From 70e02424162a73e7219ea5476b496d6241c7cf51 Mon Sep 17 00:00:00 2001
From: "octo-sts[bot]" <157150467+octo-sts@users.noreply.github.com>
Date: Fri, 22 Nov 2024 23:02:13 +0000
Subject: [PATCH 1/3] zellij/0.41.2-r1: fix GHSA-c2f5-jxjv-2hh8
---
zellij.yaml | 2 +-
zellij/cargobump-deps.yaml | 2 ++
2 files changed, 3 insertions(+), 1 deletion(-)
diff --git a/zellij.yaml b/zellij.yaml
index d1cbecaffa4..35bc0dcd05a 100644
--- a/zellij.yaml
+++ b/zellij.yaml
@@ -1,7 +1,7 @@
 package:
 name: zellij
 version: 0.41.2
- epoch: 1
+ epoch: 2
 description: A terminal workspace with batteries included
 copyright:
 - license: MIT
diff --git a/zellij/cargobump-deps.yaml b/zellij/cargobump-deps.yaml
index 8a04008c838..39ad46943e6 100644
--- a/zellij/cargobump-deps.yaml
+++ b/zellij/cargobump-deps.yaml
@@ -7,3 +7,5 @@ packages:
 version: 3.4.1
 - name: cap-std
 version: 3.4.1
+ - name: wasmtime
+ version: 24.0.2
From 6afd5373eb1dc2660df419e957105e1f7bc397dd Mon Sep 17 00:00:00 2001
From: Hector Fernandez
Date: Tue, 26 Nov 2024 16:50:55 -0600
Subject: [PATCH 2/3] Update cargobump-deps.yaml
Signed-off-by: Hector Fernandez
---
zellij/cargobump-deps.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/zellij/cargobump-deps.yaml b/zellij/cargobump-deps.yaml
index 39ad46943e6..37bf7f8faa9 100644
--- a/zellij/cargobump-deps.yaml
+++ b/zellij/cargobump-deps.yaml
@@ -8,4 +8,4 @@ packages:
 - name: cap-std
 version: 3.4.1
 - name: wasmtime
- version: 24.0.2
+ version: 25.0.0
From 3ad09db8af7bb1d04c8362a70c6fccc02a736b1f Mon Sep 17 00:00:00 2001
From: Mark McCormick
Date: Mon, 30 Dec 2024 17:31:47 +0000
Subject: [PATCH 3/3] remediates GHSA-c2f5-jxjv-2hh8, by bumping wasmtime
Signed-off-by: Mark McCormick
---
zellij.yaml | 12 ++++++++++++
zellij/bump-wasmtime.patch | 31 +++++++++++++++++++++++++++++++
zellij/cargobump-deps.yaml | 2 --
3 files changed, 43 insertions(+), 2 deletions(-)
create mode 100644 zellij/bump-wasmtime.patch
diff --git a/zellij.yaml b/zellij.yaml
index 35bc0dcd05a..2821f7a8e4e 100644
--- a/zellij.yaml
+++ b/zellij.yaml
@@ -27,6 +27,18 @@ pipeline:
 - uses: rust/cargobump
+ # Remediates: GHSA-c2f5-jxjv-2hh8. This is two-parts:
+ # 1. Updates in 'zellij-server/Cargo.toml' (this patch)
+ # 2. Upgrades dependency at top level of project using 'cargo update'.
+ # cargo/bump is not able to handle either of these scenarios currently.
+ # Can be removed if the following contribution is accepted: https://github.com/zellij-org/zellij/pull/3902.
+ - uses: patch
+ with:
+ patches: bump-wasmtime.patch
+
+ - runs: |
+ cargo update -p wasmtime@21.0.2 --precise 24.0.2
+
 - runs: |
 # use system openssl
 export OPENSSL_NO_VENDOR=1
diff --git a/zellij/bump-wasmtime.patch b/zellij/bump-wasmtime.patch
new file mode 100644
index 00000000000..580ed5e97c7
--- /dev/null
+++ b/zellij/bump-wasmtime.patch
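Review bot: The added `cargo update -p wasmtime@21.0.2 --precise 24.0.2` step pins only `wasmtime`, while the patch applied in the step just above also moves `wasmtime-wasi` from 21.0.2 to 24.0.2 in `zellij-server/Cargo.toml`, so the lockfile entry for `wasmtime-wasi` is left to whatever the build's own resolution picks (or, if the later build step runs with `--locked`, to a failure) — I cannot see that step from here, so confirm which applies. Adding `cargo update -p wasmtime-wasi@21.0.2 --precise 24.0.2` to the same `runs:` block keeps both crates at the version the comment claims. The comment block should also say why 24.0.2 is the chosen release given that the previous commit in this series had pinned 25.0.0 in `cargobump-deps.yaml`, with a pointer to the advisory's patched-version list, since the series as shown gives no reason for the change. The enclosing `pipeline:` list continues outside the hunk.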
@@ -0,0 +1,31 @@
+diff --git a/zellij-server/Cargo.toml b/zellij-server/Cargo.toml
+index 7e5653b5..ad102c31 100644
+--- a/zellij-server/Cargo.toml
++++ b/zellij-server/Cargo.toml
+@@ -19,7 +19,7 @@ daemonize = "0.5"
+ serde_json = "1.0"
+ unicode-width = "0.1.8"
+ url = "2.2.2"
+-wasmtime-wasi = "21.0.2" # Keep in sync with wasmtime
++wasmtime-wasi = "24.0.2" # Keep in sync with wasmtime
+ cassowary = "0.3.0"
+ zellij-utils = { path = "../zellij-utils/", version = "0.41.2" }
+ log = "0.4.17"
+@@ -34,7 +34,7 @@ uuid = { version = "1.4.1", features = ["serde", "v4"] }
+ semver = "0.11.0"
+
+ [dependencies.wasmtime]
+-version = "21.0.2" # Keep in sync with wasmtime-wasi
++version = "24.0.2" # Keep in sync with wasmtime-wasi
+ default-features = false
+ features = [
+ 'async',
+@@ -53,7 +53,7 @@ features = [
+ [dev-dependencies]
+ insta = "1.6.0"
+ tempfile = "3.2.0"
+-wasmtime = { version = "21.0.2", features = ["winch"] } # Keep in sync with the other wasmtime dep
++wasmtime = { version = "24.0.2", features = ["winch"] } # Keep in sync with the other wasmtime dep
+
+ [features]
+ singlepass = ["wasmtime/winch"]
diff --git a/zellij/cargobump-deps.yaml b/zellij/cargobump-deps.yaml
index 37bf7f8faa9..8a04008c838 100644
--- a/zellij/cargobump-deps.yaml
+++ b/zellij/cargobump-deps.yaml
@@ -7,5 +7,3 @@ packages:
 version: 3.4.1
 - name: cap-std
 version: 3.4.1
- - name: wasmtime
- version: 25.0.0
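Review bot: The new `bump-wasmtime.patch` carries no description of its own, so the reason for the three version edits is only recoverable from the comment in `zellij.yaml`; a leading line before the first `diff --git`, such as `Bump wasmtime and wasmtime-wasi 21.0.2 -> 24.0.2 for GHSA-c2f5-jxjv-2hh8; drop once https://github.com/zellij-org/zellij/pull/3902 lands`, would let the file stand on its own (`patch` and `git apply` skip leading text, but confirm with whichever tool the `patch` pipeline step uses). The three edited lines keep the existing `# Keep in sync with ...` comments, which is the right place for that invariant, and the patch does keep `[dependencies.wasmtime]`, `wasmtime-wasi` and the `[dev-dependencies]` `wasmtime` entry at the same `24.0.2`. The hunks are excerpts of `zellij-server/Cargo.toml`; the rest of that manifest is outside the patch.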