Upgrade smallvec to fix insert_many vulnerability. #11449

jsirois · 2021-01-11T14:36:59Z

See: https://rustsec.org/advisories/RUSTSEC-2021-0003

[ci skip-build-wheels]

See: https://rustsec.org/advisories/RUSTSEC-2021-0003 [ci skip-build-wheels]

jsirois · 2021-01-11T14:40:22Z

The issue was surfaced in CI CRON: https://travis-ci.com/github/pantsbuild/pants/builds/212643465?utm_medium=notification&utm_source=email and I was the lucky winner of the CI failure email.

The change was mechanical:

$ ./cargo update --package smallvec
error: There are multiple `smallvec` packages in your project, and the specification `smallvec` is ambiguous.
Please re-run this command with `-p <spec>` where `<spec>` is one of the following:
  smallvec:0.6.13
  smallvec:1.5.1
$ ./cargo update -p smallvec:0.6.13
    Updating crates.io index
    Updating smallvec v0.6.13 -> v0.6.14
$ ./cargo update -p smallvec:1.5.1
    Updating crates.io index
    Updating smallvec v1.5.1 -> v1.6.1

Eric-Arellano

Thanks!

Upgrade smallvec to fix insert_many vulnerability.

6e7aaf1

See: https://rustsec.org/advisories/RUSTSEC-2021-0003 [ci skip-build-wheels]

jsirois requested a review from gshuflin January 11, 2021 14:40

Eric-Arellano approved these changes Jan 11, 2021

View reviewed changes

stuhood merged commit d87272f into pantsbuild:master Jan 11, 2021

Eric-Arellano mentioned this pull request Jan 21, 2021

Prepare 2.3.0.dev1 #11490

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Upgrade smallvec to fix insert_many vulnerability. #11449

Upgrade smallvec to fix insert_many vulnerability. #11449

jsirois commented Jan 11, 2021

jsirois commented Jan 11, 2021

Eric-Arellano left a comment

Upgrade smallvec to fix insert_many vulnerability. #11449

Upgrade smallvec to fix insert_many vulnerability. #11449

Conversation

jsirois commented Jan 11, 2021

jsirois commented Jan 11, 2021

Eric-Arellano left a comment

Choose a reason for hiding this comment