This repository was archived by the owner on Jul 28, 2025. It is now read-only.

chore: Bump ptree to update config dependency#304

Merged
macovedj merged 1 commit intobytecodealliance:mainfrom
joonas:chore/bump-ptree
Oct 21, 2024

Conversation

@joonas joonas commented Oct 21, 2024

Bumping ptree to 0.5.0 in order to pull in config 0.14.0, which addresses some outstanding security issues:

Before:

Scanned old.spdx.json as SPDX SBOM and found 490 packages
╭─────────────────────────────────────┬──────┬───────────┬──────────────┬─────────┬───────────────────╮
│ OSV URL                             │ CVSS │ ECOSYSTEM │ PACKAGE      │ VERSION │ SOURCE            │
├─────────────────────────────────────┼──────┼───────────┼──────────────┼─────────┼───────────────────┤
│ https://osv.dev/RUSTSEC-2021-0139   │      │ crates.io │ ansi_term    │ 0.12.1  │ all-old.spdx.json │
│ https://osv.dev/RUSTSEC-2021-0145   │      │ crates.io │ atty         │ 0.2.14  │ all-old.spdx.json │
│ https://osv.dev/GHSA-g98v-hv3f-hcfr │      │           │              │         │                   │
│ https://osv.dev/RUSTSEC-2024-0375   │      │ crates.io │ atty         │ 0.2.14  │ all-old.spdx.json │
│ https://osv.dev/GHSA-wq9x-qwcq-mmgf │ 8.9  │ crates.io │ diesel       │ 2.1.6   │ all-old.spdx.json │
│ https://osv.dev/RUSTSEC-2024-0365   │      │ crates.io │ diesel       │ 2.1.6   │ all-old.spdx.json │
│ https://osv.dev/GHSA-2326-pfpj-vx3h │      │ crates.io │ lexical-core │ 0.7.6   │ all-old.spdx.json │
│ https://osv.dev/RUSTSEC-2023-0086   │      │ crates.io │ lexical-core │ 0.7.6   │ all-old.spdx.json │
│ https://osv.dev/RUSTSEC-2024-0373   │ 8.7  │ crates.io │ quinn-proto  │ 0.11.6  │ all-old.spdx.json │
│ https://osv.dev/GHSA-vr26-jcq5-fjj8 │      │           │              │         │                   │
│ https://osv.dev/RUSTSEC-2024-0320   │      │ crates.io │ yaml-rust    │ 0.4.5   │ all-old.spdx.json │
╰─────────────────────────────────────┴──────┴───────────┴──────────────┴─────────┴───────────────────╯

After:

Scanned new.spdx.json as SPDX SBOM and found 499 packages
╭─────────────────────────────────────┬──────┬───────────┬─────────────┬─────────┬───────────────╮
│ OSV URL                             │ CVSS │ ECOSYSTEM │ PACKAGE     │ VERSION │ SOURCE        │
├─────────────────────────────────────┼──────┼───────────┼─────────────┼─────────┼───────────────┤
│ https://osv.dev/RUSTSEC-2021-0139   │      │ crates.io │ ansi_term   │ 0.12.1  │ all.spdx.json │
│ https://osv.dev/RUSTSEC-2021-0145   │      │ crates.io │ atty        │ 0.2.14  │ all.spdx.json │
│ https://osv.dev/GHSA-g98v-hv3f-hcfr │      │           │             │         │               │
│ https://osv.dev/RUSTSEC-2024-0375   │      │ crates.io │ atty        │ 0.2.14  │ all.spdx.json │
│ https://osv.dev/GHSA-wq9x-qwcq-mmgf │ 8.9  │ crates.io │ diesel      │ 2.1.6   │ all.spdx.json │
│ https://osv.dev/RUSTSEC-2024-0365   │      │ crates.io │ diesel      │ 2.1.6   │ all.spdx.json │
│ https://osv.dev/RUSTSEC-2024-0373   │ 8.7  │ crates.io │ quinn-proto │ 0.11.6  │ all.spdx.json │
│ https://osv.dev/GHSA-vr26-jcq5-fjj8 │      │           │             │         │               │
│ https://osv.dev/RUSTSEC-2024-0320   │      │ crates.io │ yaml-rust   │ 0.4.5   │ all.spdx.json │
╰─────────────────────────────────────┴──────┴───────────┴─────────────┴─────────┴───────────────╯

This also sets the stage to pull in a newer version of ptree to get rid of atty in case I can convince the author to merge changes for getting rid of it: https://gitlab.com/Noughmad/ptree/-/merge_requests/10

Signed-off-by: Joonas Bergius <joonas@cosmonic.com>
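One way to automate the before/after comparison shown in this PR, as an added example that is not part of the PR or of the project's code: a Python script that parses osv-scanner's table output (the excerpt embedded below is constructed to mirror the rows above) and reports which advisories a dependency bump removed or introduced. Treating rows with an empty PACKAGE column (the GHSA ids listed under a RUSTSEC id) as aliases of the preceding finding is an assumption about the table format based on the rows shown.

```python
import re

# Constructed excerpts in the osv-scanner table format shown in the PR
# (header plus a subset of rows from the "before" and "after" scans).
BEFORE = """\
│ OSV URL                             │ CVSS │ ECOSYSTEM │ PACKAGE      │ VERSION │ SOURCE            │
│ https://osv.dev/RUSTSEC-2024-0375   │      │ crates.io │ atty         │ 0.2.14  │ all-old.spdx.json │
│ https://osv.dev/GHSA-2326-pfpj-vx3h │      │ crates.io │ lexical-core │ 0.7.6   │ all-old.spdx.json │
│ https://osv.dev/RUSTSEC-2023-0086   │      │ crates.io │ lexical-core │ 0.7.6   │ all-old.spdx.json │
│ https://osv.dev/RUSTSEC-2024-0373   │ 8.7  │ crates.io │ quinn-proto  │ 0.11.6  │ all-old.spdx.json │
│ https://osv.dev/GHSA-vr26-jcq5-fjj8 │      │           │              │         │                   │
"""
AFTER = """\
│ OSV URL                             │ CVSS │ ECOSYSTEM │ PACKAGE     │ VERSION │ SOURCE        │
│ https://osv.dev/RUSTSEC-2024-0375   │      │ crates.io │ atty        │ 0.2.14  │ all.spdx.json │
│ https://osv.dev/RUSTSEC-2024-0373   │ 8.7  │ crates.io │ quinn-proto │ 0.11.6  │ all.spdx.json │
│ https://osv.dev/GHSA-vr26-jcq5-fjj8 │      │           │             │         │               │
"""

ROW = re.compile(r"^│(.*)│$")  # data rows; box borders start with ╭ ├ ╰


def parse_findings(table):
    """Return a set of (advisory_id, package, version) from osv-scanner table text.

    Assumption: a row whose PACKAGE cell is empty is an alias id for the
    finding on the preceding row, so it inherits that row's package/version.
    """
    findings = set()
    last_pkg = last_ver = None
    for line in table.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        cells = [c.strip() for c in m.group(1).split("│")]
        if len(cells) != 6 or cells[0] == "OSV URL":
            continue  # malformed line or the header row
        url, _cvss, _ecosystem, pkg, ver, _source = cells
        advisory = url.rsplit("/", 1)[-1]
        if pkg:
            last_pkg, last_ver = pkg, ver
        elif last_pkg is None:
            continue  # alias row with nothing to attach to
        findings.add((advisory, last_pkg, last_ver))
    return findings


def scan_delta(before, after):
    """Return (fixed, introduced): findings gone after the bump, and new ones."""
    b, a = parse_findings(before), parse_findings(after)
    return sorted(b - a), sorted(a - b)
```

Running `scan_delta` over the full tables from the PR reports the two lexical-core advisories as fixed and nothing introduced, which is the check a CI gate on a dependency bump would want to enforce.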
@macovedj macovedj merged commit 19339f1 into bytecodealliance:main Oct 21, 2024
@joonas joonas deleted the chore/bump-ptree branch October 21, 2024 20:02