changelog: add link to CVE-2023-40030

Weihang Lo 2023-08-24 18:14:15 +01:00
parent 35814255a1
commit f975722a0e
No known key found for this signature in database
GPG Key ID: D7DBF189825E82E7

@ -191,10 +191,11 @@
### Changed
- ❗ Turned feature name validation check to a hard error. The warning was
added in Rust 1.49. These extended characters aren't allowed on crates.io, so
this should only impact users of other registries, or people who don't publish
to a registry.
- [CVE-2023-40030](https://github.com/rust-lang/cargo/security/advisories/GHSA-wrrj-h57r-vx9p):
Malicious dependencies can inject arbitrary JavaScript into cargo-generated timing reports.
To mitigate this, feature name validation check is now turned into a hard error.
The warning was added in Rust 1.49. These extended characters aren't allowed on crates.io,
so this should only impact users of other registries, or people who don't publish to a registry.
[#12291](https://github.com/rust-lang/cargo/pull/12291)
- Cargo now warns when an edition 2021 package is in a virtual workspace and
`workspace.resolver` is not set. It is recommended to set the resolver
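Review bot: the ❗ breaking-change marker on the replaced bullet ("❗ Turned feature name validation check to a hard error") is dropped from the rewritten CVE-2023-40030 bullet, even though it records the same user-visible change (a warning promoted to a hard error that can break builds for users of other registries or of unpublished crates). Keep the marker on the new bullet so readers scanning the Changed section still see it flagged, e.g. `- ❗ [CVE-2023-40030](https://github.com/rust-lang/cargo/security/advisories/GHSA-wrrj-h57r-vx9p):`. Minor wording in the same bullet: "feature name validation check is now turned into a hard error" reads better as "the feature name validation check is now a hard error", and the sentence order would be clearer as vulnerability, mitigation, then the Rust 1.49 history and the crates.io note, so the impact statement follows directly from the mitigation rather than from the warning history.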