atuin/18.4.0 package update #38432

Merged
merged 2 commits into from
Dec 28, 2024

@octo-sts octo-sts bot commented Dec 27, 2024

Signed-off-by: wolfi-bot <121097084+wolfi-bot@users.noreply.github.com>
@octo-sts octo-sts bot added request-version-update request for a newer version of a package automated pr bincapz/pass bincapz/pass Bincapz (aka. malcontent) scan didn't detect any CRITICALs on the scanned packages. auto-approver-bot/initial-checks-failed labels Dec 27, 2024
octo-sts bot commented Dec 27, 2024

Gen AI suggestions to solve the build error:

Based on the error output, I'll analyze and provide specific fixes:

• Detected Error:
```
error: failed to select a version for the requirement idna = "^0.5.0"
candidate versions found which didn't match: 1.0.3
```

• Error Category: Dependency/Version

• Failure Point: The cargobump step during package build, specifically when trying to resolve the idna package dependency

• Root Cause Analysis: The cargobump tool is unable to find a compatible version of the idna crate. The package requires idna ^0.5.0, but only version 1.0.3 is available, causing a version constraint conflict with the url crate.

• Suggested Fix:
1. Add a specific override in the cargobump-deps.yaml file:
```yaml
dependencies:
  - name: idna
    version: "1.0.3"
  - name: url
    version: "2.5.2"
```
2. Or update the melange.yaml to pin specific versions:
```yaml
environment:
  contents:
    packages:
      # ... existing packages ...
      - cargo-auditable
      - openssf-compiler-options
      - protobuf-dev
      - rust
  environment:
    CARGO_NET_GIT_FETCH_WITH_CLI: "true"
    CARGO_TERM_COLOR: "always"
    RUST_VERSION: "1.83.0"
```

• Explanation: The idna crate has undergone a major version bump to 1.0.3, which is breaking compatibility with older dependencies. By explicitly specifying compatible versions, we ensure the build system can resolve dependencies correctly.

• Additional Notes:

  • The url crate 2.5.2 is locked to an older idna version
  • This is a common issue when upstream dependencies have version mismatches
  • Consider opening an issue upstream about the version constraint

• References:
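
The caret requirement in the error quoted above, as an added example that is not part of this PR or of the bot's comment: a minimal Rust model of Cargo's caret rule showing why `^0.5.0` cannot be satisfied by `1.0.3`. It assumes full MAJOR.MINOR.PATCH versions only (no pre-release or build metadata); the function names and candidate lists are constructed for illustration.

```rust
// Added example: models Cargo's caret-requirement rule for full
// MAJOR.MINOR.PATCH versions (pre-release/build metadata not handled).
type Version = (u64, u64, u64);

fn parse_version(s: &str) -> Option<Version> {
    let mut parts = s.trim().split('.').map(|p| p.parse::<u64>().ok());
    let v = (parts.next()??, parts.next()??, parts.next()??);
    if parts.next().is_some() {
        return None; // more than three components
    }
    Some(v)
}

/// Half-open range [low, high) accepted by a caret requirement.
/// The leftmost non-zero component is the one that may not change.
fn caret_range(req: &str) -> Option<(Version, Version)> {
    let low = parse_version(req.trim().trim_start_matches('^'))?;
    let high = match low {
        (0, 0, patch) => (0, 0, patch + 1),
        (0, minor, _) => (0, minor + 1, 0),
        (major, _, _) => (major + 1, 0, 0),
    };
    Some((low, high))
}

/// None means the requirement or the candidate could not be parsed.
fn satisfies(req: &str, candidate: &str) -> Option<bool> {
    let (low, high) = caret_range(req)?;
    let v = parse_version(candidate)?;
    Some(low <= v && v < high) // tuples compare lexicographically
}

/// Candidates a resolver could pick for `req`; empty means a resolution error.
fn select<'a>(req: &str, candidates: &[&'a str]) -> Vec<&'a str> {
    candidates.iter().copied().filter(|c| satisfies(req, c) == Some(true)).collect()
}

fn main() {
    let req = "^0.5.0";
    // Constructed candidate sets: the first mirrors the error message (only
    // 1.0.3 offered), the second is a hypothetical index with 0.5.x present.
    for set in [vec!["1.0.3"], vec!["0.4.0", "0.5.0", "0.5.9", "0.6.0", "1.0.3"]] {
        let ok = select(req, &set);
        if ok.is_empty() {
            println!("{} vs {:?}: nothing matches, resolution fails", req, set);
        } else {
            println!("{} vs {:?}: acceptable {:?}", req, set, ok);
        }
    }
}
```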

Signed-off-by: Batuhan Apaydin <batuhan.apaydin@chainguard.dev>
@developer-guy developer-guy force-pushed the wolfictl-5e7e5a9e-2211-4312-a795-0957c321a398 branch from c473049 to 36c651b Compare December 27, 2024 18:49
@developer-guy developer-guy requested a review from a team December 27, 2024 19:59
@kranurag7 kranurag7 merged commit dcc884a into main Dec 28, 2024
14 checks passed
@kranurag7 kranurag7 deleted the wolfictl-5e7e5a9e-2211-4312-a795-0957c321a398 branch December 28, 2024 07:36
Labels
auto-approver-bot/initial-checks-failed automated pr bincapz/pass bincapz/pass Bincapz (aka. malcontent) scan didn't detect any CRITICALs on the scanned packages. manual/review-needed request-version-update request for a newer version of a package
4 participants