atuin/18.3.0-r3: cve remediation

[octo-sts]

atuin/18.3.0-r3: fix GHSA-h97m-ww89-6jmq

Advisory data: https://github.com/wolfi-dev/advisories/blob/main/atuin.advisories.yaml

[octo-sts]

Gen AI suggestions to solve the build error:

• Detected Error:

error: failed to select a version for the requirement `idna = "^0.5.0"`
candidate versions found which didn't match: 1.0.0
location searched: crates.io index
required by package `url v2.5.0`

• Error Category: Dependency

• Failure Point: rust/cargobump step during dependency resolution

• Root Cause Analysis:
The error occurs because there's a version mismatch with the idna crate. The package requires idna ^0.5.0, but only version 1.0.0 is available, causing a dependency resolution conflict with the url crate.

• Suggested Fix:
Add a cargobump-deps.yaml file to pin the idna dependency:

dependencies:
  - name: idna
    version: "1.0.0"
  - name: url
    version: "2.5.0"

Or update the package.environment section to include:

environment:
  contents:
    packages:
      - cargo-auditable
      - rust
      # ... other existing packages ...
    environment:
      CARGO_NET_GIT_FETCH_WITH_CLI: "true"
      CARGO_TERM_COLOR: "always"

• Explanation:
The fix works by either explicitly managing the dependency versions through cargobump-deps.yaml or ensuring proper cargo environment settings. This helps resolve the dependency conflict between the required idna version and what's available in the registry.

• Additional Notes:

• This is a common issue when upstream dependencies have breaking changes
• The error suggests a compatibility break between url 2.5.0 and idna 1.0.0
• Consider checking the upstream repository for any related issues or updates

• References:

• https://doc.rust-lang.org/cargo/reference/resolver.html
• https://github.com/atuinsh/atuin/issues (check for related dependency issues)
• https://crates.io/crates/idna (version history)

[kranurag7]

new version was bumped and cves were addressed via #38432