chore: Bump ptree to update config dependency #304

Merged: 1 commit merged into bytecodealliance:main from chore/bump-ptree, Oct 21, 2024

Conversation

@joonas (Contributor) commented Oct 21, 2024

Bumping ptree to 0.5.0 in order to pull in config 0.14.0, which addresses some outstanding security issues:

Before:

Scanned old.spdx.json as SPDX SBOM and found 490 packages
╭─────────────────────────────────────┬──────┬───────────┬──────────────┬─────────┬───────────────────╮
│ OSV URL                             │ CVSS │ ECOSYSTEM │ PACKAGE      │ VERSION │ SOURCE            │
├─────────────────────────────────────┼──────┼───────────┼──────────────┼─────────┼───────────────────┤
│ https://osv.dev/RUSTSEC-2021-0139   │      │ crates.io │ ansi_term    │ 0.12.1  │ all-old.spdx.json │
│ https://osv.dev/RUSTSEC-2021-0145   │      │ crates.io │ atty         │ 0.2.14  │ all-old.spdx.json │
│ https://osv.dev/GHSA-g98v-hv3f-hcfr │      │           │              │         │                   │
│ https://osv.dev/RUSTSEC-2024-0375   │      │ crates.io │ atty         │ 0.2.14  │ all-old.spdx.json │
│ https://osv.dev/GHSA-wq9x-qwcq-mmgf │ 8.9  │ crates.io │ diesel       │ 2.1.6   │ all-old.spdx.json │
│ https://osv.dev/RUSTSEC-2024-0365   │      │ crates.io │ diesel       │ 2.1.6   │ all-old.spdx.json │
│ https://osv.dev/GHSA-2326-pfpj-vx3h │      │ crates.io │ lexical-core │ 0.7.6   │ all-old.spdx.json │
│ https://osv.dev/RUSTSEC-2023-0086   │      │ crates.io │ lexical-core │ 0.7.6   │ all-old.spdx.json │
│ https://osv.dev/RUSTSEC-2024-0373   │ 8.7  │ crates.io │ quinn-proto  │ 0.11.6  │ all-old.spdx.json │
│ https://osv.dev/GHSA-vr26-jcq5-fjj8 │      │           │              │         │                   │
│ https://osv.dev/RUSTSEC-2024-0320   │      │ crates.io │ yaml-rust    │ 0.4.5   │ all-old.spdx.json │
╰─────────────────────────────────────┴──────┴───────────┴──────────────┴─────────┴───────────────────╯

After:

Scanned new.spdx.json as SPDX SBOM and found 499 packages
╭─────────────────────────────────────┬──────┬───────────┬─────────────┬─────────┬───────────────╮
│ OSV URL                             │ CVSS │ ECOSYSTEM │ PACKAGE     │ VERSION │ SOURCE        │
├─────────────────────────────────────┼──────┼───────────┼─────────────┼─────────┼───────────────┤
│ https://osv.dev/RUSTSEC-2021-0139   │      │ crates.io │ ansi_term   │ 0.12.1  │ all.spdx.json │
│ https://osv.dev/RUSTSEC-2021-0145   │      │ crates.io │ atty        │ 0.2.14  │ all.spdx.json │
│ https://osv.dev/GHSA-g98v-hv3f-hcfr │      │           │             │         │               │
│ https://osv.dev/RUSTSEC-2024-0375   │      │ crates.io │ atty        │ 0.2.14  │ all.spdx.json │
│ https://osv.dev/GHSA-wq9x-qwcq-mmgf │ 8.9  │ crates.io │ diesel      │ 2.1.6   │ all.spdx.json │
│ https://osv.dev/RUSTSEC-2024-0365   │      │ crates.io │ diesel      │ 2.1.6   │ all.spdx.json │
│ https://osv.dev/RUSTSEC-2024-0373   │ 8.7  │ crates.io │ quinn-proto │ 0.11.6  │ all.spdx.json │
│ https://osv.dev/GHSA-vr26-jcq5-fjj8 │      │           │             │         │               │
│ https://osv.dev/RUSTSEC-2024-0320   │      │ crates.io │ yaml-rust   │ 0.4.5   │ all.spdx.json │
╰─────────────────────────────────────┴──────┴───────────┴─────────────┴─────────┴───────────────╯

This also sets the stage to pull in a newer version of ptree to get rid of atty in case I can convince the author to merge changes for getting rid of it: https://gitlab.com/Noughmad/ptree/-/merge_requests/10

@macovedj macovedj merged commit 19339f1 into bytecodealliance:main Oct 21, 2024
6 checks passed
@joonas joonas deleted the chore/bump-ptree branch October 21, 2024 20:02
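
The PR description above verifies the bump by running osv-scanner over an SPDX SBOM before and after the change and comparing the two tables by eye. The following is an added example, not code from this PR or from the bytecodealliance project: it parses osv-scanner's box-drawing table output, folds alias rows (a GHSA id printed under a RUSTSEC id with empty ecosystem/package columns) into the preceding finding, and reports which package@version findings the bump resolved, which remain and which are new, plus a simple CVSS gate over what remains. The embedded reports are trimmed copies of the PR's own before/after tables used as constructed sample input; the 7.0 threshold and the function names are assumptions of this example, not anything osv-scanner or the project defines.

```python
# Added example (not code from the PR or the bytecodealliance project): parse two
# osv-scanner table reports, fold alias rows into the preceding finding, and
# report what a dependency bump resolved. The sample reports below are trimmed
# copies of the PR's before/after tables (constructed sample input, not a live scan).
from dataclasses import dataclass, field


@dataclass
class Finding:
    ecosystem: str
    package: str
    version: str
    ids: list = field(default_factory=list)  # RUSTSEC/GHSA ids for this package@version
    cvss: float = 0.0                         # highest CVSS printed for any of its ids

    @property
    def key(self) -> str:
        return f"{self.ecosystem}:{self.package}@{self.version}"


def parse_osv_table(text: str) -> dict[str, Finding]:
    """Return {ecosystem:package@version -> Finding} from osv-scanner's table output."""
    findings: dict[str, Finding] = {}
    current = None
    for line in text.splitlines():
        if not line.lstrip().startswith("│"):
            continue                          # top/bottom/separator borders, summary text
        cells = [c.strip() for c in line.strip().strip("│").split("│")]
        if len(cells) < 6 or cells[0] == "OSV URL":
            continue                          # header row
        url, cvss, eco, pkg, ver = cells[:5]
        adv_id = url.rsplit("/", 1)[-1]
        if pkg == "":                         # alias row: same finding, extra id
            if current is not None:
                current.ids.append(adv_id)
            continue
        current = findings.setdefault(f"{eco}:{pkg}@{ver}", Finding(eco, pkg, ver))
        current.ids.append(adv_id)
        if cvss:
            current.cvss = max(current.cvss, float(cvss))
    return findings


def diff_reports(before: dict, after: dict) -> dict[str, list[str]]:
    """Classify package@version findings as resolved, remaining or newly introduced."""
    return {
        "resolved": sorted(set(before) - set(after)),
        "remaining": sorted(set(before) & set(after)),
        "new": sorted(set(after) - set(before)),
    }


def above_threshold(findings: dict, threshold: float = 7.0) -> list[str]:
    """Keys whose highest CVSS meets the threshold (assumed 7.0); usable as a merge gate."""
    return sorted(k for k, f in findings.items() if f.cvss >= threshold)


BEFORE = """\
Scanned old.spdx.json as SPDX SBOM and found 490 packages
╭─────────────────────────────────────┬──────┬───────────┬──────────────┬─────────┬───────────────────╮
│ OSV URL                             │ CVSS │ ECOSYSTEM │ PACKAGE      │ VERSION │ SOURCE            │
├─────────────────────────────────────┼──────┼───────────┼──────────────┼─────────┼───────────────────┤
│ https://osv.dev/RUSTSEC-2021-0139   │      │ crates.io │ ansi_term    │ 0.12.1  │ all-old.spdx.json │
│ https://osv.dev/RUSTSEC-2021-0145   │      │ crates.io │ atty         │ 0.2.14  │ all-old.spdx.json │
│ https://osv.dev/GHSA-g98v-hv3f-hcfr │      │           │              │         │                   │
│ https://osv.dev/RUSTSEC-2024-0375   │      │ crates.io │ atty         │ 0.2.14  │ all-old.spdx.json │
│ https://osv.dev/GHSA-wq9x-qwcq-mmgf │ 8.9  │ crates.io │ diesel       │ 2.1.6   │ all-old.spdx.json │
│ https://osv.dev/RUSTSEC-2024-0365   │      │ crates.io │ diesel       │ 2.1.6   │ all-old.spdx.json │
│ https://osv.dev/GHSA-2326-pfpj-vx3h │      │ crates.io │ lexical-core │ 0.7.6   │ all-old.spdx.json │
│ https://osv.dev/RUSTSEC-2023-0086   │      │ crates.io │ lexical-core │ 0.7.6   │ all-old.spdx.json │
│ https://osv.dev/RUSTSEC-2024-0373   │ 8.7  │ crates.io │ quinn-proto  │ 0.11.6  │ all-old.spdx.json │
│ https://osv.dev/GHSA-vr26-jcq5-fjj8 │      │           │              │         │                   │
│ https://osv.dev/RUSTSEC-2024-0320   │      │ crates.io │ yaml-rust    │ 0.4.5   │ all-old.spdx.json │
╰─────────────────────────────────────┴──────┴───────────┴──────────────┴─────────┴───────────────────╯
"""

AFTER = """\
Scanned new.spdx.json as SPDX SBOM and found 499 packages
│ OSV URL                             │ CVSS │ ECOSYSTEM │ PACKAGE     │ VERSION │ SOURCE        │
│ https://osv.dev/RUSTSEC-2021-0139   │      │ crates.io │ ansi_term   │ 0.12.1  │ all.spdx.json │
│ https://osv.dev/RUSTSEC-2021-0145   │      │ crates.io │ atty        │ 0.2.14  │ all.spdx.json │
│ https://osv.dev/GHSA-g98v-hv3f-hcfr │      │           │             │         │               │
│ https://osv.dev/RUSTSEC-2024-0375   │      │ crates.io │ atty        │ 0.2.14  │ all.spdx.json │
│ https://osv.dev/GHSA-wq9x-qwcq-mmgf │ 8.9  │ crates.io │ diesel      │ 2.1.6   │ all.spdx.json │
│ https://osv.dev/RUSTSEC-2024-0365   │      │ crates.io │ diesel      │ 2.1.6   │ all.spdx.json │
│ https://osv.dev/RUSTSEC-2024-0373   │ 8.7  │ crates.io │ quinn-proto │ 0.11.6  │ all.spdx.json │
│ https://osv.dev/GHSA-vr26-jcq5-fjj8 │      │           │             │         │               │
│ https://osv.dev/RUSTSEC-2024-0320   │      │ crates.io │ yaml-rust   │ 0.4.5   │ all.spdx.json │
"""


if __name__ == "__main__":
    before, after = parse_osv_table(BEFORE), parse_osv_table(AFTER)
    for status, keys in diff_reports(before, after).items():
        print(f"{status}: {keys}")
    print("still at or above 7.0 after the bump:", above_threshold(after))
```

Run against the PR's tables this reports lexical-core 0.7.6 as the only resolved finding, nothing new, and diesel 2.1.6 and quinn-proto 0.11.6 as the remaining findings above the gate; the second report deliberately omits the borders to show the parser does not depend on them.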