rust-cli / env_logger

A logging implementation for `log` which is configured via an environment variable.
https://docs.rs/env_logger
Apache License 2.0

Regex version out of date, perhaps run a cargo upgrade? #230

Closed Zageron closed 1 year ago

Zageron commented 2 years ago

GitHub audit is reporting a vulnerability with the current version of regex in this package. Could either enable dependabot, or run a cargo upgrade pass. I would make a PR, but there are a lot of active PRs with no progress.

@KodrAus @mainrs

Thanks!

friedman-ionq commented 2 years ago

This also resolves a second audit vulnerability -- namely https://github.com/advisories/GHSA-9hpw-r23r-xgm5 (Data race in Iter and IterMut) as regex 1.4.4 drops the thread_local dependency.

mainrs commented 2 years ago

Not sure why I did not receive any dependabot security alerts. Seems like my mail filters are off... I approved the PR for the fix and it runs through CI right now. If everything works out I'll push to main.

What is the best approach for publishing a new version to crates.io? Would it make sense to yank every old version due to the security vulnerability? Pinging @jplatte since he is more involved in the ecosystem and knows the best practices :)

Sorry for the long delay.

jplatte commented 2 years ago

No, please don't yank anything. There isn't even an actual problem here: the version constraint we have now will be resolved to the latest 1.x.y by cargo unless there is already a lockfile in the downstream project (which can be updated with cargo update).

I'm not opposed to the version bump, but let's not pretend it fixes some security issue when all it maybe does is make it easier for people who have a lockfile but never update it other than through Cargo.toml changes (which is a horrible idea...) to get the latest regex version...

jplatte commented 2 years ago

Documented here: https://doc.rust-lang.org/cargo/reference/specifying-dependencies.html#specifying-dependencies-from-cratesio
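The resolution behaviour jplatte describes (a caret requirement accepting any compatible 1.x.y, a fresh resolve picking the newest match, and an existing Cargo.lock pinning the old version until `cargo update`) as an added worked example. This is illustrative code written for this page, not env_logger's manifest or Cargo's resolver; the requirement `"1.3"` and every version other than the 1.4.4 mentioned in the thread are constructed assumptions.

```rust
// Added example: Cargo's default (caret) version requirements and lockfile
// pinning, modelled in plain Rust. Not Cargo's code; versions are constructed.

#[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord)]
pub struct Version {
    pub major: u64,
    pub minor: u64,
    pub patch: u64,
}

impl Version {
    /// Parses "1.4.4" into a Version; None on malformed input.
    pub fn parse(s: &str) -> Option<Version> {
        let mut it = s.trim().split('.').map(|p| p.parse::<u64>().ok());
        let major = it.next()??;
        let minor = it.next()??;
        let patch = it.next()??;
        if it.next().is_some() {
            return None;
        }
        Some(Version { major, minor, patch })
    }
}

/// A caret requirement such as `regex = "1.3"` (equivalent to "^1.3"),
/// stored as an inclusive lower and exclusive upper bound.
#[derive(Debug, Clone, Copy)]
pub struct CaretReq {
    pub min: Version,
    pub max: Version,
}

impl CaretReq {
    pub fn parse(req: &str) -> Option<CaretReq> {
        let body = req.trim().trim_start_matches('^');
        let parts = body
            .split('.')
            .map(|p| p.parse::<u64>().ok())
            .collect::<Option<Vec<u64>>>()?;
        if parts.is_empty() || parts.len() > 3 {
            return None;
        }
        let major = parts[0];
        let minor = parts.get(1).copied();
        let patch = parts.get(2).copied();
        let min = Version { major, minor: minor.unwrap_or(0), patch: patch.unwrap_or(0) };
        // Caret rule: updates may not change the leftmost non-zero component that
        // was written; if every written component is zero, the last one is bumped.
        let max = if major > 0 {
            Version { major: major + 1, minor: 0, patch: 0 }
        } else if let Some(mi) = minor {
            if mi > 0 {
                Version { major: 0, minor: mi + 1, patch: 0 }
            } else if let Some(p) = patch {
                Version { major: 0, minor: 0, patch: p + 1 }
            } else {
                Version { major: 0, minor: 1, patch: 0 }
            }
        } else {
            Version { major: 1, minor: 0, patch: 0 }
        };
        Some(CaretReq { min, max })
    }

    pub fn matches(&self, v: Version) -> bool {
        v >= self.min && v < self.max
    }
}

/// Newest available version satisfying the requirement: what a fresh resolve
/// (no Cargo.lock yet) selects. None if nothing matches.
pub fn resolve_newest(req: &CaretReq, available: &[Version]) -> Option<Version> {
    available.iter().copied().filter(|v| req.matches(*v)).max()
}

/// Lockfile behaviour from the thread: a locked version that still satisfies the
/// requirement is kept as-is; only `cargo update` or a changed requirement moves it.
pub fn resolve_with_lock(req: &CaretReq, locked: Option<Version>, available: &[Version]) -> Option<Version> {
    match locked {
        Some(v) if req.matches(v) => Some(v),
        _ => resolve_newest(req, available),
    }
}

/// Constructed stand-in for the published versions on crates.io. 1.4.4 is the
/// release named in the thread; the other entries are made up for the example.
pub fn sample_versions() -> Vec<Version> {
    ["1.3.0", "1.3.9", "1.4.3", "1.4.4", "2.0.0"]
        .iter()
        .filter_map(|s| Version::parse(s))
        .collect()
}

fn main() {
    let avail = sample_versions();
    let req = CaretReq::parse("1.3").expect("valid requirement");
    println!("fresh resolve of \"1.3\": {:?}", resolve_newest(&req, &avail));
    println!(
        "locked at 1.3.9, no cargo update: {:?}",
        resolve_with_lock(&req, Version::parse("1.3.9"), &avail)
    );
}
```

The point the thread makes falls out of the two resolve functions: bumping the requirement in Cargo.toml only matters for a downstream project whose lockfile still names an old version, and `cargo update` (modelled here as passing `None` for the lock) gets the same result without any upstream release.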

mainrs commented 2 years ago

Glad I pinged you! Thanks for explaining! I wasn't aware that it isn't a fixed version. Bumping the version seems like a good idea nonetheless.