Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update Rust crate sqlx to 0.8 [SECURITY] #16791

Merged
merged 4 commits into from
Aug 29, 2024

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Aug 24, 2024

This PR contains the following updates:

Package Type Update Change
sqlx dev-dependencies minor 0.7 -> 0.8
sqlx dependencies minor 0.7 -> 0.8

GitHub Vulnerability Alerts

GHSA-xmrp-424f-vfpx

The following presentation at this year's DEF CON was brought to our attention on the SQLx Discord:

SQL Injection isn't Dead: Smuggling Queries at the Protocol Level
http://web.archive.org/web/20240812130923/https://media.defcon.org/DEF%20CON%2032/DEF%20CON%2032%20presentations/DEF%20CON%2032%20-%20Paul%20Gerste%20-%20SQL%20Injection%20Isn't%20Dead%20Smuggling%20Queries%20at%20the%20Protocol%20Level.pdf
(Archive link for posterity.)

Essentially, encoding a value larger than 4GiB can cause the length prefix in the protocol to overflow,
causing the server to interpret the rest of the string as binary protocol commands or other data.

It appears SQLx does perform truncating casts in a way that could be problematic,
for example: https://github.com/launchbadge/sqlx/blob/6f2905695b9606b5f51b40ce10af63ac9e696bb8/sqlx-postgres/src/arguments.rs#L163

This code has existed essentially since the beginning,
so it is reasonable to assume that all published versions <= 0.8.0 are affected.

Mitigation

As always, you should make sure your application is validating untrustworthy user input.
Reject any input over 4 GiB, or any input that could encode to a string longer than 4 GiB.
Dynamically built queries are also potentially problematic if it pushes the message size over this 4 GiB bound.

Encode::size_hint()
can be used for sanity checks, but do not assume that the size returned is accurate.
For example, the Json<T> and Text<T> adapters have no reasonable way to predict or estimate the final encoded size,
so they just return size_of::<T>() instead.

For web application backends, consider adding some middleware that limits the size of request bodies by default.

Resolution

Work has started on a branch to add #[deny] directives for the following Clippy lints:

and to manually audit the code that they flag.

A fix is expected to be included in the 0.8.1 release (still WIP as of writing).


Release Notes

launchbadge/sqlx (sqlx)

v0.8.1

Compare Source

16 pull requests were merged this release cycle.

This release contains a fix for RUSTSEC-2024-0363.

Postgres users are advised to upgrade ASAP as a possible exploit has been demonstrated:
#​3440 (comment)

MySQL and SQLite do not appear to be exploitable, but upgrading is recommended nonetheless.

Added
  • [#​3421]: correct spelling of MySqlConnectOptions::no_engine_substitution() [[@​kolinfluence]]
    • Deprecates MySqlConnectOptions::no_engine_subsitution() (oops) in favor of the correctly spelled version.
Changed
  • [#​3376]: doc: hide spec_error module [[@​abonander]]
    • This is a helper module for the macros and was not meant to be exposed.
    • It is not expected to receive any breaking changes for the 0.8.x release, but is not designed as a public API.
      Use at your own risk.
  • [#​3382]: feat: bumped to libsqlite3-sys=0.30.1 to support sqlite 3.46 [[@​CommanderStorm]]
  • [#​3385]: chore(examples):Migrated the pg-chat example to ratatui [[@​CommanderStorm]]
  • [#​3399]: Upgrade to rustls 0.23 [[@​djc]]
    • RusTLS now has pluggable cryptography providers: ring (the existing implementation),
      and aws-lc-rs which has optional FIPS certification.
    • The existing features activating RusTLS (runtime-tokio-rustls, runtime-async-std-rustls, tls-rustls)
      enable the ring provider of RusTLS to match the existing behavior so this should not be a breaking change.
    • Switch to the tls-rustls-aws-lc-rs feature to use the aws-lc-rs provider.
      • If using runtime-tokio-rustls or runtime-async-std-rustls,
        this will necessitate switching to the appropriate non-legacy runtime feature:
        runtime-tokio or runtime-async-std
    • See the RusTLS README for more details: https://github.com/rustls/rustls?tab=readme-ov-file#cryptography-providers
Fixed

v0.8.0

Compare Source

70 pull requests were merged this release cycle.

#​2697 was merged the same day as release 0.7.4 and so was missed by the automatic CHANGELOG generation.

Breaking
  • [#​2697]: fix(macros): only enable chrono when time is disabled [[@​saiintbrisson]]
  • [#​2973]: Generic Associated Types in Database, replacing HasValueRef, HasArguments, HasStatement [[@​nitn3lav]]
  • [#​2482]: chore: bump syn to 2.0 [[@​saiintbrisson]]
    • Deprecated type ascription syntax in the query macros was removed.
  • [#​2736]: Fix describe on PostgreSQL views with rules [[@​tsing]]
    • Potentially breaking: nullability inference changes for Postgres.
  • [#​2869]: Implement PgHasArrayType for all references [[@​tylerhawkes]]
    • Conflicts with existing manual implementations.
  • [#​2940]: fix: Decode and Encode derives (#​1031) [[@​benluelo]]
    • Changes lifetime obligations for field types.
  • [#​3064]: Sqlite explain graph [[@​tyrelr]]
    • Potentially breaking: nullability inference changes for SQLite.
  • [#​3123]: Reorder attrs in sqlx::test macro [[@​bobozaur]]
    • Potentially breaking: attributes on #[sqlx::test] usages are applied in the correct order now.
  • [#​3126]: Make Encode return a result [[@​FSMaxB]]
  • [#​3130]: Add version information for failed cli migration (#​3129) [[@​FlakM]]
    • Breaking changes to MigrateError.
  • [#​3181]: feat: no tx migration [[@​cleverjam]]
    • (Postgres only) migrations that should not run in a transaction can be flagged by adding -- no-transaction to the beginning.
    • Breaking change: added field to Migration
  • [#​3184]: [BREAKING} fix(sqlite): always use i64 as intermediate when decoding [[@​abonander]]
    • integer decoding will now loudly error on overflow instead of silently truncating.
    • some usages of the query!() macros might change an i32 to an i64.
  • [#​3252]: fix #[derive(sqlx::Type)] in Postgres [[@​abonander]]
    • Manual implementations of PgHasArrayType for enums will conflict with the generated one. Delete the manual impl or add #[sqlx(no_pg_array)] where conflicts occur.
    • Type equality for PgTypeInfo is now schema-aware.
  • [#​3329]: fix: correct handling of arrays of custom types in Postgres [[@​abonander]]
    • Potential breaking change: PgTypeInfo::with_name() infers types that start with _ to be arrays of the un-prefixed type. Wrap type names in quotes to bypass this behavior.
  • [#​3356]: breaking: fix name collision in FromRow, return Error::ColumnDecode for TryFrom errors [[@​abonander]]
    • Breaking behavior change: errors with #[sqlx(try_from = "T")] now return Error::ColumnDecode instead of Error::ColumnNotFound.
    • Breaking because #[sqlx(default)] on an individual field or the struct itself would have previously suppressed the error.
      This doesn't seem like good behavior as it could result in some potentially very difficult bugs.
      • Instead, create a wrapper implementing From and apply the default explicitly.
  • [#​3337]: allow rename with rename_all (close #​2896) [[@​DirectorX]]
    • Changes the precedence of #[sqlx(rename)] and #[sqlx(rename_all)] to match the expected behavior (rename wins).
  • [#​3285]: fix: use correct names for sslmode options [[@​lily-mosquitoes]]
    • Changes the output of ConnectOptions::to_url_lossy() to match what parsing expects.
Added
Changed
Fixed

v0.7.4

Compare Source

38 pull requests were merged this release cycle.

This is officially the last release of the 0.7.x release cycle.

As of this release, development of 0.8.0 has begun on main and only high-priority bugfixes may be backported.

