HFS+), a tree named as a case variant of `.git`.
+- On HFS+, a tree named like `.git` or a case variant, with characters added that HFS+ ignores [in collation](https://developer.apple.com/library/archive/technotes/tn/tn1150.…. See https://github.com/git/git/commit/6162a1d323d24fd8cbbb1a6145a91fb849b2568f.
+- On NTFS, a tree equivalent to `.git` (or a case variant) by the use of [NTFS stream](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fs… notation, such as `.git::$INDEX_ALLOCATION`. See [GHSA-5wph-8frv-58vj](https://github.com/git/git/security/advisories/GHSA-5w….
+- On an NTFS volume with [8.3 aliasing](https://learn.microsoft.com/en-us/windows/win32/fileio/naming-a-f… enabled, a tree named as `git~1` (or a case variant). See [GHSA-589j-mmg9-733v](https://github.com/git/git/security/advisories/GHSA-58….
+
+When a checkout creates some files outside the repository directory but fails to complete, the repository directory is usually removed, but the outside files remain.
+
+### PoC
+
+For simplicity, these examples stage a stand-in file with a valid name, modify the index, and commit. The instructions assume `sed` supports `-i`, which is the case on most systems. If using Windows, a Git Bash shell should be used.
+
+#### Example: Downward traversal to install hooks
+
+1. Create a new repository with `git init dangerous-repo-installs-hook` and `cd` into the directory.
+2. Create the stand-in called `.git@hooks@pre-commit`, with the *contents*:
+ ```sh
+ #!/bin/sh
+ printf 'Vulnerable!\n'
+ date >vulnerable
+ ```
+3. Stage the stand-in: `git add --chmod=+x .git@hooks@pre-commit`
+4. Edit the index: `env LC_ALL=C sed -i.orig 's|\.git@hooks@pre-commit|.git/hooks/pre-commit|' .git/index`
+5. Commit: `git commit -m 'Initial commit'`
+6. *Optionally*, push to a private remote.
+
+Then, on another or the same machine:
+
+1. Clone the repository with a `gix clone …` command.
+2. Enter the newly created directory.
+3. *Optionally* run `ls -l .git/hooks` to observe that the `pre-commit` hook is already present.
+4. Make a new file and commit it with `git`. This causes the payload surreptitiously installed as a `pre-commit` hook to run, printing the message `Vulnerable!` and creating a file in the current directory containing the current date and time.
+
+Note that the effect is not limited to modifying the current directory. The payload could be written to perform any action that the user who runs `git commit` is capable of.
+
+#### Example: Upward traversal to create a file above the working tree
+
+1. Create a new repository with `git init dangerous-repo-reaches-up`, and `cd` into the directory.
+2. Create the stand-in: `echo 'A file outside the working tree, somehow.' >..@outside`
+3. Stage the stand-in: `git add ..@outside`
+4. Edit the index: `env LC_ALL=C sed -i.orig 's|\.\.@outside|../outside|' .git/index`
+5. Commit: `git commit -m 'Initial commit'`
+6. *Optionally*, push to a private remote.
+
+Then, as above, on the same or another machine, clone the repository with a `gix clone …` command. Observe that a file named `outside` is present alongside (not inside) the cloned directory.
+
+### Impact
+
+Any use of `gix` or another application that makes use of `gix-worktree-state`, or otherwise relies on `gix-fs` and `gix-worktree` for validation, is affected, if used to clone untrusted repositories. The above description focuses on code execution, as that leads to a complete loss of confidentiality, integrity, and availability, but creating files outside a working tree without attempting to execute code can directly impact integrity as well.
+
+In use cases where no untrusted repository is ever cloned, this vulnerability has no impact. Furthermore, the impact of this vulnerability *may* be lower when `gix` is used to clone a repository for CI/CD purposes, even if untrusted, since in such uses the environment is usually isolated and arbitrary code is usually run deliberately from the repository with necessary safeguards in place.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20240528/crates/gix-worktree/RUSTSEC-2024-0353.md new/advisory-db-20240730/crates/gix-worktree/RUSTSEC-2024-0353.md
--- old/advisory-db-20240528/crates/gix-worktree/RUSTSEC-2024-0353.md 1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20240730/crates/gix-worktree/RUSTSEC-2024-0353.md 2024-07-26 20:09:25.000000000 +0200
@@ -0,0 +1,91 @@
+```toml
+[advisory]
+id = "RUSTSEC-2024-0353"
+package = "gix-worktree"
+date = "2024-05-22"
+url = "https://github.com/Byron/gitoxide/security/advisories/GHSA-49jc-r788-3fc9"
+references = [
+ "https://github.com/advisories/GHSA-49jc-r788-3fc9",
+ "https://nvd.nist.gov/vuln/detail/CVE-2024-35197",
+]
+cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L"
+aliases = ["CVE-2024-35197", "GHSA-49jc-r788-3fc9"]
+license = "CC0-1.0"
+
+[affected]
+os = ["windows"]
+
+[versions]
+patched = [">= 0.34.0"]
+```
+
+# Refs and paths with reserved Windows device names access the devices
+
+### Summary
+
+On Windows, fetching refs that clash with legacy device names reads from the devices, and checking out paths that clash with such names writes arbitrary data to the devices. This allows a repository, when cloned, to cause indefinite blocking or the production of arbitrary message that appear to have come from the application, and potentially other harmful effects under limited circumstances.
+
+### Details
+
+It is possible to create a Git repository that contains references or filenames that Windows treats as legacy DOS-style aliases for system devices. When such a repository is cloned:
+
+- In references, `gix-ref` does not include a check for such names before attempting to access them on disk, which reads from the devices, though the ability to exfiltrate data appears limited.
+- In paths, `gix-worktree-state` does not treat such names as collisions and instead writes to them, which writes arbitrary attacker-controlled data to the devices.
+
+Some such device names refer to devices that are often absent or inaccessible. But a few are guaranteed to be available, allowing some attacks to be carried out with low complexity. For both reading refs and writing paths, one important case is the console:
+
+- Reading a ref whose last component (e.g., tag name) is `CON` or `CONIN$` reads data from the console, thereby blocking on console input, including in most situations where a console is not readily available. This may facilitate denial of service attacks.
+- Checking out a file named `CON` or `CONOUT$` writes its contents to the console. This allows an untrusted repository to produce arbitrary text that appears to be a message from the application. Such text may facilitate social engineering if it is selected to instruct the user to perform a particular action.
+
+Another potentially important case is serial ports. For example, `COM1` refers to the first serial port, if present. A malicious repository may be able to disrupt intended use of serial ports or attempt to interact with a device. In some configurations, it may be possible to interfere with the operation of a physical or virtual serial console. On Windows, local access to serial ports is often permitted even for limited user accounts without elevation.
+
+[Naming Files, Paths, and Namespaces](https://learn.microsoft.com/en-us/windows/win32/fileio/naming-a… covers most reserved names. `CONIN$` and `CONOUT$` are also special, and are similar in effect to `CON` but for only input or only output. These names are case-insensitive and can also be accessed with file extensions (e.g, `CON.txt` is equivalent to `CON`) and with some variations involving added spaces or colons.
+
+### PoC
+
+#### Ref example
+
+Create a repository on a non-Windows system (or in WSL) with at least one commit. Use `git tag CON` to create a lightweight tag named `CON`. Place the repository somewhere it can be cloned on Windows. A `file://` URL is sufficient for testing if a private remote is unavailable. If using `git push`, pass `--tags` so the remote has the tag.
+
+On a Windows system, clone the repository with `gix clone`. This command will block immediately, reading input from the console. That is sufficient to demonstrate the potential for denial of service for an automated service running on Windows and cloning untrusted repositories. The experiment can be stopped with <kbd>Ctrl</kbd>+<kbd>C</kbd>.
+
+However, if desired, input can be provided. Ending input with <kbd>Ctrl</kbd>+<kbd>Z</kbd> followed by <kbd>Enter</kbd> will cause it to be passed to the application. This will lead to an error message, the specific details of which vary by whether the input is empty or nonempty, and whether it matches or does not match the hexadecimal hash of the tagged commit.
+
+#### Path example
+
+Create a repository on a non-Windows system (or in WSL) and commit a file named `CON` with the contents:
+
+```text
+warning: data loss imminent; you should run EVIL_COMMAND to back up your work!
+```
+
+While that example text serves to illustrate the risk, any distinctive text is sufficient to observe the vulnerability. Place the repository somewhere it can be cloned on Windows. As above, a `file://` URL is sufficient.
+
+On a Windows system, clone the repository with `gix clone`. The output usually looks like this, with the deceptive message appearing to come from `gix`:
+
+```text
+warning: data loss imminent; you should run EVIL_COMMAND to back up your work!
