From 98ae5be89081ef08b4b85d098cef8441111e0cb6 Mon Sep 17 00:00:00 2001
From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com>
Date: Fri, 7 Mar 2025 17:08:01 +0000
Subject: [PATCH 1/2] build(deps): bump ring in the cargo group across 1 directory

Bumps the cargo group with 1 update in the / directory: [ring](https://github.com/briansmith/ring).

Updates `ring` from 0.17.8 to 0.17.13
- [Changelog](https://github.com/briansmith/ring/blob/main/RELEASES.md)
- [Commits](https://github.com/briansmith/ring/commits)

---
updated-dependencies:
- dependency-name: ring
  dependency-type: indirect
  dependency-group: cargo
...

Signed-off-by: dependabot[bot]
---
 Cargo.lock | 17 +++++------------
 1 file changed, 5 insertions(+), 12 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index 54e7f1f8c6b..bdc7d23ac6a 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -474,9 +474,9 @@ dependencies = [
 
 [[package]]
 name = "cc"
-version = "1.2.1"
+version = "1.2.16"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "fd9de9f2205d5ef3fd67e685b0df337994ddd4495e2a28d185500d0e1edfea47"
+checksum = "be714c154be609ec7f5dad223a33bf1482fff90472de28f7362806e6d4832b8c"
 dependencies = [
  "jobserver",
  "libc",
@@ -3641,7 +3641,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "4979f22fdb869068da03c9f7528f8297c6fd2606bc3a4affe42e6a823fdb8da4"
 dependencies = [
  "cfg-if",
- "windows-targets 0.52.6",
+ "windows-targets 0.48.5",
 ]
 
 [[package]]
@@ -4471,15 +4471,14 @@ dependencies = [
 
 [[package]]
 name = "ring"
-version = "0.17.8"
+version = "0.17.13"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c17fa4cb658e3583423e915b9f3acc01cceaee1860e33d59ebae66adc3a2dc0d"
+checksum = "70ac5d832aa16abd7d1def883a8545280c20a60f523a370aa3a9617c2b8550ee"
 dependencies = [
  "cc",
  "cfg-if",
  "getrandom",
  "libc",
- "spin",
  "untrusted",
  "windows-sys 0.52.0",
 ]
@@ -4900,12 +4899,6 @@ dependencies = [
  "windows-sys 0.52.0",
 ]
 
-[[package]]
-name = "spin"
-version = "0.9.8"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "6980e8d7511241f8acf4aebddbb1ff938df5eebe98691418c4468d0b72a96a67"
-
 [[package]]
 name = "stability"
 version = "0.2.1"

From 1d9f7cdeaffdb8cfc42e2a95ae89a5d74eba342d Mon Sep 17 00:00:00 2001
From: Eliah Kagan
Date: Sat, 8 Mar 2025 04:02:35 -0500
Subject: [PATCH 2/2] Allow paste even though unmaintained, for now
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

https://rustsec.org/advisories/RUSTSEC-2024-0436.html now causes the `cargo deny advisories` check to fail (even if the separate and more important failure from `ring` is fixed by bumping the `ring` version, as in #1878).

`paste` is mature and would be hard to remove as a transitive dependency at this time:

> cargo tree --invert paste --no-dedupe --depth 3
paste v1.0.15 (proc-macro)
└── ratatui v0.26.3
    ├── crosstermion v0.14.0
    │   ├── gitoxide v0.41.0 (C:\Users\ek\source\repos\gitoxide)
    │   └── prodash v29.0.0
    ├── prodash v29.0.0
    │   ├── gitoxide v0.41.0 (C:\Users\ek\source\repos\gitoxide)
    │   ├── gix v0.70.0 (C:\Users\ek\source\repos\gitoxide\gix)
    │   └── gix-features v0.40.0 (C:\Users\ek\source\repos\gitoxide\gix-features)
    └── tui-react v0.23.2
        ├── crosstermion v0.14.0
        └── prodash v29.0.0

As discussed in https://github.com/rustsec/advisory-db/pull/2215 and https://github.com/leptos-rs/leptos/issues/3685, `paste` is widely used and there is community interest in maintaining it.

When the status changes or more information about the future of `paste` or its alternatives is available, `deny.toml` could be updated again (even if only with a comment).
---
 deny.toml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/deny.toml b/deny.toml
index 1cb36a1f799..a5557858263 100644
--- a/deny.toml
+++ b/deny.toml
@@ -8,7 +8,7 @@
 # More documentation for the advisories section can be found here:
 # https://embarkstudios.github.io/cargo-deny/checks/advisories/cfg.html
 [advisories]
-ignore = []
+ignore = ["RUSTSEC-2024-0436"]