(auto merged) chore(deps): bump pathrs from 0.2.3 to 0.2.4 in the patch group

[dependabot]

Bumps the patch group with 1 update: pathrs.

Updates pathrs from 0.2.3 to 0.2.4

Release notes

Sourced from pathrs's releases.

libpathrs v0.2.4 -- "そう。神を生贄に捧げる！"

This release includes a series of bugfixes and important packaging improvements that were found to be necessary while preparing for making libpathrs a default dependency of runc.

Added

• New EXTRA_RUSTC_FLAGS and EXTRA_CARGO_FLAGS variables have been added to our Makefile, making it easier for packaging tools to adjust builds while still using make release.
• install.sh now accepts --rust-target and --rust-buildmode as parameters to make cross-compilation workflows easier to write (in particular, this is needed for runc's release scripts).
• We now produce signed release artefacts for our releases (though currently only in the form of signed source and cargo vendor tarballs). The accepted set of signing keys are available in libpathrs.keyring.

Changed

• The O_PATH resolver for procfs now has an additional bit of hardening (each component must be on a procfs -- previously we would check that it is on the same mount, which is an even stronger requirement but on older kernels it is possible to not have a mount ID to check against).

Fixed

• Previously, staticlib builds of libpathrs (i.e., libpathrs.a) inadvertently included symbol versioned symbols (@@LIBPATHRS_X.Y), which would cause linker errors when trying to compile programs statically against libpathrs.

  This has been resolved, but downstream users who build runc without using make release will need to take care to ensure they correctly set the LIBPATHRS_CAPI_BUILDMODE environment variable when building and build libpathrs.a and libpathrs.so in separate cargo build (or cargo rustc) invocations. This is mostly necessary due to [the lack of support for #[cfg(crate_type)]][rust-issue20267].

• go-pathrs now correctly builds on 32-bit architectures.

• When doing procfs operations, previously libpathrs would internally keep a handle to ProcfsBase open during the entire operation (due to Drop semantics in Rust) rather than closing the file descriptor as quickly as possible. The file descriptor would be closed soon afterwards (and thus was not a leak) but tools that search for file descriptor leaks (such as runc's test suite) could incorrectly classify this as a leak. We now close this ProcfsBase handle far more aggressively.

• RHEL 8 kernels have backports of the fd-based mount API (fsopen(2), open_tree(2), et al.) but some runc testing found that they have very bad (and very difficult to debug) performance issues. Thus, to avoid broken backports libpathrs will now explicitly refuse to use the fd-based mount API if the reported kernel version is pre-5.2 and will instead fallback to the less-secure open("/proc").

• libpathrs [0.2.0][] added some fdinfo-based hardening to the procfs resolver when openat2 is not available. Unfortunately, one aspect of this

... (truncated)

Changelog

Sourced from pathrs's changelog.

[0.2.4] - 2026-03-03

そう。神を生贄に捧げる！

Added

• New EXTRA_RUSTC_FLAGS and EXTRA_CARGO_FLAGS variables have been added to our Makefile, making it easier for packaging tools to adjust builds while still using make release.
• install.sh now accepts --rust-target and --rust-buildmode as parameters to make cross-compilation workflows easier to write (in particular, this is needed for runc's release scripts).
• We now produce signed release artefacts for our releases (though currently only in the form of signed source and cargo vendor tarballs). The accepted set of signing keys are available in libpathrs.keyring.

Changed

• The O_PATH resolver for procfs now has an additional bit of hardening (each component must be on a procfs -- previously we would check that it is on the same mount, which is an even stronger requirement but on older kernels it is possible to not have a mount ID to check against).

Fixed

• Previously, staticlib builds of libpathrs (i.e., libpathrs.a) inadvertently included symbol versioned symbols (@@LIBPATHRS_X.Y), which would cause linker errors when trying to compile programs statically against libpathrs.

  This has been resolved, but downstream users who build runc without using make release will need to take care to ensure they correctly set the LIBPATHRS_CAPI_BUILDMODE environment variable when building and build libpathrs.a and libpathrs.so in separate cargo build (or cargo rustc) invocations. This is mostly necessary due to [the lack of support for #[cfg(crate_type)]][rust-issue20267].

• go-pathrs now correctly builds on 32-bit architectures.

• When doing procfs operations, previously libpathrs would internally keep a handle to ProcfsBase open during the entire operation (due to Drop semantics in Rust) rather than closing the file descriptor as quickly as possible. The file descriptor would be closed soon afterwards (and thus was not a leak) but tools that search for file descriptor leaks (such as runc's test suite) could incorrectly classify this as a leak. We now close this ProcfsBase handle far more aggressively.

• RHEL 8 kernels have backports of the fd-based mount API (fsopen(2), open_tree(2), et al.) but some runc testing found that they have very bad (and very difficult to debug) performance issues. Thus, to avoid broken backports libpathrs will now explicitly refuse to use the fd-based mount API if the reported kernel version is pre-5.2 and will instead fallback to the less-secure open("/proc").

• libpathrs [0.2.0][] added some fdinfo-based hardening to the procfs resolver when openat2 is not available. Unfortunately, one aspect of this hardening had a hard requirement on [a kernel feature only added in Linux

... (truncated)

Commits

• dd498fd VERSION: release v0.2.4
• 2e1f130 merge #348 into cyphar/libpathrs:main
• 465ab4a merge #347 into cyphar/libpathrs:main
• 8b989b3 make: add signed release build script
• 2bc07ec keyring: add keyring file and management scripts
• 4c88545 MAINTAINERS: add maintainers file
• b65afad root: improve Root::create{,_file} docs
• fb56667 merge #341 into cyphar/libpathrs:main
• 2450406 procfs: opath: enforce fstype checks
• b0f6c34 procfs: use /proc/self/fd/$n symlink loop for loop tests
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions