0.79.1 release with updated gix dependency

[smoelius]

(Continued from #13950 (comment))

Would it be possible to get a 0.79.1 release with gix updated to version 0.63, as in these two PRs?

• upgrade gix from 0.62 to 0.63 #13948
• [beta-1.79] upgrade gix from 0.62 to 0.63 #13950

Currently, software that relies on cargo as a dependency triggers this warning: GHSA-7w47-3wg8-547c

Please forgive me as I don't know how labor intensive what I am asking for is.

[weihanglo]

That requires some amount of cross-team collaboration. I don't have the permission to make a release. It also requires an extra stable backport, with an major update from gix@0.58.0 to gix@0.63.0. Due to some odd CI settings in this repo, a stable backport might require more efforts to figure out which set of changes need to be included (see #13925 as an example).

I am assuming that packages don't really use gitoxide feature when depending on cargo as a library. The actual risk should be quite low. And also cloning arbitrary repositories is always under risks and users need to scrutinize by themselves, as malicious build scripts could exist.

Does any package stop from compiling due to this, and have no way out? If not, I would recommend waiting for the 1.79.0 release on 2024-06-13.

[smoelius]

@weihanglo Thanks very much for your reply. I had a hunch what I was asking for would be difficult.

Does any package stop from compiling due to this, and have no way out? If not, I would recommend waiting for the 1.79.0 release on 2024-06-13.

Not that I am aware of. I think your proposal makes sense. Thanks again.