Bump the cargo group with 3 updates #2018

Merged
merged 2 commits into from
Sep 11, 2023

dependabot[bot]
Contributor

@dependabot dependabot bot commented on behalf of github Sep 11, 2023

Bumps the cargo group with 3 updates: bytemuck, chrono and serde_json.

Updates bytemuck from 1.13.1 to 1.14.0

Changelog

Sourced from bytemuck's changelog.

bytemuck changelog

1.14

  • write_zeroes and fill_zeroes functions: Writes (to one) or fills (a slice) zero bytes to all bytes covered by the provided reference. If your type has padding, this will even zero out the padding bytes.
  • align_offset feature: causes pointer alignment checks to use the align_offset pointer method rather than as-casting the pointer to usize. This may improve codegen, if the compiler would have otherwise thought that the pointer address escaped. No formal benchmarks have been done either way.
  • must_cast feature: Adds must_* family of functions. These functions will fail to compile if the cast requested can't be statically known to succeed. The error messages can be kinda bad when this happens, but eliminating the possibility of a runtime error might be worth it to you.
Commits
  • ff0b14d chore: Release bytemuck version 1.14.0
  • 88f5c8b chore: Release bytemuck_derive version 1.5.0
  • c22cf36 docs.
  • 01c2a07 derive changelog
  • 24b65bd changelog.
  • 1ba4215 Create align_offset feature so that we can continue to work on 1.34
  • caff759 Use align_offset to check alignment (#176)
  • b38d7d0 Have cfgs as part of the input to impl_unsafe_marker_for_simd (#207)
  • d9b23e3 rename these functions before publishing them.
  • d790c04 Add functions for writing zeroed bytes to &mut impl Zeroable and `&mut [imp...
  • Additional commits viewable in compare view

Updates chrono from 0.4.28 to 0.4.30

Release notes

Sourced from chrono's releases.

0.4.30

In this release, we have decided to swap out the chrono::Duration type (which has been a re-export of time 0.1 Duration type) with our own definition, which exposes a strict superset of the time::Duration API. This helps avoid warnings about the CVE-2020-26235 and RUSTSEC-2020-0071 advisories for downstream users and allows us to improve the Duration API going forward.

While this is technically a SemVer-breaking change, we expect the risk of downstream users experiencing actual incompatibility to be exceedingly limited (see our analysis of public code using a crater-like experiment), and not enough justification for the large ecosystem churn of a 0.5 release. If you have any feedback on these changes, please let us know in #1268.

Additions

  • Add NaiveDate::leap_year (#1261)

Documentation

Relation between chrono and time 0.1

Rust first had a time module added to std in its 0.7 release. It later moved to libextra, and then to a libtime library shipped alongside the standard library. In 2014 work on chrono started in order to provide a full-featured date and time library in Rust. Some improvements from chrono made it into the standard library; notably, chrono::Duration was included as std::time::Duration (rust#15934) in 2014.

In preparation of Rust 1.0 at the end of 2014 libtime was moved out of the Rust distro and into the time crate to eventually be redesigned (rust#18832, rust#18858), like the num and rand crates. Of course chrono kept its dependency on this time crate. time started re-exporting std::time::Duration during this period. Later, the standard library was changed to have a more limited unsigned Duration type (rust#24920, RFC 1040), while the time crate kept the full functionality with time::Duration. time::Duration had been a part of chrono's public API.

By 2016 time 0.1 lived under the rust-lang-deprecated organisation and was not actively maintained (time#136). chrono absorbed the platform functionality and Duration type of the time crate in chrono#478 (the work started in chrono#286). In order to preserve compatibility with downstream crates depending on time and chrono sharing a Duration type, chrono kept depending on time 0.1. chrono offered the option to opt out of the time dependency by disabling the oldtime feature (swapping it out for an effectively similar chrono type). In 2019, @​jhpratt took over maintenance on the time crate and released what amounts to a new crate as time 0.2.

Security advisories

In November of 2020 CVE-2020-26235 and RUSTSEC-2020-0071 were opened against the time crate. @​quininer had found that calls to localtime_r may be unsound (chrono#499). Eventually, almost a year later, this was also made into a security advisory against chrono as RUSTSEC-2020-0159, which had platform code similar to time.

On Unix-like systems a process is given a timezone id or description via the TZ environment variable. We need this timezone data to calculate the current local time from a value that is in UTC, such as the time from the system clock. time 0.1 and chrono used the POSIX function localtime_r to do the conversion to local time, which reads the TZ variable.

Rust assumes the environment to be writable and uses locks to access it from multiple threads. Some other programming languages and libraries use similar locking strategies, but these are typically not shared across languages. More importantly, POSIX declares modifying the environment in a multi-threaded process as unsafe, and getenv in libc can't be changed to take a lock because it returns a pointer to the data (see rust#27970 for more discussion).

Since version 4.20 chrono no longer uses localtime_r, instead using Rust code to query the timezone (from the TZ variable or via iana-time-zone as a fallback) and work with data from the system timezone database directly. The code for this was forked from the tz-rs crate by @​x-hgg-x. As such, chrono now respects the Rust lock when reading the TZ environment variable. In general, code should avoid modifying the environment.

... (truncated)

Commits
  • 101ca7e Bump version to 0.4.30
  • eee59e3 Rewrite history sections for clarity and consistency
  • 7387fe7 Add history of chrono and time 0.1 to main documentation
  • 8509da4 Apply Clippy suggestions for duration module
  • 9d7fafe Remove mention of oldtime from documentation
  • 27ea7e9 Rename oldtime module to duration
  • 8f5becd Drop time 0.1 as optional dependency
  • f4aefc7 Clarify Timelike::num_seconds_from_midnight is a simple mapping
  • 1903778 Add NaiveDate::leap_year
  • 84334df Update readme
  • Additional commits viewable in compare view

Updates serde_json from 1.0.105 to 1.0.106

Release notes

Sourced from serde_json's releases.

v1.0.106

Commits
  • 45f10ec Release 1.0.106
  • f346308 Elaborate on documentation of Number::as_str
  • f16cad6 Add cfg banner to documentation of Number::as_str
  • fc8dd13 Touch up PR 1067
  • 028b643 Merge pull request #1067 from chanced/add-as_str-to-number
  • db75c22 Fix unintended u8 link inferred by intra doc link
  • 11b603c Resolve rustdoc::redundant_explicit_links lint
  • 95c5d6c Fix documentation typo from PR 1069
  • 5a39516 Reorder Value::as_number after is_number
  • 6a5fef9 Wrap as_number documentation to 80 columns
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the cargo group with 3 updates: [bytemuck](https://github.com/Lokathor/bytemuck), [chrono](https://github.com/chronotope/chrono) and [serde_json](https://github.com/serde-rs/json).


Updates `bytemuck` from 1.13.1 to 1.14.0
- [Changelog](https://github.com/Lokathor/bytemuck/blob/main/changelog.md)
- [Commits](Lokathor/bytemuck@v1.13.1...v1.14.0)

Updates `chrono` from 0.4.28 to 0.4.30
- [Release notes](https://github.com/chronotope/chrono/releases)
- [Changelog](https://github.com/chronotope/chrono/blob/main/CHANGELOG.md)
- [Commits](chronotope/chrono@v0.4.28...v0.4.30)

Updates `serde_json` from 1.0.105 to 1.0.106
- [Release notes](https://github.com/serde-rs/json/releases)
- [Commits](serde-rs/json@v1.0.105...v1.0.106)

---
updated-dependencies:
- dependency-name: bytemuck
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: cargo
- dependency-name: chrono
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: cargo
- dependency-name: serde_json
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: cargo
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot requested a review from hannobraun as a code owner September 11, 2023 12:05
@dependabot dependabot bot added dependencies Pull requests that update a dependency file rust Pull requests that update Rust code labels Sep 11, 2023
@hannobraun hannobraun merged commit c5e08f4 into main Sep 11, 2023
4 checks passed
@hannobraun hannobraun deleted the dependabot/cargo/cargo-7fc1ac7c57 branch September 11, 2023 12:45
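
The chrono 0.4.30 notes quoted above say the release drops the `time` 0.1 dependency that the CVE-2020-26235 / RUSTSEC-2020-0071 warnings attach to. The following is an added example, not code from this PR or from chrono: a dependency-free check that reads a `Cargo.lock` and reports which locked packages still pull in `time` 0.1.x. The lockfile text is a constructed sample, and `Pkg`, `parse_lock` and `time01_dependents` are hypothetical names.

```rust
// Added example: list locked packages that depend on `time` 0.1.x.
// LOCK is a constructed sample, not this project's Cargo.lock.
const LOCK: &str = r#"
[[package]]
name = "chrono"
version = "0.4.28"
dependencies = [
 "time",
]
[[package]]
name = "time"
version = "0.1.45"
"#;

type Pkg = (String, String, Vec<String>); // (name, version, dependency entries)

/// Parse each `[[package]]` table into (name, version, dependency entries).
fn parse_lock(text: &str) -> Vec<Pkg> {
    let unq = |s: &str| s.trim().trim_end_matches(',').trim_matches('"').to_string();
    let parse_one = |chunk: &str| -> Pkg {
        let field = |key: &str| {
            chunk.lines().find_map(|l| l.strip_prefix(key)).map(unq).unwrap_or_default()
        };
        let body = chunk.split_once("dependencies = [").map_or("", |(_, rest)| rest);
        let deps = body.split(']').next().unwrap_or("").lines().map(unq);
        (field("name = "), field("version = "), deps.filter(|d| !d.is_empty()).collect())
    };
    text.split("[[package]]").skip(1).map(parse_one).collect()
}

/// "<pkg> <ver> -> time <ver>" for every package whose dependencies name time 0.1.x.
fn time01_dependents(pkgs: &[Pkg]) -> Vec<String> {
    let mut hits = Vec::new();
    for t in pkgs.iter().filter(|p| p.0 == "time" && p.1.starts_with("0.1.")) {
        // Entries read "time" or, when several versions are locked, "time 0.1.45".
        let wants = |d: &String| {
            let mut f = d.split_whitespace();
            f.next() == Some("time") && f.next().map_or(true, |v| v == t.1)
        };
        for p in pkgs.iter().filter(|p| p.2.iter().any(|d| wants(d))) {
            hits.push(format!("{} {} -> time {}", p.0, p.1, t.1));
        }
    }
    hits
}

fn main() {
    time01_dependents(&parse_lock(LOCK)).iter().for_each(|h| println!("{h}"));
}
```

An empty result after the bump means nothing in the lockfile depends on `time` 0.1.x any more; a non-empty one names the crates that still do.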