4 Apr
2024
17:07
On 2024-04-04 15:47, Ben Greiner wrote:
[ben@skylab:…on:jupyter/python-pycrdt]% head Cargo.lock
This Cargo.lock is one that is inside the vendor. Inserting this file in the vendor tarball is a decision from the obs cargo_vendor service, not from cargo vendor.

This file should be present in the upstream tarball. In this case, the security issue seems to be in the pycrdt project, which does not provide the expected Cargo.lock, so it is not integrated in the pycrdt-0.8.17.tar.xz, which is where it should be.

[1] https://github.com/openSUSE/obs-service-cargo_vendor?tab=readme-ov-file#what...
[2] https://github.com/jupyter-server/pycrdt