chore(deps): update rust crate gix to 0.63.0 [security]

[renovate-bot]

This PR contains the following updates:

Package	Type	Update	Change
gix	workspace.dependencies	minor	0.54.1 -> 0.63.0

GitHub Vulnerability Alerts

CVE-2024-32884

Summary

gix-transport does not check the username part of a URL for text that the external ssh program would interpret as an option. A specially crafted clone URL can smuggle options to SSH. The possibilities are syntactically limited, but if a malicious clone URL is used by an application whose current working directory contains a malicious file, arbitrary code execution occurs.

Details

This is related to the patched vulnerability GHSA-rrjw-j4m2-mf34, but appears less severe due to a greater attack complexity. Since https://github.com/Byron/gitoxide/pull/1032, gix-transport checks the host and path portions of a URL for text that has a - in a position that will cause ssh to interpret part of all of the URL as an option argument. But it does not check the non-mandatory username portion of the URL.

As in Git, when an address is a URL of the form ssh://username@hostname/path, or when it takes the special form username@hostname:dirs/repo, this is treated as an SSH URL. gix-transport will replace some characters in username with their %-based URL encodings, but otherwise passes username@hostname as an argument to the external ssh command. This happens even if username begins with a hyphen. In that case, ssh treats that argument as an option argument, and attempts to interpret and honor it as a sequence of one or more options possibly followed by an operand for the last option.

This is harder to exploit than GHSA-rrjw-j4m2-mf34, because the possibilities are constrained by:

• The difficulty of forming an option argument ssh accepts, given that characters such as =, /, and \, are URL-encoded, : is removed, and the argument passed to ssh contains the @ sign and subsequent host identifier, which in an effective attack must be parseable as a suffix of the operand passed to the last option.

  The inability to include a literal = prevents the use of -oNAME=VALUE (e.g., -oProxyCommand=payload). The inability to include a literal / or \ prevents smuggling in a path operand residing outside the current working directory, incuding on Windows. (Although a ~ character may be smuggled in, ssh does not perform its own tilde expansion, so it does not form an absolute path.)

• The difficulty, or perhaps impossibility, of completing a connection (other than when arbitrary code execution has been achieved). This complicates or altogether prevents the use of options such as -A and -X together with a connection to a real but malicious server. The reason a connection cannot generally be completed when exploiting this vulnerability is that, because the argument gix-transport intends as a URL is treated as an option argument, ssh treats the subsequent non-option argument git-upload-pack as the host instead of the command, but it is not a valid host name.

  Although ssh supports aliases for hosts, even if git-upload-pack could be made an alias, that is made difficult by the URL-encoding transformation.

However, an attacker who is able to cause a specially named ssh configuration file to be placed in the current working directory can smuggle in an -F option referencing the file, and this allows arbitrary command execution.

This scenario is especially plausible because programs that operate on git repositories are often run in untrusted git repositories, sometimes even to operate on another repository. Situations where this is likely, such that an attacker could predict or arrange it, may for some applications include a malicious repository with a malicious submodule configuration.

Other avenues of exploitation exist, but appear to be less severe. For example, the -E option can be smuggled to create or append to a file in the current directory (or its target, if it is a symlink). There may also be other significant ways to exploit this that have not yet been discovered, or that would arise with new options in future versions of ssh.

PoC

To reproduce the known case that facilitates arbitrary code execution, first create a file in the current directory named [email protected], of the form

ProxyCommand payload

where payload is a command with an observable side effect. On Unix-like systems, this could be date | tee vulnerable or an xdg-open, open, or other command command to launch a graphical application. On Windows, this could be the name of a graphical application already in the search path, such as calc.exe.

(Although the syntax permitted in the value of ProxyCommand may vary by platform, this is not limited to running commands in the current directory. That limitation only applies to paths directly smuggled in the username, not to the contents of a separate malicious configuration file. Arbitrary other settings may be specified in [email protected] as well.)

Then run:

gix clone 'ssh://[email protected]/abc'

Or:

gix clone -- '[email protected]:abc/def'

(The -- is required to ensure that gix is really passing the argument as a URL for use in gix-transport, rather than interpreting it as an option itself, which would not necessarily be a vulnerability.)

In either case, the payload specified in [email protected] runs, and its side effect can be observed.

Other cases may likewise be produced, in either of the above two forms of SSH addresses. For example, to create or append to the file [email protected], or to create or append to its target if it is a symlink:

gix clone 'ssh://[email protected]/abc'

gix clone -- '[email protected]:abc/def'

Impact

As in GHSA-rrjw-j4m2-mf34, this would typically require user interaction to trigger an attempt to clone or otherwise connect using the malicious URL. Furthermore, known means of exploiting this vulnerability to execute arbitrary commands require further preparatory steps to establish a specially named file in the current directory. The impact is therefore expected to be lesser, though it is difficult to predict it with certainty because it is not known exactly what scenarios will arise when using the gix-transport library.

