
zellij/0.41.2-r1: cve remediation #35025

Open: wants to merge 2 commits into base branch main

Conversation


@octo-sts octo-sts bot commented Nov 22, 2024


octo-sts bot commented Nov 22, 2024

Gen AI suggestions to solve the build error:

• Detected Error:

error: failed to select a version for the requirement `wasmtime = "^21.0.2"`
candidate versions found which didn't match: 24.0.2
location searched: crates.io index
required by package `zellij-server v0.41.2`

• Error Category: Dependency/Version

• Failure Point: rust/cargobump step when attempting to update the wasmtime dependency

• Root Cause Analysis: The cargobump tool is trying to update wasmtime to a newer version, but zellij-server specifically requires wasmtime 21.0.2, while only version 24.0.2 is available in the crates.io index.

• Suggested Fix:
Add wasmtime to the exclusion list in cargobump-deps.yaml:

exclude:
  - wasmtime

• Explanation:
The failure occurs because wasmtime 21.0.2 is a hard requirement for zellij-server 0.41.2, but cargobump is trying to update it to 24.0.2. By excluding wasmtime from the automatic updates, we preserve the required version compatibility while allowing other dependencies to update safely.

• Additional Notes:

  • This is a common issue when a package has strict version requirements for critical dependencies
  • Wasmtime has significant breaking changes between major versions
  • The exclusion approach is safer than forcing an upgrade that could break functionality

• References:

Signed-off-by: Hector Fernandez <[email protected]>

octo-sts bot commented Nov 26, 2024

Gen AI suggestions to solve the build error:

• Detected Error:

error: failed to select a version for the requirement `wasmtime = "^21.0.2"`
candidate versions found which didn't match: 25.0.0
location searched: crates.io index
required by package `zellij-server v0.41.2`

• Error Category: Dependency Version Conflict

• Failure Point: rust/cargobump step during dependency update

• Root Cause Analysis: The package requires wasmtime v21.0.2, but this version is no longer available in crates.io. The only available version is 25.0.0, which is incompatible with the current package version.

• Suggested Fix:

  1. Add a version override in the cargobump-deps.yaml file:

dependencies:
  - name: wasmtime
    version: "25.0.0"

  2. Or pin the specific version in the pipeline:

  - uses: rust/cargobump
    with:
      packages:
        - [email protected]

• Explanation: The wasmtime dependency has undergone a major version update from 21.x to 25.x. Since this is a breaking change, we need to explicitly specify the version compatibility. The fix will allow the build system to use the newer version of wasmtime.

• Additional Notes:

  • This may require additional code changes due to breaking API changes between wasmtime 21 and 25
  • Consider opening an upstream issue to update the wasmtime dependency
  • Test thoroughly as this is a major version jump

• References:


mamccorm commented Dec 7, 2024

Unfortunately we cannot remediate this one. Advisory filed:
