frewsxcv / rust-crates-index

Rust library for retrieving and interacting with the crates.io index
https://docs.rs/crates-index/
Apache License 2.0
72 stars 37 forks

Transitive dependency on smartstring causing cargo audit to crash #92

Closed suchapalaver closed 1 year ago

suchapalaver commented 1 year ago

Hi, I hope someone can help me. I'm really stuck. My application runs cargo-checkmate in CI as a GitHub Actions workflow and is crashing while calling smartstring-0.2.10/src/inline.rs:41 during the cargo audit stage:

Run cargo-checkmate audit
  cargo-checkmate audit
  shell: /usr/bin/bash -e {0}
    Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
      Loaded 488 security advisories (from /home/runner/.cargo/advisory-db)
    Updating crates.io index
    Scanning Cargo.lock for vulnerabilities (522 crate dependencies)
The application panicked (crashed).
Message:  assertion failed: len <= MAX_INLINE
Location: /home/runner/.cargo/registry/src/github.com-1ecc6299db9ec823/smartstring-0.2.10/src/inline.rs:41

Here's a RUST_BACKTRACE from the GitHub workflow:

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ BACKTRACE ━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
                          (8 post panic frames hidden)                          
 8: core::panicking::panic::h341545107301821d
    at /rustc/fc594f15669680fa70d255faec3ca3fb507c3405/library/core/src/panicking.rs:111
 9: smartstring::inline::InlineString::as_str::h2f436ff3a0499514
    at <unknown source file>
10: <crates_index::Dependency as core::hash::Hash>::hash::h75ca30c41649ca5e
    at <unknown source file>
11: <alloc::sync::Arc<T> as core::hash::Hash>::hash::h18591eafbb654c18
    at <unknown source file>
12: core::hash::BuildHasher::hash_one::h9d15d8789e7bfe25
    at <unknown source file>
13: crates_index::Crate::from_slice::h32a2c259f4ed0e40
    at <unknown source file>
14: crates_index::Index::crate_::hfde629462100dfa9
    at <unknown source file>
15: rustsec::registry::Index::find::h3df6d0baf318d121
    at <unknown source file>
16: cargo_audit::auditor::Auditor::audit::h6bb94a7d7fec80fa
    at <unknown source file>
17: <cargo_audit::commands::audit::AuditCommand as abscissa_core::runnable::Runnable>::run::h82fe50a3d086b018
    at <unknown source file>
18: abscissa_core::application::Application::run::h0fdf1ee0b4a92fc1
    at <unknown source file>

Trying to figure this out, it's been suggested here and here that the issue is a transitive dependency on smartstring. Thanks for any help.
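The question underneath this report is which package in the lock file pulls smartstring into the build. As an added example (not code from crates-index, cargo-audit or cargo-checkmate), the program below parses the `[[package]]` entries of a Cargo.lock and walks the reverse-dependency graph from a target crate up to the root packages, printing each chain. The embedded lock file is constructed for the example; apart from smartstring 0.2.10 from the log above, every name and version in it is a placeholder.

```rust
// Added example, not code from crates-index or cargo-audit: find every chain
// root -> ... -> target in a Cargo.lock, to see who pulls a crate in transitively.
use std::collections::{BTreeMap, BTreeSet};

/// One `[[package]]` table from Cargo.lock: name, version and direct dependency names.
#[derive(Debug, Default, Clone, PartialEq, Eq)]
pub struct Package {
    pub name: String,
    pub version: String,
    pub deps: Vec<String>,
}

/// Minimal line-oriented parser for Cargo.lock: reads name, version and the
/// `dependencies = [ ... ]` list of each `[[package]]`; other keys are ignored.
pub fn parse_lock(lock: &str) -> Vec<Package> {
    let mut packages = Vec::new();
    let mut current: Option<Package> = None;
    let mut in_deps = false;
    for raw in lock.lines() {
        let line = raw.trim();
        if line == "[[package]]" {
            if let Some(p) = current.take() {
                packages.push(p);
            }
            current = Some(Package::default());
            in_deps = false;
            continue;
        }
        let Some(pkg) = current.as_mut() else { continue };
        if in_deps {
            if line.starts_with(']') {
                in_deps = false;
                continue;
            }
            // Entries look like "name", "name 1.2.3" or "name 1.2.3 (source)";
            // the crate name is always the first token.
            let entry = line.trim_end_matches(',').trim_matches('"');
            if let Some(name) = entry.split_whitespace().next() {
                pkg.deps.push(name.to_string());
            }
        } else if let Some(v) = line.strip_prefix("name = ") {
            pkg.name = v.trim_matches('"').to_string();
        } else if let Some(v) = line.strip_prefix("version = ") {
            pkg.version = v.trim_matches('"').to_string();
        } else if line.starts_with("dependencies = [") {
            in_deps = !line.ends_with(']'); // a one-line `[]` has no entries to read
        }
    }
    if let Some(p) = current {
        packages.push(p);
    }
    packages
}

/// Every chain root -> ... -> target, top-down, as lists of crate names.
/// A root is a package that nothing else in the lock file depends on.
pub fn chains_to(packages: &[Package], target: &str) -> Vec<Vec<String>> {
    if !packages.iter().any(|p| p.name == target) {
        return Vec::new();
    }
    // Reverse edges: dependency -> set of packages that depend on it.
    let mut rev: BTreeMap<&str, BTreeSet<&str>> = BTreeMap::new();
    for p in packages {
        for d in &p.deps {
            rev.entry(d.as_str()).or_default().insert(p.name.as_str());
        }
    }
    let mut out = Vec::new();
    let mut path = vec![target.to_string()];
    walk_up(&rev, &mut path, &mut out);
    out
}

fn walk_up(rev: &BTreeMap<&str, BTreeSet<&str>>, path: &mut Vec<String>, out: &mut Vec<Vec<String>>) {
    let here = path.last().cloned().unwrap_or_default();
    match rev.get(here.as_str()) {
        // Nothing depends on `here`: it is a root, so emit the chain top-down.
        None => {
            let mut chain = path.clone();
            chain.reverse();
            out.push(chain);
        }
        Some(parents) => {
            for parent in parents {
                if path.iter().any(|p| p == parent) {
                    continue; // cycle guard (e.g. dev-dependency loops)
                }
                path.push(parent.to_string());
                walk_up(rev, path, out);
                path.pop();
            }
        }
    }
}

/// Constructed sample lock file; versions other than smartstring 0.2.10 are placeholders.
pub const SAMPLE_LOCK: &str = r#"
# constructed sample, not a real Cargo.lock
version = 3

[[package]]
name = "crates-index"
version = "0.0.0-placeholder"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "smartstring",
]

[[package]]
name = "my-app"
version = "0.0.0-placeholder"
dependencies = [
 "crates-index",
 "serde",
]

[[package]]
name = "serde"
version = "0.0.0-placeholder"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "smartstring"
version = "0.2.10"
source = "registry+https://github.com/rust-lang/crates.io-index"
"#;

fn main() {
    let packages = parse_lock(SAMPLE_LOCK);
    for chain in chains_to(&packages, "smartstring") {
        println!("{}", chain.join(" -> ")); // my-app -> crates-index -> smartstring
    }
}
```

On a real checkout, `cargo tree -i smartstring` prints the same inverted view directly; the hand-rolled walker is useful when you want to run the check inside a CI job or audit tool without invoking cargo, or to apply it to a lock file from an artifact you did not build yourself.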

kornelski commented 1 year ago

The current version of crates-index uses smartstring 1.x, but this error comes from smartstring 0.2.

Just in case, I've yanked old versions of crates-index that used smartstring 0.2.

kornelski commented 1 year ago

Oof, actually smartstring 1.x has the same code that looks like it's relying on internal layout of String, which probably changed in Rust 1.67. I'll replace the dependency.
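The failure mode described here, reading `String`'s private fields and asserting an invariant deep inside an accessor, is worth contrasting with a representation that owns its layout. The block below is an added example, not smartstring's code and not a reproduction of it: a fixed-capacity inline string that tracks its own length, checks `len <= MAX_INLINE` in a fallible constructor instead of an assertion, and falls back to a heap `String` when the input does not fit. `MAX_INLINE`, `InlineStr`, `SmallStr` and `TooLong` are names chosen for this example.

```rust
// Added example, not smartstring's code: a small-string type that never reads
// std::string::String's private fields, so a std layout change cannot break it.
use std::mem::size_of;

/// Constructed capacity for the example (keeps InlineStr at 24 bytes on 64-bit targets).
pub const MAX_INLINE: usize = 23;

/// Inline storage with an explicit length; the buffer is ours, not borrowed from String.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct InlineStr {
    len: u8,
    buf: [u8; MAX_INLINE],
}

/// Returned to the caller when the input does not fit, instead of panicking.
#[derive(Debug, PartialEq, Eq)]
pub struct TooLong {
    pub len: usize,
}

impl InlineStr {
    /// Fallible constructor: the `len <= MAX_INLINE` invariant is checked once here
    /// and reported as an error, so `as_str` never has to assert it.
    pub fn try_from_str(s: &str) -> Result<Self, TooLong> {
        let bytes = s.as_bytes();
        if bytes.len() > MAX_INLINE {
            return Err(TooLong { len: bytes.len() });
        }
        let mut buf = [0u8; MAX_INLINE];
        buf[..bytes.len()].copy_from_slice(bytes);
        Ok(InlineStr { len: bytes.len() as u8, buf })
    }

    /// Only whole `&str` values are ever copied in, so the prefix is valid UTF-8.
    pub fn as_str(&self) -> &str {
        std::str::from_utf8(&self.buf[..self.len as usize]).expect("buffer holds valid UTF-8")
    }
}

/// Small-string-optimised value: inline when it fits, heap otherwise. Long inputs
/// are handled, not asserted away, and neither variant depends on String internals.
pub enum SmallStr {
    Inline(InlineStr),
    Heap(String),
}

impl SmallStr {
    pub fn new(s: &str) -> Self {
        match InlineStr::try_from_str(s) {
            Ok(inline) => SmallStr::Inline(inline),
            Err(_) => SmallStr::Heap(s.to_owned()),
        }
    }

    pub fn as_str(&self) -> &str {
        match self {
            SmallStr::Inline(i) => i.as_str(),
            SmallStr::Heap(h) => h.as_str(),
        }
    }

    pub fn is_inline(&self) -> bool {
        matches!(self, SmallStr::Inline(_))
    }
}

fn main() {
    // Same size as String on 64-bit targets, but with a layout this crate controls.
    println!("String: {} bytes, InlineStr: {} bytes", size_of::<String>(), size_of::<InlineStr>());
    for input in ["short", "€ fits inline too", &"x".repeat(MAX_INLINE + 1)] {
        let v = SmallStr::new(input);
        println!("{:?} inline={}", v.as_str(), v.is_inline());
    }
}
```

The design point is where the invariant lives: a constructor that returns `Result` puts the `len <= MAX_INLINE` decision at the boundary where the caller can choose a fallback, whereas an assertion in `as_str` turns any mismatch between assumed and actual layout into a process-wide panic, which is what took the audit job down above.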

kornelski commented 1 year ago

I've released v0.19.1 without smartstring.

djc commented 1 year ago

> Oof, actually smartstring 1.x has the same code that looks like it's relying on internal layout of String, which probably changed in Rust 1.67. I'll replace the dependency.

What code are you referring to? I'd like to investigate this a little since I still have some stuff that depends on smartstring.