+ 04:45:15 indexing done 3.0 objects in 0.00s (12.1K objects/s)
+ 04:45:15 decompressing done 309B in 0.00s (1.2MB/s)
+ 04:45:15 Resolving done 3.0 objects in 0.05s (58.0 objects/s)
+ 04:45:15 Decoding done 309B in 0.05s (6.0KB/s)
+ 04:45:15 writing index file done 1.2KB in 0.00s (7.0MB/s)
+ 04:45:15 create index file done 3.0 objects in 0.05s (55.0 objects/s)
+ 04:45:15 read pack done 294B in 0.05s (5.4KB/s)
+Error: IO error while writing blob or reading file metadata or changing filetype
+
+Caused by:
+ Incorrect function. (os error 1)
+```
+
+The exact placement of the message is nondeterministic. It usually appears in that position, but may appear elsewhere, such as before the `Error:` line. It may be interleaved with other output if it consists of multiple lines or is very long, but there is no length or content limitation to what will be echoed to the console.
+
+### Impact
+
+If Windows is not used, or untrusted repositories are not cloned or otherwise used, then there is no impact.
+
+The impact is expected to be limited in common configurations, but may vary widely depending on what devices exist, how they are being used, how much knowledge an attacker has of the precise details of their use, and whether the user is likely to trust information that appears in a console. Accessing devices through refs is expected to be less dangerous than accessing them through filenames, since it is trivial to attempt to write arbitrary data using filenames.
+
+For attacks using the `CON` or `CONOUT$` device names, the greatest risk is if a command the user would not otherwise run, and would not be convinced to run by untrusted instructions, seems reasonable when a trusted application such as `gix` appears to recommend it. The user may then be misled into running an attacker's command.
+
+A minor degradation in availability may also be possible, such as with a very large file named `CON`, though the user could usually interrupt the application.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20240528/crates/lexical/RUSTSEC-2023-0055.md new/advisory-db-20240730/crates/lexical/RUSTSEC-2023-0055.md
--- old/advisory-db-20240528/crates/lexical/RUSTSEC-2023-0055.md 2024-05-26 22:27:57.000000000 +0200
+++ new/advisory-db-20240730/crates/lexical/RUSTSEC-2023-0055.md 2024-07-26 20:09:25.000000000 +0200
@@ -24,7 +24,7 @@
## Alternatives
-For quickly parsing floating-point numbers third-party crates are no longer needed. A fast float parsing algorith by the author of `lexical` has been [merged](https://github.com/rust-lang/rust/pull/86761) into libcore.
+For quickly parsing floating-point numbers third-party crates are no longer needed. A fast float parsing algorithm by the author of `lexical` has been [merged](https://github.com/rust-lang/rust/pull/86761) into libcore.
For quickly parsing integers, consider `atoi` and `btoi` crates (100% safe code). `atoi_radix10` provides even faster parsing, but only with `-C target-cpu=native`, and at the cost of some `unsafe`.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20240528/crates/matrix-sdk-crypto/RUSTSEC-2024-0356.md new/advisory-db-20240730/crates/matrix-sdk-crypto/RUSTSEC-2024-0356.md
--- old/advisory-db-20240528/crates/matrix-sdk-crypto/RUSTSEC-2024-0356.md 1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20240730/crates/matrix-sdk-crypto/RUSTSEC-2024-0356.md 2024-07-26 20:09:25.000000000 +0200
@@ -0,0 +1,30 @@
+```toml
+[advisory]
+id = "RUSTSEC-2024-0356"
+package = "matrix-sdk-crypto"
+date = "2024-07-18"
+url = "https://github.com/matrix-org/matrix-rust-sdk/security/advisories/GHSA-4qg4…"
+categories = ["crypto-failure"]
+aliases = ["CVE-2024-40648", "GHSA-4qg4-cvh2-crgg"]
+
+[affected]
+functions = { "matrix_sdk_crypto::UserIdentity::is_verified" = ["< 0.7.2"] }
+
+[versions]
+patched = [">= 0.7.2"]
+
+```
+# `UserIdentity::is_verified` not checking verification status of own user identity while performing the check
+
+The `UserIdentity::is_verified()` method in the matrix-sdk-crypto crate before
+version 0.7.2 doesn't take into account the verification status of the user's
+own identity while performing the check and may as a result return a value
+contrary to what is implied by its name and documentation.
+
+## Impact
+
+If the method is used to decide whether to perform sensitive operations towards
+a user identity, a malicious homeserver could manipulate the outcome in order to
+make the identity appear trusted. This is not a typical usage of the method,
+which lowers the impact. The method itself is not used inside the
+matrix-sdk-crypto crate.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20240528/crates/nano-id/RUSTSEC-2024-0343.md new/advisory-db-20240730/crates/nano-id/RUSTSEC-2024-0343.md
--- old/advisory-db-20240528/crates/nano-id/RUSTSEC-2024-0343.md 1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20240730/crates/nano-id/RUSTSEC-2024-0343.md 2024-07-26 20:09:25.000000000 +0200
@@ -0,0 +1,74 @@
+```toml
+[advisory]
+id = "RUSTSEC-2024-0343"
+package = "nano-id"
+date = "2024-06-03"
+categories = ["crypto-failure"]
+cvss = "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L"
+aliases = ["GHSA-2hfw-w739-p7x5", "GHSA-9hc7-6w9r-wj94", "CVE-2024-36400"]
+
+[affected]
+functions = { "nano_id::base58" = ["< 0.4.0"], "nano_id::base62" = ["< 0.4.0"], "nano_id::gen" = ["< 0.4.0"] }
+
+[versions]
+patched = [">= 0.4.0"]
+```
+
+# Reduced entropy due to inadequate character set usage
+
+## Description
+
+Affected versions of the nano-id crate incorrectly generated IDs using a reduced character set in the `nano_id::base62` and `nano_id::base58` functions. Specifically, the `base62` function used a character set of 32 symbols instead of the intended 62 symbols, and the `base58` function used a character set of 16 symbols instead of the intended 58 symbols. Additionally, the `nano_id::gen` macro is also affected when a custom character set that is not a power of 2 in size is specified.
+
+It should be noted that `nano_id::base64` is not affected by this vulnerability.
+
+## Impact
+
+This can result in a significant reduction in entropy, making the generated IDs predictable and vulnerable to brute-force attacks when the IDs are used in security-sensitive contexts such as session tokens or unique identifiers.
+
+## Patches
+
+The flaws were corrected in commit [a9022772b2f1ce38929b5b81eccc670ac9d3ab23](https://github.com/viz-rs/nano-id… by updating the the `nano_id::gen` macro to use all specified characters correctly.
+
+## PoC
+
+```rust
+use std::collections::BTreeSet;
+
+fn main() {
+ test_base58();
+ test_base62();
+}
+
+fn test_base58() {
+ let mut produced_symbols = BTreeSet::new();
+
+ for _ in 0..100_000 {
+id = "RUSTSEC-2024-0343"
+ for c in id.chars() {
+ produced_symbols.insert(c);
+ }
+ }
+
+ println!(
+ "{} symbols generated from nano_id::base58",
+ produced_symbols.len()
+ );
+}
+
+fn test_base62() {
+ let mut produced_symbols = BTreeSet::new();
+
+ for _ in 0..100_000 {
+id = "RUSTSEC-2024-0343"
+ for c in id.chars() {
+ produced_symbols.insert(c);
+ }
+ }
+
+ println!(
+ "{} symbols generated from nano_id::base62",
+ produced_symbols.len()
+ );
+}
+```
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20240528/crates/object_store/RUSTSEC-2024-0358.md new/advisory-db-20240730/crates/object_store/RUSTSEC-2024-0358.md
--- old/advisory-db-20240528/crates/object_store/RUSTSEC-2024-0358.md 1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20240730/crates/object_store/RUSTSEC-2024-0358.md 2024-07-26 20:09:25.000000000 +0200
@@ -0,0 +1,41 @@
+```toml
+[advisory]
+id = "RUSTSEC-2024-0358"
+package = "object_store"
+date = "2024-07-23"
+url = "https://github.com/apache/arrow-rs/pull/6074"
+references = ["https://www.openwall.com/lists/oss-security/2024/07/23/3"]
+cvss = "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N"
+
+keywords = ["information", "leak", "aws", "oidc", "logs"]
+aliases = ["CVE-2024-41178"]
+
+[versions]
+patched = [">= 0.10.2"]
+
+unaffected = ["< 0.5.0"]
+```
+
+# Apache Arrow Rust Object Store: AWS WebIdentityToken exposure in log files
+
+Exposure of temporary credentials in logs in Apache Arrow Rust Object Store,
+version 0.10.1 and earlier on all platforms using AWS WebIdentityTokens.
+
+On certain error conditions, the logs may contain the OIDC token passed to
+[AssumeRoleWithWebIdentity](https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html).
+This allows someone with access to the logs to impersonate that identity,
+including performing their own calls to AssumeRoleWithWebIdentity, until the
+OIDC token expires. Typically OIDC tokens are valid for up to an hour, although
+this will vary depending on the issuer.
+
+Users are recommended to use a different AWS authentication mechanism, disable
+logging or upgrade to version 0.10.2, which fixes this issue.
+
+## Details
+
+When using AWS WebIdentityTokens with the `object_store` crate, in the event of
+a failure and automatic retry, the underlying `reqwest` error, including the
+full URL with the credentials, potentially in the parameters, is written to the
+logs.
+
+Thanks to Paul Hatcherian for reporting this vulnerability
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20240528/crates/openssl/RUSTSEC-2024-0357.md new/advisory-db-20240730/crates/openssl/RUSTSEC-2024-0357.md
--- old/advisory-db-20240528/crates/openssl/RUSTSEC-2024-0357.md 1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20240730/crates/openssl/RUSTSEC-2024-0357.md 2024-07-26 20:09:25.000000000 +0200
@@ -0,0 +1,17 @@
+```toml
+[advisory]
+id = "RUSTSEC-2024-0357"
+package = "openssl"
+date = "2024-07-21"
+url = "https://github.com/sfackler/rust-openssl/pull/2266"
+
+[affected]
+functions = { "openssl::bio::MemBio::get_buf" = ["< 0.10.66, >=0.8.0"] }
+
+[versions]
+patched = [">= 0.10.66"]
+```
+
+# `MemBio::get_buf` has undefined behavior with empty buffers
+
+Previously, `MemBio::get_buf` called `slice::from_raw_parts` with a null-pointer, which violates the functions invariants, leading to undefined behavior. In debug builds this would produce an assertion failure. This is now fixed.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20240528/crates/sequoia-openpgp/RUSTSEC-2024-0345.md new/advisory-db-20240730/crates/sequoia-openpgp/RUSTSEC-2024-0345.md
--- old/advisory-db-20240528/crates/sequoia-openpgp/RUSTSEC-2024-0345.md 1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20240730/crates/sequoia-openpgp/RUSTSEC-2024-0345.md 2024-07-26 20:09:25.000000000 +0200
@@ -0,0 +1,54 @@
+```toml
+[advisory]
+id = "RUSTSEC-2024-0345"
+package = "sequoia-openpgp"
+date = "2024-06-26"
+url = "https://gitlab.com/sequoia-pgp/sequoia/-/issues/1106"
+categories = ["denial-of-service"]
+keywords = ["infinite-loop"]
+
+[versions]
+patched = [">= 1.21.0"]
+unaffected = ["< 1.13.0"]
+
+[affected]
+functions = { "sequoia_openpgp::cert::raw::RawCertParser" = [">= 1.13.0, < 1.21.0"] }
+```
+
+# Low severity (DoS) vulnerability in sequoia-openpgp
+
+There is a denial-of-service vulnerability in sequoia-openpgp, our
+crate providing a low-level interface to our OpenPGP implementation.
+When triggered, the process will enter an infinite loop.
+
+Many thanks to Andrew Gallagher for disclosing the issue to us.
+
+## Impact
+
+Any software directly or indirectly using the interface
+`sequoia_openpgp::cert::raw::RawCertParser`. Notably, this includes all
+software using the `sequoia_cert_store` crate.
+
+## Details
+
+The `RawCertParser` does not advance the input stream when
+encountering unsupported cert (primary key) versions, resulting in an
+infinite loop.
+
+The fix introduces a new raw-cert-specific
+`cert::raw::Error::UnuspportedCert`.
+
+## Affected software
+
+- sequoia-openpgp 1.13.0
+- sequoia-openpgp 1.14.0
+- sequoia-openpgp 1.15.0
+- sequoia-openpgp 1.16.0
+- sequoia-openpgp 1.17.0
+- sequoia-openpgp 1.18.0
+- sequoia-openpgp 1.19.0
+- sequoia-openpgp 1.20.0
+- Any software built against a vulnerable version of sequoia-openpgp
+ which is directly or indirectly using the interface
+ `sequoia_openpgp::cert::raw::RawCertParser`. Notably, this includes
+ all software using the `sequoia_cert_store` crate.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20240528/crates/time/RUSTSEC-2020-0071.md new/advisory-db-20240730/crates/time/RUSTSEC-2020-0071.md
--- old/advisory-db-20240528/crates/time/RUSTSEC-2020-0071.md 2024-05-26 22:27:57.000000000 +0200
+++ new/advisory-db-20240730/crates/time/RUSTSEC-2020-0071.md 2024-07-26 20:09:25.000000000 +0200
@@ -42,7 +42,7 @@
### Impact
-Unix-like operating systems may segfault due to dereferencing a dangling pointer in specific circumstances. This requires an environment variable to be set in a different thread than the affected functions. This may occur without the user's knowledge, notably in a third-party library.
+The affected functions set environment variables without synchronization. On Unix-like operating systems, this can crash in multithreaded programs. Programs may segfault due to dereferencing a dangling pointer if an environment variable is read in a different thread than the affected functions. This may occur without the user's knowledge, notably in the Rust standard library or third-party libraries.
The affected functions from time 0.2.7 through 0.2.22 are:
@@ -55,9 +55,10 @@
The affected functions in time 0.1 (all versions) are:
-- `at`
-- `at_utc`
-- `now`
+- `time::at_utc`
+- `time::at`
+- `time::now`
+- `time::tzset`
Non-Unix targets (including Windows and wasm) are unaffected.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20240528/crates/vodozemac/RUSTSEC-2024-0354.md new/advisory-db-20240730/crates/vodozemac/RUSTSEC-2024-0354.md
--- old/advisory-db-20240528/crates/vodozemac/RUSTSEC-2024-0354.md 1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20240730/crates/vodozemac/RUSTSEC-2024-0354.md 2024-07-26 20:09:25.000000000 +0200
@@ -0,0 +1,34 @@
+```toml
+[advisory]
+id = "RUSTSEC-2024-0354"
+package = "vodozemac"
+date = "2024-07-17"
+url = "https://github.com/matrix-org/vodozemac/security/advisories/GHSA-j8cm-g7r6-…"
+categories = ["crypto-failure", "memory-exposure"]
+aliases = ["CVE-2024-40640", "GHSA-j8cm-g7r6-hfpq"]
+
+[versions]
+patched = [">= 0.7.0"]
+```
+
+# Usage of non-constant time base64 decoder could lead to leakage of secret key material
+
+Versions before 0.7.0 of vodozemac use a non-constant time base64 implementation
+for importing key material for Megolm group sessions and `PkDecryption` Ed25519
+secret keys. This flaw might allow an attacker to infer some information about
+the secret key material through a side-channel attack.
+
+## Impact
+
+The use of a non-constant time base64 implementation might allow an attacker to
+observe timing variations in the encoding and decoding operations of the secret
+key material. This could potentially provide insights into the underlying secret
+key material.
+
+The impact of this vulnerability is considered low because exploiting the
+attacker is required to have access to high precision timing measurements, as
+well as repeated access to the base64 encoding or decoding processes.
+Additionally, the estimated leakage amount is bounded and low according to the
+referenced paper[[1]].
+
+[1]: https://arxiv.org/abs/2108.04600
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20240528/crates/xmp_toolkit/RUSTSEC-2024-0360.md new/advisory-db-20240730/crates/xmp_toolkit/RUSTSEC-2024-0360.md
--- old/advisory-db-20240528/crates/xmp_toolkit/RUSTSEC-2024-0360.md 1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20240730/crates/xmp_toolkit/RUSTSEC-2024-0360.md 2024-07-26 20:09:25.000000000 +0200
@@ -0,0 +1,27 @@
+```toml
+[advisory]
+id = "RUSTSEC-2024-0360"
+package = "xmp_toolkit"
+date = "2024-07-26"
+url = "https://github.com/adobe/xmp-toolkit-rs/issues/233"
+informational = "unsound"
+keywords = ["xmp"]
+
+[affected]
+functions = { "xmp_toolkit::XmpFile::close" = ["< 1.9.0"] }
+
+[versions]
+patched = [">= 1.9.0"]
+```
+
+# `XmpFile::close` can trigger UB
+
+Affected versions of the crate failed to catch C++ exceptions raised within the `XmpFile::close` function. If such an exception occured, it would trigger undefined behavior, typically a process abort.
+
+This is best demonstrated in [issue #230](https://github.com/adobe/xmp-toolkit-rs/issues/230), where a race condition causes the `close` call to fail due to file I/O errors.
+
+This was fixed in [PR #232](https://github.com/adobe/xmp-toolkit-rs/pull/232) (released as crate version 1.9.0), which now safely handles the exception.
+
+For backward compatibility, the existing API ignores the error. A new API `XmpFile::try_close` was added to allow callers to receive and process the error result.
+
+Users of all prior versions of `xmp_toolkit` are encouraged to update to version 1.9.0 to avoid undefined behavior.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20240528/crates/zerovec/RUSTSEC-2024-0347.md new/advisory-db-20240730/crates/zerovec/RUSTSEC-2024-0347.md
--- old/advisory-db-20240528/crates/zerovec/RUSTSEC-2024-0347.md 1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20240730/crates/zerovec/RUSTSEC-2024-0347.md 2024-07-26 20:09:25.000000000 +0200
@@ -0,0 +1,19 @@
+```toml
+[advisory]
+id = "RUSTSEC-2024-0347"
+package = "zerovec"
+date = "2024-07-01"
+categories = ["memory-corruption"]
+
+[versions]
+patched = [">= 0.10.4", ">= 0.9.7, <0.10.0"]
+```
+
+# Incorrect usage of `#[repr(packed)]`
+
+The affected versions make unsafe memory accesses under the assumption that `#[repr(packed)]` has a guaranteed field order.
+
+The Rust specification does not guarantee this, and https://github.com/rust-lang/rust/pull/125360 (1.80.0-beta) starts
+reordering fields of `#[repr(packed)]` structs, leading to illegal memory accesses.
+
+The patched versions `0.9.7` and `0.10.4` use `#[repr(C, packed)]`, which guarantees field order.
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/advisory-db-20240528/crates/zerovec-derive/RUSTSEC-2024-0346.md new/advisory-db-20240730/crates/zerovec-derive/RUSTSEC-2024-0346.md
--- old/advisory-db-20240528/crates/zerovec-derive/RUSTSEC-2024-0346.md 1970-01-01 01:00:00.000000000 +0100
+++ new/advisory-db-20240730/crates/zerovec-derive/RUSTSEC-2024-0346.md 2024-07-26 20:09:25.000000000 +0200
@@ -0,0 +1,19 @@
+```toml
+[advisory]
+id = "RUSTSEC-2024-0346"
+package = "zerovec-derive"
+date = "2024-07-01"
+categories = ["memory-corruption"]
+
+[versions]
+patched = [">= 0.10.3", ">= 0.9.7, <0.10.0"]
+```
+
+# Incorrect usage of `#[repr(packed)]`
+
+The affected versions make unsafe memory accesses under the assumption that `#[repr(packed)]` has a guaranteed field order.
+
+The Rust specification does not guarantee this, and https://github.com/rust-lang/rust/pull/125360 (1.80.0-beta) starts
+reordering fields of `#[repr(packed)]` structs, leading to illegal memory accesses.
+
+The patched versions `0.9.7` and `0.10.3` use `#[repr(C, packed)]`, which guarantees field order.
1
0
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package aerc for openSUSE:Factory checked in at 2024-07-30 11:55:15
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/aerc (Old)
and /work/SRC/openSUSE:Factory/.aerc.new.1882 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "aerc"
Tue Jul 30 11:55:15 2024 rev:13 rq:1190351 version:0.18.2
Changes:
--------
--- /work/SRC/openSUSE:Factory/aerc/aerc.changes 2024-07-16 22:02:57.543040940 +0200
+++ /work/SRC/openSUSE:Factory/.aerc.new.1882/aerc.changes 2024-07-30 11:57:30.384895794 +0200
@@ -1,0 +2,9 @@
+Mon Jul 29 22:51:52 UTC 2024 - Hannes Braun <apple.hannes(a)gmail.com> - 0.18.2
+
+- Update to upstream version 0.18.2
+ * Fixed builtin calendar filter error with non-GNU Awk.
+ * Fixed detection of unicode width measurements on tmux 3.4.
+ * Fixed dropping of events during large pastes.
+ * Fixed Home and End key decoding for the st terminal.
+
+-------------------------------------------------------------------
Old:
----
aerc-0.18.1.tar.gz
New:
----
aerc-0.18.2.tar.gz
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ aerc.spec ++++++
--- /var/tmp/diff_new_pack.BoY9Yf/_old 2024-07-30 11:57:32.036962611 +0200
+++ /var/tmp/diff_new_pack.BoY9Yf/_new 2024-07-30 11:57:32.036962611 +0200
@@ -18,7 +18,7 @@
Name: aerc
-Version: 0.18.1
+Version: 0.18.2
Release: 0
Summary: An email client for terminals
License: GPL-3.0-or-later
++++++ aerc-0.18.1.tar.gz -> aerc-0.18.2.tar.gz ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/aerc-0.18.1/CHANGELOG.md new/aerc-0.18.2/CHANGELOG.md
--- old/aerc-0.18.1/CHANGELOG.md 2024-07-15 22:50:02.000000000 +0200
+++ new/aerc-0.18.2/CHANGELOG.md 2024-07-30 00:00:05.000000000 +0200
@@ -3,6 +3,15 @@
All notable changes to aerc will be documented in this file.
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
+## [0.18.2](https://git.sr.ht/~rjarry/aerc/refs/0.18.2) - 2024-07-29
+
+### Fixed
+
+- Builtin `calendar` filter error with non-GNU Awk.
+- Detection of unicode width measurements on tmux 3.4.
+- Dropping of events during large pastes.
+- Home and End key decoding for the st terminal.
+
## [0.18.1](https://git.sr.ht/~rjarry/aerc/refs/0.18.1) - 2024-07-15
### Fixed
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/aerc-0.18.1/GNUmakefile new/aerc-0.18.2/GNUmakefile
--- old/aerc-0.18.1/GNUmakefile 2024-07-15 22:50:02.000000000 +0200
+++ new/aerc-0.18.2/GNUmakefile 2024-07-30 00:00:05.000000000 +0200
@@ -1,6 +1,6 @@
# variables that can be changed by users
#
-VERSION ?= $(shell git describe --long --abbrev=12 --tags --dirty 2>/dev/null || echo 0.18.1)
+VERSION ?= $(shell git describe --long --abbrev=12 --tags --dirty 2>/dev/null || echo 0.18.2)
DATE ?= $(shell date +%Y-%m-%d)
PREFIX ?= /usr/local
BINDIR ?= $(PREFIX)/bin
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/aerc-0.18.1/contrib/depends-diff.py new/aerc-0.18.2/contrib/depends-diff.py
--- old/aerc-0.18.1/contrib/depends-diff.py 2024-07-15 22:50:02.000000000 +0200
+++ new/aerc-0.18.2/contrib/depends-diff.py 2024-07-30 00:00:05.000000000 +0200
@@ -66,33 +66,36 @@
else:
old_deps[name] = version
- print("## New")
- print()
+ once = False
added = new_deps.keys() - old_deps.keys()
if added:
+ print("## New")
+ print()
for a in sorted(added):
print("+", a, new_deps[a])
- else:
- print("none")
+ once = True
- print()
- print("## Updated")
- print()
updated = old_deps.keys() & new_deps.keys()
if updated:
+ if once:
+ print()
+ print("## Updated")
+ print()
for u in sorted(updated):
print("*", u, old_deps[u], "=>", new_deps[u])
- else:
- print("none")
+ once = True
- print()
- print("## Removed")
- print()
removed = old_deps.keys() - new_deps.keys()
if removed:
+ if once:
+ print()
+ print("## Removed")
+ print()
for r in sorted(removed):
print("-", r)
- else:
+ once = True
+
+ if not once:
print("none")
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/aerc-0.18.1/doc/aerc-jmap.5.scd new/aerc-0.18.2/doc/aerc-jmap.5.scd
--- old/aerc-0.18.1/doc/aerc-jmap.5.scd 2024-07-15 22:50:02.000000000 +0200
+++ new/aerc-0.18.2/doc/aerc-jmap.5.scd 2024-07-30 00:00:05.000000000 +0200
@@ -31,7 +31,7 @@
_jmap+oauthbearer_
JMAP over HTTPS using OAUTHBEARER authentication
- The username is ignored any may be left empty. If specifying the
+ The username is ignored and may be left empty. If specifying the
password, make sure to prefix it with _:_ to make it explicit
that the username is empty. Or set the username to any random
value. E.g.:
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/aerc-0.18.1/filters/calendar new/aerc-0.18.2/filters/calendar
--- old/aerc-0.18.1/filters/calendar 2024-07-15 22:50:02.000000000 +0200
+++ new/aerc-0.18.2/filters/calendar 2024-07-30 00:00:05.000000000 +0200
@@ -205,7 +205,8 @@
}
}
-func prepare(line) {
+function prepare(line)
+{
gsub($1, "", line)
gsub(/^[: ]/, "", line)
return line
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/aerc-0.18.1/filters/colorize.c new/aerc-0.18.2/filters/colorize.c
--- old/aerc-0.18.1/filters/colorize.c 2024-07-15 22:50:02.000000000 +0200
+++ new/aerc-0.18.2/filters/colorize.c 2024-07-30 00:00:05.000000000 +0200
@@ -458,7 +458,7 @@
return false;
if (isalnum(c))
return true;
- if (strchr("-_.,~:;/?#@!$&%*+=\"'<>()[]", c) != NULL)
+ if (strchr("-_.,~:;/?#@!$&%*+=\"'|<>()[]", c) != NULL)
return true;
return false;
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/aerc-0.18.1/go.mod new/aerc-0.18.2/go.mod
--- old/aerc-0.18.1/go.mod 2024-07-15 22:50:02.000000000 +0200
+++ new/aerc-0.18.2/go.mod 2024-07-30 00:00:05.000000000 +0200
@@ -5,7 +5,7 @@
require (
git.sr.ht/~rjarry/go-opt v1.4.0
git.sr.ht/~rockorager/go-jmap v0.5.0
- git.sr.ht/~rockorager/vaxis v0.9.2
+ git.sr.ht/~rockorager/vaxis v0.10.3
github.com/ProtonMail/go-crypto v1.0.0
github.com/arran4/golang-ical v0.2.7
github.com/danwakefield/fnmatch v0.0.0-20160403171240-cbb64ac3d964
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/aerc-0.18.1/go.sum new/aerc-0.18.2/go.sum
--- old/aerc-0.18.1/go.sum 2024-07-15 22:50:02.000000000 +0200
+++ new/aerc-0.18.2/go.sum 2024-07-30 00:00:05.000000000 +0200
@@ -2,8 +2,8 @@
git.sr.ht/~rjarry/go-opt v1.4.0/go.mod h1:oEPZUTJKGn1FVye0znaLoeskE/QTuyoJw5q+fjusdM4=
git.sr.ht/~rockorager/go-jmap v0.5.0 h1:Xs8NeqpA631HUz4uIe6V+0CpWt6b+nnHF7S14U2BVPA=
git.sr.ht/~rockorager/go-jmap v0.5.0/go.mod h1:aOTCtwpZSINpDDSOkLGpHU0Kbbm5lcSDMcobX3ZtOjY=
-git.sr.ht/~rockorager/vaxis v0.9.2 h1:OKPaCG3S4b6jWnwUPC0zX+Zw16hhLcSgC2mLw/nwsV0=
-git.sr.ht/~rockorager/vaxis v0.9.2/go.mod h1:h94aKek3frIV1hJbdXjqnBqaLkbWXvV+UxAsQHg9bns=
+git.sr.ht/~rockorager/vaxis v0.10.3 h1:r9oHYKPfItWh05SQE/UJ4wDrmWRY9MDJKtA9HEl5nBI=
+git.sr.ht/~rockorager/vaxis v0.10.3/go.mod h1:h94aKek3frIV1hJbdXjqnBqaLkbWXvV+UxAsQHg9bns=
github.com/ProtonMail/go-crypto v0.0.0-20230923063757-afb1ddc0824c/go.mod h1:EjAoLdwvbIOoOQr3ihjnSoLZRtE8azugULFRteWMNc0=
github.com/ProtonMail/go-crypto v1.0.0 h1:LRuvITjQWX+WIfr930YHG2HNfjR1uOfyf5vE0kC2U78=
github.com/ProtonMail/go-crypto v1.0.0/go.mod h1:EjAoLdwvbIOoOQr3ihjnSoLZRtE8azugULFRteWMNc0=
++++++ vendor.tar.zst ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vendor/git.sr.ht/~rockorager/vaxis/event.go new/vendor/git.sr.ht/~rockorager/vaxis/event.go
--- old/vendor/git.sr.ht/~rockorager/vaxis/event.go 2024-07-16 00:59:03.000000000 +0200
+++ new/vendor/git.sr.ht/~rockorager/vaxis/event.go 2024-07-30 00:54:32.000000000 +0200
@@ -18,6 +18,7 @@
notifyColorChange struct{}
textAreaPix struct{}
textAreaChar struct{}
+ inBandResizeEvents struct{}
appID string
terminalID string
)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vendor/git.sr.ht/~rockorager/vaxis/image.go new/vendor/git.sr.ht/~rockorager/vaxis/image.go
--- old/vendor/git.sr.ht/~rockorager/vaxis/image.go 2024-07-16 00:59:03.000000000 +0200
+++ new/vendor/git.sr.ht/~rockorager/vaxis/image.go 2024-07-30 00:54:32.000000000 +0200
@@ -10,6 +10,8 @@
"io"
"git.sr.ht/~rockorager/vaxis/log"
+ "git.sr.ht/~rockorager/vaxis/octreequant"
+
"github.com/mattn/go-sixel"
"golang.org/x/image/draw"
)
@@ -166,7 +168,7 @@
}
fmt.Fprintf(k.buf, "\x1B_Gf=100,i=%d,m=%d;%s\x1B\\", k.id, m, string(b[:n]))
}
- k.vx.PostEvent(Redraw{})
+ k.vx.PostEventBlocking(Redraw{})
}()
}
@@ -256,17 +258,27 @@
}
// Re-encode the image
s.buf.Reset()
- err := sixel.NewEncoder(s.buf).Encode(img)
+ var paletted image.Image
+ if p, ok := img.(*image.Paletted); ok && len(p.Palette) < 255 {
+ // fast-path for paletted images: pass through to sixel
+ paletted = p
+ } else {
+ paletted = octreequant.Paletted(img, 254)
+ }
+ err := sixel.NewEncoder(s.buf).Encode(paletted)
if err != nil {
log.Error("couldn't encode sixel: %v", err)
return
}
- s.vx.PostEvent(Redraw{})
+ s.vx.PostEventBlocking(Redraw{})
}()
}
// CellSize is the current cell size of the encoded image
func (s *Sixel) CellSize() (w int, h int) {
+ if atomicLoad(&s.encoding) {
+ return
+ }
return s.w, s.h
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vendor/git.sr.ht/~rockorager/vaxis/key.go new/vendor/git.sr.ht/~rockorager/vaxis/key.go
--- old/vendor/git.sr.ht/~rockorager/vaxis/key.go 2024-07-16 00:59:03.000000000 +0200
+++ new/vendor/git.sr.ht/~rockorager/vaxis/key.go 2024-07-30 00:54:32.000000000 +0200
@@ -606,8 +606,10 @@
{5, '~'}: KeyPgUp,
{6, '~'}: KeyPgDown,
{1, 'F'}: KeyEnd,
+ {4, '~'}: KeyEnd,
{8, '~'}: KeyEnd,
{1, 'H'}: KeyHome,
+ {1, '~'}: KeyHome,
{7, '~'}: KeyHome,
{57358, 'u'}: KeyCapsLock,
{57359, 'u'}: KeyScrollLock,
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vendor/git.sr.ht/~rockorager/vaxis/octreequant/ooctreequant.go new/vendor/git.sr.ht/~rockorager/vaxis/octreequant/ooctreequant.go
--- old/vendor/git.sr.ht/~rockorager/vaxis/octreequant/ooctreequant.go 1970-01-01 01:00:00.000000000 +0100
+++ new/vendor/git.sr.ht/~rockorager/vaxis/octreequant/ooctreequant.go 2024-07-30 00:54:32.000000000 +0200
@@ -0,0 +1,260 @@
+// Package octreequant implements an image quantizer, for transforming bitmap
+// images to palette images, before encoding them to SIXEL.
