fix(deps): remove chrono #29
Signed-off-by: Gabriel Melillo <gabriel@melillo.me>
Edited/Blocked Notification
Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR. You can manually request rebase by checking the rebase/retry box above. ⚠ Warning: custom changes will be lost.
* fix(deps): update rust crate chrono to 0.4.31
* fix(sec): removed chrono because of security advisor
Signed-off-by: Gabriel Melillo <gabriel@melillo.me>
* ci(deps): enable cache and fix dockerfile
* build(ci): install posix compliant tar
* build(ci): combine dependency install steps
* chore: update cargo deps from default branch
* ci: disable releases during maintenance tasks
---------
Signed-off-by: Gabriel Melillo <gabriel@melillo.me>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Gabriel Melillo <gabriel@melillo.me>
Co-authored-by: Andrew Basson <andrew.basson@gmail.com>
This PR is included in version 1.6.0 🎉
This PR contains the following updates:
0.4.15 -> 0.4.31
Release Notes
chronotope/chrono (chrono)
v0.4.31
Another maintenance release.
It was not a planned effort to improve our support for UNIX timestamps, yet most PRs seem related to this.
Deprecations
* timestamp_nanos in favor of the non-panicking timestamp_nanos_opt (#1275)
Additions
* DateTime::<Utc>::from_timestamp (#1279, thanks @demurgos)
* TimeZone::timestamp_micros (#1285, thanks @emikitas)
* DateTime<Tz>::timestamp_nanos_opt and NaiveDateTime::timestamp_nanos_opt (#1275)
* UNIX_EPOCH constants (#1291)
Fixes
This makes many methods a little more strict:
NaiveTime::from_hms_milli
NaiveTime::from_hms_milli_opt
NaiveTime::from_hms_micro
NaiveTime::from_hms_micro_opt
NaiveTime::from_hms_nano
NaiveTime::from_hms_nano_opt
NaiveTime::from_num_seconds_from_midnight
NaiveTime::from_num_seconds_from_midnight_opt
NaiveDate::and_hms_milli
NaiveDate::and_hms_milli_opt
NaiveDate::and_hms_micro
NaiveDate::and_hms_micro_opt
NaiveDate::and_hms_nano
NaiveDate::and_hms_nano_opt
NaiveDateTime::from_timestamp
NaiveDateTime::from_timestamp_opt
TimeZone::timestamp
TimeZone::timestamp_opt
* NaiveDateTime::timestamp_nanos_opt (#1294, thanks @crepererum)
Documentation
Internal
* __doctest feature and doc_comment dependency (#1276)
* actions/checkout from 3 to 4 (#1280)
* NaiveDate::add_days for small values (#1214)
* pure-rust-locales to 0.7.0 (#1288, thanks @jeremija who did good improvements on pure-rust-locales)
Thanks to all contributors on behalf of the chrono team, @djc and @pitdicker!
v0.4.30
In this release, we have decided to swap out the chrono::Duration type (which has been a re-export of time 0.1 Duration type) with our own definition, which exposes a strict superset of the time::Duration API. This helps avoid warnings about the CVE-2020-26235 and RUSTSEC-2020-0071 advisories for downstream users and allows us to improve the Duration API going forward.
While this is technically a SemVer-breaking change, we expect the risk of downstream users experiencing actual incompatibility to be exceedingly limited (see our analysis of public code using a crater-like experiment), and not enough justification for the large ecosystem churn of a 0.5 release. If you have any feedback on these changes, please let us know in #1268.
Additions
* NaiveDate::leap_year (#1261)
Documentation
* Timelike::num_seconds_from_midnight is a simple mapping (#1255)
Relation between chrono and time 0.1
Rust first had a time module added to std in its 0.7 release. It later moved to libextra, and then to a libtime library shipped alongside the standard library. In 2014 work on chrono started in order to provide a full-featured date and time library in Rust. Some improvements from chrono made it into the standard library; notably, chrono::Duration was included as std::time::Duration (rust#15934) in 2014.
In preparation of Rust 1.0 at the end of 2014 libtime was moved out of the Rust distro and into the time crate to eventually be redesigned (rust#18832, rust#18858), like the num and rand crates. Of course chrono kept its dependency on this time crate. time started re-exporting std::time::Duration during this period. Later, the standard library was changed to have a more limited unsigned Duration type (rust#24920, RFC 1040), while the time crate kept the full functionality with time::Duration. time::Duration had been a part of chrono's public API.
By 2016 time 0.1 lived under the rust-lang-deprecated organisation and was not actively maintained (time#136). chrono absorbed the platform functionality and Duration type of the time crate in chrono#478 (the work started in chrono#286). In order to preserve compatibility with downstream crates depending on time and chrono sharing a Duration type, chrono kept depending on time 0.1. chrono offered the option to opt out of the time dependency by disabling the oldtime feature (swapping it out for an effectively similar chrono type). In 2019, @jhpratt took over maintenance on the time crate and released what amounts to a new crate as time 0.2.
Security advisories
In November of 2020 CVE-2020-26235 and RUSTSEC-2020-0071 were opened against the time crate. @quininer had found that calls to localtime_r may be unsound (chrono#499). Eventually, almost a year later, this was also made into a security advisory against chrono as RUSTSEC-2020-0159, which had platform code similar to time.
On Unix-like systems a process is given a timezone id or description via the TZ environment variable. We need this timezone data to calculate the current local time from a value that is in UTC, such as the time from the system clock. time 0.1 and chrono used the POSIX function localtime_r to do the conversion to local time, which reads the TZ variable.
Rust assumes the environment to be writable and uses locks to access it from multiple threads. Some other programming languages and libraries use similar locking strategies, but these are typically not shared across languages. More importantly, POSIX declares modifying the environment in a multi-threaded process as unsafe, and getenv in libc can't be changed to take a lock because it returns a pointer to the data (see rust#27970 for more discussion).
Since version 4.20 chrono no longer uses localtime_r, instead using Rust code to query the timezone (from the TZ variable or via iana-time-zone as a fallback) and work with data from the system timezone database directly. The code for this was forked from the tz-rs crate by @x-hgg-x. As such, chrono now respects the Rust lock when reading the TZ environment variable. In general, code should avoid modifying the environment.
Removing time 0.1
Because time 0.1 has been unmaintained for years, however, the security advisory mentioned above has not been addressed. While chrono maintainers were careful not to break backwards compatibility with the time::Duration type, there has been a long stream of issues from users inquiring about the time 0.1 dependency with the vulnerability. We investigated the potential breakage of removing the time 0.1 dependency in chrono#1095 using a crater-like experiment and determined that the potential for breaking (public) dependencies is very low. We reached out to those few crates that did still depend on compatibility with time 0.1.
As such, for chrono 0.4.30 we have decided to swap out the time 0.1 Duration implementation for a local one that will offer a strict superset of the existing API going forward. This will prevent most downstream users from being affected by the security vulnerability in time 0.1 while minimizing the ecosystem impact of semver-incompatible version churn.
Thanks to all contributors on behalf of the chrono team, @djc and @pitdicker!
v0.4.29
This release fixes a panic introduced in chrono 0.4.27 in FromStr<DateTime<Utc>> (#1253).
Chrono now has a Discord channel.
Fixes
* parse_rfc3339_relaxed (#1254)
Deprecations
* TimeZone::datetime_from_str (#1251)
Documentation
* FromStr for Weekday and Month (#1226, thanks @wfraser)
Internal improvements
* i686 and wasm32-wasi (#1237)
This allows us to upgrade the criterion dependency to 5.1 without changing our MSRV.
Thanks to all contributors on behalf of the chrono team, @djc and @pitdicker!
v0.4.28
This release fixes a test failure on 32-bit targets introduced with 0.4.27, see https://github.com/chronotope/chrono/issues/1234.
v0.4.27
This release bumps the MSRV from 1.56 to 1.57. This allows us to take advantage of the panicking in const feature. In this release most methods on NaiveDate and NaiveTime are made const, NaiveDateTime and others will follow in a later release.
The parser for the %+ formatting specifier and the RFC3339 formatting item is switched from a strict to a relaxed parser (see https://github.com/chronotope/chrono/pull/1145). This matches the existing documentation, and the parser used by DateTime::from_str. If you need to validate the input, consider using DateTime::from_rfc3339.
Deprecations
* DateTime::{from_local, from_utc} (https://github.com/chronotope/chrono/pull/1175)
Additions
* DateTime::signed_duration_since take argument with Borrow (https://github.com/chronotope/chrono/pull/1119)
* PartialOrd for Month (https://github.com/chronotope/chrono/pull/999, thanks @Munksgaard)
* Ord and Eq for types which already derive PartialOrd and PartialEq (https://github.com/chronotope/chrono/pull/1128, thanks @totikom)
* FusedIterator for NaiveDateDaysIterator and NaiveDateWeeksIterator (https://github.com/chronotope/chrono/pull/1134)
* NaiveDateDaysIterator and NaiveDateWeeksIterator public (https://github.com/chronotope/chrono/pull/1134)
* FromStr for FixedOffset (https://github.com/chronotope/chrono/pull/1157, thanks @mcronce)
* Tz::Offset: Display requirement from DateTime::to_rfc* (https://github.com/chronotope/chrono/pull/1160)
* StrftimeItems with unstable-locales work without allocating (https://github.com/chronotope/chrono/pull/1152)
* NaiveDate::from_ymd_opt const (https://github.com/chronotope/chrono/pull/1172, thanks @kamadorueda)
* Error trait for ParseWeekdayError and ParseMonthError (https://github.com/chronotope/chrono/pull/539, thanks @mike-kfed)
* NaiveTime const, update MSRV to 1.57 (https://github.com/chronotope/chrono/pull/1080)
* NaiveDate const (https://github.com/chronotope/chrono/pull/1205)
* core::time::Duration on DateTime types (https://github.com/chronotope/chrono/pull/1229)
Fixes
* timestamp_nanos panics on overflow in release builds (https://github.com/chronotope/chrono/pull/1123)
* offset_from_local_datetime for wasm_bindgen (https://github.com/chronotope/chrono/pull/1131)
* %s to be a timestamp in UTC (https://github.com/chronotope/chrono/pull/1136)
* %#z (https://github.com/chronotope/chrono/pull/1140, thanks @domodwyer)
* %c and %r (https://github.com/chronotope/chrono/pull/1165)
* unstable-locales feature (https://github.com/chronotope/chrono/pull/1168)
* Offset's Debug impl when serializing DateTime (https://github.com/chronotope/chrono/pull/1035)
* NaiveTime::from_str (https://github.com/chronotope/chrono/pull/1181)
* android-tzdata if the clock feature is not enabled (https://github.com/chronotope/chrono/pull/1220, thanks @AlexTMjugador)
Documentation
* NaiveTime doc typo (https://github.com/chronotope/chrono/pull/1146, thanks @zachs18)
* Datelike::with_* (https://github.com/chronotope/chrono/pull/1199)
* Utc::now and Local::now (https://github.com/chronotope/chrono/pull/1192)
* Weekday::num_days_from_monday (https://github.com/chronotope/chrono/pull/1193)
Internal improvements
* DateTime::to_rfc_* optimizations (https://github.com/chronotope/chrono/pull/1200)
* format/formatting.rs (https://github.com/chronotope/chrono/pull/1156)
* saturating_abs (https://github.com/chronotope/chrono/pull/1124)
* Makefile (https://github.com/chronotope/chrono/pull/1133)
* wasm-bindgen feature (https://github.com/chronotope/chrono/pull/1131)
* try_verify_against_date_command (https://github.com/chronotope/chrono/pull/1161)
* no_std (https://github.com/chronotope/chrono/pull/1166)
* test_parse (https://github.com/chronotope/chrono/pull/1170)
* #![deny(dead_code)] (https://github.com/chronotope/chrono/pull/1187)
* test_date_extreme_offset (https://github.com/chronotope/chrono/pull/1195)
* features-check (https://github.com/chronotope/chrono/pull/1216)
Thanks to all contributors on behalf of the chrono team, @djc and @pitdicker!
v0.4.26
The changes from #807 we merged for 0.4.25 unfortunately restricted parsing in a way that was incompatible with earlier 0.4.x releases. We reverted this in #1113. A small amount of other changes were merged since.
* DurationRound panics from issue #1010 (#1093, thanks to @pitdicker)
Thanks on behalf of the chrono team (@djc and @esheppa) to all contributors!
v0.4.25
Time for another maintenance release. This release bumps the MSRV to 1.56; given MSRV bumps in chrono's dependencies (notably for syn 2), we felt that it no longer made sense to support any older versions. Feedback welcome in our issue tracker!
Additions
* NaiveDateTime::and_utc() method (#952, thanks to @klnusbaum)
* Hash for most pub types that also derive PartialEq (#938, thanks to @bruceg)
* parse_and_remainder() methods (#1011, thanks to @pitdicker)
* DateTime::fix_offset() (#1030, thanks to @pitdicker)
* #[track_caller] to LocalResult::unwrap (#1046, thanks to @pitdicker)
* #[must_use] to some methods (#1007, thanks to @aceArt-GmbH)
* PartialOrd for Month (#999, thanks to @Munksgaard)
* impl From<NaiveDateTime> for NaiveDate (#1012, thanks to @pezcore)
Fixes
* NaiveWeek::last_day (#1070, thanks to @pitdicker)
* Local to FixedOffset (#1041, thanks to @pitdicker)
Refactoring
* Local (#992, thanks to @nekevss)
Documentation
Internal improvements
* clock feature (#1061, thanks to @pitdicker)
* --no-default-features (#1059, thanks to @pitdicker)
* bench_year_flags_from_year from being optimized out (#1034, thanks to @pitdicker)
* test_datetime_parse_from_str (#1078, thanks to @pitdicker)
* set -eux, use bash (#1103, thanks to @jtmoon79)
* LANG to c in gnu date (#1089, thanks to @scarf005)
* TryFrom (#1086, thanks to @pitdicker)
On behalf of @djc and @esheppa, thanks to all contributors!
v0.4.24
This is a small maintenance release with accumulated fixes and improvements.
* Days::new() to refer to days, not months (#874, thanks to @brotskydotcom)
* from_timestamp_opt() (#879, thanks to @xmo-odoo)
* format_localized() for NaiveDate (#881, thanks to @mseele)
* Add/Sub Days, add tests with DST timezone (#878)
* NaiveTime::MIN public (#890)
* from_timestamp_millis() implementation and add more tests (#885)
* from_timestamp_micros() function (#906, thanks to @umanwizard)
* Hash for most pub types that also derive PartialEq (#938, thanks to @bruceg)
* from_utc() example (#939, thanks to @greg-el)
* DateTime::checked_add_days() (#942, thanks to @Ekleog)
* FixedOffset docs (#953, thanks to @klnusbaum)
* const (#984, thanks to @tormeh)
Thanks to all contributors from the chrono team, @esheppa and @djc.
v0.4.23
0.4.23 is the next 0.4 release of the popular chrono date and time library for Rust. After the 0.4.20-0.4.22 series that brought chrono back to life after a long hiatus, development has been fairly quiet, allowing us to start planning changes for the 0.5.0 release. As such, we've started deprecating some APIs that are likely to be removed in 0.5. If you have any feedback on these changes, please let us know in the issue tracker!
Deprecations
* _opt() alternative (#827)
* Date<Tz> type (#851)
Features
* Days type (#784)
* NaiveDateTime::from_timestamp_millis(_opt) (#818, thanks to @Pscheidl -- backported in #823)
* Local timezone (#853)
* arbitrary::Arbitrary trait (#849, thanks to @greyblake and @asayers)
Fixes
On behalf of @esheppa and @djc, thanks to all contributors!
v0.4.22
Unfortunately the introduction of the iana-time-zone dependency in 0.4.21 caused some new regressions with lesser known platforms. This release fixes all of the issues we've encountered, improving the situation on some WebAssembly targets, SGX and on macOS/iOS. We've improved our CI setup to hopefully catch more of these issues before release in the future.
* wasm32-unknown-unknown target (#771)
* x86_64-fortanix-unknown-sgx (#767, thanks to @trevor-crypto)
* iana-time-zone version to 0.1.44 to avoid cyclic dependencies (#773, thanks to @Kijewski for the upstream PRs)
v0.4.21
0.4.21 is a bugfix release that mainly fixes one regression from 0.4.20:
* TimeZone::now() fell back to UTC in the case it could not find the current timezone, but the new implementation panicked in that case.
* /etc/localtime to keep track of the current timezone. Instead we now use the iana-time-zone crate as a dependency, since it already has quite a bit of logic for finding the current timezone on a host of platforms.
Additionally, there is a documentation fix that reverts an incorrect guarantee:
* %Y can have a negative value, both in formatting and in parsing (#760, thanks to @alex)
v0.4.20
chrono is a date and time library for Rust and 0.4.20 is the first chrono release since Sep 2020. There has been a long hiatus since the previous maintainer was no longer able to spend much time on the crate; thanks to @quodlibetor for their stewardship of the chrono crate for many years! The new maintainers are @djc and @esheppa. Our first priority has been fixing the soundness issues with calls to localtime_r() as first reported in #499 and the RUSTSEC-2020-0159 advisory. In order to do this we adapted code from the tz-rs crate maintained by @x-hgg-x for use within chrono -- thanks for working on that! With the new implementation, chrono uses safe Rust code to parse the timezone data files on Unix platforms directly instead of relying on libc.
Due to compatibility reasons, this release does not yet remove the time 0.1 dependency, though chrono 0.4.20 does not depend on the vulnerable parts of the time 0.1.x versions. In a future 0.5 release, we will remove the time dependency.
The minimum supported Rust version for 0.4.20 is 1.32.0, which is intentionally still quite conservative. If you are using chrono 0.4 with a Rust version older than 1.52, we'd like to hear from you since we'd like to further modernize the code base to ease maintenance.
Fixes
* localtime_r() by parsing timezone files in Rust on Unix (#677 and #728)
* Duration::abs() behavior in case of negative durations with nanoseconds (#734, thanks to @abreis)
Additions
* ParserErrorKind public and available through ParseError::kind() (#588, thanks to @sbrocket)
* MIN and MAX const values in favor of free-standing consts (#726)
* NaiveDate (#732 with follow up in #752, thanks to @avantgardnerio)
* NaiveWeek type to facilitate week-based calculations (#666, thanks to @sestrella)
* NaiveDateTime::and_local_timezone() method (#711, thanks to @botahamec)
* DateTime::from_local() method (#572, thanks to @retrhelo)
* NaiveDateTime (#664, thanks to @nickelc)
* DoubleEndedIterator for NaiveDateDaysIterator/NaiveDateWeeksIterator (#697, thanks to @teobouvard)
* std::iter::Sum for Duration (#522, thanks to @jakevossen5)
* years_since() method to DateTime/Date (#557 then #707, thanks to @yozhgoor)
* AddAssign/SubAssign for DateTime/Date (#698, thanks to @MrGunflame)
Non-functional improvements
* Utc::now() (#647, thanks to @ModProg)
* DateTime::with_timezone() (#747, thanks to @kevincox)
* naive serde integration (#616, thanks to @nickelc)
* extern crate statements and outdated comments (#665, thanks to @nickelc)
v0.4.19
v0.4.18
v0.4.17
v0.1
v0.4.16
Features
* Add %Z specifier to the FromStr, similar to the glibc strptime (does not set the offset from the timezone name)
* Drop the dependency on time v0.1, which is deprecated, unless the oldtime feature is active. This feature is active by default in v0.4.16 for backwards compatibility, but will likely be removed in v0.5. Code that imports time::Duration should be switched to import chrono::Duration instead to avoid breakage.
Configuration
📅 Schedule: Branch creation - "after 10pm every weekday,before 5am every weekday,every weekend" in timezone Europe/Berlin, Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.
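The release notes above tie the advisories to specific versions: time 0.1 (CVE-2020-26235 / RUSTSEC-2020-0071) and chrono before 0.4.20 (RUSTSEC-2020-0159). As an added example that is not part of this PR or of chrono, the following Rust program checks a Cargo.lock for those versions and reports which packages require them; the lockfile excerpt and the names LOCK, Finding and audit are constructed for illustration.

```rust
// Added example, not code from this PR. LOCK is a constructed Cargo.lock excerpt.
const LOCK: &str = r#"
[[package]]
name = "chrono"
version = "0.4.15"
dependencies = [
 "time",
]
[[package]]
name = "time"
version = "0.1.44"
"#;
#[derive(Debug)]
pub struct Finding { pub package: String, pub advisory: &'static str, pub pulled_in_by: Vec<String> }
#[derive(Default)]
struct Pkg { name: String, version: String, deps: Vec<String> }

// "0.4.15" -> (0, 4, 15); anything after the third number is ignored.
fn parse_version(v: &str) -> Option<(u64, u64, u64)> {
    let mut it = v.split(|c: char| !c.is_ascii_digit()).map(|p| p.parse::<u64>().ok());
    Some((it.next()??, it.next()??, it.next()??))
}

// Reads only the [[package]] tables that cargo writes; not a general TOML parser.
fn parse_lock(lock: &str) -> Vec<Pkg> {
    let (mut pkgs, mut active, mut in_deps) = (Vec::<Pkg>::new(), false, false);
    for line in lock.lines().map(str::trim) {
        if line.starts_with('[') {
            active = line == "[[package]]"; // other tables such as [metadata] are skipped
            in_deps = false;
            if active { pkgs.push(Pkg::default()); }
        } else if let (true, Some(p)) = (active, pkgs.last_mut()) {
            match line.split_once(" = ") {
                _ if in_deps && line.starts_with(']') => in_deps = false,
                _ if in_deps => p.deps.extend(line.split('"').nth(1).map(String::from)),
                Some(("name", v)) => p.name = v.trim_matches('"').into(),
                Some(("version", v)) => p.version = v.trim_matches('"').into(),
                Some(("dependencies", v)) => in_deps = !v.ends_with(']'),
                _ => {}
            }
        }
    }
    pkgs
}

// Flags time 0.1.x and chrono < 0.4.20, and lists the packages that require them.
pub fn audit(lock: &str) -> Vec<Finding> {
    let pkgs = parse_lock(lock);
    pkgs.iter().filter_map(|p| {
        let advisory = match (p.name.as_str(), parse_version(&p.version)) {
            ("time", Some((0, 1, _))) => "CVE-2020-26235 / RUSTSEC-2020-0071",
            ("chrono", Some(v)) if v < (0, 4, 20) => "RUSTSEC-2020-0159",
            _ => return None,
        };
        // A dependency entry is "name", or "name version" when the name is ambiguous.
        let pulled_in_by = pkgs.iter().filter(|q| q.deps.iter().any(|d| {
            let mut parts = d.split(' ');
            parts.next() == Some(p.name.as_str()) && parts.next().map_or(true, |v| v == p.version)
        })).map(|q| format!("{} {}", q.name, q.version)).collect();
        Some(Finding { package: format!("{} {}", p.name, p.version), advisory, pulled_in_by })
    }).collect()
}

fn main() { for f in audit(LOCK) { println!("{:?}", f); } }
```

`cargo audit` applies the full RustSec database; the two rules here are only the version boundaries stated in the release notes above.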