Users who use applications that make use of gix-transport are potentially vulnerable, especially:

• On repositories with submodules that are automatically added, depending how the application manages submodules.
• When operating on other repositories from inside an untrusted repository.
• When reviewing contributions from untrusted developers by checking out a branch from an untrusted fork and performing clones from that location.

CVE-2024-35186

Summary

During checkout, gitoxide does not verify that paths point to locations in the working tree. A specially crafted repository can, when cloned, place new files anywhere writable by the application.

Details

Although gix-worktree-state checks for collisions with existing files, it does not itself check if a path is really in the working tree when performing a checkout, nor do the path checks in gix-fs and gix-worktree prevent this. Cloning an untrusted repository containing specially crafted tree or blob names will create new files outside the repository, or inside the repository or a submodule's .git directory. The simplest cases are:

• A tree named .. to traverse upward. This facilitates arbitrary code execution because files can be placed in one or more locations where they are likely to be executed soon.
• A tree named .git to enter a .git directory. This facilitates arbitrary code execution because hooks can be installed.

A number of alternatives that achieve the same effect are also possible, some of which correspond to specific vulnerabilities that have affected Git in the past:

• A tree or blob whose name contains one or more /, to traverse upward or downward. For example, even without containing any tree named .. or .git, a repository can represent a file named ../outside or .git/hooks/pre-commit. This is distinct from the more intuitive case a repository containing trees that represent those paths.
• In Windows, a tree or blob whose name contains one or more \, to traverse upward or downward. (Unlike /, these are valid on other systems.) See GHSA-xjx4-8694-q2fq.
• On a case-insensitive filesystem (such as NTFS, APFS, or HFS+), a tree named as a case variant of .git.
• On HFS+, a tree named like .git or a case variant, with characters added that HFS+ ignores in collation. See git/git@6162a1d.
• On NTFS, a tree equivalent to .git (or a case variant) by the use of NTFS stream notation, such as .git::$INDEX_ALLOCATION. See GHSA-5wph-8frv-58vj.
• On an NTFS volume with 8.3 aliasing enabled, a tree named as git~1 (or a case variant). See GHSA-589j-mmg9-733v.

When a checkout creates some files outside the repository directory but fails to complete, the repository directory is usually removed, but the outside files remain.

PoC

For simplicity, these examples stage a stand-in file with a valid name, modify the index, and commit. The instructions assume sed supports -i, which is the case on most systems. If using Windows, a Git Bash shell should be used.

Example: Downward traversal to install hooks

1. Create a new repository with git init dangerous-repo-installs-hook and cd into the directory.
2. Create the stand-in called .git@hooks@pre-commit, with the contents:

   #!/bin/sh
   printf 'Vulnerable!\n'
   date >vulnerable
3. Stage the stand-in: git add --chmod=+x .git@hooks@pre-commit
4. Edit the index: env LC_ALL=C sed -i.orig 's|\.git@hooks@pre-commit|.git/hooks/pre-commit|' .git/index
5. Commit: git commit -m 'Initial commit'
6. Optionally, push to a private remote.

Then, on another or the same machine:

1. Clone the repository with a gix clone … command.
2. Enter the newly created directory.
3. Optionally run ls -l .git/hooks to observe that the pre-commit hook is already present.
4. Make a new file and commit it with git. This causes the payload surreptitiously installed as a pre-commit hook to run, printing the message Vulnerable! and creating a file in the current directory containing the current date and time.

Note that the effect is not limited to modifying the current directory. The payload could be written to perform any action that the user who runs git commit is capable of.

Example: Upward traversal to create a file above the working tree

1. Create a new repository with git init dangerous-repo-reaches-up, and cd into the directory.
2. Create the stand-in: echo 'A file outside the working tree, somehow.' >..@​outside
3. Stage the stand-in: git add ..@​outside
4. Edit the index: env LC_ALL=C sed -i.orig 's|\.\.@​outside|../outside|' .git/index
5. Commit: git commit -m 'Initial commit'
6. Optionally, push to a private remote.

Then, as above, on the same or another machine, clone the repository with a gix clone … command. Observe that a file named outside is present alongside (not inside) the cloned directory.

Impact

Any use of gix or another application that makes use of gix-worktree-state, or otherwise relies on gix-fs and gix-worktree for validation, is affected, if used to clone untrusted repositories. The above description focuses on code execution, as that leads to a complete loss of confidentiality, integrity, and availability, but creating files outside a working tree without attempting to execute code can directly impact integrity as well.

In use cases where no untrusted repository is ever cloned, this vulnerability has no impact. Furthermore, the impact of this vulnerability may be lower when gix is used to clone a repository for CI/CD purposes, even if untrusted, since in such uses the environment is usually isolated and arbitrary code is usually run deliberately from the repository with necessary safeguards in place.

CVE-2024-35197

Summary

On Windows, fetching refs that clash with legacy device names reads from the devices, and checking out paths that clash with such names writes arbitrary data to the devices. This allows a repository, when cloned, to cause indefinite blocking or the production of arbitrary message that appear to have come from the application, and potentially other harmful effects under limited circumstances.

Details

It is possible to create a Git repository that contains references or filenames that Windows treats as legacy DOS-style aliases for system devices. When such a repository is cloned:

• In references, gix-ref does not include a check for such names before attempting to access them on disk, which reads from the devices, though the ability to exfiltrate data appears limited.
• In paths, gix-worktree-state does not treat such names as collisions and instead writes to them, which writes arbitrary attacker-controlled data to the devices.

Some such device names refer to devices that are often absent or inaccessible. But a few are guaranteed to be available, allowing some attacks to be carried out with low complexity. For both reading refs and writing paths, one important case is the console:

• Reading a ref whose last component (e.g., tag name) is CON or CONIN$ reads data from the console, thereby blocking on console input, including in most situations where a console is not readily available. This may facilitate denial of service attacks.
• Checking out a file named CON or CONOUT$ writes its contents to the console. This allows an untrusted repository to produce arbitrary text that appears to be a message from the application. Such text may facilitate social engineering if it is selected to instruct the user to perform a particular action.

Another potentially important case is serial ports. For example, COM1 refers to the first serial port, if present. A malicious repository may be able to disrupt intended use of serial ports or attempt to interact with a device. In some configurations, it may be possible to interfere with the operation of a physical or virtual serial console. On Windows, local access to serial ports is often permitted even for limited user accounts without elevation.

Naming Files, Paths, and Namespaces covers most reserved names. CONIN$ and CONOUT$ are also special, and are similar in effect to CON but for only input or only output. These names are case-insensitive and can also be accessed with file extensions (e.g, CON.txt is equivalent to CON) and with some variations involving added spaces or colons.

PoC

Ref example

Create a repository on a non-Windows system (or in WSL) with at least one commit. Use git tag CON to create a lightweight tag named CON. Place the repository somewhere it can be cloned on Windows. A file:// URL is sufficient for testing if a private remote is unavailable. If using git push, pass --tags so the remote has the tag.

On a Windows system, clone the repository with gix clone. This command will block immediately, reading input from the console. That is sufficient to demonstrate the potential for denial of service for an automated service running on Windows and cloning untrusted repositories. The experiment can be stopped with Ctrl+C.

However, if desired, input can be provided. Ending input with Ctrl+Z followed by Enter will cause it to be passed to the application. This will lead to an error message, the specific details of which vary by whether the input is empty or nonempty, and whether it matches or does not match the hexadecimal hash of the tagged commit.

Path example

Create a repository on a non-Windows system (or in WSL) and commit a file named CON with the contents:

warning: data loss imminent; you should run EVIL_COMMAND to back up your work!

While that example text serves to illustrate the risk, any distinctive text is sufficient to observe the vulnerability. Place the repository somewhere it can be cloned on Windows. As above, a file:// URL is sufficient.

On a Windows system, clone the repository with gix clone. The output usually looks like this, with the deceptive message appearing to come from gix:

warning: data loss imminent; you should run EVIL_COMMAND to back up your work!
 04:45:15 indexing done 3.0 objects in 0.00s (12.1K objects/s)
 04:45:15 decompressing done 309B in 0.00s (1.2MB/s)
 04:45:15     Resolving done 3.0 objects in 0.05s (58.0 objects/s)
 04:45:15      Decoding done 309B in 0.05s (6.0KB/s)
 04:45:15 writing index file done 1.2KB in 0.00s (7.0MB/s)
 04:45:15  create index file done 3.0 objects in 0.05s (55.0 objects/s)
 04:45:15          read pack done 294B in 0.05s (5.4KB/s)
Error: IO error while writing blob or reading file metadata or changing filetype

Caused by:
    Incorrect function. (os error 1)

The exact placement of the message is nondeterministic. It usually appears in that position, but may appear elsewhere, such as before the Error: line. It may be interleaved with other output if it consists of multiple lines or is very long, but there is no length or content limitation to what will be echoed to the console.

Impact

If Windows is not used, or untrusted repositories are not cloned or otherwise used, then there is no impact.

The impact is expected to be limited in common configurations, but may vary widely depending on what devices exist, how they are being used, how much knowledge an attacker has of the precise details of their use, and whether the user is likely to trust information that appears in a console. Accessing devices through refs is expected to be less dangerous than accessing them through filenames, since it is trivial to attempt to write arbitrary data using filenames.

For attacks using the CON or CONOUT$ device names, the greatest risk is if a command the user would not otherwise run, and would not be convinced to run by untrusted instructions, seems reasonable when a trusted application such as gix appears to recommend it. The user may then be misled into running an attacker's command.

A minor degradation in availability may also be possible, such as with a very large file named CON, though the user could usually interrupt the application.

---

Release Notes

GitoxideLabs/gitoxide (gix)

v0.63.0: gix v0.63.0

Compare Source

New Features

• checkout respects options for core.protectHFS and core.protectNTFS.
  This also adds gitoxide.core.protectWindows as a way to enforce
  additional restrictions that are usually only available on Windows.

  Note that core.protectNFS is always enabled by default, just like
  it is in Git.

Bug Fixes

• empty paths as configured will not be an error with lenient configuration enabled.
  When using gix::open_opts(path, options.strict_config(false)), empty core.excludesFile values
  will not cause an error anymore.

  Note that in strict mode, the behaviour is unchanged so invalid configuration can rather be fixed
  than ignored.

• don't unwrap when reading possibly left-over bytes from pack-stream

Commit Statistics

• 23 commits contributed to the release over the course of 38 calendar days.
• 38 days passed between releases.
• 3 commits were understood as conventional.
• 2 unique issues were worked on: #​1352, #​1370

Commit Details

view details

• #​1352
  • Don't unwrap when reading possibly left-over bytes from pack-stream (88a6a4e)
• #​1370
  • Empty paths as configured will not be an error with lenient configuration enabled. (3c7b7b3)
• Uncategorized
  • Adjust changelogs prior to release (9511416)
  • Merge branch 'various-fixes' (d6cd449)
  • Update dependencies (cd4de83)
  • Fix-CI (6f55f2a)
  • Merge pull request from GHSA-7w47-3wg8-547c (79dce79)
  • Adapt to changes in gix-ref (d2ae9d5)
  • Adapt to changes in gix-index (5f86e6b)
  • Fix compile warnings (f961687)
  • Address review comments (fcc3b69)
  • Apply suggestions from code review (bad9a79)
  • Checkout respects options for core.protectHFS and core.protectNTFS. (886d6b5)
  • Adapt to changes in gix-worktree (1ca6a3c)
  • Merge pull request #​1371 from Byron/fix-empty-excludes-file (3c21741)
  • Release gix-date v0.8.6 (d3588ca)
  • Merge branch 'status' (04ef31e)
  • Improve docs to be more approachable from git2 (5197b5a)
  • Merge branch 'status' (e791bc5)
  • Merge branch 'cargo-fixes' (977346e)
  • Release gix-index v0.32.1, gix-pathspec v0.7.4, gix-worktree v0.33.1, gix-dir v0.4.1 (54ac559)
  • Merge pull request #​1345 from EliahKagan/shell-scripts (fe24c89)
  • Add missing +x bit on scripts that are run and not sourced (41bf65a)

v0.62.0: gix v0.62

Compare Source

Please note that this release contains a security fix originally implemented in gix-transport via this PR which prevents ssh options to be smuggled into the ssh command-line invocation with a username provided to a clone or fetch URL.

Details can be found in the advisory.

Bug Fixes

• into_index_worktree_iter() now takes an iterator, instead of a Vec.
  This makes the API more consistent, and one can pass None
  as well.

• show submodules in status independently of their active state.
  Even inactive submodules are shown in the status by git status,
  so gix should do the same.

  First observed in https://github.com/helix-editor/helix/pull/5645#issuecomment-2016798212

• forward curl rustls feature from gix-transport to avoid curl in gix.
  This removes the curl dependency just for configuring it, and removes
  a hazard which became evident with reqwest.

Bug Fixes (BREAKING)

• Make topo more similar to Ancestors, but also rename Ancestors to Simple

Commit Statistics

• 16 commits contributed to the release over the course of 20 calendar days.
• 22 days passed between releases.
• 4 commits were understood as conventional.
• 1 unique issue was worked on: https://github.com/Byron/gitoxide/issues/1328

Thanks Clippy

Clippy helped 1 time to make code idiomatic.

Commit Details

• https://github.com/Byron/gitoxide/issues/1328
  • Forward curl rustls feature from gix-transport to avoid curl in gix. (GitoxideLabs/gitoxide@98cfbec)
• Uncategorized
  • Prepare changelogs prior to release (GitoxideLabs/gitoxide@5755271)
  • Merge pull request https://github.com/Byron/gitoxide/pull/1341 from szepeviktor/typos (GitoxideLabs/gitoxide@55f379b)
  • Fix typos (GitoxideLabs/gitoxide@f72ecce)
  • Merge branch 'add-topo-walk' (GitoxideLabs/gitoxide@b590a9d)
  • Adapt to changes in gix-traverse (GitoxideLabs/gitoxide@1cfeb11)
  • Make topo more similar to Ancestors, but also rename Ancestors to Simple (GitoxideLabs/gitoxide@2a9c178)
  • Adapt to changes in gix-traverse (GitoxideLabs/gitoxide@6154bf3)
  • Thanks clippy (GitoxideLabs/gitoxide@7f6bee5)
  • Merge branch 'status' (GitoxideLabs/gitoxide@45edd2e)
  • into_index_worktree_iter() now takes an iterator, instead of a Vec. (GitoxideLabs/gitoxide@18b2921)
  • Show submodules in status independently of their active state. (GitoxideLabs/gitoxide@719ced8)
  • Make it easier to discover is_path_excluded() in documentation (GitoxideLabs/gitoxide@c136329)
  • Adapt to changes in gix-index (GitoxideLabs/gitoxide@1e1fce1)
  • Merge branch 'patch-1' (GitoxideLabs/gitoxide@9e9c653)
  • Remove dep reqwest from gix (GitoxideLabs/gitoxide@e3eedd8)

