
chore: update cargo toml for release v2.4.0 #1385

Merged (1 commit), Jul 22, 2025
2 changes: 1 addition & 1 deletion Cargo.lock


6 changes: 3 additions & 3 deletions Cargo.toml
@@ -1,6 +1,6 @@
[package]
name = "parseable"
version = "2.3.5"
version = "2.4.0"
authors = ["Parseable Team <[email protected]>"]
edition = "2024"
rust-version = "1.88.0"
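Review bot: The Cargo.lock diff for this PR is collapsed above (1 addition, 1 deletion); confirm that the one changed entry is the `parseable` package's own `version` moving from 2.3.5 to 2.4.0 so the lockfile matches this manifest bump, otherwise a `cargo build --locked` in CI will fail on the stale lock.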
Expand Down Expand Up @@ -149,8 +149,8 @@ arrow = "54.0.0"
temp-dir = "0.1.14"

[package.metadata.parseable_ui]
assets-url = "https://parseable-prism-build.s3.us-east-2.amazonaws.com/v2.3.5/build.zip"
assets-sha1 = "3e703ef8bedf8ae55fd31713f6267ad14ad3d29d"
assets-url = "https://parseable-prism-build.s3.us-east-2.amazonaws.com/v2.4.0/build.zip"
assets-sha1 = "04632472a2174328cfea7a91a175f6f3795d7152"
Comment on lines 151 to +153
Contributor
💡 Verification agent

🧩 Analysis chain

Stop using SHA-1 for release-artifact integrity; switch to SHA-256
SHA-1 has been considered broken for over a decade. Prefer a SHA-256 (or stronger) checksum to avoid collision attacks and to align with modern supply-chain security guidance. Example:

-assets-sha1 = "04632472a2174328cfea7a91a175f6f3795d7152"
+# SHA-256 of the v2.4.0 build.zip
+assets-sha256 = "<paste sha256 here>"

If the build script currently hard-codes assets-sha1, add parallel support for assets-sha256 or migrate entirely.


🏁 Script executed:

#!/bin/bash
# Search for hard-coded SHA-1 usage in the repository
rg -n "assets-sha1"

# Check for any existing SHA-256 support
rg -n "assets-sha256"

# Locate code that reads the parseable_ui metadata
rg -n "parseable_ui"

# Inspect references to the Cargo metadata section
rg -n "metadata.parseable_ui"

Length of output: 1105


Switch to SHA-256 for parseable_ui assets integrity

The build script and Cargo metadata currently only support SHA-1, which is considered insecure. You’ll need to:

  • Update Cargo.toml to replace assets-sha1 with assets-sha256 (or add parallel support):
    • File: Cargo.toml (lines 151–153)
  • Modify build.rs to:
    • Read metadata["assets-sha256"] instead of assets-sha1 (currently at lines 104 and 127)
    • Compute the checksum with SHA-256 (e.g., using the sha2 crate) rather than Sha1::hexdigest()
    • Write out a .sha256 file instead of .sha1 (update the checksum_path logic around line 72)

Suggested diff in Cargo.toml:

 [package.metadata.parseable_ui]
-assets-url = "https://…/v2.4.0/build.zip"
-assets-sha1 = "04632472a2174328cfea7a91a175f6f3795d7152"
+# URL for v2.4.0 build.zip
+assets-url    = "https://…/v2.4.0/build.zip"
+# SHA-256 of v2.4.0 build.zip
+assets-sha256 = "<paste sha256 here>"

And in build.rs (pseudocode):

- let checksum_path = out_dir.join("parseable_ui.sha1");
+ let checksum_path = out_dir.join("parseable_ui.sha256");

- let checksum = Sha1::from(&parseable_ui_bytes).hexdigest();
+ let checksum = Sha256::digest(&parseable_ui_bytes)
+     .iter()
+     .map(|b| format!("{:02x}", b))
+     .collect::<String>();

- if checksum == metadata["assets-sha1"].as_str().unwrap() {
+ if checksum == metadata["assets-sha256"].as_str().unwrap() {

These changes will bring artifact validation in line with modern supply-chain security practices.

Committable suggestion skipped: line range outside the PR's diff.

🤖 Prompt for AI Agents
In Cargo.toml around lines 151 to 153, replace the key `assets-sha1` with
`assets-sha256` to reflect the use of SHA-256 for asset integrity. Then, in
build.rs at lines 72, 104, and 127, update the code to read the `assets-sha256`
metadata instead of `assets-sha1`, compute the checksum using the SHA-256
algorithm (for example, via the `sha2` crate), and change the output checksum
file extension from `.sha1` to `.sha256`. This involves modifying the checksum
calculation logic and the path where the checksum file is written to ensure
compatibility with SHA-256 validation.


[features]
debug = []
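Review bot: The new `assets-sha1` value is the only thing pinning what build.rs downloads, since `assets-url` points at a path on S3 rather than a content-addressed location; record in the PR how the digest was produced from the uploaded v2.4.0 build.zip so a second reviewer can recompute it, and treat the SHA-256 migration raised in the thread above as the follow-up, adding `assets-sha256` alongside `assets-sha1` so existing builds keep working until build.rs reads the new key.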
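The parallel-support migration the review thread describes, as an added example that is not Parseable's build.rs (which is Rust): a small Python check that reads the `[package.metadata.parseable_ui]` table, prefers an `assets-sha256` pin over the legacy `assets-sha1` key, and verifies a bundle against whichever is present. The table and key names are the PR's; the `assets-url`, the sample bundle bytes and the manifest fragment are constructed.

```python
import hashlib
import hmac
import re

SECTION = "package.metadata.parseable_ui"
# Strongest digest first: the first key present in the manifest is the one checked.
DIGEST_KEYS = (("assets-sha256", "sha256"), ("assets-sha1", "sha1"))


def read_ui_metadata(cargo_toml: str) -> dict:
    """Return the key = "value" pairs of the flat [package.metadata.parseable_ui] table."""
    table = re.search(rf"^\[{re.escape(SECTION)}\]\n(.*?)(?=^\[|\Z)", cargo_toml, re.M | re.S)
    if not table:
        raise KeyError(f"missing [{SECTION}] table")
    return dict(re.findall(r'^\s*([\w-]+)\s*=\s*"([^"]*)"', table.group(1), re.M))


def verify_assets(cargo_toml: str, bundle: bytes) -> str:
    """Return the algorithm whose pinned digest matched `bundle`, else raise ValueError."""
    meta = read_ui_metadata(cargo_toml)
    for key, algo in DIGEST_KEYS:
        if key not in meta:
            continue
        actual = hashlib.new(algo, bundle).hexdigest()
        # compare_digest does not stop at the first differing character
        if not hmac.compare_digest(actual, meta[key].lower()):
            raise ValueError(f"{key} mismatch: manifest {meta[key]}, computed {actual}")
        return algo
    raise ValueError("no assets-sha256 or assets-sha1 pin; refusing an unverified bundle")


# Constructed stand-in for build.zip; the manifest digests below are derived from it.
SAMPLE_BUNDLE = b"PK\x03\x04 constructed stand-in for the v2.4.0 UI bundle"


def sample_manifest(*keys: str) -> str:
    """Cargo.toml fragment (constructed) pinning SAMPLE_BUNDLE under the given key(s)."""
    lines = [f"[{SECTION}]", 'assets-url = "https://example.invalid/v2.4.0/build.zip"']
    for key, algo in DIGEST_KEYS:
        if key in keys:
            lines.append(f'{key} = "{hashlib.new(algo, SAMPLE_BUNDLE).hexdigest()}"')
    return "\n".join(lines) + "\n\n[features]\ndebug = []\n"


if __name__ == "__main__":
    # Both keys present: the SHA-256 pin is the one verified.
    print(verify_assets(sample_manifest("assets-sha256", "assets-sha1"), SAMPLE_BUNDLE))
```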