Conversation

@octo-sts octo-sts bot commented Jan 16, 2026

nushell/0.109.1-r1: fix GHSA-g59m-gf8j-gjf5

Advisory data: https://github.com/wolfi-dev/advisories/blob/main/nushell.advisories.yaml


"Breadcrumbs" for this automated service

Inspected git repositories:

octo-sts bot commented Jan 16, 2026

⏱️ Build Failed: Timeout

conn read: read tcp 127.0.0.1:55578->127.0.0.1:39933: i/o timeout

Build Details

  • Build System: melange
  • Failure Point: QEMU VM communication during build environment setup

Root Cause Analysis 🔍

Network I/O timeout occurred while establishing or maintaining SSH connection to the QEMU virtual machine used for the build process. This indicates the VM became unresponsive or network connectivity was lost during the build environment initialization phase.


🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Similar PRs with fixes

Suggested Changes

File: nushell.yaml

  • add_dependency (environment.contents.packages)
    Original:
      - sqlite-dev
    Replacement:
      - sqlite-dev
      - pkg-config
    Content: Add pkg-config dependency to ensure proper library discovery during build

  • modify_resource_allocation (package.resources)
    Original:
      cpu: 30
      memory: 20Gi
    Replacement:
      cpu: 16
      memory: 16Gi
    Content: Reduce resource allocation to prevent VM resource exhaustion that could cause timeouts

  • add_build_step (pipeline)
    Original:
      - uses: rust/cargobump
    Replacement:
      - uses: rust/cargobump

      - name: "verify dependencies are available"
        runs: |
          pkg-config --exists libgit2
          pkg-config --exists libssh2
          pkg-config --exists sqlite3
    Content: Add verification step to ensure all required system libraries are properly detected before build

  • modify_test_framework (test.pipeline)
    Original:
      - name: version and command test
        runs: |
          nu --version || exit 1
          nu -c 'echo "hello"'
    Replacement:
      - uses: test/tw/ver-check
        with:
          bins: nu
      - name: basic functionality test
        runs: |
          nu -c 'echo "hello"'
    Content: Replace custom version test with standardized test framework to improve reliability
Analysis

Looking at the similar fixed build failures, I notice several patterns:

  • Version updates and dependency changes (Fix #0 updated PHP PECL package version and added pcre2-dev dependency)
  • Creation of new FIPS-compliant packages (Fix #1 created entirely new jaeger FIPS packages)
  • Test framework standardization (Fix #2 replaced custom test commands with standardized test/tw framework)

The common thread across all fixes is that they addressed infrastructure and dependency issues that could cause VM communication timeouts by ensuring proper dependencies, updating to stable versions, or using more reliable testing frameworks.

Explanation

The suggested changes address the root cause of QEMU VM communication timeouts by:

  • Adding the pkg-config dependency ensures proper library detection during the build process, preventing build failures that could cause VM hangs
  • Reducing resource allocation from 30 CPU/20Gi to 16 CPU/16Gi prevents VM resource exhaustion, which is a common cause of communication timeouts
  • Adding dependency verification ensures all required libraries are properly linked before the main build starts, preventing mid-build failures that could leave the VM in an unresponsive state
  • Replacing custom test commands with the standardized test/tw framework improves test reliability and reduces the chance of test-related VM communication issues

These changes follow the patterns observed in the similar fixes, particularly the standardization approach from Fix #2 and the dependency management approach from Fix #0.

Alternative Approaches

  • Add explicit timeout configurations in the pipeline steps to prevent indefinite waits that could cause VM communication issues
  • Split the large Rust build into smaller chunks to reduce memory pressure and prevent VM resource exhaustion
  • Add retry mechanisms for network-dependent operations like cargo operations that might fail due to intermittent connectivity
  • Consider using a different Rust build approach such as cargo-c instead of cargo auditable build if the auditable build process is causing resource issues

@octo-sts octo-sts bot added the ai/skip-comment Stop AI from commenting on PR label Jan 16, 2026