Skip to content

build(deps): bump zip from 2.2.3 to 2.3.0 in the cargo group across 1 directory #1891

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Mar 18, 2025
Merged

build(deps): bump zip from 2.2.3 to 2.3.0 in the cargo group across 1 directory #1891

merged 1 commit into from
Mar 18, 2025

Conversation

@dependabot
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Mar 18, 2025
edited
Loading

Bumps the cargo group with 1 update in the / directory: zip.

Updates zip from 2.2.3 to 2.3.0

Release notes

Sourced from zip's releases.

v2.3.0

🚀 Features

  • Add support for NTFS extra field (#279)

🐛 Bug Fixes

  • (test) Conditionalize a zip64 doctest (#308)
  • fix failing tests, remove symlink loop check
  • Canonicalize output path to avoid false negatives
  • Symlink handling in stream extraction
  • Canonicalize output paths and symlink targets, and ensure they descend from the destination

⚙️ Miscellaneous Tasks

  • Fix clippy and cargo fmt warnings (#310)
Changelog

Sourced from zip's changelog.

2.3.0 - 2025-03-16

🚀 Features

  • Add support for NTFS extra field (#279)

🐛 Bug Fixes

  • (test) Conditionalize a zip64 doctest (#308)
  • fix failing tests, remove symlink loop check
  • Canonicalize output path to avoid false negatives
  • Symlink handling in stream extraction
  • Canonicalize output paths and symlink targets, and ensure they descend from the destination

⚙️ Miscellaneous Tasks

  • Fix clippy and cargo fmt warnings (#310)
Commits
  • 6eab5f5 chore: release v2.3.0 (#300)
  • e4aee20 implement ZipFile::options + refactor options normalization (#305)
  • ea8a7bb fix(test): Conditionalize a zip64 doctest (#308)
  • 365c81a Use xz2 crate instead of a custom implementation (#306)
  • ae94b34 chore: Fix clippy and cargo fmt warnings (#310)
  • a2e062f Merge commit from fork
  • 0199ac2 Simplify handling for symlink targets
  • 977bb94 fix failing tests, remove symlink loop check
  • 3cb29e7 Partial fix for tests
  • 2182b07 Refactor
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot will merge this PR once CI passes on it, as requested by @EliahKagan.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot dependabot bot added dependencies Pull requests that update a dependency file rust Pull requests that update Rust code labels Mar 18, 2025
EliahKagan
EliahKagan approved these changes Mar 18, 2025
View reviewed changes
Copy link
Member

@EliahKagan EliahKagan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This fixes the symlink traversal vulnerability CVE-2025-29787 in the zip dependency. I believe it does not yet have a RUSTSEC advisory, which is why cargo deny advisories has not yet said anything. For software that uses zip in an affected way, it's fairly serious. Fortunately, it looks like we are only using it to create archives, and not to extract them:

> git grep -En 'use.*[^.]\bzip\b|\bzip::'
gix-archive/src/write.rs:135:        let mut ar = zip::write::ZipWriter::new(out);
gix-archive/src/write.rs:140:        let mtime = zip::DateTime::from_date_and_time(
gix-archive/src/write.rs:172:    ar: &mut zip::write::ZipWriter<W>,
gix-archive/src/write.rs:175:    mtime: zip::DateTime,
gix-archive/src/write.rs:179:    let file_opts = zip::write::FileOptions::<'_, ()>::default()
gix-archive/src/write.rs:180:        .compression_method(zip::CompressionMethod::Deflated)
gix-archive/tests/archive.rs:174:                let mut ar = zip::ZipArchive::new(std::io::Cursor::new(buf.as_slice()))?;

If I am right about that, then we don't need to release new binaries for the updated dependency. Either way, I think it's a good idea to take this update now--then it won't be a concern when using a --locked build or in cargo deny.

@EliahKagan
Copy link
Member

@dependabot rebase

@EliahKagan
Copy link
Member

@dependabot merge

@dependabot
build(deps): bump zip in the cargo group across 1 directory
00d1a00 
Bumps the cargo group with 1 update in the / directory: [zip](https://github.com/zip-rs/zip2).


Updates `zip` from 2.2.3 to 2.3.0
- [Release notes](https://github.com/zip-rs/zip2/releases)
- [Changelog](https://github.com/zip-rs/zip2/blob/master/CHANGELOG.md)
- [Commits](zip-rs/zip2@v2.2.3...v2.3.0)

---
updated-dependencies:
- dependency-name: zip
  dependency-type: direct:production
  dependency-group: cargo
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot force-pushed the dependabot/cargo/cargo-e1feb93277 branch from ea7ff1d to 00d1a00 Compare March 18, 2025 00:31
@dependabot @github
Copy link
Contributor Author

dependabot bot commented on behalf of github Mar 18, 2025

One of your CI runs failed on this pull request, so Dependabot won't merge it.

Dependabot will still automatically merge this pull request if you amend it and your tests pass.

@EliahKagan
Copy link
Member

The failure is due to #1816, which causes that test to fail intermittently. I'll rerun that whole workflow just to be safe.

@EliahKagan
Copy link
Member

@dependabot merge

@dependabot dependabot bot merged commit 339bdf8 into main Mar 18, 2025
34 of 39 checks passed
@dependabot dependabot bot deleted the dependabot/cargo/cargo-e1feb93277 branch March 18, 2025 01:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@EliahKagan EliahKagan EliahKagan approved these changes

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file rust Pull requests that update Rust code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@EliahKagan