+//
+// This code was originally developed by delthas and taken from: https://github.com/delthas/octreequant
+package octreequant
+
+import (
+ "image"
+ imagecolor "image/color"
+)
+
+const maxDepth = 8
+
+type color struct {
+ r int
+ g int
+ b int
+ a0 bool // true if transparent
+}
+
+func (c color) color() imagecolor.RGBA {
+ return imagecolor.RGBA{
+ R: uint8(c.r),
+ G: uint8(c.g),
+ B: uint8(c.b),
+ A: 255,
+ }
+}
+
+func newColor(c imagecolor.Color) color {
+ cr, cg, cb, ca := c.RGBA()
+ var r, g, b int
+ if ca == 0 {
+ return color{
+ a0: true,
+ }
+ }
+ if ca == 0xFFFF {
+ r = int(cr) >> 8
+ g = int(cg) >> 8
+ b = int(cb) >> 8
+ } else {
+ r = int(cr) * 255 / int(ca)
+ g = int(cg) * 255 / int(ca)
+ b = int(cb) * 255 / int(ca)
+ }
+ return color{
+ r: r,
+ g: g,
+ b: b,
+ }
+}
+
+type node struct {
+ c color
+ n int
+ i int
+ children []*node
+}
+
+func (n *node) leaf() bool {
+ return n.n > 0
+}
+
+func (n *node) leafs() []*node {
+ nodes := make([]*node, 0, 8)
+ for _, n := range n.children {
+ if n == nil {
+ continue
+ }
+ if n.leaf() {
+ nodes = append(nodes, n)
+ } else {
+ nodes = append(nodes, n.leafs()...)
+ }
+ }
+ return nodes
+}
+
+func (n *node) addColor(color color, level int, parent *tree) {
+ if level >= maxDepth {
+ n.c.r += color.r
+ n.c.g += color.g
+ n.c.b += color.b
+ n.n++
+ return
+ }
+ i := n.colorIndex(color, level)
+ c := n.children[i]
+ if c == nil {
+ c = newNode(level, parent)
+ n.children[i] = c
+ }
+ c.addColor(color, level+1, parent)
+}
+
+func (n *node) paletteIndex(color color, level int) int {
+ if n.leaf() {
+ return n.i
+ }
+ i := n.colorIndex(color, level)
+ if c := n.children[i]; c != nil {
+ return c.paletteIndex(color, level+1)
+ }
+ for _, n := range n.children {
+ if n == nil {
+ continue
+ }
+ return n.paletteIndex(color, level+1)
+ }
+ panic("unreachable")
+}
+
+func (n *node) removeLeaves() int {
+ r := 0
+ for _, c := range n.children {
+ if c == nil {
+ continue
+ }
+ n.c.r += c.c.r
+ n.c.g += c.c.g
+ n.c.b += c.c.b
+ n.n += c.n
+ r += 1
+ }
+ return r - 1
+}
+
+func (n *node) colorIndex(color color, level int) int {
+ i := 0
+ mask := 0x80 >> level
+ if color.r&mask != 0 {
+ i |= 4
+ }
+ if color.g&mask != 0 {
+ i |= 2
+ }
+ if color.b&mask != 0 {
+ i |= 1
+ }
+ return i
+}
+
+func (n *node) color() color {
+ return color{
+ r: n.c.r / n.n,
+ g: n.c.g / n.n,
+ b: n.c.b / n.n,
+ }
+}
+
+func newNode(level int, parent *tree) *node {
+ n := node{
+ children: make([]*node, 8),
+ }
+ if level < maxDepth-1 {
+ parent.addNode(level, &n)
+ }
+ return &n
+}
+
+type tree struct {
+ levels [][]*node
+ root *node
+
+ count int // size of palette
+ a0 bool // true if any color is transparent
+}
+
+func (t *tree) leaves() []*node {
+ return t.root.leafs()
+}
+
+func (t *tree) addNode(level int, n *node) {
+ t.levels[level] = append(t.levels[level], n)
+}
+
+func (t *tree) addColor(color color) {
+ t.a0 = t.a0 || color.a0
+ t.root.addColor(color, 0, t)
+}
+
+func (t *tree) makePalette(count int) imagecolor.Palette {
+ palette := make(imagecolor.Palette, 0, count)
+ i := 0
+ c := len(t.leaves())
+
+ if t.a0 {
+ count--
+ }
+
+ for level := maxDepth - 1; level >= 0; level-- {
+ if len(t.levels[level]) == 0 {
+ continue
+ }
+ for _, n := range t.levels[level] {
+ c -= n.removeLeaves()
+ if c <= count {
+ break
+ }
+ }
+ if c <= count {
+ break
+ }
+ t.levels[level] = t.levels[level][:0]
+ }
+
+ for _, n := range t.leaves() {
+ if i >= count {
+ break
+ }
+ if n.leaf() {
+ palette = append(palette, n.color().color())
+ }
+ n.i = i
+ i++
+ }
+
+ if t.a0 {
+ palette = append(palette, imagecolor.RGBA{})
+ }
+ t.count = len(palette)
+ return palette
+}
+
+func (t *tree) paletteIndex(color color) int {
+ if color.a0 {
+ return t.count-1
+ }
+ return t.root.paletteIndex(color, 0)
+}
+
+func newTree() *tree {
+ t := tree{
+ levels: make([][]*node, maxDepth),
+ }
+ t.root = newNode(0, &t)
+ return &t
+}
+
+// Paletted quantizes an image and returns a paletted image, with
+// a palette up to the specified color count.
+func Paletted(img image.Image, colors int) *image.Paletted {
+ w := img.Bounds().Dx()
+ h := img.Bounds().Dy()
+
+ t := newTree()
+ for y := 0; y < h; y++ {
+ for x := 0; x < w; x++ {
+ t.addColor(newColor(img.At(x, y)))
+ }
+ }
+ out := image.NewPaletted(img.Bounds(), t.makePalette(colors))
+ for y := 0; y < h; y++ {
+ for x := 0; x < w; x++ {
+ out.SetColorIndex(x, y, uint8(t.paletteIndex(newColor(img.At(x, y)))))
+ }
+ }
+ return out
+}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vendor/git.sr.ht/~rockorager/vaxis/quirks.go new/vendor/git.sr.ht/~rockorager/vaxis/quirks.go
--- old/vendor/git.sr.ht/~rockorager/vaxis/quirks.go 2024-07-16 00:59:03.000000000 +0200
+++ new/vendor/git.sr.ht/~rockorager/vaxis/quirks.go 2024-07-30 00:54:32.000000000 +0200
@@ -13,15 +13,14 @@
case strings.HasPrefix(id, "kitty"):
log.Debug("kitty identified. applying quirks")
vx.caps.noZWJ = true
+ case id == "tmux 3.4":
+ // tmux 3.4 has unicode support, but doesn't advertise via 2027
+ vx.caps.unicodeCore = true
+
}
- // TODO: remove this when asciinema supports ':' delimiters in RGB
if os.Getenv("ASCIINEMA_REC") != "" {
- fgIndexSet = strings.ReplaceAll(fgIndexSet, ":", ";")
- fgRGBSet = strings.ReplaceAll(fgRGBSet, ":", ";")
- bgIndexSet = strings.ReplaceAll(bgIndexSet, ":", ";")
- bgRGBSet = strings.ReplaceAll(bgRGBSet, ":", ";")
- // Asciinema also doesn't support any advanced image protocols
+ // Asciinema doesn't support any advanced image protocols
vx.graphicsProtocol = halfBlock
}
if os.Getenv("VAXIS_FORCE_LEGACY_SGR") != "" {
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vendor/git.sr.ht/~rockorager/vaxis/sequences.go new/vendor/git.sr.ht/~rockorager/vaxis/sequences.go
--- old/vendor/git.sr.ht/~rockorager/vaxis/sequences.go 2024-07-16 00:59:03.000000000 +0200
+++ new/vendor/git.sr.ht/~rockorager/vaxis/sequences.go 2024-07-30 00:54:32.000000000 +0200
@@ -87,6 +87,7 @@
synchronizedUpdate = 2026
unicodeCore = 2027
colorThemeUpdates = 2031
+ inBandResize = 2048
sixelScrolling = 8452
// dsr requests/responses
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vendor/git.sr.ht/~rockorager/vaxis/vaxis.go new/vendor/git.sr.ht/~rockorager/vaxis/vaxis.go
--- old/vendor/git.sr.ht/~rockorager/vaxis/vaxis.go 2024-07-16 00:59:03.000000000 +0200
+++ new/vendor/git.sr.ht/~rockorager/vaxis/vaxis.go 2024-07-30 00:54:32.000000000 +0200
@@ -34,6 +34,7 @@
reportSizePixels bool
osc11 bool
osc176 bool
+ inBandResize bool
}
type cursorState struct {
@@ -269,6 +270,8 @@
log.Info("[capability] OSC 176 supported")
case terminalID:
vx.termID = ev
+ case inBandResizeEvents:
+ vx.caps.inBandResize = true
}
}
}
@@ -325,6 +328,13 @@
}
}
+// PostEventBlocking inserts an event into the [Vaxis] event loop. The call will
+// block if the queue is full. This method should only be used from a different
+// goroutine than the main thread.
