Skip to content

chore(release): v0.10.1#57

Merged
Rushit merged 3 commits into
mainfrom
chore/release-v0.10.1
Jul 3, 2026
Merged

chore(release): v0.10.1#57
Rushit merged 3 commits into
mainfrom
chore/release-v0.10.1

Conversation

@Rushit

@Rushit Rushit commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

Release v0.10.1 with quick-xml advisory ignore to pass CI

@github-actions github-actions Bot added the dependencies Dependency version bumps label Jul 2, 2026

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request bumps the workspace package version from 0.10.0 to 0.10.1 and adds two security advisories (RUSTSEC-2026-0194 and RUSTSEC-2026-0195) to the ignore list in deny.toml. Feedback highlights that ignoring these advisories for quick-xml bypasses critical security checks, leaving the application vulnerable to Denial of Service (DoS) or panic exploits. It is recommended to upgrade the affected dependencies or use Cargo's patch mechanism to resolve the vulnerabilities instead of ignoring them.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

Comment thread deny.toml
Comment on lines +38 to 39
{ id = "RUSTSEC-2026-0195" },
]

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

security-high high

Ignoring security advisories `RUSTSEC-2026-0194` and `RUSTSEC-2026-0195` for `quick-xml` in `deny.toml` bypasses critical security checks and leaves the application vulnerable to potential Denial of Service (DoS) or panic-inducing exploits when parsing malformed XML documents (such as DTD/DOCTYPE slice-index panics).\n\nInstead of ignoring these advisories, the recommended approach is to upgrade the dependencies that pull in the vulnerable versions of `quick-xml` (specifically `opendal` and `reqsign`) to versions that use patched releases of `quick-xml` (e.g., `quick-xml >= 0.38.4`, `0.39.4`, or `0.40.1`).\n\nIf upgrading those dependencies is not immediately feasible, consider using Cargo's `[patch.crates-io]` section in the workspace `Cargo.toml` to override the vulnerable `quick-xml` versions with patched ones, or investigate if a newer patch release of the dependencies is available.

@Rushit Rushit merged commit f1bb3f9 into main Jul 3, 2026
3 checks passed
@Rushit Rushit deleted the chore/release-v0.10.1 branch July 3, 2026 22:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Dependency version bumps

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant