Clam 2436 no clap no atty 1.0.4 #1035

micahsnyder · 2023-09-26T02:18:10Z

Backport of #1021 for 1.0.4

After some fussing, I was able to figure out how to update with this command to prevent updating so far as to require a newer version of cargo/rust.
cargo update -p tempfile --precise 3.4.0

So the MSRV will remain at 1.61 for 1.0.4, for now.

atty is unmaintained but is still used by clap. Disabling the default features for cbindgen removes the clap dependency and thus removes atty. Resolves: https://github.com/Cisco-Talos/clamav/security/dependabot/2

The build is running a different link.exe than the MSVC linker, possibly the one provided by bash. Fix by deleting /usr/bin/link.exe See: https://yncat.github.io/2022/02/18/github-actions%E3%81%A7-msvc-%E3%81%AE-link-%E3%81%8C%E4%BD%BF%E3%81%88%E3%81%AA%E3%81%8F%E3%81%AA%E3%82%8B%E8%A9%B1.html

micahsnyder added the 🍒cherry-picked fix (backport) label Sep 26, 2023

micahsnyder added 2 commits October 20, 2023 17:42

Cargo: Eliminate security warning about unused atty dependency

465bcc6

atty is unmaintained but is still used by clap. Disabling the default features for cbindgen removes the clap dependency and thus removes atty. Resolves: https://github.com/Cisco-Talos/clamav/security/dependabot/2

micahsnyder force-pushed the CLAM-2436-no-clap-no-atty-1.0.4 branch from bc297fa to 590b2c5 Compare October 20, 2023 22:43

micahsnyder merged commit 7913c21 into Cisco-Talos:dev/1.0.4 Oct 23, 2023
6 of 24 checks passed

micahsnyder deleted the CLAM-2436-no-clap-no-atty-1.0.4 branch October 23, 2023 19:02

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Clam 2436 no clap no atty 1.0.4 #1035

Clam 2436 no clap no atty 1.0.4 #1035

micahsnyder commented Sep 26, 2023

Clam 2436 no clap no atty 1.0.4 #1035

Clam 2436 no clap no atty 1.0.4 #1035

Conversation

micahsnyder commented Sep 26, 2023