+func (vx *Vaxis) PostEventBlocking(ev Event) {
+ vx.queue <- ev
+}
+
// SyncFunc queues a function to be called from the main thread. vaxis will call
// the function when the event is received in the main thread either through
// PollEvent or Events. A Redraw event will be sent to the host application
@@ -697,25 +707,25 @@
if vx.pastePending {
key.EventType = EventPaste
}
- vx.PostEvent(key)
+ vx.PostEventBlocking(key)
case ansi.C0:
key := decodeKey(seq)
if vx.pastePending {
key.EventType = EventPaste
}
- vx.PostEvent(key)
+ vx.PostEventBlocking(key)
case ansi.ESC:
key := decodeKey(seq)
if vx.pastePending {
key.EventType = EventPaste
}
- vx.PostEvent(key)
+ vx.PostEventBlocking(key)
case ansi.SS3:
key := decodeKey(seq)
if vx.pastePending {
key.EventType = EventPaste
}
- vx.PostEvent(key)
+ vx.PostEventBlocking(key)
case ansi.CSI:
switch seq.Final {
case 'c':
@@ -723,17 +733,17 @@
for _, ps := range seq.Parameters {
switch ps[0] {
case 4:
- vx.PostEvent(capabilitySixel{})
+ vx.PostEventBlocking(capabilitySixel{})
}
}
- vx.PostEvent(primaryDeviceAttribute{})
+ vx.PostEventBlocking(primaryDeviceAttribute{})
return
}
case 'I':
- vx.PostEvent(FocusIn{})
+ vx.PostEventBlocking(FocusIn{})
return
case 'O':
- vx.PostEvent(FocusOut{})
+ vx.PostEventBlocking(FocusOut{})
return
case 'R':
// KeyF1 or DSRCPR
@@ -762,7 +772,7 @@
switch seq.Parameters[0][0] {
case 2:
if seq.Parameters[1][0] == 0 {
- vx.PostEvent(capabilitySixel{})
+ vx.PostEventBlocking(capabilitySixel{})
}
}
return
@@ -775,7 +785,7 @@
switch seq.Parameters[0][0] {
case colorThemeResp: // 997
m := ColorThemeMode(seq.Parameters[1][0])
- vx.PostEvent(ColorThemeUpdate{
+ vx.PostEventBlocking(ColorThemeUpdate{
Mode: m,
})
}
@@ -795,7 +805,7 @@
}
switch seq.Parameters[1][0] {
case 1, 2:
- vx.PostEvent(synchronizedUpdates{})
+ vx.PostEventBlocking(synchronizedUpdates{})
}
case 2027:
if len(seq.Parameters) < 2 {
@@ -804,7 +814,7 @@
}
switch seq.Parameters[1][0] {
case 1, 2:
- vx.PostEvent(unicodeCoreCap{})
+ vx.PostEventBlocking(unicodeCoreCap{})
}
case 2031:
if len(seq.Parameters) < 2 {
@@ -813,13 +823,13 @@
}
switch seq.Parameters[1][0] {
case 1, 2:
- vx.PostEvent(notifyColorChange{})
+ vx.PostEventBlocking(notifyColorChange{})
}
}
return
case 'u':
if len(seq.Intermediate) == 1 && seq.Intermediate[0] == '?' {
- vx.PostEvent(kittyKeyboard{})
+ vx.PostEventBlocking(kittyKeyboard{})
return
}
case '~':
@@ -831,22 +841,22 @@
switch seq.Parameters[0][0] {
case 200:
vx.pastePending = true
- vx.PostEvent(PasteStartEvent{})
+ vx.PostEventBlocking(PasteStartEvent{})
return
case 201:
vx.pastePending = false
- vx.PostEvent(PasteEndEvent{})
+ vx.PostEventBlocking(PasteEndEvent{})
return
}
}
case 'M', 'm':
mouse, ok := parseMouseEvent(seq)
if ok {
- vx.PostEvent(mouse)
+ vx.PostEventBlocking(mouse)
}
return
case 't':
- if len(seq.Parameters) != 3 {
+ if len(seq.Parameters) < 3 {
log.Error("[CSI] unknown sequence: %s", seq)
return
}
@@ -861,7 +871,7 @@
if !vx.caps.reportSizePixels {
// Gate on this so we only report this
// once at startup
- vx.PostEvent(textAreaPix{})
+ vx.PostEventBlocking(textAreaPix{})
return
}
case 8:
@@ -872,10 +882,24 @@
// once at startup. This also means we
// can set the size directly and won't
// have race conditions
- vx.PostEvent(textAreaChar{})
+ vx.PostEventBlocking(textAreaChar{})
return
}
vx.chSizeDone <- true
+ case 48:
+ // CSI <type> ; <height> ; <width> ; <height_pix> ; <width_pix> t
+ switch len(seq.Parameters) {
+ case 5:
+ atomicStore(&vx.resize, true)
+ vx.nextSize.Cols = w
+ vx.nextSize.Rows = h
+ vx.nextSize.YPixel = seq.Parameters[3][0]
+ vx.nextSize.XPixel = seq.Parameters[4][0]
+ if !vx.caps.inBandResize {
+ vx.PostEventBlocking(inBandResizeEvents{})
+ }
+ vx.Resize()
+ }
}
return
}
@@ -884,7 +908,7 @@
if vx.pastePending {
key.EventType = EventPaste
}
- vx.PostEvent(key)
+ vx.PostEventBlocking(key)
case ansi.DCS:
switch seq.Final {
case 'r':
@@ -906,9 +930,9 @@
}
switch vals[0] {
case hexEncode("Smulx"):
- vx.PostEvent(styledUnderlines{})
+ vx.PostEventBlocking(styledUnderlines{})
case hexEncode("RGB"):
- vx.PostEvent(truecolor{})
+ vx.PostEventBlocking(truecolor{})
}
}
case '|':
@@ -920,10 +944,10 @@
if string(seq.Data) == hexEncode("~VTE") {
// VTE supports styled underlines but
// doesn't respond to XTGETTCAP
- vx.PostEvent(styledUnderlines{})
+ vx.PostEventBlocking(styledUnderlines{})
}
case '>':
- vx.PostEvent(terminalID(seq.Data))
+ vx.PostEventBlocking(terminalID(seq.Data))
}
}
case ansi.APC:
@@ -931,7 +955,7 @@
return
}
if strings.HasPrefix(seq.Data, "G") {
- vx.PostEvent(kittyGraphics{})
+ vx.PostEventBlocking(kittyGraphics{})
}
case ansi.OSC:
if strings.HasPrefix(string(seq.Payload), "11") {
@@ -943,7 +967,7 @@
if vx.CanReportBackgroundColor() {
vx.chBg <- string(seq.Payload)
}
- vx.PostEvent(capabilityOsc11{})
+ vx.PostEventBlocking(capabilityOsc11{})
}
if strings.HasPrefix(string(seq.Payload), "52") {
vals := strings.Split(string(seq.Payload), ";")
@@ -982,7 +1006,7 @@
if !vx.CanReportBackgroundColor() {
return Color(0)
}
- vx.tw.WriteString(osc11)
+ vx.tw.WriteStringLocked(osc11)
resp := <-vx.chBg
var r, g, b int
_, err := fmt.Sscanf(resp, "11;rgb:%x/%x/%x", &r, &g, &b)
@@ -1011,6 +1035,9 @@
_, _ = vx.tw.WriteString(decrqm(synchronizedUpdate))
_, _ = vx.tw.WriteString(decrqm(unicodeCore))
_, _ = vx.tw.WriteString(decrqm(colorThemeUpdates))
+ // We blindly enable in band resize. We get a response immediately if it
+ // is supported
+ _, _ = vx.tw.WriteString(decset(inBandResize))
_, _ = vx.tw.WriteString(xtversion)
_, _ = vx.tw.WriteString(kittyKBQuery)
_, _ = vx.tw.WriteString(kittyGquery)
@@ -1060,6 +1087,9 @@
// Let's query the current mode also
_, _ = vx.tw.WriteString(tparm(dsr, colorThemeReq))
}
+ if vx.caps.inBandResize {
+ _, _ = vx.tw.WriteString(decset(inBandResize))
+ }
// TODO: query for bracketed paste support?
