
Conversation

@octo-sts (octo-sts bot, Contributor) commented Jan 16, 2026

nushell/0.109.1-r1: fix GHSA-rhfx-m35p-ff5j

Advisory data: https://github.com/wolfi-dev/advisories/blob/main/nushell.advisories.yaml


"Breadcrumbs" for this automated service

Inspected git repositories:

@octo-sts (octo-sts bot, Contributor, Author) commented Jan 16, 2026

🔢 Build Failed: Dependency Version Mismatch

failed to select a version for the requirement lru = "^0.12.0" candidate versions found which didn't match: 0.16.3 location searched: crates.io index required by package ratatui v0.29.0 ... which satisfies dependency ratatui = "^0.29" (locked to 0.29.0) of package nu-explore v0.109.1 (/home/build/crates/nu-explore)

Build Details

  • Build System: cargo
  • Failure Point: cargobump --run-update=false --bump-file ./cargobump-deps.yaml

Root Cause Analysis 🔍

Version incompatibility between dependency requirements. The package ratatui v0.29.0 requires lru ^0.12.0, but cargobump is trying to update lru to version 0.16.3. The semantic versioning constraint ^0.12.0 only allows versions 0.12.x, making 0.16.3 incompatible. This is a dependency version conflict where the updated version exceeds the compatible range required by other packages in the dependency tree.


🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Suggested Changes

File: Cargo.toml

  • modification at line unknown (dependencies section)
    Original:
      sed -i 's/lru = "0\.12"/lru = "0.16.3"/' Cargo.toml
    Replacement:
      # Remove the manual lru dependency bump - let cargobump handle version updates within compatible ranges
    Content:
      Remove the sed command that manually bumps lru from 0.12 to 0.16.3

File: melange.yaml

  • removal at line 30-32 (pipeline section)
    Original:
      - name: "bump some rust dependencies before running cargobump"
        runs: |
          sed -i 's/lru = "0\.12"/lru = "0.16.3"/' Cargo.toml
    Content:
      Remove the entire step that manually bumps lru dependency version

Analysis

No similar build failures were provided in the context, so pattern analysis is based on the current error. The root cause is a dependency version conflict where ratatui v0.29.0 requires lru ^0.12.0 (versions 0.12.x only), but the manual dependency bump to lru 0.16.3 violates this constraint. This is a classic semantic versioning compatibility issue where a major version bump (0.12 to 0.16) introduces breaking changes.


Explanation

The suggested fix addresses the root cause by removing the manual dependency version bump that violates semantic versioning constraints. The error occurs because ratatui v0.29.0 specifically requires lru ^0.12.0, which means it's compatible only with versions 0.12.x (patch releases). By manually forcing lru to version 0.16.3, we create an incompatible dependency tree since 0.16.x represents a major version change with potential breaking changes that ratatui wasn't designed to handle. Removing this manual bump allows the natural dependency resolution to work correctly, and cargobump will handle version updates within compatible semantic version ranges. This approach respects the dependency constraints specified by the package authors and maintains build stability.


Alternative Approaches

  • Update ratatui to a newer version that supports lru 0.16.x if such a version exists upstream
  • Use cargo tree and cargo update commands to identify compatible version ranges for all dependencies before making manual changes
  • Pin lru to a specific 0.12.x version (like 0.12.4) that satisfies ratatui's requirements while getting security fixes
  • Check if there's a newer nushell version that uses updated dependencies with compatible version ranges

Was this comment helpful? Please use 👍 or 👎 reactions on this comment.
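The comment above turns on one rule: Cargo reads `lru = "^0.12.0"` (and the bare `lru = "0.12"` that the sed step rewrote) as a caret requirement, so a 0.16.x candidate can never match it. The following Python is an added illustration of that rule, not code from this PR, from octo-sts or from cargobump. It implements Cargo's caret semantics in general (the `^1.x`, `^0.x` and `^0.0.x` forms, not only the `^0.12.0` case from the build log), mimics the resolver's "highest matching candidate" choice, and shows why the pinned `"0.16.3"` and ratatui's `^0.12.0` have no version in common. The candidate version lists are constructed for the example; pre-release tags are not handled.

```python
"""Cargo-style caret version requirements, used to show why a candidate
such as lru 0.16.3 can never satisfy ratatui's `lru = "^0.12.0"`.
Added example; not part of the PR, cargobump or Cargo itself."""
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

_VERSION_RE = re.compile(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?")


def parse_version(text: str) -> Version:
    """Parse 'X', 'X.Y' or 'X.Y.Z' into a 3-tuple. Pre-release tags are not handled."""
    m = _VERSION_RE.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"not a version: {text!r}")
    major, minor, patch = (int(g) if g is not None else 0 for g in m.groups())
    return (major, minor, patch)


def caret_range(req: str) -> Tuple[Version, Version]:
    """Return the half-open range [lower, upper) for a caret requirement.

    Cargo treats a bare 'X.Y.Z' exactly like '^X.Y.Z'. The rule: the leftmost
    non-zero component must not change, and when every component is zero the
    leftmost *written* component must not change, so:
      ^1.2.3 -> [1.2.3, 2.0.0)    ^0.2.3 -> [0.2.3, 0.3.0)
      ^0.0.3 -> [0.0.3, 0.0.4)    ^0.0   -> [0.0.0, 0.1.0)    ^0 -> [0.0.0, 1.0.0)
    """
    text = req.strip().lstrip("^")
    written = text.split(".")
    if not 1 <= len(written) <= 3:
        raise ValueError(f"not a caret requirement: {req!r}")
    lower = parse_version(text)
    major, minor, patch = lower
    if major > 0:
        upper = (major + 1, 0, 0)
    elif minor > 0:
        upper = (0, minor + 1, 0)
    elif len(written) == 3:
        upper = (0, 0, patch + 1)
    elif len(written) == 2:
        upper = (0, 1, 0)
    else:
        upper = (1, 0, 0)
    return lower, upper


def satisfies(candidate: str, req: str) -> bool:
    """True when `candidate` falls inside the caret range of `req`."""
    lower, upper = caret_range(req)
    return lower <= parse_version(candidate) < upper


def select_version(req: str, candidates: List[str]) -> Optional[str]:
    """Mimic the resolver's choice: the highest candidate inside the range, or None."""
    matching = [c for c in candidates if satisfies(c, req)]
    return max(matching, key=parse_version) if matching else None


def ranges_overlap(req_a: str, req_b: str) -> bool:
    """True when at least one version could satisfy both requirements at once."""
    lo_a, hi_a = caret_range(req_a)
    lo_b, hi_b = caret_range(req_b)
    return max(lo_a, lo_b) < min(hi_a, hi_b)


if __name__ == "__main__":
    # Constructed candidate list standing in for what the crates.io index offered.
    index = ["0.12.4", "0.12.5", "0.16.3"]
    print(select_version("^0.12.0", index))        # 0.12.5
    print(select_version("^0.12.0", ["0.16.3"]))   # None: the failure on this PR
    # The sed step wrote `lru = "0.16.3"`, which Cargo reads as ^0.16.3;
    # that range and ratatui's ^0.12.0 share no version at all.
    print(ranges_overlap("0.16.3", "^0.12.0"))     # False
```

`ranges_overlap` is the check worth running before adding any manual pin to a package recipe: if the pinned requirement and every transitive requirement on the same crate do not overlap, the resolver will fail exactly as the log above shows, regardless of what cargobump does afterwards.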

@octo-sts octo-sts bot added the ai/skip-comment Stop AI from commenting on PR label Jan 16, 2026