Added
  • [#​2891]: feat: expose getters for connect options fields [[@​saiintbrisson]]
  • [#​2902]: feat: add to_url_lossy to connect options [[@​lily-mosquitoes]]
  • [#​2927]: Support query! for cargo-free systems [[@​kshramt]]
  • [#​2997]: doc(FAQ): add entry explaining prepared statements [[@​abonander]]
  • [#​3001]: Update README to clarify MariaDB support [[@​iangilfillan]]
  • [#​3004]: feat(logging): Add numeric elapsed time field elapsed_secs [[@​iamjpotts]]
  • [#​3007]: feat: add raw_sql API [[@​abonander]]
    • This hopefully makes it easier to find how to execute statements which are not supported by the default
      prepared statement interfaces query*() and query!().
    • Improved documentation across the board for the query*() functions.
    • Deprecated: execute_many() and fetch_many() on interfaces that use prepared statements.
      • Multiple SQL statements in one query string were only supported by SQLite because its prepared statement
        interface is the only way to execute SQL. All other database flavors forbid multiple statements in
        one prepared statement string as an extra defense against SQL injection.
      • The new raw_sql API retains this functionality because it explicitly does not use prepared statements.
        Raw or text-mode query interfaces generally allow multiple statements in one query string, and this is
        supported by all current databases. Due to their nature, however, one cannot use bind parameters with them.
      • If this change affects you, an issue is open for discussion: https://github.com/launchbadge/sqlx/issues/3108
  • [#​3011]: Added support to IpAddr with MySQL/MariaDB. [[@​Icerath]]
  • [#​3013]: Add default implementation for PgInterval [[@​pawurb]]
  • [#​3018]: Add default implementation for PgMoney [[@​pawurb]]
  • [#​3026]: Update docs to reflect support for MariaDB data types [[@​iangilfillan]]
  • [#​3037]: feat(mysql): allow to connect with mysql driver without default behavor [[@​darkecho731]]
Changed
Fixed

v0.7.3

38 pull requests were merged this release cycle.

Added
Changed
Fixed

Configuration

📅 Schedule: Branch creation - "" in timezone America/New_York, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

Release Notes:

  • N/A

Copy link
Contributor Author

renovate bot commented Aug 24, 2024

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: Cargo.lock
Command failed: cargo update --config net.git-fetch-with-cli=true --manifest-path crates/collab/Cargo.toml --workspace
    Updating git repository `https://github.com/tree-sitter/tree-sitter`
From https://github.com/tree-sitter/tree-sitter
 * [new ref]           7f4a57817d58a2f134fe863674acad6bbf007228 -> refs/commit/7f4a57817d58a2f134fe863674acad6bbf007228
 * [new tag]           0.14.0     -> 0.14.0
 * [new tag]           0.14.0-beta1 -> 0.14.0-beta1
 * [new tag]           0.14.0-beta2 -> 0.14.0-beta2
 * [new tag]           0.14.0-beta3 -> 0.14.0-beta3
 * [new tag]           0.14.0-beta4 -> 0.14.0-beta4
 * [new tag]           0.14.1     -> 0.14.1
 * [new tag]           0.14.2     -> 0.14.2
 * [new tag]           0.14.3     -> 0.14.3
 * [new tag]           0.14.4     -> 0.14.4
 * [new tag]           0.14.5     -> 0.14.5
 * [new tag]           0.15.0     -> 0.15.0
 * [new tag]           0.15.1     -> 0.15.1
 * [new tag]           0.15.10    -> 0.15.10
 * [new tag]           0.15.11    -> 0.15.11
 * [new tag]           0.15.12    -> 0.15.12
 * [new tag]           0.15.13    -> 0.15.13
 * [new tag]           0.15.14    -> 0.15.14
 * [new tag]           0.15.2     -> 0.15.2
 * [new tag]           0.15.3     -> 0.15.3
 * [new tag]           0.15.4     -> 0.15.4
 * [new tag]           0.15.5     -> 0.15.5
 * [new tag]           0.15.6     -> 0.15.6
 * [new tag]           0.15.7     -> 0.15.7
 * [new tag]           0.15.8     -> 0.15.8
 * [new tag]           0.15.9     -> 0.15.9
 * [new tag]           0.16.0     -> 0.16.0
 * [new tag]           0.16.1     -> 0.16.1
 * [new tag]           0.16.2     -> 0.16.2
 * [new tag]           0.16.3     -> 0.16.3
 * [new tag]           0.16.4     -> 0.16.4
 * [new tag]           0.16.5     -> 0.16.5
 * [new tag]           0.16.6     -> 0.16.6
 * [new tag]           0.16.7     -> 0.16.7
 * [new tag]           0.16.8     -> 0.16.8
 * [new tag]           0.16.9     -> 0.16.9
 * [new tag]           0.17.0     -> 0.17.0
 * [new tag]           0.17.1     -> 0.17.1
 * [new tag]           0.17.2     -> 0.17.2
 * [new tag]           0.17.3     -> 0.17.3
 * [new tag]           0.18.0     -> 0.18.0
 * [new tag]           v0.18.1    -> v0.18.1
 * [new tag]           v0.18.2    -> v0.18.2
 * [new tag]           v0.19.0    -> v0.19.0
 * [new tag]           v0.19.1    -> v0.19.1
 * [new tag]           v0.19.2    -> v0.19.2
 * [new tag]           v0.19.3    -> v0.19.3
 * [new tag]           v0.19.4    -> v0.19.4
 * [new tag]           v0.19.5    -> v0.19.5
 * [new tag]           v0.20.0    -> v0.20.0
 * [new tag]           v0.20.1    -> v0.20.1
 * [new tag]           v0.20.2    -> v0.20.2
 * [new tag]           v0.20.3    -> v0.20.3
 * [new tag]           v0.20.4    -> v0.20.4
 * [new tag]           v0.20.5    -> v0.20.5
 * [new tag]           v0.20.6    -> v0.20.6
 * [new tag]           v0.20.7    -> v0.20.7
 * [new tag]           v0.20.8    -> v0.20.8
 * [new tag]           v0.20.9    -> v0.20.9
 * [new tag]           v0.21.0    -> v0.21.0
 * [new tag]           v0.22.0    -> v0.22.0
 * [new tag]           v0.22.1    -> v0.22.1
 * [new tag]           v0.22.2    -> v0.22.2
 * [new tag]           v0.22.4    -> v0.22.4
 * [new tag]           v0.22.5    -> v0.22.5
 * [new tag]           v0.22.6    -> v0.22.6
    Updating crates.io index
    Updating git repository `https://github.com/kvark/blade`
From https://github.com/kvark/blade
 * [new ref]         7f54ddfc001edc48225e6602d3c38ebb855421aa -> refs/commit/7f54ddfc001edc48225e6602d3c38ebb855421aa
 * [new tag]         0.2        -> 0.2
 * [new tag]         asset-0.1  -> asset-0.1
 * [new tag]         asset-0.2  -> asset-0.2
 * [new tag]         egui-0.1   -> egui-0.1
 * [new tag]         egui-0.2   -> egui-0.2
 * [new tag]         egui-0.3   -> egui-0.3
 * [new tag]         graphics-0.2 -> graphics-0.2
 * [new tag]         graphics-0.3 -> graphics-0.3
 * [new tag]         graphics-0.4 -> graphics-0.4
 * [new tag]         macros-0.2 -> macros-0.2
 * [new tag]         macros-0.2.1 -> macros-0.2.1
 * [new tag]         render-0.1 -> render-0.1
 * [new tag]         render-0.2 -> render-0.2
 * [new tag]         render-0.3 -> render-0.3
    Updating git repository `https://github.com/pop-os/cosmic-text`
From https://github.com/pop-os/cosmic-text
 * [new ref]         542b20ca4376a3b5de5fa629db1a4ace44e18e0c -> refs/commit/542b20ca4376a3b5de5fa629db1a4ace44e18e0c
 * [new tag]         0.1.0      -> 0.1.0
 * [new tag]         0.1.1      -> 0.1.1
 * [new tag]         0.1.2      -> 0.1.2
 * [new tag]         0.1.3      -> 0.1.3
 * [new tag]         0.1.4      -> 0.1.4
 * [new tag]         0.1.5      -> 0.1.5
 * [new tag]         0.10.0     -> 0.10.0
 * [new tag]         0.11.0     -> 0.11.0
 * [new tag]         0.11.1     -> 0.11.1
 * [new tag]         0.11.2     -> 0.11.2
 * [new tag]         0.2.0      -> 0.2.0
 * [new tag]         0.2.1      -> 0.2.1
 * [new tag]         0.2.2      -> 0.2.2
 * [new tag]         0.3.0      -> 0.3.0
 * [new tag]         0.4.0      -> 0.4.0
 * [new tag]         0.4.1      -> 0.4.1
 * [new tag]         0.5.0      -> 0.5.0
 * [new tag]         0.5.1      -> 0.5.1
 * [new tag]         0.5.2      -> 0.5.2
 * [new tag]         0.5.3      -> 0.5.3
 * [new tag]         0.5.4      -> 0.5.4
 * [new tag]         0.5.5      -> 0.5.5
 * [new tag]         0.5.6      -> 0.5.6
 * [new tag]         0.6.0      -> 0.6.0
 * [new tag]         0.7.0      -> 0.7.0
 * [new tag]         0.8.0      -> 0.8.0
 * [new tag]         0.9.0      -> 0.9.0
    Updating git repository `https://github.com/zed-industries/font-kit`
From https://github.com/zed-industries/font-kit
 * [new ref]         40391b7c0041d8a8572af2afa3de32ae088f0120 -> refs/commit/40391b7c0041d8a8572af2afa3de32ae088f0120
    Updating git repository `https://github.com/npmania/xim-rs`
From https://github.com/npmania/xim-rs
 * [new ref]         27132caffc5b9bc9c432ca4afad184ab6e7c16af -> refs/commit/27132caffc5b9bc9c432ca4afad184ab6e7c16af
    Updating git repository `https://github.com/ConradIrwin/xkbcommon-rs`
From https://github.com/ConradIrwin/xkbcommon-rs
 * [new ref]         fcbb4612185cc129ceeff51d22f7fb51810a03b2 -> refs/commit/fcbb4612185cc129ceeff51d22f7fb51810a03b2
 * [new tag]         v0.1.0     -> v0.1.0
 * [new tag]         v0.2.0     -> v0.2.0
 * [new tag]         v0.2.1     -> v0.2.1
 * [new tag]         v0.2.2     -> v0.2.2
 * [new tag]         v0.2.3     -> v0.2.3
 * [new tag]         v0.3.0     -> v0.3.0
 * [new tag]         v0.4.0     -> v0.4.0
 * [new tag]         v0.5.0     -> v0.5.0
 * [new tag]         v0.5.0-beta.0 -> v0.5.0-beta.0
 * [new tag]         v0.5.1     -> v0.5.1
 * [new tag]         v0.6.0     -> v0.6.0
 * [new tag]         v0.7.0     -> v0.7.0
    Updating git repository `https://github.com/phoenixframework/tree-sitter-heex`
From https://github.com/phoenixframework/tree-sitter-heex
 * [new ref]         6dd0303acf7138dd2b9b432a229e16539581c701 -> refs/commit/6dd0303acf7138dd2b9b432a229e16539581c701
 * [new tag]         v0.1.0     -> v0.1.0
 * [new tag]         v0.2.0     -> v0.2.0
 * [new tag]         v0.2.1     -> v0.2.1
 * [new tag]         v0.3.0     -> v0.3.0
 * [new tag]         v0.3.1     -> v0.3.1
 * [new tag]         v0.4.0     -> v0.4.0
 * [new tag]         v0.4.1     -> v0.4.1
 * [new tag]         v0.5.0     -> v0.5.0
 * [new tag]         v0.6.0     -> v0.6.0
    Updating git repository `https://github.com/zed-industries/tree-sitter-markdown`
From https://github.com/zed-industries/tree-sitter-markdown
 * [new ref]         e3855e37f8f2c71aa7513c18a9c95fb7461b1b10 -> refs/commit/e3855e37f8f2c71aa7513c18a9c95fb7461b1b10
 * [new tag]         v0.1.3     -> v0.1.3
 * [new tag]         v0.1.4     -> v0.1.4
 * [new tag]         v0.1.5     -> v0.1.5
 * [new tag]         v0.1.6     -> v0.1.6
 * [new tag]         v0.1.7     -> v0.1.7
 * [new tag]         v0.2.1     -> v0.2.1
 * [new tag]         v0.2.2     -> v0.2.2
 * [new tag]         v0.2.3     -> v0.2.3
    Updating git repository `https://github.com/zed-industries/async-pipe-rs`
From https://github.com/zed-industries/async-pipe-rs
 * [new ref]         82d00a04211cf4e1236029aa03e6b6ce2a74c553 -> refs/commit/82d00a04211cf4e1236029aa03e6b6ce2a74c553
 * [new tag]         v0.1.0     -> v0.1.0
 * [new tag]         v0.1.1     -> v0.1.1
 * [new tag]         v0.1.2     -> v0.1.2
 * [new tag]         v0.1.3     -> v0.1.3
    Updating git repository `https://github.com/zed-industries/lsp-types`
From https://github.com/zed-industries/lsp-types
 * [new ref]         72357d6f6d212bdffba3b5ef4b31d8ca856058e7 -> refs/commit/72357d6f6d212bdffba3b5ef4b31d8ca856058e7
 * [new tag]         0.11.1     -> 0.11.1
 * [new tag]         v0.1.0     -> v0.1.0
 * [new tag]         v0.10.0    -> v0.10.0
 * [new tag]         v0.13.0    -> v0.13.0
 * [new tag]         v0.14.0    -> v0.14.0
 * [new tag]         v0.15.0    -> v0.15.0
 * [new tag]         v0.16.0    -> v0.16.0
 * [new tag]         v0.17.0    -> v0.17.0
 * [new tag]         v0.18.0    -> v0.18.0
 * [new tag]         v0.19.0    -> v0.19.0
 * [new tag]         v0.20.0    -> v0.20.0
 * [new tag]         v0.21.0    -> v0.21.0
 * [new tag]         v0.22.0    -> v0.22.0
 * [new tag]         v0.23.0    -> v0.23.0
 * [new tag]         v0.24.0    -> v0.24.0
 * [new tag]         v0.26.0    -> v0.26.0
 * [new tag]         v0.27.0    -> v0.27.0
 * [new tag]         v0.28.0    -> v0.28.0
 * [new tag]         v0.29.0    -> v0.29.0
 * [new tag]         v0.30.0    -> v0.30.0
 * [new tag]         v0.31.0    -> v0.31.0
 * [new tag]         v0.32.0    -> v0.32.0
 * [new tag]         v0.33.0    -> v0.33.0
 * [new tag]         v0.34.0    -> v0.34.0
 * [new tag]         v0.35.0    -> v0.35.0
 * [new tag]         v0.36.0    -> v0.36.0
 * [new tag]         v0.37.0    -> v0.37.0
 * [new tag]         v0.38.0    -> v0.38.0
 * [new tag]         v0.39.0    -> v0.39.0
 * [new tag]         v0.40.0    -> v0.40.0
 * [new tag]         v0.41.0    -> v0.41.0
 * [new tag]         v0.42.0    -> v0.42.0
 * [new tag]         v0.43.0    -> v0.43.0
 * [new tag]         v0.44.0    -> v0.44.0
 * [new tag]         v0.45.0    -> v0.45.0
 * [new tag]         v0.47.0    -> v0.47.0
 * [new tag]         v0.48.0    -> v0.48.0
 * [new tag]         v0.48.1    -> v0.48.1
 * [new tag]         v0.49.0    -> v0.49.0
 * [new tag]         v0.50.0    -> v0.50.0
 * [new tag]         v0.51.0    -> v0.51.0
 * [new tag]         v0.51.1    -> v0.51.1
 * [new tag]         v0.53.0    -> v0.53.0
 * [new tag]         v0.53.1    -> v0.53.1
 * [new tag]         v0.54.0    -> v0.54.0
 * [new tag]         v0.55.0    -> v0.55.0
 * [new tag]         v0.55.1    -> v0.55.1
 * [new tag]         v0.55.2    -> v0.55.2
 * [new tag]         v0.55.3    -> v0.55.3
 * [new tag]         v0.55.4    -> v0.55.4
 * [new tag]         v0.56.0    -> v0.56.0
 * [new tag]         v0.57.0    -> v0.57.0
 * [new tag]         v0.57.1    -> v0.57.1
 * [new tag]         v0.57.2    -> v0.57.2
 * [new tag]         v0.58.0    -> v0.58.0
 * [new tag]         v0.58.1    -> v0.58.1
 * [new tag]         v0.59.0    -> v0.59.0
 * [new tag]         v0.64.0    -> v0.64.0
 * [new tag]         v0.65.0    -> v0.65.0
 * [new tag]         v0.66.0    -> v0.66.0
 * [new tag]         v0.67.0    -> v0.67.0
 * [new tag]         v0.67.1    -> v0.67.1
 * [new tag]         v0.68.0    -> v0.68.0
 * [new tag]         v0.68.1    -> v0.68.1
 * [new tag]         v0.76.1    -> v0.76.1
 * [new tag]         v0.77.0    -> v0.77.0
 * [new tag]         v0.78.0    -> v0.78.0
 * [new tag]         v0.79.0    -> v0.79.0
 * [new tag]         v0.8.0     -> v0.8.0
 * [new tag]         v0.81.0    -> v0.81.0
 * [new tag]         v0.82.0    -> v0.82.0
 * [new tag]         v0.83.0    -> v0.83.0
 * [new tag]         v0.83.1    -> v0.83.1
 * [new tag]         v0.84.0    -> v0.84.0
 * [new tag]         v0.85.0    -> v0.85.0
 * [new tag]         v0.86.0    -> v0.86.0
 * [new tag]         v0.87.0    -> v0.87.0
 * [new tag]         v0.88.0    -> v0.88.0