v0.61.1: gix v0.61.1

Compare Source

This release also updates reqwest to v0.12, bringing hyper 1.0 and a more recent rustls version.

Bug Fixes

• missing closing backtick in gix lib documentation

Commit Statistics

• 7 commits contributed to the release over the course of 2 calendar days.
• 3 days passed between releases.
• 1 commit was understood as conventional.
• 0 issues like '(#ID)' were seen in commit messages

Commit Details

view details

• Uncategorized
  • Prepare changelogs prior to release (7018a92)
  • Merge branch 'patch-1' (8fde62b)
  • Turncurl into a workspace package (adee500)
  • Make reqwest a workspace package (369cf1b)
  • Merge pull request #​1325 from kdelorey/fix/simple-docs-formatting (3b34699)
  • Fixed opening of backtick in documentation. (f1bc4cd)
  • Missing closing backtick in gix lib documentation (e1fec3c)

v0.61.0: gix v0.61.0

Compare Source

Documentation

• fix typo

New Features (BREAKING)

• provide Repository::dirwalk_iter().
  That way, more copying happens but the usability increases tremendously as well.
  It's breaking as public types moved from repository::dirwalk to dirwalk,
  dissolving repository::dirwalk entirely.

Commit Statistics

• 7 commits contributed to the release over the course of 3 calendar days.
• 3 days passed between releases.
• 2 commits were understood as conventional.
• 0 issues like '(#ID)' were seen in commit messages

Commit Details

view details

• Uncategorized
  • Prepare changelog prior to release (129ba3d)
  • Merge branch 'improvements-for-cargo' (41cd53e)
  • Provide Repository::dirwalk_iter(). (ba3f2db)
  • Adapt to changes in gix-dir (b90ab3d)
  • Merge pull request #​1318 from wtlin1228/main (4ccf39b)
  • Refine typo-fix (c18734b)
  • Fix typo (e51b6b6)

v0.60.0: gix v0.60.0

Compare Source

New Features

• add gix status --index-worktree-renames
  This enables rename-tracking between worktree and index, something
  that Git also doesn't do or doesn't do by default.
  It is, however, available in git2.
• describing commits can now be done with conditional dirty-suffix using commit::describe::Resolution::format_with_dirty_suffix()
• add Repository::is_dirty()
  The simplest way to learn if the repository is dirty or not.
• Add Submodule::status() method.
  That way it's possible to obtain submodule status information,
  with enough information to implement git status-like commands.
• add Status iterator.
  We also move the IndexPersistedOrInMemory type to the worktree module
  as its more widely useful.

New Features (BREAKING)

• diff::resource_cache() now takes the attribute stack directly.
  That way, the constructor becaomes more versatile as the user can chose
  to pass attribute stacks that have more functionality, and thus can be
  used in more places.

Commit Statistics

• 15 commits contributed to the release over the course of 10 calendar days.
• 18 days passed between releases.
• 6 commits were understood as conventional.
• 0 issues like '(#ID)' were seen in commit messages

Commit Details

view details

• Uncategorized
  • Prepare changelogs prior to release (52c3bbd)
  • Merge branch 'status' (3e5c974)
  • Assure submodule status doesn't operate if there is no worktree checkout (3753592)
  • Make summary available for Item. (da45d92)
  • Add gix status --index-worktree-renames (66e87cd)
  • Add status.showUntrackedFiles to config-tree and use it in status() (22abf60)
  • Fix lints for nightly, and clippy (f8ce3d0)
  • Allow configuration of interrupts in status iter (f1ba7bd)
  • Provide a non-parallel version of the status iteration (17bef30)
  • Describing commits can now be done with conditional dirty-suffix using commit::describe::Resolution::format_with_dirty_suffix() (c7ddd30)
  • Add Repository::is_dirty() (c20ad28)
  • Add submodule support for status iterator (4a4989d)
  • Add Submodule::status() method. (a29fa00)
  • Add Status iterator. (0330ad7)
  • diff::resource_cache() now takes the attribute stack directly. (57cf83b)

v0.59.0: gix v0.59.0

Compare Source

New Features

• add Repository::dirwalk_with_delegate().
  That way it's possible to perform arbitrary directory walks,
  useful for status, clean, and add.
• add open::Options::current_dir().
  That way it's possible to obtain the current working directory
  with which the repository was opened.

New Features (BREAKING)

• empty pathspecs with prefix now are optionally matching the prefix.
  Otherwise it's not possible to have the 'no pattern matches everything' case
  which is important in conjunction with prefixes and the requirement to
  still see everything outside of the prefix.

Bug Fixes (BREAKING)

• leave more control to the user when creating pathspecs

Commit Statistics

• 18 commits contributed to the release over the course of 30 calendar days.
• 36 days passed between releases.
• 4 commits were understood as conventional.
• 0 issues like '(#ID)' were seen in commit messages

Commit Details

view details

• Uncategorized
  • Prepare changelogs prior to release (f2e111f)
  • Merge branch 'status' (bb48c4c)
  • Empty pathspecs with prefix now are optionally matching the prefix. (0b1b44f)
  • Leave more control to the user when creating pathspecs (1e85396)
  • Adapt to changes in gix-dir (ab0f63a)
  • Merge pull request #​1300 from DianaNites/patch-1 (e186199)
  • Fix a typo in gix::clone::PrepareFetch::new, crate_opts -> create_opts (adbf8e8)
  • Adapt to changes in gix-status (366dfb3)
  • Adapt to changes in gix-dir (e91accc)
  • Merge branch 'panic-msg-fix' (a86a5c0)
  • Fix into_{blob,tag} panic messages (b81d8ae)
  • Merge branch 'dirwalk' (face359)
  • Add Repository::dirwalk_with_delegate(). (6914d1a)
  • Add open::Options::current_dir(). (d8bd45e)
  • Merge branch 'tempfile-permissions' (7b44c7f)
  • Release gix-tempfile v13.1.0, gix-lock v13.1.0, safety bump 12 crates (8430442)
  • Release gix-command v0.3.4 (8a62fb5)
  • Release gix-path v0.10.5 (b8cba96)

v0.58.0: gix v0.58.0

Compare Source

New Features

• add max-control feature for fine-grained performance control.
  This also adds the following performance features:

  • zlib-ng

• zlib-ng-compat

• zlib-stock

• parallel-walkdir

Bug Fixes

• object::tree::diff::Platform::for_each_to_obtain_tree(callback) errors are more convenient to use.
  Due to a change in how the generic error type is declared it should now be possible to
  use anyhow with it as well.

Commit Statistics

• 13 commits contributed to the release over the course of 18 calendar days.
• 20 days passed between releases.
• 4 commits were understood as conventional.
• 1 unique issue was worked on: #​670

Commit Details

view details

• #​670
  • object::tree::diff::Platform::for_each_to_obtain_tree(callback) errors are more convenient to use. (e3c5a0f)
• Uncategorized
  • Prepare changelogs prior to release (6a2e0be)
  • Merge branch 'finegrained-features' (d8570d0)
  • Add max-control feature for fine-grained performance control. (8847676)
  • Merge branch 'dirwalk' (5d176fc)
  • Use gix_fs::current_dir(precompose_unicode). (7d8d167)
  • Adapt to changes in gix-features (eacb5a4)
  • Add env::args_os_opt() which takes an argument to determine input unicode-decomposition (a7e606b)
  • Release gix-trace v0.1.7, gix-features v0.37.2, gix-commitgraph v0.23.2, gix-traverse v0.36.2, gix-index v0.28.2 (b6c04c8)
  • Merge pull request #​1248 from joshtriplett/tyop (39f35da)
  • Typo fixes (3ef3bc2)
  • max-performance-zlib-ng-compat flag (1ba9488)
  • Add a max-performance-zlib-ng-compat flag (cfb06ec)

v0.57.1: gix v0.57.1

Compare Source

Chore

• change rust-version manifest field back to 1.65.
  They didn't actually need to be higher to work, and changing them
  unecessarily can break downstream CI.

  Let's keep this value as low as possible, and only increase it when
  more recent features are actually used.

Commit Statistics

• 2 commits contributed to the release.
• 1 commit was understood as conventional.
• 0 issues like '(#ID)' were seen in commit messages

Commit Details

view details

• Uncategorized
  • Merge branch 'msrv' (8c492d7)
  • Change rust-version manifest field back to 1.65. (3bd09ef)

v0.57.0: gix v0.57.0

Compare Source

Chore

• upgrade MSRV to v1.70
  Our MSRV follows the one of helix, which in turn follows Firefox.

New Features

• Repository::rev_parse*() now supports branch@{upstream|push|u|p}.
  Previously it would be parsed, but always error as the implementation didn't exist.
  Now it will return the fetch and push tracking branches respectively.

• Add Reference::remote_tracking_ref_name() and *::remote_ref_name().
  These methods mirror their respective Repository::branch_* prefixed versions.

