Bumps [rustls-webpki](https://github.com/rustls/webpki) from 0.103.9 to 0.103.10.

<details>
<summary>Release notes</summary>
<p><em>Sourced from <a href="https://github.com/rustls/webpki/releases">rustls-webpki's releases</a>.</em></p>
<blockquote>
<h2>0.103.10</h2>
<p><strong>Correct selection of candidate CRLs by Distribution Point and Issuing Distribution Point</strong>. If a certificate had more than one <code>distributionPoint</code>, then only the first <code>distributionPoint</code> would be considered against each CRL's <code>IssuingDistributionPoint</code> <code>distributionPoint</code>, and then the certificate's subsequent <code>distributionPoint</code>s would be ignored.</p>
<p>The impact was that correct provided CRLs would not be consulted to check revocation. With <code>UnknownStatusPolicy::Deny</code> (the default) this would lead to incorrect but safe <code>Error::UnknownRevocationStatus</code>. With <code>UnknownStatusPolicy::Allow</code> this would lead to inappropriate acceptance of revoked certificates.</p>
<p>This vulnerability is thought to be of limited impact. This is because both the certificate and CRL are signed -- an attacker would need to compromise a trusted issuing authority to trigger this bug. An attacker with such capabilities could likely bypass revocation checking through other more impactful means (such as publishing a valid, empty CRL.)</p>
<p>More likely, this bug would be latent in normal use, and an attacker could leverage faulty revocation checking to continue using a revoked credential.</p>
<p>This vulnerability is identified by <a href="https://github.com/rustls/webpki/security/advisories/GHSA-pwjx-qhcg-rvj4">GHSA-pwjx-qhcg-rvj4</a>. Thank you to <a href="https://github.com/1seal"><code>@1seal</code></a> for the report.</p>
<h2>What's Changed</h2>
<ul>
<li>Freshen up rel-0.103 by <a href="https://github.com/ctz"><code>@ctz</code></a> in <a href="https://redirect.github.com/rustls/webpki/pull/455">rustls/webpki#455</a></li>
<li>Prepare 0.103.10 by <a href="https://github.com/ctz"><code>@ctz</code></a> in <a href="https://redirect.github.com/rustls/webpki/pull/458">rustls/webpki#458</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a href="https://github.com/rustls/webpki/compare/v/0.103.9...v/0.103.10">https://github.com/rustls/webpki/compare/v/0.103.9...v/0.103.10</a></p>
</blockquote>
</details>

<details>
<summary>Commits</summary>
<ul>
<li><a href="348ce01c01"><code>348ce01</code></a> Prepare 0.103.10</li>
<li><a href="dbde592116"><code>dbde592</code></a> crl: fix authoritative_for() support for multiple URIs</li>
<li><a href="9c4838e612"><code>9c4838e</code></a> avoid std::prelude imports</li>
<li><a href="009ef667e3"><code>009ef66</code></a> fix rust 1.94 ambiguous panic macro warnings</li>
<li><a href="c41360d095"><code>c41360d</code></a> build(deps): bump taiki-e/cache-cargo-install-action from 2 to 3</li>
<li><a href="e401d0083d"><code>e401d00</code></a> generate.py: reformat for black 2026.1.0</li>
<li><a href="06cedecbf6"><code>06cedec</code></a> Take semver-compatible deps</li>
<li>See full diff in <a href="https://github.com/rustls/webpki/compare/v/0.103.9...v/0.103.10">compare view</a></li>
</ul>
</details>
<br />

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.
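The CRL selection behaviour described in the release notes above, as an added example that is not part of the PR or of rustls-webpki's code. It is a simplified model: the `Cert`, `Crl`, `Policy` and `Outcome` types, both matching functions and the `crl.example` URIs are assumptions made for illustration, and signature checks are left out.

```rust
// Simplified model; every type is a local stand-in for this example, not rustls-webpki's API.
#[derive(Debug, PartialEq, Clone, Copy)]
enum Policy { Deny, Allow } // stands in for UnknownStatusPolicy::{Deny, Allow}
#[derive(Debug, PartialEq)]
enum Outcome { Accepted, Revoked, UnknownRevocationStatus }

// A certificate lists zero or more distribution points, each a set of URIs.
struct Cert { serial: u32, distribution_points: Vec<Vec<&'static str>> }
// A CRL names the distribution point it is issued for and the revoked serials.
struct Crl { idp_uris: Vec<&'static str>, revoked: Vec<u32> }

// Pre-fix behaviour as the release notes describe it: only the certificate's
// first distributionPoint is compared with the CRL's IssuingDistributionPoint.
fn authoritative_first_only(crl: &Crl, cert: &Cert) -> bool {
    cert.distribution_points.first()
        .map_or(false, |dp| dp.iter().any(|u| crl.idp_uris.contains(u)))
}

// Corrected behaviour: a match on any distributionPoint selects the CRL.
fn authoritative_any(crl: &Crl, cert: &Cert) -> bool {
    cert.distribution_points.iter()
        .any(|dp| dp.iter().any(|u| crl.idp_uris.contains(u)))
}

fn check(cert: &Cert, crls: &[Crl], policy: Policy, auth: fn(&Crl, &Cert) -> bool) -> Outcome {
    match crls.iter().find(|&c| auth(c, cert)) {
        Some(crl) if crl.revoked.contains(&cert.serial) => Outcome::Revoked,
        Some(_) => Outcome::Accepted,
        None if policy == Policy::Deny => Outcome::UnknownRevocationStatus,
        None => Outcome::Accepted, // Allow: unknown status is treated as good
    }
}

// Constructed sample: revoked serial 7, two distribution points, one CRL issued for the second.
fn sample() -> (Cert, Vec<Crl>) {
    let cert = Cert { serial: 7, distribution_points: vec![
        vec!["http://crl.example/a.crl"], vec!["http://crl.example/b.crl"]] };
    (cert, vec![Crl { idp_uris: vec!["http://crl.example/b.crl"], revoked: vec![7] }])
}

fn main() {
    let (cert, crls) = sample();
    for policy in [Policy::Deny, Policy::Allow] {
        println!("{:?}: first-only={:?} any={:?}", policy,
            check(&cert, &crls, policy, authoritative_first_only),
            check(&cert, &crls, policy, authoritative_any));
    }
}
```

With the first-only match the supplied CRL is never selected, so the outcome depends entirely on the unknown-status policy; with the any-match the revoked certificate is rejected under both policies.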
Cargo
Cargo downloads your Rust project’s dependencies and compiles your project.
To start using Cargo, learn more at The Cargo Book.
To start developing Cargo itself, read the Cargo Contributor Guide.
The Cargo binary distributed with Rust is maintained by the Cargo team for use by the wider ecosystem. For all other uses of this crate (as a binary or library), it is maintained by the Cargo team primarily for use by Cargo and is not intended for external use (except as a transitive dependency). This crate may make major changes to its APIs.
Code Status
Code documentation: https://doc.rust-lang.org/nightly/nightly-rustc/cargo/
Compiling from Source
Requirements
Cargo requires the following tools and packages to build:
- `cargo` and `rustc`
- A C compiler for your platform
- `git` (to clone this repository)
Other requirements:
The following are optional based on your platform and needs.
- `pkg-config` — This is used to help locate system packages, such as `libssl` headers/libraries. This may not be required in all cases, such as using vendored OpenSSL, or on Windows.
- OpenSSL — Only needed on Unix-like systems and only if the `vendored-openssl` Cargo feature is not used.

  This requires the development headers, which can be obtained from the `libssl-dev` package on Ubuntu or `openssl-devel` with apk or yum or the `openssl` package from Homebrew on macOS.

  If using the `vendored-openssl` Cargo feature, then a static copy of OpenSSL will be built from source instead of using the system OpenSSL. This may require additional tools such as `perl` and `make`.

  On macOS, common installation directories from Homebrew, MacPorts, or pkgsrc will be checked. Otherwise it will fall back to `pkg-config`.

  On Windows, the system-provided Schannel will be used instead.

  LibreSSL is also supported.
Optional system libraries:
The build will automatically use vendored versions of the following libraries. However, if they are provided by the system and can be found with pkg-config, then the system libraries will be used instead:
- `libcurl` — Used for network transfers.
- `libgit2` — Used for fetching git dependencies.
- `libssh2` — Used for SSH access to git repositories.
- `libz` (AKA zlib) — Used by the above C libraries for data compression. (Rust code uses `zlib-rs` instead.)
It is recommended to use the vendored versions as they are the versions that are tested to work with Cargo.
Compiling
First, you'll want to check out this repository:
git clone https://github.com/rust-lang/cargo.git
cd cargo
With cargo already installed, you can simply run:
cargo build --release
Adding new subcommands to Cargo
Cargo is designed to be extensible with new subcommands without having to modify Cargo itself. See the Wiki page for more details and a list of known community-developed subcommands.
Releases
Cargo releases coincide with Rust releases. High level release notes are available as part of Rust's release notes. Detailed release notes are available in the changelog.
Reporting issues
Found a bug? We'd love to know about it!
Please report all issues on the GitHub issue tracker.
Contributing
See the Cargo Contributor Guide for a complete introduction to contributing to Cargo.
License
Cargo is primarily distributed under the terms of both the MIT license and the Apache License (Version 2.0).
See LICENSE-APACHE and LICENSE-MIT for details.
Third party software
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (https://www.openssl.org/).
In binary form, this product includes software that is licensed under the terms of the GNU General Public License, version 2, with a linking exception, which can be obtained from the upstream repository.
See LICENSE-THIRD-PARTY for details.