chore: release v0.5.102 — ship pipeline auto-commit #309
Merged
cargo vet check was failing the lint-pre-push gate with 17 unaudited
dependencies that had drifted off their exemption pins (no behaviour
change in this repo; all are transitive deps that got patch-bumped by
cargo update).
Resolution follows docs/architecture/security/supply-chain-posture.md
§"Mandating audits over blanket bumps" — no exemption-version bumps,
no blanket [[exemptions]] additions, and no BYPASS_VET_AUDIT_DISCIPLINE
escape hatch.
Trust grants (cargo vet trust, covers all current + future versions
published by the listed publisher):
* tower-http -> seanmonstar (project already trusts seanmonstar
for h2/hyper/reqwest/...)
* cc -> github:rust-lang/cc-rs (GH Actions, rust-lang org)
* digest -> github:RustCrypto/traits (GH Actions, RustCrypto org)
* hybrid-array -> github:RustCrypto/hybrid-array
* js-sys -> github:wasm-bindgen/wasm-bindgen
* web-sys -> github:wasm-bindgen/wasm-bindgen
* wasm-bindgen -> github:wasm-bindgen/wasm-bindgen
* wasm-bindgen-{futures,macro,macro-support,shared} -> same
* winnow -> epage (already trusted by isrg/mozilla/bytecode-alliance)
Manual delta audits (full `cargo vet diff` reviewed; notes in audits.toml
summarise the actual code changes line-by-line, no rubber-stamping):
* quick-xml 0.39.2 -> 0.39.4: DTD parser panic-prevention fixes
* zerofrom 0.1.7 -> 0.1.8: metadata-only (authors -> ICU4X project)
* num-conv 0.2.1 -> 0.2.2: Extend trait deprecated, Widen added
* siphasher 1.0.2 -> 1.0.3: single-shot hash() fast-path optimization
Side effects:
* supply-chain/config.toml: 13 stale exemption blocks auto-removed by
cargo-vet (the trust grants supersede them); two unrelated stale
exemptions (iri-string, unicode-segmentation) were also cleaned up
incidentally when the trust grants made them redundant.
* supply-chain/imports.lock: refreshed publisher cache (the original
failure was partly because h2 0.4.14's publisher info was stale).
Verified: `cargo vet check` -> "Vetting Succeeded (150 fully audited,
9 partially audited, 353 exempted)".
No code changes; supply-chain only.
Summary
`just ship` Phase 2 auto-commit for v0.5.102. Binaries + GitHub Release v0.5.102 are already live (step 09). This PR routes the corresponding commit through branch-protection rules.

Auto-merge
`--auto --squash` is queued — GitHub will merge as soon as the required status checks pass. Squash is required because `main-protection` mandates signed commits, and GitHub's rebase-auto-merge cannot sign the rebased commit; the squash-merge commit is signed by GitHub's own key, which satisfies `required_signatures: true`. The original author's signed commit remains verifiable in the PR branch history.

After merge
Local `main` had this commit with a different SHA before squash rewrote it onto main; recover with `git fetch origin && git reset --hard origin/main`.