fix(deps): drop vergen-gix; fixes 7 gix-family CVEs + remove unused anstream#5
Merged
anstream was declared in Cargo.toml but never used in src/ — only anstyle is imported (src/output.rs). Dropping it removes a transitive chain (anstream + anstyle-parse 0.2.x + anstyle-query + utf8parse + is_terminal_polyfill old versions) without touching any code. /deps scan: every in-major candidate (serde_json 1.0.150, gix-trace 0.1.20, gix-utils 0.3.3, jiff 0.2.27, log 0.4.30, autocfg 1.5.1) is inside the 7-day cooldown and held.
vergen-gix 9.1.0 pulled gix 0.77.0, which is below the patched versions for 7 RustSec advisories (6 high + 1 medium) covering .gitmodules path traversal, symlink worktree escape, gix-pack DoS, and credential leakage in gix-transport HTTP. vergen-gix is build-only so the shipped binary never carried gix code, but every cargo build pulled and compiled the affected versions. Replacement is a 50-line build.rs that emits the same two env vars (`VERGEN_GIT_SHA`, `VERGEN_BUILD_TIMESTAMP`) via `git rev-parse HEAD` and `SystemTime::now()`. `--version` output is unchanged. Cargo.lock: 2278 -> 940 lines, 218 -> 103 dep count. cargo audit: clean. cargo test: 61 passed.
Three pre-existing semgrep findings escalated to blocking on the PR
quality gate:
1. .github/workflows/package.yml: indirect `inputs.tag` through env:
instead of direct ${{ }} interpolation in run: block
2. .github/workflows/cross-build.yml: same fix for the `Pick tag`
step (covers github.event_name, inputs.tag, github.ref_name)
3. packaging/templates/uninstall.sh: replace global `IFS=:` with a
heredoc + `tr ':' '\\n'` to feed lines into `while read`
Surfaced because semgrep runs only on pull_request events, not push;
findings were sitting on main quietly until PR #5 triggered the gate.
No runtime behaviour change.
catinspace-au added a commit that referenced this pull request, May 27, 2026:
Cuts a release containing the gix-family CVE fixes (drop vergen-gix build-dep) and the anstream removal from PR #5. Publish: true
Summary

Two changes from a /deps check against the 7-day cooldown rule.

1. Drop `vergen-gix` build-dep (fixes 7 GHSA)

GitHub reported 7 open Dependabot alerts (6 high + 1 medium) in the `gix` family, all reachable through `vergen-gix 9.1.0 -> gix 0.77.0`:

vergen-gix is a build-dependency only — the shipped binary never carried gix code, but every `cargo build` did. Upstream fixes land in `gix >= 0.83`, which is only reachable via `vergen-gix 10.0.0-betaN` (pre-release). Rather than depend on a beta build-tool for two env vars, replaced `vergen-gix` with a 50-line `build.rs` that emits the same outputs via `git rev-parse HEAD` and `SystemTime::now()`. `--version` is identical.

Cargo.lock: 2278 -> 940 lines. dep count: 218 -> 103.

2. Drop unused `anstream` dep

Declared in `Cargo.toml` but never imported in `src/` — only `anstyle` is used. Removing it drops the parallel `anstream`/`anstyle-parse 0.2.x` chain.

Frozen by 7-day cooldown (held for next /deps cycle)

Test plan

cargo build --release
cargo test --release (61 passed)
cargo audit (0 advisories)
./target/release/macbash --version (correct sha + RFC3339 timestamp)
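The PR body above describes replacing `vergen-gix` with a short `build.rs` that shells out to `git rev-parse HEAD` and reads `SystemTime::now()`. What follows is an added, dependency-free build script in that shape; it is not the PR's own `build.rs` (which is not on this page), and everything beyond the two env var names `VERGEN_GIT_SHA` and `VERGEN_BUILD_TIMESTAMP` is an assumption about how such a script would be written. It adds the three checks a reviewer would ask for when a build script runs `git` and bakes the result into a binary: the git output is validated as a full lowercase hex object id before it is emitted (so an error line on stdout can never reach `--version`), a missing `.git` directory (crates.io tarball, shallow export) degrades to `unknown` instead of failing the build, and `SOURCE_DATE_EPOCH` overrides the wall clock so reproducible builds keep working. The RFC 3339 formatting uses Howard Hinnant's `civil_from_days` so no date crate is pulled in, which is the whole point of the PR.

```rust
// Added example build.rs, not the project's own code. Emits the two env vars
// the PR says vergen-gix used to provide, without any build-dependencies.
use std::env;
use std::fs;
use std::path::Path;
use std::process::Command;
use std::time::{SystemTime, UNIX_EPOCH};

/// True for a full git object id exactly as `git rev-parse HEAD` prints it:
/// 40 (SHA-1) or 64 (SHA-256 repositories) lowercase hex digits, nothing else.
/// Anything else (a "fatal: ..." line, an abbreviated id, stray whitespace)
/// is rejected so it cannot be compiled into the binary's version string.
fn is_full_sha(s: &str) -> bool {
    (s.len() == 40 || s.len() == 64)
        && s.bytes().all(|b| matches!(b, b'0'..=b'9' | b'a'..=b'f'))
}

/// Runs `git rev-parse HEAD` in the crate directory. Returns None when git is
/// not installed, the directory is not a checkout, or the output fails the
/// object-id check above; the caller substitutes a fixed placeholder.
fn git_head_sha(repo_dir: &Path) -> Option<String> {
    let out = Command::new("git")
        .arg("-C")
        .arg(repo_dir)
        .args(["rev-parse", "HEAD"])
        .output()
        .ok()?;
    if !out.status.success() {
        return None;
    }
    let sha = String::from_utf8(out.stdout).ok()?.trim().to_string();
    is_full_sha(&sha).then_some(sha)
}

/// Proleptic Gregorian (year, month, day) for a day count since 1970-01-01
/// (Howard Hinnant's civil_from_days). Avoids a date crate for one timestamp.
fn civil_from_days(days: i64) -> (i64, u32, u32) {
    let z = days + 719_468;
    let era = (if z >= 0 { z } else { z - 146_096 }) / 146_097;
    let doe = z - era * 146_097;
    let yoe = (doe - doe / 1460 + doe / 36_524 - doe / 146_096) / 365;
    let doy = doe - (365 * yoe + yoe / 4 - yoe / 100);
    let mp = (5 * doy + 2) / 153;
    let d = (doy - (153 * mp + 2) / 5 + 1) as u32;
    let m = (if mp < 10 { mp + 3 } else { mp - 9 }) as u32;
    let y = yoe + era * 400 + i64::from(m <= 2);
    (y, m, d)
}

/// Formats Unix seconds as RFC 3339 UTC, e.g. "2001-09-09T01:46:40Z".
fn rfc3339_utc(unix_secs: u64) -> String {
    let (y, m, d) = civil_from_days((unix_secs / 86_400) as i64);
    let rem = unix_secs % 86_400;
    format!(
        "{:04}-{:02}-{:02}T{:02}:{:02}:{:02}Z",
        y, m, d, rem / 3600, (rem % 3600) / 60, rem % 60
    )
}

/// Build time: SOURCE_DATE_EPOCH (the reproducible-builds convention) wins
/// when set and numeric; otherwise the wall clock via SystemTime::now().
fn build_timestamp() -> String {
    let from_env = env::var("SOURCE_DATE_EPOCH").ok().and_then(|v| v.parse::<u64>().ok());
    let secs = from_env.unwrap_or_else(|| {
        SystemTime::now().duration_since(UNIX_EPOCH).map(|d| d.as_secs()).unwrap_or(0)
    });
    rfc3339_utc(secs)
}

fn main() {
    let manifest_dir = env::var("CARGO_MANIFEST_DIR").unwrap_or_else(|_| ".".to_string());
    let repo_dir = Path::new(&manifest_dir);

    // Tarball builds have no .git: emit a fixed placeholder rather than fail.
    let sha = git_head_sha(repo_dir).unwrap_or_else(|| "unknown".to_string());
    println!("cargo:rustc-env=VERGEN_GIT_SHA={}", sha);
    println!("cargo:rustc-env=VERGEN_BUILD_TIMESTAMP={}", build_timestamp());

    // Rebuild when HEAD moves: watch .git/HEAD and, for a symbolic ref, the
    // branch file it points at. In a worktree .git is a file, so the second
    // path may not exist; cargo accepts a rerun-if-changed on a missing path.
    let head = repo_dir.join(".git").join("HEAD");
    println!("cargo:rerun-if-changed={}", head.display());
    if let Ok(content) = fs::read_to_string(&head) {
        if let Some(target) = content.trim().strip_prefix("ref: ") {
            println!("cargo:rerun-if-changed={}", repo_dir.join(".git").join(target).display());
        }
    }
    println!("cargo:rerun-if-env-changed=SOURCE_DATE_EPOCH");
}
```

The binary then reads the values with `env!("VERGEN_GIT_SHA")` and `env!("VERGEN_BUILD_TIMESTAMP")` exactly as it did under `vergen-gix`, so `--version` output is unaffected by the swap; `cargo audit` sees no gix crates at all because nothing here is a dependency. Keep the placeholder value and the `is_full_sha` check even if a CI job always has git available: the point is that whatever ends up in the release artifact is either a commit id or a known constant, never unvalidated subprocess output.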