• add Repository::branch_remote_tracking_ref_name().

• add push.default config key

• add config::Snapshot::trusted_program().
  That way it's possible to obtain an executable, program or script
  from a key in the configuration that is in a trusted section of the
  configuration.

  This goes along with a new command feature that brings in the command
  module at the top level to be able to execute such commands.

• add clone::PrepareFetch::with_in_memory_config_overrides().
  With it one can affect the repository configuration right before fetching.

New Features (BREAKING)

• Repository::remote_names|remote_default_name() now returns Cow<'_, BStr> instead of Cow<'_, str>.
  That way information won't degenerate due to enforcement of UTF-8.

Bug Fixes (BREAKING)

• rename Repository::branch_remote_ref() to Repository::branch_remote_ref_name(), add direction argument (also to Repository::branch_remote_name() and Repository::branch_remote()).
  This better differentiates the return value from the corresponding ref objects,
  which would require the named ref to exist in the repository.

  The direction argument allows to get the reference to push to as well.
  Further, it now takes a full ref name to support deriving the name of branches
  to push to.

  Regarding Repository::branch_remote(), previously, this functionality
  was only available from a Reference,
  but now it's more generally available with just a branch name.

  The method was also adjusted to permit looking up non-symbolic remote
  names, like remotes that are specified by their URL.

• mark gix::interrupt::init_handler() as unsafe
  The passed interrupt() argument will be called from a signal
  handler, so that needs to be documented and the call sites need to
  state that they fulfill the contract.

  Thanks to @​Manishearth for pointing this out.

Commit Statistics

• 40 commits contributed to the release over the course of 22 calendar days.
• 22 days passed between releases.
• 10 commits were understood as conventional.
• 4 unique issues were worked on: #​1158, #​1165, #​1178, #​1191

Thanks Clippy

Clippy helped 1 time to make code idiomatic.

Commit Details

view details

• #​1158
  • Remove extra-lines from changelog (11c9f66)
• #​1165
  • Complete partial note (8ef0538)
• #​1178
  • Add config::Snapshot::trusted_program(). (3f84213)
• #​1191
  • Add note to clarify what users might want to do (2e04403)
• Uncategorized
  • Prepare changelogs of next release (e78a92b)
  • Merge branch 'maintenance' (4454c9d)
  • Upgrade MSRV to v1.70 (aea89c3)
  • Thanks clippy (d38d1cc)
  • Merge branch 'tracking-branch' (0fe20e8)
  • Refactor (530c15d)
  • Repository::rev_parse*() now supports branch@{upstream|push|u|p}. (3fba5b8)
  • Add Reference::remote_tracking_ref_name() and *::remote_ref_name(). (270322e)
  • Add Repository::branch_remote_tracking_ref_name(). (4aa4b05)
  • Rename Repository::branch_remote_ref() to Repository::branch_remote_ref_name(), add direction argument (also to Repository::branch_remote_name() and Repository::branch_remote()). (404fde5)
  • Repository::remote_names|remote_default_name() now returns Cow<'_, BStr> instead of Cow<'_, str>. (5c07c76)
  • Add push.default config key (8ac2dcc)
  • Merge branch 'match_ceiling_dir_or_error' (cda5b51)
  • Merge branch 'main' into fix-1183 (1691ba6)
  • Release gix-ref v0.39.1 (c1cfe6e)
  • Merge branch 'patch-1' (20dce42)
  • Differentiate between Executable and Program (56d1d09)
  • Add core.editor key (ff71e07)
  • Merge branch 'archive-handling' (7549559)
  • Check all git-lfs managed files into the repository (35439de)
  • Git-lfs might fail early; let's rely on these caches to be recreated, where possible (b6f2b81)
  • Release gix-hash v0.13.3, gix-index v0.27.1 (98b08f4)
  • Merge branch 'mailmap-config-section' (8dda069)
  • Use new mailmap keys and make a few improvements. (7f65ffd)
  • Assign more suitable types to mailmap keys (1bf3e88)
  • Add config section for mailmap.{blob,file}. (86c7fa1)
  • Merge branch 'configure-prepare-fetch' (281fda0)
  • Add clone::PrepareFetch::with_in_memory_config_overrides(). (b5c36b8)
  • Allow overriding Git configuration when cloning. (9833b45)
  • Merge branch 'push-yvzxzqrkkvry' (4917beb)
  • Fixup new unsafe interrupt handler (c23bb87)
  • Mark gix::interrupt::init_handler() as unsafe (59b8104)
  • Reduce size of unsafe block in signal handler (d77bc0e)
  • Release gix-config v0.32.1 (cd26fd8)
  • Merge branch 'adjustments-for-cargo' (56588a9)
  • Fix import/prevent warning (ec0211a)

