Fix unic RustSec advisory via patched piet #1519
Patch piet to the upstream commit that replaces the unmaintained unic-bidi dependency with icu_properties. Bump Rust toolchain references to 1.92 because the upstream piet fix requires it, and refresh Cargo.lock so the unic advisory crates are removed.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Signed-off-by: James Sturtevant <jsturtevant@gmail.com>
Pull request overview
This PR addresses RustSec advisories triggered by unmaintained unic-* crates pulled in via trace_dump -> piet-common -> piet, by pinning piet to an upstream git revision that replaces unic-bidi with icu_properties. It also updates the repository’s pinned Rust toolchain references accordingly.
Changes:
- Pin `piet` via a `[patch.crates-io]` override to upstream commit `618083f…`, removing `unic-*` crates from the lockfile dependency graph.
- Bump Rust toolchain/MSRV references from 1.89 to 1.92 across `rust-toolchain.toml`, workspace `rust-version`, and CI workflows.
- Refresh `Cargo.lock` to reflect the patched `piet` source and updated dependency set.
Reviewed changes
Copilot reviewed 17 out of 18 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| rust-toolchain.toml | Updates the pinned Rust toolchain channel to 1.92. |
| Cargo.toml | Bumps workspace rust-version and adds a [patch.crates-io] override for piet to eliminate unic-* deps. |
| Cargo.lock | Reflects the patched piet git source and removal of unic-*/matches packages. |
| .github/workflows/RustNightly.yml | Updates CI setup to use Rust 1.92. |
| .github/workflows/PrimeCaches.yml | Updates cache-priming workflow to use Rust 1.92. |
| .github/workflows/dep_update_guest_locks.yml | Updates guest lock update workflow to use Rust 1.92. |
| .github/workflows/dep_run_examples.yml | Updates examples workflow to use Rust 1.92. |
| .github/workflows/dep_fuzzing.yml | Updates fuzzing workflow to use Rust 1.92. |
| .github/workflows/dep_code_checks.yml | Updates code checks workflow to use Rust 1.92 (including MSRV verification step context). |
| .github/workflows/dep_build_test.yml | Updates build/test workflow to use Rust 1.92. |
| .github/workflows/dep_build_guests.yml | Updates guest build workflow to use Rust 1.92. |
| .github/workflows/dep_benchmarks.yml | Updates benchmarks workflow to use Rust 1.92. |
| .github/workflows/CreateRelease.yml | Updates release workflow to use Rust 1.92. |
| .github/workflows/CreateDevcontainerImage.yml | Updates devcontainer image workflow default Rust toolchain to 1.92. |
| .github/workflows/Coverage.yml | Updates coverage workflow to use Rust 1.92. |
| .github/workflows/copilot-setup-steps.yml | Updates Copilot setup workflow to use Rust 1.92. |
| .github/workflows/CargoPublish.yml | Updates publish workflow to use Rust 1.92. |
| .github/workflows/CargoAudit.yml | Updates audit workflow toolchain to Rust 1.92. |
Restore the workspace and CI toolchains to Rust 1.89 while leaving the patched piet dependency scoped to trace_dump. Document trace_dump's Rust 1.92 requirement locally.

Signed-off-by: James Sturtevant <jsturtevant@gmail.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

syntactically left a comment
Even though piet is only used in the trace_dump crate, does having the patch in the workspace Cargo.toml prevent publishing to crates.io? Does it work to put the patch section in the src/trace_dump/Cargo.toml, since I don't think we were publishing the trace_dump crate to crates.io anyway?
Use the fixed upstream piet commit directly from trace_dump instead of a workspace-level crates.io patch. This keeps the dependency override next to the only package that needs it while preserving removal of the unic advisory crates.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Signed-off-by: James Sturtevant <jsturtevant@gmail.com>

Makes sense. Updated!
Summary
The `unic-*` crates pulled in through `trace_dump` -> `piet-common` -> `piet` are unmaintained and trigger a set of RustSec advisories. This points `trace_dump`'s `piet-common` dependency at upstream `linebender/piet` commit `618083f8a6671c7ab8c198724487348d2ccf9a8f`, which replaces `unic-bidi` with `icu_properties`. (linebender/piet#600)

The fixed upstream `piet` commit requires Rust 1.92, but only the non-published `trace_dump` tool consumes it. To avoid raising MSRV for the workspace crates, this keeps the workspace/toolchain/CI Rust version at 1.89 and sets `trace_dump`'s package `rust-version` to 1.92.

Fixes: #1490
Fixes: #1491
Fixes: #1492
Fixes: #1493
Fixes: #1494
Fixes: #1495
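The two ways of scoping the override that the thread discusses, as an added illustrative Cargo.toml fragment rather than the PR's actual files: the first revision's workspace-root `[patch.crates-io]` override, and the final form, a git dependency pinned by `rev` inside the one package that needs it together with a package-level `rust-version`. The commit hash, crate names and version numbers come from the summary above; the `publish = false` line, the `features` list and the exact dependency key name are assumptions. Two caveats a reviewer would want recorded: Cargo only honours `[patch]` in the workspace root manifest and warns that a patch in a non-root package is ignored, so moving the `[patch.crates-io]` section into `src/trace_dump/Cargo.toml` would silently do nothing, which is why a direct git dependency is the right tool for scoping the fix to one package; and `cargo publish` rejects a git-only dependency unless a `version` is also given, which is acceptable here precisely because `trace_dump` is not published.

```toml
# --- Before (workspace root Cargo.toml): overrides piet for every workspace member ---
[workspace.package]
rust-version = "1.92"   # forced the whole workspace MSRV up

[patch.crates-io]
piet = { git = "https://github.com/linebender/piet", rev = "618083f8a6671c7ab8c198724487348d2ccf9a8f" }

# --- After (src/trace_dump/Cargo.toml): override lives only where it is consumed ---
[package]
name = "trace_dump"
version = "0.1.0"        # assumption: placeholder version
rust-version = "1.92"    # only this package needs the newer toolchain
publish = false          # assumption: thread says trace_dump is not published

[dependencies]
# Pin piet-common to the upstream commit that replaced unic-bidi with icu_properties.
# A git dependency without `version` would fail `cargo publish`, fine for an unpublished tool.
piet-common = { git = "https://github.com/linebender/piet", rev = "618083f8a6671c7ab8c198724487348d2ccf9a8f" }
```

After `cargo update` regenerates `Cargo.lock`, `cargo tree -i unic-bidi` run from the workspace root should fail with "package ID specification `unic-bidi` did not match any packages", and the CargoAudit workflow's `cargo audit` run should no longer list the unic advisories; if either still reports the crate, another dependency is pulling it in and the pin has not removed the advisory.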