 * [new tag]         v0.89.0    -> v0.89.0
 * [new tag]         v0.89.1    -> v0.89.1
 * [new tag]         v0.89.2    -> v0.89.2
 * [new tag]         v0.9.0     -> v0.9.0
 * [new tag]         v0.90.0    -> v0.90.0
 * [new tag]         v0.90.1    -> v0.90.1
 * [new tag]         v0.91.0    -> v0.91.0
 * [new tag]         v0.91.1    -> v0.91.1
 * [new tag]         v0.91.2    -> v0.91.2
 * [new tag]         v0.92.0    -> v0.92.0
 * [new tag]         v0.92.1    -> v0.92.1
 * [new tag]         v0.93.0    -> v0.93.0
 * [new tag]         vv0.60.0   -> vv0.60.0
 * [new tag]         vv0.61.0   -> vv0.61.0
 * [new tag]         vv0.62.0   -> vv0.62.0
 * [new tag]         vv0.63.0   -> vv0.63.0
 * [new tag]         vv0.63.1   -> vv0.63.1
 * [new tag]         vv0.69.0   -> vv0.69.0
 * [new tag]         vv0.70.0   -> vv0.70.0
 * [new tag]         vv0.70.1   -> vv0.70.1
 * [new tag]         vv0.70.2   -> vv0.70.2
 * [new tag]         vv0.71.0   -> vv0.71.0
 * [new tag]         vv0.72.0   -> vv0.72.0
 * [new tag]         vv0.73.0   -> vv0.73.0
 * [new tag]         vv0.74.0   -> vv0.74.0
 * [new tag]         vv0.74.1   -> vv0.74.1
 * [new tag]         vv0.74.2   -> vv0.74.2
 * [new tag]         vv0.75.0   -> vv0.75.0
 * [new tag]         vv0.76.0   -> vv0.76.0
    Updating git repository `https://github.com/camdencheek/tree-sitter-go-mod`
From https://github.com/camdencheek/tree-sitter-go-mod
 * [new ref]         1f55029bacd0a6a11f6eb894c4312d429dcf735c -> refs/commit/1f55029bacd0a6a11f6eb894c4312d429dcf735c
 * [new tag]         v1.0.0     -> v1.0.0
 * [new tag]         v1.0.1     -> v1.0.1
 * [new tag]         v1.0.2     -> v1.0.2
    Updating git repository `https://github.com/d1y/tree-sitter-go-work`
From https://github.com/d1y/tree-sitter-go-work
 * [new ref]         dcbabff454703c3a4bc98a23cf8778d4be46fd22 -> refs/commit/dcbabff454703c3a4bc98a23cf8778d4be46fd22
    Updating git repository `https://github.com/alacritty/alacritty`
From https://github.com/alacritty/alacritty
 * [new ref]           91d034ff8b53867143c005acfaa14609147c9a2c -> refs/commit/91d034ff8b53867143c005acfaa14609147c9a2c
 * [new tag]           binaries   -> binaries
 * [new tag]           v0.1.1     -> v0.1.1
 * [new tag]           v0.2.0     -> v0.2.0
 * [new tag]           v0.2.1     -> v0.2.1
 * [new tag]           v0.2.2     -> v0.2.2
 * [new tag]           v0.2.3     -> v0.2.3
 * [new tag]           v0.2.4     -> v0.2.4
 * [new tag]           v0.2.4-conpty -> v0.2.4-conpty
 * [new tag]           v0.2.5     -> v0.2.5
 * [new tag]           v0.2.6     -> v0.2.6
 * [new tag]           v0.2.7     -> v0.2.7
 * [new tag]           v0.2.8     -> v0.2.8
 * [new tag]           v0.2.9     -> v0.2.9
 * [new tag]           v0.3.0     -> v0.3.0
 * [new tag]           v0.3.0-rc1 -> v0.3.0-rc1
 * [new tag]           v0.3.0-rc2 -> v0.3.0-rc2
 * [new tag]           v0.3.0-rc3 -> v0.3.0-rc3
 * [new tag]           v0.3.1     -> v0.3.1
 * [new tag]           v0.3.2     -> v0.3.2
 * [new tag]           v0.3.3     -> v0.3.3
 * [new tag]           v0.3.3-rc1 -> v0.3.3-rc1
 * [new tag]           v0.3.3-rc2 -> v0.3.3-rc2
    Updating git repository `https://github.com/KillTheMule/nvim-rs`
From https://github.com/KillTheMule/nvim-rs
 * [new ref]         69500bae73b8b3f02a05b7bee621a0d0e633da6c -> refs/commit/69500bae73b8b3f02a05b7bee621a0d0e633da6c
 * [new tag]         v0.1.0     -> v0.1.0
 * [new tag]         v0.2.0     -> v0.2.0
 * [new tag]         v0.3.0     -> v0.3.0
 * [new tag]         v0.3.1     -> v0.3.1
 * [new tag]         v0.4.0     -> v0.4.0
 * [new tag]         v0.5.0     -> v0.5.0
 * [new tag]         v0.6.0     -> v0.6.0
error: failed to select a version for `libsqlite3-sys`.
    ... required by package `sqlx-sqlite v0.8.0`
    ... which satisfies dependency `sqlx-sqlite = "=0.8.0"` of package `sqlx v0.8.0`
    ... which satisfies dependency `sqlx = "^0.8"` of package `collab v0.44.0 (/tmp/renovate/repos/github/zed-industries/zed/crates/collab)`
versions that meet the requirements `^0.28.0` are: 0.28.0