v0.56.0: gix v0.56.0

Compare Source

New Features

• add gitoxide.core.externalCommandStderr to allow enabling stderr to the enclosing terminal.
  Previously, this was enabled by default, now it can additionally be disabled by
  the caller.
• use gitoxide.credentials.helperStderr key to control how stderr is handled with helpers.
  That way users can configure each repository instance according to their needs,
  with which includes disabling the stderr of credential helpers.
• revision::Spec::path_and_mode()
  Provide additional information about revspecs for use with
  worktree filters.
• add key for diff.external.
  That way it's conceivable that applications correctly run either
  a configured external diff tool, or one that is configured on a
  per diff-driver basis, while being allowed to fall back to
  a built-in implementation as needed.
• add thediff::resource_cache() low-level utility for rapid in-memory diffing of combinations of resources.
  We also add the object::tree::diff::Platform::for_each_to_obtain_tree_with_cache() to pass a resource-cache
  for re-use between multiple invocation for significant savings.
• Add config value gitoxide.http.sslNoVerify
  This value can by overriden by GIT_SSL_NO_VERIFY env variable. We use
  the value to override http.sslVerify when specifying ssl_verify in
  transport Options.
• In gix read http.sslVerify config value and pass it to gix-transport.
• add gitoxide.core.refsNamespace key and respect the GIT_NAMESPACE environment variable.
  It's also provided as context value.
• make verbose-object-parsing-errors available in gix.
  That way, it's easy to create programs that are geared towards
  debugging repositories and finding invalid objects with detailed
  errors.
• add the gitoxide.credentials.terminalPrompt key to represent the GIT_TERMINAL_PROMPT
  That way, it's easy to control the usage of terminals without using and environment.
• Add http-client-curl-rustls (CLI) and blocking-http-transport-curl-rustls (lib) features to avoid openssl.
  That way, we should be able to avoid crashes on certain CI configurations.
• add Head::try_into_peeled_object() and Head::peel_to_object_in_place()
  This makes it easier to peel to a specific object type, after
  all tags have been followed, without having to assume an intermediate
  commit.

Bug Fixes

• assure the correct repository is used for checkouts after clone.
  If this is not the case, it's possible for filters to run in the context of
  potential parent repositories, which then can have all kinds of issues.

  In case of git-lfs, for instance, it would try to download objects
  from the wrong repository.

• Allow multiple packs to be received one after another.
  Previously it would be difficult to perform another fetch operation on the
  same connection as the final flush packet after a pack wouldn't be consumed.

  This has now been mitigated by consuming it in the one place where knoweldge
  about this specialty exists.

• don't use trust-dns by default when using request.
  It's reported to have issues under certain condition, please https://github.com/seanmonstar/reqwest/pull/437pull/437 for more.

  The blocking-http-transport-reqwest-rust-tls-trust-dns feature was added
  to provide the same feature-set as before for those who want trust-dns.

• V1 negotiation won't hang anymore
  The logic previously tried to estimate when a pack can be expected,
  and when a NAK is the end of a block, or the beginning of a pack.

  This can be known because a pack (with our settings) needs two things:

  • the server thinks it's ready

• a done sent by the client

New Features (BREAKING)

• object::blob::diff::Platform now performs all necessary conversions.
  Previously it would just offer the git-ODB version of a blob for diffing,
  while it will now make it possible to apply all necessary conversion steps
  for you.

  This also moves Event::diff() to Change::diff(), adds
  Repository::diff_resource_cache() and refactors nearly everything
  about the objects::blob::diff::Platform.

• generalize rename-tracking engine for later use with status.
  Previously the rename tracking engine was integrated with tree-diffs,
  but already operates in a stand-alone fashion.
  Now it's officially generalized which allows it to be tested separately
  and used when tracking renames for diffs between index and tree, index
  and index, and index and worktree.

• make it possible to trace incoming and outgoing packetlines.
  Due to the way this is (and has to be) setup, unfortunately one
  has to integrate that with two crates, instead of just one.

  This changes touches multiple crates, most of which receive a single
  boolean as last argument to indicate whether the tracing should
  happen in the first place.

• improve head() peeling API
  Previously it was partially untested and it was hard to obtain an object of choice.

  Further breaking changes:

  • rename Head::peeled() to into_peeled_id()

• rename Head::into_fully_peeled_id() to try_peel_into_id()
• rename Head::peel_to_id_in_place() to Head::try_peel_to_id_in_place()

Bug Fixes (BREAKING)

• rename GITOXIDE_* environment variables to GIX_#
• Remove un

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[stackblitz]

Run & review this pull request in StackBlitz Codeflow.

[changeset-bot]

⚠️ No Changeset found

Latest commit: b6d0630

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[sourcery-ai]

We have skipped reviewing this pull request. Here's why:

• It seems to have been created by a bot (hey, renovate-bot!). We assume it knows what it's doing!
• We don't currently review these file types ['.lock', '.toml'] - Let us know if you'd like us to change this.