Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update to 0.1.1 #3

Merged
merged 2 commits into from
Jul 9, 2024
Merged

Update to 0.1.1 #3

merged 2 commits into from
Jul 9, 2024

Conversation

wavefnx
Copy link
Owner

@wavefnx wavefnx commented Jul 9, 2024

Roller v0.1.1

Description

According to RUSTSEC-2024-0346 the transitive/indirect dependencies zerovec and zerovec-derive were assuming that #[repr(packed)] guarantees field order (rust-lang/rust#125360 (comment)) although that's not guaranteed by the Rust spec and could lead to illegal memory access.

The updated version (unicode-org/icu4x#5196) seems to use #[repr(C, packed)] which does guarantee field order.

Although, after updating all the package's transitive dependencies, it seems like both zerovec and zerovec-derive have been completely removed from the .lock and therefor not a dependency anymore, even indirect.

File changes

  • Cargo.lock: Updated transitive dependencies, zerovec and zerovec-derive removal, package bump to 0.1.1
  • Cargo.toml: Package bump to 0.1.1

@wavefnx wavefnx added the release label Jul 9, 2024
@wavefnx wavefnx merged commit 630ede4 into main Jul 9, 2024
1 check passed
@wavefnx wavefnx deleted the wavefnx/dep-zerovec-update branch July 11, 2024 22:20
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging this pull request may close these issues.

1 participant