@octo-sts octo-sts bot commented Jan 16, 2026

nushell/0.109.1-r1: fix GHSA-g59m-gf8j-gjf5

Advisory data: https://github.com/wolfi-dev/advisories/blob/main/nushell.advisories.yaml


"Breadcrumbs" for this automated service

Inspected git repositories:

octo-sts bot commented Jan 16, 2026

🔢 Build Failed: Dependency Version Mismatch

error: failed to select a version for aws-smithy-runtime. versions that meet the requirements ^1.7.3 are: 1.7.3, 1.9.8, 1.9.5, 1.9.4, 1.9.3, 1.9.2, 1.9.1, 1.9.0, 1.8.6, 1.8.5, 1.8.4, 1.8.3, 1.8.1, 1.8.0, 1.7.8, 1.7.7, 1.7.6, 1.7.5, 1.7.4 all possible versions conflict with previously selected packages

Build Details

Category | Details
Build System | Cargo (Rust)
Failure Point | cargobump command attempting to update aws-sdk-sts from version 1.50.0 to 1.91.0

Root Cause Analysis 🔍

Dependency version conflict where aws-smithy-runtime versions that satisfy aws-config requirements conflict with the existing mockito v1.7.0 package. The version upgrade created incompatible dependency constraints that Cargo's resolver cannot satisfy.


🔍 Build failure fix suggestions

Found similar build failures that have been fixed in the past and analyzed them to suggest a fix:

Suggested Changes

File: Cargo.toml

  • addition (dependencies section, after the existing lru dependency bump)

Original:

sed -i 's/lru = "0\.12"/lru = "0.16.3"/' Cargo.toml

Replacement:

sed -i 's/lru = "0\.12"/lru = "0.16.3"/' Cargo.toml
sed -i 's/mockito = "1\.7\.0"/mockito = "1.8.0"/' Cargo.toml || sed -i '/\[dependencies\]/a mockito = "1.8.0"' Cargo.toml

Content:

Add mockito version constraint to resolve aws-smithy-runtime conflict
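
Review bot: the `||` fallback on the second Replacement line never runs, because `sed -i 's/.../.../'` exits 0 whether or not the pattern matched. If Cargo.toml does not contain `mockito = "1.7.0"` exactly, the step changes nothing, reports success, and the resolver fails the same way. Test for the line first, for example with `grep -q 'mockito = "1\.7\.0"' Cargo.toml`, then choose between the substitution and the append, and fail the step when neither applies. The first Replacement line is identical to the Original, so the mockito command is the only actual change.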

Analysis

No similar build failures were provided for analysis. However, the current error indicates a Rust dependency version conflict where aws-smithy-runtime versions that satisfy aws-config requirements are incompatible with the existing mockito v1.7.0 package. This is a classic Cargo dependency resolution issue that occurs when cargobump attempts to upgrade aws-sdk-sts from 1.50.0 to 1.91.0, creating incompatible dependency constraints.


Explanation

The build failure occurs because cargobump is trying to upgrade aws-sdk-sts from 1.50.0 to 1.91.0, which requires aws-smithy-runtime ^1.7.3. However, the existing mockito v1.7.0 package creates a dependency conflict with the available aws-smithy-runtime versions. By upgrading mockito to v1.8.0 (or a compatible version), we resolve the dependency constraint conflict that prevents Cargo from selecting a valid version of aws-smithy-runtime. This approach follows the same pattern as the existing lru dependency bump in the pipeline - proactively updating problematic dependencies before running cargobump to avoid version conflicts.


Alternative Approaches

  • Pin aws-sdk-sts to a specific compatible version before running cargobump to avoid the version conflict entirely
  • Use cargo update --package mockito specifically to update only the conflicting dependency
  • Add explicit version constraints for aws-smithy-runtime in Cargo.toml to force a compatible version selection
  • Disable the problematic dependency update by excluding aws-sdk-sts from the cargobump process if it's not critical


@octo-sts octo-sts bot added the ai/skip-comment Stop AI from commenting on PR label Jan 16, 2026