Security update: upgrade to ruzstd v0.7.3 #396

Merged
merged 1 commit into from
Jan 2, 2025
Conversation

zuisong
Contributor

@zuisong zuisong commented Jan 2, 2025

Security update
RUSTSEC-2024-0400: ruzstd uninit and out-of-bounds memory reads
KillingSpark/zstd-rs#75

@zuisong
Contributor Author

zuisong commented Jan 2, 2025

`#[expect]` attribute stabilized in Rust 1.81
Exclusive range patterns stabilized in Rust 1.80

Should we increase the MSRV to 1.81?
Alternatively, we could use ruzstd v0.7.3.

@zuisong zuisong changed the title upgrade to ruzstd v0.8.0 Security update: upgrade to ruzstd v0.7.3 Jan 2, 2025
@ducaale ducaale merged commit 0d7d652 into ducaale:master Jan 2, 2025
9 checks passed
@zuisong zuisong deleted the ruzstd branch January 2, 2025 09:29
@ducaale
Owner

ducaale commented Jan 2, 2025

Thanks @zuisong, this has now been released as xh v0.23.1

Should we increase the MSRV to 1.81?

I don't have strong opinions but I was thinking of holding off until one of our dependencies requires us to bump up our MSRV. What do you think @blyxxyz?

@blyxxyz
Collaborator

blyxxyz commented Jan 2, 2025

For security fixes it's best not to bump the MSRV unless we have to, to make it as easy as possible for people to update.

I'm still not really sure what to do with MSRVs beyond that. If a dependency forces it then that's a good enough reason. It's nice that our current MSRV is supported by old Ubuntu releases but I don't know how many users that actually helps. I don't know any compelling reasons to bump it right now but maybe we don't have to be so strict about it, IDK.
