renovatebot / renovate

Home of the Renovate CLI: Cross-platform Dependency Automation by Mend.io
https://mend.io/renovate
GNU Affero General Public License v3.0

Strange Rust remediation PR #15342

Closed rarkins closed 2 years ago

rarkins commented 2 years ago

How are you running Renovate?

WhiteSource Renovate hosted app on github.com

If you're self-hosting Renovate, tell us what version of Renovate you run.

No response

Please select which platform you are using if self-hosting.

No response

If you're self-hosting Renovate, tell us what version of the platform you run.

No response

Was this something which used to work for you, and then stopped?

I never saw this working

Describe the bug

Renovate raises a Lock file maintenance [SECURITY] PR with branch renovate/rust-vulnerability.

Relevant debug logs

Logs

```json
{
  "matchDatasources": ["undefined"],
  "matchPackageNames": ["crossbeam-utils"],
  "matchCurrentVersion": "= 0.7.2",
  "matchFiles": ["Cargo.lock"],
  "allowedVersions": "0.8.7",
  "prBodyNotes": [
    "### GitHub Vulnerability Alerts",
    "#### [CVE-2022-23639](https://github.com/crossbeam-rs/crossbeam/security/advisories/GHSA-qc84-gqf4-9926)\n\n### Impact\n\nThe affected version of this crate incorrectly assumed that the alignment of `{i,u}64` was always the same as `Atomic{I,U}64`. \n\nHowever, the alignment of `{i,u}64` on a 32-bit target can be smaller than `Atomic{I,U}64`.\n\nThis can cause the following problems:\n\n- Unaligned memory accesses\n- Data race\n\nCrates using `fetch_*` methods with `AtomicCell<{i,u}64>` are affected by this issue.\n\n32-bit targets without `Atomic{I,U}64` and 64-bit targets are not affected by this issue.\n32-bit targets with `Atomic{I,U}64` and `{i,u}64` have the same alignment are also not affected by this issue.\n\nThe following is a complete list of the builtin targets that may be affected. (last update: nightly-2022-02-11)\n\n- armv7-apple-ios (tier 3)\n- armv7s-apple-ios (tier 3)\n- i386-apple-ios (tier 3)\n- i586-unknown-linux-gnu\n- i586-unknown-linux-musl\n- i686-apple-darwin (tier 3)\n- i686-linux-android\n- i686-unknown-freebsd\n- i686-unknown-haiku (tier 3)\n- i686-unknown-linux-gnu\n- i686-unknown-linux-musl\n- i686-unknown-netbsd (tier 3)\n- i686-unknown-openbsd (tier 3)\n- i686-wrs-vxworks (tier 3)\n\n([script to get list](https://gist.github.com/taiki-e/3c7891e8c5f5e0cbcb44d7396aabfe10))\n\n### Patches\n\nThis has been fixed in crossbeam-utils 0.8.7.\n\nAffected 0.8.x releases have been yanked.\n\n### References\n\nhttps://github.com/crossbeam-rs/crossbeam/pull/781 "
  ],
  "isVulnerabilityAlert": true,
  "force": {
    "groupName": null,
    "schedule": "[Circular]",
    "dependencyDashboardApproval": false,
    "rangeStrategy": "update-lockfile",
    "commitMessageSuffix": "[SECURITY]",
    "branchTopic": "{{{datasource}}}-{{{depName}}}-vulnerability",
    "prCreation": "immediate"
  }
}
```

Have you created a minimal reproduction repository?

No reproduction, but I have linked to a public repo where it occurs
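The advisory quoted in the debug log above describes code that assumed `{i,u}64` and `Atomic{I,U}64` always share the same alignment, which fails on some 32-bit targets. As an added example that is not part of this issue, of Renovate or of the crossbeam crates, the Rust below shows how to verify that assumption on the current target and how to check a concrete field's address before treating it as atomic rather than assuming it; `Record`, `same_alignment`, `counter_is_atomic_aligned` and `atomic_fast_path_allowed` are names constructed for the illustration.

```rust
use std::mem::align_of;
use std::sync::atomic::{AtomicI64, AtomicU64};

/// True when a plain integer type and its atomic counterpart have the same
/// alignment. The quoted advisory describes code that assumed this always
/// holds; on targets such as i686 `u64` is 4-byte aligned while `AtomicU64`
/// requires 8, so a `&u64` is not necessarily a valid `&AtomicU64`.
pub fn same_alignment<T, A>() -> bool {
    align_of::<T>() == align_of::<A>()
}

/// Alignment report for the two pairs the advisory names.
/// Each entry: (label, plain alignment, atomic alignment, matches).
pub fn alignment_report() -> Vec<(&'static str, usize, usize, bool)> {
    vec![
        (
            "i64/AtomicI64",
            align_of::<i64>(),
            align_of::<AtomicI64>(),
            same_alignment::<i64, AtomicI64>(),
        ),
        (
            "u64/AtomicU64",
            align_of::<u64>(),
            align_of::<AtomicU64>(),
            same_alignment::<u64, AtomicU64>(),
        ),
    ]
}

/// Constructed example struct (assumption, not from the issue): on a
/// 32-bit x86 target `counter` sits at offset 4 with 4-byte alignment, so
/// it is only 8-byte aligned by accident of where the struct is placed.
#[repr(C)]
pub struct Record {
    pub tag: u32,
    pub counter: u64,
}

/// Runtime check that must hold before `&Record::counter` could be viewed
/// as an `&AtomicU64`: test the actual address instead of assuming the
/// alignments agree.
pub fn counter_is_atomic_aligned(r: &Record) -> bool {
    let addr = &r.counter as *const u64 as usize;
    addr % align_of::<AtomicU64>() == 0
}

/// Target-level guard: only use an "reinterpret the plain integer as an
/// atomic" fast path when both alignments match on this target.
pub fn atomic_fast_path_allowed() -> bool {
    same_alignment::<u64, AtomicU64>() && same_alignment::<i64, AtomicI64>()
}

fn main() {
    for (label, plain, atomic, ok) in alignment_report() {
        println!("{label}: align_of plain = {plain}, atomic = {atomic}, matches = {ok}");
    }
    let r = Record { tag: 1, counter: 42 };
    println!(
        "Record.counter 8-byte aligned here: {}",
        counter_is_atomic_aligned(&r)
    );
    println!(
        "atomic fast path allowed on this target: {}",
        atomic_fast_path_allowed()
    );
}
```

Run it with `cargo run --target i686-unknown-linux-gnu` (toolchain and target installed) to see the mismatch the advisory lists; on a 64-bit host both pairs report a match, which is why the bug was invisible there.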

renovate-release commented 2 years ago

:tada: This issue has been resolved in version 32.32.7 :tada:

The release is available on:

Your semantic-release bot :package::rocket: