Skip to content
This repository has been archived by the owner on May 5, 2024. It is now read-only.

Update Rust crate prost-types to 0.8.0 [SECURITY] #80

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Update Rust crate prost-types to 0.8.0 [SECURITY] #80

wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link

@renovate renovate bot commented Jun 18, 2022
edited
Loading

Mend Renovate

This PR contains the following updates:

Package Type Update Change
prost-types dependencies minor 0.5.0 -> 0.8.0

GitHub Vulnerability Alerts

CVE-2021-38192

Affected versions of this crate contained a bug in which untrusted input could cause an overflow and panic when converting a Timestamp to SystemTime. It is recommended to upgrade to prost-types v0.8 and switch the usage of From for SystemTime to TryFrom for SystemTime.

Release Notes

tokio-rs/prost (prost-types)

v0.8.0

Compare Source

PROST! is a Protocol Buffers implementation for the Rust Language. prost generates simple, idiomatic Rust code from proto2 and proto3 files.

NOTE: This version contains a security fix for prost-types and is recommend that you upgrade to it from <0.7.

prost 0.8.0 includes breaking changes:

  • Timestamp's From implementation for converting into SystemTime has been converted to a fallible TryFrom implementation.
  • prost-build's compile_protos now takes impl AsRef<Path> to allow each parameter to use its own generic type.
  • Bundled protoc version bumped to 3.15.8

As well as many new (non-breaking) changes:

  • @​pluth enabled zero-copy support for Bytes based fields.
  • @​sfackler for fixing message optionals and oneofs in prost-build.
  • @​rubdos for adding the ability to encode prost messages directly to a Vec<u8>.

and numerous smaller fixes. Many thanks to the generous contributors who have helped out since 0.7:

v0.7.0

Compare Source

PROST! is a Protocol Buffers implementation for the Rust Language. prost generates simple, idiomatic Rust code from proto2 and proto3 files.

prost 0.7.0 includes breaking changes:

  • The minimum-supported Rust version (MSRV) is now 1.46.0.
  • The bytes public dependency version is now 1.0.
  • The bundled protoc version is now 3.14.0.

As well as many new (non-breaking) features and improvements:

  • @​hockeybuggy added support for deprecated field annotations.
  • @​garbageslam and @​dflemstr added no_std support.
  • @​joseph-wakeling-frequenz fixed a bug in Timestamp <-> SystemTime conversions.
  • @​rolftimmermans added support for generating Rust bytes::Bytes fields from protobuf bytes fields. When deserializing from a Bytes instance, this enables zero-copy deserialization for bytes fields!
  • @​olix0r bumped the bytes dependency to 0.6, which included most of the heavy lifting for the subsequent move to bytes 1.0.
  • @​danburkert added support for the experimental proto3 optional field presence feature.

and numerous smaller fixes. Many thanks to the generous contributors who have helped out since 0.6.1:

v0.6.1

Compare Source

PROST! is a Protocol Buffers implementation for the Rust Language. prost generates simple, idiomatic Rust code from proto2 and proto3 files.

prost 0.6.1 fixes a bug in which decoding untrusted input could overflow the stack. The bug was reported by @​dbrgn in #​267 (with an attached repro!), and fixed by @​danburkert. The fix extended the same recursion limits introduced in #​186 by @​nrc (released in 0.6.0) to the logic which skips unknown fields during decoding, which became recursive when support was added for decoding groups (also released in 0.6.0). The 0.6.0 release of the prost crates has been yanked from crates.io.

Additionally, @​koushiro updated the private dependencies of all prost crates to the latest versions.

Many thanks to the generous contributors who have helped out since 0.6.0:

  • Dan Burkert
  • Danilo Bargen
  • Qinxuan Chen

v0.6.0

Compare Source

PROST! is a Protocol Buffers implementation for the Rust Language. prost generates simple, idiomatic Rust code from proto2 and proto3 files.

prost 0.6.0 includes breaking changes:

  • The minimum-supported Rust version (MSRV) is now 1.39.0.
  • The bytes public dependency version is now 0.5.
  • The prost-types Timestamp and Duration types now impl TryFrom for their
    std::time equivalents. The old inherent try_from methods have been
    removed.
  • Deeply nested messages now fail decoding with an error, instead of potentially
    resulting in a stack overflow. The limit is set to a nesting depth of 100, and
    the limit can be disabled using a new no-recursion-limit Cargo feature.

As well as many new (non-breaking) features and improvements:

  • @​hanya added support for protobuf Group types.
  • @​danburkert improved the benchmark suite, including adding support for the
    full set of upstream message encoding and decoding benchmarks.
  • @​nrc implemented a series of micro-optimizations which result in faster
    message encoding and decoding.
  • @​dunmatt improved the method docs on generated types.
  • @​lukaslueg removed the dependency on byteorder.
  • @​parasyte added the ServiceGenerator::finalize_package, which is useful for
    advanced service generators.
  • @​joelgallant improved the error message that occurs when attempting to compile
    .proto files without a package specifier.
  • @​LucioFranco removed the direct dependency of generated types on the bytes
    crate, which means applications which use prost code generation are no
    longer required to declare a bytes dependency.
  • @​ErichDonGubler and @​hobofan bumped the syn, quote, and proc-macro2 to stable
    versions.
  • @​Timmmm improved prost-build so that it no longer writes .rs files when they
    are unchanged, which improves working with tools like cargo watch in
    codebases with prost code generation.
  • @​Hirevo replaced usage of failure with anyhow.
  • @​danburkert bumped the packaged protoc version to 3.11.2.

Many thanks to the generous contributors who have helped out since 0.5.0:

  • Dan Burkert
  • Erich Gubler
  • FujiApple
  • Hanya
  • Jay Oster
  • Joel Gallant
  • koushiro
  • Lucio Franco
  • Luffbee
  • lukaslueg
  • M@ Dunlap
  • Maximilian Goisser
  • Mikhail Zabaluev
  • Nick Cameron
  • Nicolas Polomack
  • Stephan Wolski
  • Tim Hutt

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.

@renovate renovate bot force-pushed the renovate/crate-prost-types-vulnerability branch from 9690ce5 to ba64503 Compare September 25, 2022 19:13
@renovate renovate bot force-pushed the renovate/crate-prost-types-vulnerability branch from ba64503 to fe868ca Compare March 16, 2023 20:09
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants