
pixi/0.29.0-r0: cve remediation #28721

Merged
merged 2 commits into from
Oct 8, 2024

Conversation


@octo-sts octo-sts bot commented Sep 18, 2024


octo-sts bot commented Sep 18, 2024

Open AI suggestions to solve the build error:

The error message is: "fatal: detected dubious ownership in repository at '/github/home'
To add an exception for this directory, call:

git config --global --add safe.directory /github/home
ERRO request failed error=\"Get \\\"./packages/apk-configuration\\\": unsupported protocol scheme \\\"\\\"\"
WARN error: failed to select a version for the requirement `lexical-core = \"^0.8\"\`
WARN candidate versions found which didn't match: 1.0.0
WARN location searched: crates.io index
WARN required by package `simd-json v0.13.10`
WARN     ... which satisfies dependency `simd-json = \"^0.13.10\"` (locked to 0.13.10) of package `rattler_conda_types v0.27.4`
WARN     ... which satisfies dependency `rattler_conda_types = \"^0.27.4\"` (locked to 0.27.4) of package `pixi v0.29.0 (/home/build)`' with error: 'exit status 101'"

1. Run `git config --global --add safe.directory /github/home`.
2. Ensure the URL in the GET request includes a valid protocol (e.g., http:// or https://).
3. Update `Cargo.toml` to use `lexical-core = "1.0.0"` or find a compatible version for `simd-json`.

@xnox xnox force-pushed the cve-pixi-fabccb18b4d6f382df93ea95e8d9a890 branch from bbe9ec7 to 685ac1a Compare September 20, 2024 16:52

octo-sts bot commented Sep 20, 2024

Open AI suggestions to solve the build error:

The error message is: "Error: failed to parse the pom file: failed to run cargo update 'Updating git repository `https://github.com/astral-sh/uv`
WARN     Updating git repository `https://github.com/astral-sh/reqwest-middleware`
WARN     Updating crates.io index
WARN     Updating git repository `https://github.com/astral-sh/pubgrub`
WARN     Updating git repository `https://github.com/charliermarsh/rs-async-zip`
WARN     Updating git repository `https://github.com/charliermarsh/tl.git`
WARN error: failed to select a version for the requirement `lexical-core = "^0.8"`
WARN candidate versions found which didn't match: 1.0.0
WARN location searched: crates.io index
WARN required by package `simd-json v0.13.10`
WARN     ... which satisfies dependency `simd-json = "^0.13.10"` (locked to 0.13.10) of package `rattler_conda_types v0.27.4`
WARN     ... which satisfies dependency `rattler_conda_types = "^0.27.4"` (locked to 0.27.4) of package `pixi v0.29.0 (/home/build)`' with error: 'exit status 101'"

1. Update `Cargo.toml` to use `lexical-core = "1.0.0"` if compatible.
2. If not, find a compatible version of `simd-json` that works with `lexical-core = "1.0.0"`.
3. Run `cargo update` again.
4. If issues persist, consider pinning `simd-json` to a specific version that supports `lexical-core = "^0.8"`.
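The resolver failure quoted above comes from Cargo's caret rule: `^0.8` only admits versions that keep the leftmost non-zero component, so the `1.0.0` crate found on crates.io can never satisfy it and the requirement itself (or the dependent crate pinning it) has to change. The following is an added example, not code from this PR or from pixi; it re-implements that rule in plain Rust so a maintainer can check which candidate versions a requirement would accept before bumping it:

```rust
// Added example (not part of the PR): Cargo's caret ("^") requirement rule.
// A caret requirement permits updates that do not change the leftmost
// non-zero component of the version; `^0.8` therefore means >=0.8.0, <0.9.0.

#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub struct Version(pub u64, pub u64, pub u64);

/// Parse "1.0.0" or a partial "0.8" into a Version (missing parts are 0).
pub fn parse_version(s: &str) -> Option<Version> {
    let mut parts = s.trim().split('.').map(|p| p.parse::<u64>().ok());
    let major = parts.next()??;
    let minor = parts.next().unwrap_or(Some(0))?;
    let patch = parts.next().unwrap_or(Some(0))?;
    if parts.next().is_some() { return None; } // more than three components
    Some(Version(major, minor, patch))
}

/// Half-open range [min, max_exclusive) that a caret requirement accepts.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct CaretReq { pub min: Version, pub max_exclusive: Version }

/// Parse "^0.8" (or "0.8"; a bare version is a caret requirement in Cargo).
pub fn parse_caret(req: &str) -> Option<CaretReq> {
    let t = req.trim();
    let body = t.strip_prefix('^').unwrap_or(t);
    let n = body.split('.').count(); // how many components were written
    let min = parse_version(body)?;
    let Version(ma, mi, pa) = min;
    let max_exclusive = if ma > 0 || n == 1 { Version(ma + 1, 0, 0) }
        else if mi > 0 || n == 2 { Version(0, mi + 1, 0) }
        else { Version(0, 0, pa + 1) };
    Some(CaretReq { min, max_exclusive })
}

pub fn matches(req: &CaretReq, v: Version) -> bool {
    v >= req.min && v < req.max_exclusive
}

/// First candidate (in the order given) that satisfies `req`, like the
/// resolver scanning the crates.io index; None reproduces the build error.
pub fn first_match(req: &str, candidates: &[&str]) -> Option<Version> {
    let r = parse_caret(req)?;
    candidates.iter().filter_map(|c| parse_version(c)).find(|&v| matches(&r, v))
}

fn main() {
    // Constructed input mirroring the log: requirement ^0.8, candidate 1.0.0.
    println!("{:?}", first_match("^0.8", &["1.0.0"]));        // None
    println!("{:?}", first_match("^0.8", &["1.0.0", "0.8.5"])); // Some(Version(0, 8, 5))
}
```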

@mamccorm mamccorm enabled auto-merge (squash) October 8, 2024 20:50
@mamccorm mamccorm self-requested a review October 8, 2024 20:50

@powersj powersj left a comment


+1, confirmed 1.0.0 has fix by looking at GHSA-2326-pfpj-vx3h

@mamccorm mamccorm merged commit 083a250 into main Oct 8, 2024
15 checks passed
@mamccorm mamccorm deleted the cve-pixi-fabccb18b4d6f382df93ea95e8d9a890 branch October 8, 2024 21:01
gdonval pushed a commit to gdonval/wolfi-os that referenced this pull request Oct 9, 2024