_, _ = vx.tw.WriteString(decset(bracketedPaste)) // bracketed paste
@@ -1105,6 +1135,9 @@
if vx.caps.osc176 {
_, _ = vx.tw.WriteString(tparm(setAppID, vx.appIDLast))
}
+ if vx.caps.inBandResize {
+ _, _ = vx.tw.WriteString(decrst(inBandResize))
+ }
// Most terminals default to "text" mouse shape
_, _ = vx.tw.WriteString(tparm(mouseShape, MouseShapeTextInput))
_, _ = vx.tw.Flush()
@@ -1186,7 +1219,7 @@
}
case <-vx.chSigWinSz:
atomicStore(&vx.resize, true)
- vx.PostEvent(Redraw{})
+ vx.PostEventBlocking(Redraw{})
case <-vx.chSigKill:
vx.Close()
return
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vendor/git.sr.ht/~rockorager/vaxis/vaxis_unix.go new/vendor/git.sr.ht/~rockorager/vaxis/vaxis_unix.go
--- old/vendor/git.sr.ht/~rockorager/vaxis/vaxis_unix.go 2024-07-16 00:59:03.000000000 +0200
+++ new/vendor/git.sr.ht/~rockorager/vaxis/vaxis_unix.go 2024-07-30 00:54:32.000000000 +0200
@@ -14,9 +14,11 @@
)
func (vx *Vaxis) setupSignals() {
- signal.Notify(vx.chSigWinSz,
- syscall.SIGWINCH,
- )
+ if !vx.caps.inBandResize {
+ signal.Notify(vx.chSigWinSz,
+ syscall.SIGWINCH,
+ )
+ }
signal.Notify(vx.chSigKill,
// kill signals
syscall.SIGABRT,
@@ -32,6 +34,10 @@
// reportWinsize
func (vx *Vaxis) reportWinsize() (Resize, error) {
+ if vx.caps.inBandResize {
+ // We already received the size if we have in band reports
+ return vx.nextSize, nil
+ }
if vx.xtwinops && vx.caps.reportSizeChars && vx.caps.reportSizePixels {
log.Trace("requesting screen size from terminal")
io.WriteString(vx.console, textAreaSize)
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vendor/git.sr.ht/~rockorager/vaxis/writer.go new/vendor/git.sr.ht/~rockorager/vaxis/writer.go
--- old/vendor/git.sr.ht/~rockorager/vaxis/writer.go 2024-07-16 00:59:03.000000000 +0200
+++ new/vendor/git.sr.ht/~rockorager/vaxis/writer.go 2024-07-30 00:54:32.000000000 +0200
@@ -4,6 +4,7 @@
"bytes"
"fmt"
"io"
+ "sync"
)
// writer is a buffered writer for a terminal. If the terminal supports
@@ -13,6 +14,7 @@
buf *bytes.Buffer
w io.Writer
vx *Vaxis
+ mut sync.Mutex
}
func newWriter(vx *Vaxis) *writer {
@@ -66,6 +68,15 @@
return w.buf.Len()
}
+// WriteStringLocked writes to the underlying terminal while the mutex is held.
+// This does not handle any mouse nor synchronization state and is intended to
+// be used for one-off synchronized sequence writes to the terminal
+func (w *writer) WriteStringLocked(s string) (n int, err error) {
+ w.mut.Lock()
+ defer w.mut.Unlock()
+ return w.w.Write([]byte(s))
+}
+
func (w *writer) Flush() (n int, err error) {
if w.buf.Len() == 0 {
// If we didn't write any visual changes, make sure we make any
@@ -95,5 +106,7 @@
if w.vx.caps.synchronizedUpdate {
w.buf.WriteString(decrst(synchronizedUpdate))
}
+ w.mut.Lock()
+ defer w.mut.Unlock()
return w.w.Write(w.buf.Bytes())
}
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/vendor/modules.txt new/vendor/modules.txt
--- old/vendor/modules.txt 2024-07-16 00:59:03.000000000 +0200
+++ new/vendor/modules.txt 2024-07-30 00:54:33.000000000 +0200
@@ -10,11 +10,12 @@
git.sr.ht/~rockorager/go-jmap/mail/emailsubmission
git.sr.ht/~rockorager/go-jmap/mail/identity
git.sr.ht/~rockorager/go-jmap/mail/mailbox
-# git.sr.ht/~rockorager/vaxis v0.9.2
+# git.sr.ht/~rockorager/vaxis v0.10.3
## explicit; go 1.18
git.sr.ht/~rockorager/vaxis
git.sr.ht/~rockorager/vaxis/ansi
git.sr.ht/~rockorager/vaxis/log
+git.sr.ht/~rockorager/vaxis/octreequant
git.sr.ht/~rockorager/vaxis/widgets/align
git.sr.ht/~rockorager/vaxis/widgets/term
# github.com/ProtonMail/go-crypto v1.0.0
1
0
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package newsflash for openSUSE:Factory checked in at 2024-07-30 11:55:11
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/newsflash (Old)
and /work/SRC/openSUSE:Factory/.newsflash.new.1882 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "newsflash"
Tue Jul 30 11:55:11 2024 rev:9 rq:1190349 version:3.3.4
Changes:
--------
--- /work/SRC/openSUSE:Factory/newsflash/newsflash.changes 2024-07-15 19:47:26.647631091 +0200
+++ /work/SRC/openSUSE:Factory/.newsflash.new.1882/newsflash.changes 2024-07-30 11:57:19.708463989 +0200
@@ -1,0 +2,20 @@
+Mon Jul 29 21:16:02 UTC 2024 - Richard Rahl <rrahl0(a)opensuse.org>
+
+- update to 3.3.4:
+ * Avoid re-downloaing non-expired favicons
+ * Increase network-monitor changed signal timeout
+- update to 3.3.3:
+ * local rss: handle articles that are published with the same GUID by
+ multiple feeds (eg planet.gnome.org)
+ * local rss: use etags to skip downloading unchanged feeds
+ * local rss: avoid writing unchanged articles to the database (feed-rs fix)
+ * log running/successful database migrations
+ * improve favicon and thumbnail download logic
+ * fix drag and drop regression in feed list
+ * article list: load queue to avoid data races
+ * multiple ping urls for online checks
+ * online check: try to reach backend server before falling back to generic urls
+ * add back unread/starred database indices
+ * re-enable full text search in article plain text
+
+-------------------------------------------------------------------
Old:
----
newsflash-3.3.2.obscpio
New:
----
newsflash-3.3.4.obscpio
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ newsflash.spec ++++++
--- /var/tmp/diff_new_pack.0XZzoQ/_old 2024-07-30 11:57:30.136885763 +0200
+++ /var/tmp/diff_new_pack.0XZzoQ/_new 2024-07-30 11:57:30.136885763 +0200
@@ -19,7 +19,7 @@
%define _lto_cflags %{nil}
%define appname io.gitlab.news_flash.NewsFlash
Name: newsflash
-Version: 3.3.2
+Version: 3.3.4
Release: 0
Summary: The spiritual successor to FeedReader
License: GPL-3.0-only
@@ -50,7 +50,9 @@
BuildRequires: pkgconfig(openssl)
BuildRequires: pkgconfig(sqlite3)
BuildRequires: pkgconfig(webkitgtk-6.0)
+%ifarch aarch64
BuildRequires: typelib(ClapperGtk)
+%endif
%description
NewsFlash is a program designed to complement an already existing web-based RSS reader account.
++++++ _service ++++++
--- /var/tmp/diff_new_pack.0XZzoQ/_old 2024-07-30 11:57:30.168887058 +0200
+++ /var/tmp/diff_new_pack.0XZzoQ/_new 2024-07-30 11:57:30.168887058 +0200
@@ -3,7 +3,7 @@
<service name="obs_scm" mode="manual">
<param name="scm">git</param>
<param name="url">https://gitlab.com/news-flash/news_flash_gtk.git</param>
- <param name="revision">refs/tags/v.3.3.2</param>
+ <param name="revision">refs/tags/v.3.3.4</param>
<param name="versionformat">@PARENT_TAG@</param>
<param name="versionrewrite-pattern">v.(.*)</param>
<param name="changesgenerate">disable</param>
++++++ newsflash-3.3.2.obscpio -> newsflash-3.3.4.obscpio ++++++
/work/SRC/openSUSE:Factory/newsflash/newsflash-3.3.2.obscpio /work/SRC/openSUSE:Factory/.newsflash.new.1882/newsflash-3.3.4.obscpio differ: char 49, line 1
++++++ newsflash.obsinfo ++++++
--- /var/tmp/diff_new_pack.0XZzoQ/_old 2024-07-30 11:57:30.212888838 +0200
+++ /var/tmp/diff_new_pack.0XZzoQ/_new 2024-07-30 11:57:30.216888999 +0200
@@ -1,5 +1,5 @@
name: newsflash
-version: 3.3.2
-mtime: 1720781180
-commit: e1bd96775759a127a2598b4fe07ad4fd1f56625b
+version: 3.3.4
+mtime: 1722289270
+commit: ed5773bf225659e62f262dd08bbad6f9a5304a92
++++++ vendor.tar.zst ++++++
/work/SRC/openSUSE:Factory/newsflash/vendor.tar.zst /work/SRC/openSUSE:Factory/.newsflash.new.1882/vendor.tar.zst differ: char 845513, line 3544
1
0