the package `libsqlite3-sys` links to the native library `sqlite3`, but it conflicts with a previous package which links to `sqlite3` as well:
package `libsqlite3-sys v0.26.0`
    ... which satisfies dependency `libsqlite3-sys = "^0.26"` of package `sqlez v0.1.0 (/tmp/renovate/repos/github/zed-industries/zed/crates/sqlez)`
    ... which satisfies path dependency `sqlez` (locked to 0.1.0) of package `db v0.1.0 (/tmp/renovate/repos/github/zed-industries/zed/crates/db)`
    ... which satisfies path dependency `db` (locked to 0.1.0) of package `zed v0.151.0 (/tmp/renovate/repos/github/zed-industries/zed/crates/zed)`
Only one package in the dependency graph may specify the same links value. This helps ensure that only one copy of a native library is linked in the final binary. Try to adjust your dependencies so that only one package uses the `links = "sqlite3"` value. For more information, see https://doc.rust-lang.org/cargo/reference/resolver.html#links.

failed to select a version for `libsqlite3-sys` which could resolve this conflict

@cla-bot cla-bot bot added the cla-signed The user has signed the Contributor License Agreement label Aug 24, 2024
@zed-industries-bot
Copy link

zed-industries-bot commented Aug 24, 2024

Messages
📖

This PR includes links to the following GitHub Issues: #launchbadge/sqlx#3108
If this PR aims to close an issue, please include a Closes #ISSUE line at the top of the PR body.

Generated by 🚫 dangerJS against d6f8378

Copy link
Contributor Author

renovate bot commented Aug 29, 2024

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

@mikayla-maki mikayla-maki self-assigned this Aug 29, 2024
@mikayla-maki mikayla-maki merged commit 760e1a6 into main Aug 29, 2024
9 checks passed
@mikayla-maki mikayla-maki deleted the renovate/crate-sqlx-vulnerability branch August 29, 2024 04:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
cla-signed The user has signed the Contributor License Agreement
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants