
chore(deps): Update Rust crate git2 to v0.20.4 [SECURITY]#116

Open

renovate[bot] wants to merge 1 commit into main from renovate/crate-git2-vulnerability

Conversation

@renovate (renovate bot, Contributor) commented Feb 4, 2026

This PR contains the following updates:

Package | Type | Update | Change
git2 | dependencies | minor | 0.16.0 → 0.20.4

GitHub Vulnerability Alerts

GHSA-m4ch-rfv5-x5g3

The git2 and libgit2-sys crates are Rust wrappers around the libgit2 C library. It was discovered that libgit2 1.5.0 and below did not verify SSH host keys when establishing an SSH connection, exposing users of the library to Man-In-the-Middle attacks.

The libgit2 team assigned CVE-2023-22742 to this vulnerability. The following versions of the libgit2-sys Rust crate have been released:

  • libgit2-sys 0.14.2, updating the underlying libgit2 C library to version 1.5.1.
  • libgit2-sys 0.13.5, updating the underlying libgit2 C library to version 1.4.5.

A new git2 crate version has also been released, 0.16.1. This version only bumps its libgit2-sys dependency to ensure no vulnerable libgit2-sys versions are used, but contains no code changes: if you update the libgit2-sys version there is no need to also update the git2 crate version.

You can learn more about this vulnerability in libgit2's advisory.

GHSA-j39j-6gw9-jw6h

If the Buf struct is dereferenced immediately after calling new() or default() on the Buf struct, a null pointer is passed to the unsafe function slice::from_raw_parts. According to the safety section documentation of the function, data must be non-null and aligned even for zero-length slices or slices of ZSTs. Thus, passing a null pointer will lead to undefined behavior.

Release Notes

rust-lang/git2-rs (git2)

v0.20.4

Compare Source

v0.20.3

Compare Source

v0.20.2

Compare Source

0.20.1...0.20.2

Fixed
  • Added missing codes for GIT_EDIRECTORY, GIT_EMERGECONFLICT, GIT_EUNCHANGED, GIT_ENOTSUPPORTED, and GIT_EREADONLY to Error::raw_code. (#1153)
  • Fixed missing initialization in Indexer::new. (#1160)

v0.20.1

Compare Source


v0.20.0

Compare Source

0.20.0...0.20.1

Added
  • Added Repository::branch_upstream_merge() (#1131)
  • Added Index::conflict_get() (#1134)
  • Added Index::conflict_remove() (#1133)
  • Added opts::set_cache_object_limit() (#1118)
  • Added Repo::merge_file_from_index() and associated MergeFileOptions and MergeFileResult. (#1062)
Changed
  • The url dependency minimum raised to 2.5.4 (#1128)
  • Changed the tracing callback to abort the process if the callback panics instead of randomly detecting the panic in some other function. (#1121)
  • Credential helper config (loaded with CredentialHelper::config) now checks for helpers that start with something that looks like an absolute path, rather than checking for a / or \ anywhere in the helper string (which resolves an issue if the helper had arguments with / or \). (#1137)
Fixed
  • Fixed panic in Remote::url_bytes if the url is empty. (#1120)
  • Fixed incorrect lifetimes on Patch::delta, Patch::hunk, and Patch::line_in_hunk. The return values must not outlive the Patch. (#1141)
  • Bumped requirement to libgit2-sys 0.18.1, which fixes linking of advapi32 on Windows. (#1143)

v0.19.0

Compare Source

0.19.0...0.20.0

Added
  • Debug is now implemented for transport::Service (#1074)
  • Added Repository::commondir (#1079)
  • Added Repository::merge_base_octopus (#1088)
  • Restored impls for PartialOrd, Ord, and Hash for bitflags types that were inadvertently removed in a prior release. (#1096)
  • Added CheckoutBuilder::disable_pathspec_match (#1107)
  • Added PackBuilder::write (#1110)
Changed
  • ❗ Updated to libgit2 1.9.0 (#1111)
  • ❗ Removed the ssh_key_from_memory Cargo feature, it was unused. (#1087)
  • ❗ Errors from Tree::walk are now correctly reported to the caller. (#1098)
  • ❗ The trace_set callback now takes a &[u8] instead of a &str. (#1071)
  • Error::last_error now returns Error instead of Option<Error>. (#1072)
Fixed
  • Fixed OdbReader::read return value. (#1061)
  • When a credential helper executes a shell command, don't pop open a console window on Windows. (#1075)

v0.18.3

Compare Source

0.18.2...0.18.3

Added
  • Added opts:: functions to get / set libgit2 mwindow options (#1035)
Changed
  • Updated examples to use clap instead of structopt (#1007)

v0.18.2

Compare Source


v0.18.1

Compare Source


v0.18.0

Compare Source

0.18.0...0.18.1

Added
  • Added FetchOptions::depth to set the depth of a fetch or clone, adding support for shallow clones. (#979)
Fixed
  • Fixed an internal data type (TreeWalkCbData) to not assume it is a transparent type while casting. (#989)
  • Fixed so that DiffPatchidOptions and StashSaveOptions are publicly exported allowing the corresponding APIs to actually be used. (#988)

v0.17.2

Compare Source

0.17.2...0.18.0

Added
  • Added Blame::blame_buffer for getting blame data for a file that has been modified in memory. (#981)
Changed
  • Updated to libgit2 1.7.0. (#968)
  • Updated to libgit2 1.7.1. (#982)
  • Switched from bitflags 1.x to 2.1. This brings some small changes to types generated by bitflags. (#973)
  • Changed Revwalk::with_hide_callback to take a mutable reference to its callback to enforce type safety. (#970)
  • Implemented FusedIterator for many iterators that can support it. (#955)
Fixed
  • Fixed builds with cargo's -Zminimal-versions. (#960)

v0.17.1

Compare Source

0.17.1...0.17.2

Added
  • Added support for stashing with options (which can support partial stashing). (#930)

v0.17.0

Compare Source

0.17.0...0.17.1


v0.16.1

Compare Source

0.16.1...0.17.0

Added
  • Added IntoIterator implementation for Statuses. (#880)
  • Added Reference::symbolic_set_target (#893)
  • Added Copy, Clone, Debug, PartialEq, and Eq implementations for AutotagOption and FetchPrune. (#889)
  • Added Eq and PartialEq implementations for Signature. (#890)
  • Added Repository::discover_path. (#883)
  • Added Submodule::repo_init. (#914)
  • Added Tag::is_valid_name. (#882)
  • Added Repository::set_head_bytes. (#931)
  • Added the Indexer type which is a low-level API for storing and indexing pack files. (#911)
  • Added Index::find_prefix. (#903)
  • Added support for the deprecated group-writeable blob mode. This adds a new variant to FileMode. (#887)
  • Added PushCallbacks::push_negotiation callback and the corresponding PushUpdate type for getting receiving information about the updates to perform. (#926)
Changed
  • Updated to libgit2 1.6.3. This brings in many changes, including better SSH host key support on Windows and better SSH host key algorithm negotiation. 1.6.3 is now the minimum supported version. (#935)
  • Updated libssh2-sys from 0.2 to 0.3. This brings in numerous changes, including SHA2 algorithm support with RSA. (#919)
  • Changed RemoteCallbacks::credentials callback error handler to correctly set the libgit2 error class. (#918)
  • DiffOptions::flag now takes a git_diff_option_t type. (#935)

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR was generated by Mend Renovate. View the repository job log.
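The first advisory quoted in the PR (GHSA-m4ch-rfv5-x5g3 / CVE-2023-22742) is about libgit2 1.5.0 and below accepting any SSH host key, so a network attacker could sit between a build machine and its git remote. The block below is an added example, not code from git2-rs, libgit2 or this repository: it models the host-key check that the patched libgit2 performs, using only the Rust standard library so it runs stand-alone. A presented key is looked up in OpenSSH known_hosts text and accepted only when host, key type and key all match; a known host with a different key is reported as a mismatch rather than silently accepted, and an unknown host is reported as unknown rather than trusted on first use. In a real git2 program this decision belongs in the certificate-check callback (`RemoteCallbacks::certificate_check`); the `HostKeyStatus` type, the `check_host_key` function and the sample known_hosts entries are all constructed for this example, and the key blobs are placeholders, not real keys. Hashed host entries (`|1|...`) are deliberately not handled.

```rust
// Added example, not code from git2-rs or libgit2. Models the SSH host-key
// check that libgit2 1.5.1 / 1.4.5 restored (CVE-2023-22742), std-only so it
// runs stand-alone. Hashed host entries (|1|...) are out of scope.

/// Result of comparing a presented key with known_hosts (constructed type).
#[derive(Debug, PartialEq, Eq)]
pub enum HostKeyStatus {
    /// Host is known and the presented key matches a pinned entry.
    Match,
    /// Host is known for this key type, but the presented key differs: possible MITM.
    Mismatch,
    /// No entry for this host: must not be silently accepted.
    Unknown,
    /// The presented key is listed under an @revoked marker.
    Revoked,
}

/// Match the host field of a known_hosts line: `host`, `host,alias`, or `[host]:port`.
fn host_matches(pattern: &str, host: &str, port: u16) -> bool {
    pattern.split(',').any(|p| match p.strip_prefix('[') {
        // `[host]:port` form, used for non-default ports
        Some(rest) => matches!(rest.split_once("]:"),
            Some((h, prt)) if h == host && prt.parse::<u16>().ok() == Some(port)),
        // bare host name only matches the default SSH port
        None => p == host && port == 22,
    })
}

/// Check `key_b64` (the base64 key blob as OpenSSH prints it) for `host:port`.
pub fn check_host_key(known_hosts: &str, host: &str, port: u16, key_type: &str, key_b64: &str) -> HostKeyStatus {
    let mut status = HostKeyStatus::Unknown;
    for raw in known_hosts.lines() {
        let line = raw.trim();
        if line.is_empty() || line.starts_with('#') {
            continue;
        }
        let mut fields = line.split_whitespace();
        let mut marker: Option<&str> = None;
        let mut pattern = fields.next().unwrap_or("");
        if pattern.starts_with('@') {
            marker = Some(pattern);
            pattern = fields.next().unwrap_or("");
        }
        // @cert-authority lines hold CA keys, not host keys; not handled here.
        if marker == Some("@cert-authority") {
            continue;
        }
        let (ktype, key) = match (fields.next(), fields.next()) {
            (Some(t), Some(k)) => (t, k),
            _ => continue, // malformed line
        };
        if !host_matches(pattern, host, port) || ktype != key_type {
            continue;
        }
        if key == key_b64 {
            return if marker == Some("@revoked") { HostKeyStatus::Revoked } else { HostKeyStatus::Match };
        }
        // Same host and key type but a different key: keep scanning in case another
        // line pins the presented key; otherwise this is the answer.
        status = HostKeyStatus::Mismatch;
    }
    status
}

/// Constructed sample known_hosts content; the key blobs are placeholders, not real keys.
pub const SAMPLE_KNOWN_HOSTS: &str = "\
# constructed sample
git.example.com,git ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYONEeeeeeeeeeeeeeeeeeeee
[git.example.com]:2222 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYTWOoooooooooooooooooooo
@revoked old.example.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQPLACEHOLDERREVOKEDrrrrrrrrrrrrrrrr
";

pub const KEY_ONE: &str = "AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYONEeeeeeeeeeeeeeeeeeeee";
pub const KEY_TWO: &str = "AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYTWOoooooooooooooooooooo";
pub const KEY_REVOKED: &str = "AAAAB3NzaC1yc2EAAAADAQABAAABAQPLACEHOLDERREVOKEDrrrrrrrrrrrrrrrr";

fn main() {
    // KEY_TWO is pinned for port 2222 only; presenting it on port 22 is a mismatch.
    let s = check_host_key(SAMPLE_KNOWN_HOSTS, "git.example.com", 22, "ssh-ed25519", KEY_TWO);
    println!("key two presented on port 22: {:?}", s);
}
```

The point of returning `Unknown` and `Mismatch` as distinct values is that the caller has to make an explicit policy decision for each; a callback that maps every outcome to "accept" reproduces the vulnerable behaviour regardless of which libgit2 version is linked.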

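The second advisory quoted in the PR (GHSA-j39j-6gw9-jw6h) is a memory-safety bug rather than a network one: a `Buf` created with `new()` or `default()` wraps a libgit2 buffer whose data pointer is still NULL, and handing that pointer to `slice::from_raw_parts` is undefined behaviour even for length zero. The block below is an added example, not code from git2-rs; `RawBuf` is a constructed stand-in for the FFI struct, and `as_slice` shows the hardened accessor that checks for NULL before building a slice.

```rust
// Added example, not code from git2-rs. Models GHSA-j39j-6gw9-jw6h: a buffer
// handle with a NULL data pointer must not be passed to slice::from_raw_parts.
// RawBuf is a constructed stand-in for git2's Buf / libgit2's git_buf.
use std::marker::PhantomData;
use std::ptr;
use std::slice;

/// Constructed model of a C buffer handle: raw pointer + length, as an FFI layer sees it.
pub struct RawBuf<'a> {
    ptr: *const u8,
    size: usize,
    _owner: PhantomData<&'a [u8]>,
}

impl<'a> RawBuf<'a> {
    /// What `Buf::new()` / `Buf::default()` hand back: nothing allocated yet, NULL pointer.
    pub fn new() -> Self {
        RawBuf { ptr: ptr::null(), size: 0, _owner: PhantomData }
    }

    /// A buffer the library has filled; borrows the bytes for 'a.
    pub fn from_bytes(bytes: &'a [u8]) -> Self {
        RawBuf { ptr: bytes.as_ptr(), size: bytes.len(), _owner: PhantomData }
    }

    /// Hardened accessor. The vulnerable form was effectively
    /// `unsafe { slice::from_raw_parts(self.ptr, self.size) }` with no NULL check,
    /// which violates from_raw_parts' requirement that `data` be non-null and
    /// aligned even for zero-length slices.
    pub fn as_slice(&self) -> &[u8] {
        if self.ptr.is_null() {
            // Never-initialized buffer: report it as empty instead of passing NULL onward.
            return &[];
        }
        // SAFETY: ptr is non-null, points to `size` initialized bytes that live for 'a,
        // and the returned borrow cannot outlive self.
        unsafe { slice::from_raw_parts(self.ptr, self.size) }
    }

    pub fn len(&self) -> usize {
        self.as_slice().len()
    }

    pub fn is_empty(&self) -> bool {
        self.ptr.is_null() || self.size == 0
    }
}

fn main() {
    let empty = RawBuf::new();
    println!("fresh buffer: {} bytes, empty = {}", empty.len(), empty.is_empty());
    let data = b"git2 example";
    let filled = RawBuf::from_bytes(data);
    println!("filled buffer: {:?}", std::str::from_utf8(filled.as_slice()));
}
```

The `PhantomData<&'a [u8]>` ties the handle to the lifetime of the bytes it points at, which is the same class of problem the v0.20.1 changelog entry about `Patch::delta`, `Patch::hunk` and `Patch::line_in_hunk` lifetimes addresses: a raw pointer carries no lifetime on its own, so the wrapper has to supply one.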
@coveralls commented Feb 4, 2026

Pull Request Test Coverage Report for Build 21951879247

Details

  • 0 of 0 changed or added relevant lines in 0 files are covered.
  • 10 unchanged lines in 2 files lost coverage.
  • Overall coverage decreased (-0.1%) to 40.943%

Files with Coverage Reduction | New Missed Lines | %
src/ops.rs | 3 | 30.0%
src/tree.rs | 7 | 72.73%

Totals | Coverage Status
Change from base Build 21907163047: -0.1%
Covered Lines: 278
Relevant Lines: 679

💛 - Coveralls

@renovate renovate bot force-pushed the renovate/crate-git2-vulnerability branch from 2fbbeac to 964def6 on February 12, 2026 15:01
@renovate renovate bot force-pushed the renovate/crate-git2-vulnerability branch from 964def6 to 18aad54 on March 3, 2026 21:01
@renovate renovate bot force-pushed the renovate/crate-git2-vulnerability branch from 18aad54 to 57a3b52 on March 13, 2026 13:32