Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update gix to version 0.62 #443

Merged
merged 1 commit into from
Apr 15, 2024
Merged

Update gix to version 0.62 #443

merged 1 commit into from
Apr 15, 2024

Conversation

blinxen
Copy link
Contributor

@blinxen blinxen commented Apr 15, 2024

This update contains a security fix for
https://rustsec.org/advisories/RUSTSEC-2024-0335.html

@jpgrayson
Copy link
Collaborator

Thanks for the PR, @blinxen.

I'll note that StGit does not use the affected gix-transport API directly, or AFAIK indirectly.

StGit does not actually do any transport operations anymore (stg clone used to be a command, but was removed a while back).

So my off the cuff opinion is that there is no exploit vector for this via StGit.

@blinxen
Copy link
Contributor Author

blinxen commented Apr 15, 2024

That is true, however this change is motivated by the gitoxide update in Fedora. Because the project (gitoxide) consists of around 70 crates, we can't support multiple versions of it. That is why I would like to update all Fedora packages that require gitoxide to use the new version. This makes the life of package maintainers easier :D.

@blinxen
Copy link
Contributor Author

blinxen commented Apr 15, 2024

I would appreciate it if this could get merged however it doesn't really have a big priority right now.

@jpgrayson jpgrayson merged commit 05977c6 into stacked-git:master Apr 15, 2024
10 checks passed
@jpgrayson
Copy link
Collaborator

Merged. I generally keep dependencies updated, so this kind of update is appreciated.

I mostly wanted to document that StGit does not inherit the referenced security vulnerability in case someone sees the rustsec reference.

Thanks again!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants