22299 Commits

Author SHA1 Message Date
Weihang Lo
3c4678d6a9 Update gix to 0.82 (with security fixes and hardened parsers) (#16941)
This seems to have been an eventless update locally.

### Tasks

* [x] pass CI
2026-04-25 04:08:01 +00:00
Sebastian Thiel
9947f12543 Update gix to 0.82 (with security fixes and hardened parsers) 2026-04-25 10:28:27 +08:00
Weihang Lo
eb9b60f1f6 chore: Remove unused deps (#16938)
### What does this PR try to resolve?

Likely won't make an impact to build times since these dependencies are
still used somewhere but they at least make things clearer. Maybe people
using these crates as libraries can benefit.

### How to test and review this PR?

As found by
```
CARGO_LOG=cargo::core::compiler::unused_deps=debug nargo check --workspace
```
2026-04-24 20:52:07 +00:00
Weihang Lo
e5de173a30 feat(compile): Stabilize build.warnings (#16796)
*[View all
comments](https://triagebot.infra.rust-lang.org/gh-comments/rust-lang/cargo/pull/16796)*

### What does this PR try to resolve?

This allows users to either
- hide warnings (#14258)
- error on warnings (#8424)

`build.warnings` serves a similar purpose as `RUSTFLAGS=-Dwarnings` /
`RUSTFLAGS=-Awarnings` but without invalidation caches.

`build.warnings = "deny"` will
- only errors for lint warnings and not hard warnings
- only errors for local warnings and not non-local warnings visible with
`--verbose --verbose`
- stop the build without `--keep-going`

(this matches `RUSTFLAGS=-Dwarnings`)

These conditions were not originally met and also came as feedback from
rust-lang/rust which has been dogfooding this since the merge of
rust-lang/rust#148332.

`build.warnings = "allow"` will
- only hide lint warnings and not hard warnings
  - Note: `RUSTFLAGS=-Awarnings` will suppress rustc hard warnings
- hide non-local warnings for `--verbose --verbose`
- hide the warning summary line (number of warnings per crate)

Closes #14802

### How to test and review this PR?

My main concern over this was how the naming scheme would extend to
https://github.com/rust-lang/rfcs/pull/3730 but that RFC has not gained
much interest

`build` seems as good of a home as any.
2026-04-24 20:35:58 +00:00
Ed Page
4269047090 chore(rustfix): Bump version 2026-04-24 11:35:17 -05:00
Ed Page
bcbe4a7e6d chore: Remove unused deps
As found by
```
CARGO_LOG=cargo::core::compiler::unused_deps=debug nargo check --workspace
```
2026-04-24 11:14:13 -05:00
Weihang Lo
a0fbe93438 cargo clean: do not error if explicitly specified target-dir does not exist (#16934)
Fixes #16925

Regressed in #16712 which added validation for explicitly specified
target directories by checking if they contain a valid `CACHEDIR.TAG`.
This PR makes it so that cargo skips this validation if the target-dir
doesn't exist.
2026-04-23 21:23:15 +00:00
Arlo Siemsen
71390b5724 Revert "feat(lints): Add unused deps ignore list" (#16937)
### What does this PR try to resolve?

This is a follow up to #16935 where we take a different direction for
false positives.
We are now ignoring unused direct deps that are also transitive deps
(technically still used somewhere). This leaves workflows like `curl`
where the `build.rs` dynamically decides what deps to use but that seems
like enough of an exception case to not worry about direct integration
for.
This means we can punt on having an allowlist to decide what approach we
want take from among rust-lang/rfcs#3920

### How to test and review this PR?

This reverts commit b276acc529.
2026-04-23 20:49:03 +00:00
Tanmay Arya
587a8a2b54 cargo clean: do not error if explicit target-dir does not exist 2026-04-24 01:28:01 +05:30
Ed Page
0687a2c7a0 Revert "feat(lints): Add unused deps ignore list"
This reverts commit b276acc529.

This is a follow up to #16935 where we take a different direction for
false positives.
Instead of an allowlist, we will ignore unused direct deps that are also
transitive deps (technically still used somewhere).
This leaves workflows like `curl` where the `build.rs` dynamically
decides what deps to use but that seems like enough of an exception case
to not worry about direct integration for.
2026-04-23 14:38:27 -05:00
Arlo Siemsen
32aa9b5fb0 fix(compile): Ignore unused deps if also transitive (#16935)
### What does this PR try to resolve?

This changes `unused_dependencies` lint to reduce the chance of false
positives while we work out the story of how we want people to response
to false positives (rust-lang/rfcs#3920).

### How to test and review this PR?

My assumption is that I will revert the `ignore` lint control added in
#16600 after this.

Looking at the known cases of false positives, my short term plan is:
- transitive version constraint: don't lint
- transitive feature activation: don't lint
- dynamically used dep (e.g. `build.rs` in `curl`): users must `allow`

Longer term, I'd like to replace this change with either
- `lib = false` from artifact deps
- `cfg(resolver = "versions")`, [#t-cargo > Additional dependency tables
@
💬](https://rust-lang.zulipchat.com/#narrow/channel/246057-t-cargo/topic/Additional.20dependency.20tables/near/590208010)

We can evolve this because the exact nature of warning-by-default lints
is not stable.
2026-04-23 17:58:08 +00:00
Ed Page
944a5403d3 fix(compile): Ignore unused deps if also transitive
This is to reduce false positives without having to ignore them.
In fact, I plan to revert support for `ignore` after this change.
2026-04-23 10:24:37 -05:00
Ed Page
5442d4942a refactor(compile): Track manifest deps in ExternState 2026-04-23 10:24:37 -05:00
Ed Page
36ae25a52c test(lints): Make package selection test resilient against change
This is to ensure these tests still have the intended coverage
regardless of how we work around unused direct deps that are present to
control their transitive presence.
2026-04-23 10:24:37 -05:00
Tanmay Arya
71e941ffc6 cargo clean: add test showing cargo error when explicitely specified target-dir does not exist 2026-04-23 19:03:33 +05:30
Ed Page
c5efee4513 Update rustls (#16932)
This updates:

Updating rustls v0.23.37 -> v0.23.39
Updating rustls-webpki v0.103.10 -> v0.103.13

There were several security fixes in rustls-webki. I don't know if any
of them are important. I don't remember if gix is even using rustls.

- https://github.com/rustls/rustls/releases/tag/v%2F0.23.38
- https://github.com/rustls/rustls/releases/tag/v%2F0.23.39
- https://github.com/rustls/webpki/releases/tag/v%2F0.103.11
- https://github.com/rustls/webpki/releases/tag/v%2F0.103.12
- https://github.com/rustls/webpki/releases/tag/v%2F0.103.13
2026-04-22 22:36:00 +00:00
Eric Huss
d32d631db1 chore(deps): update rust crate openssl to v0.10.78 [security] (#16931)
This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [openssl](https://redirect.github.com/rust-openssl/rust-openssl) |
workspace.dependencies | patch | `0.10.76` → `0.10.78` |

---

### rust-openssl: Unchecked callback length in PSK/cookie trampolines
leaks adjacent memory to peer

[GHSA-hppc-g8h3-xhp3](https://redirect.github.com/advisories/GHSA-hppc-g8h3-xhp3)

<details>
<summary>More information</summary>

#### Details
The FFI trampolines behind `SslContextBuilder::set_psk_client_callback`,
`set_psk_server_callback`, `set_cookie_generate_cb`, and
`set_stateless_cookie_generate_cb` forwarded the user closure's returned
usize directly to OpenSSL without checking it against the `&mut [u8]`
that was handed to the closure. This can lead to buffer overflows and
other unintended consequences.

#### Severity
- CVSS Score: 8.3 / 10 (High)
- Vector String:
`CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:N/VA:L/SC:N/SI:N/SA:N`

#### References
-
[https://github.com/rust-openssl/rust-openssl/security/advisories/GHSA-hppc-g8h3-xhp3](https://redirect.github.com/rust-openssl/rust-openssl/security/advisories/GHSA-hppc-g8h3-xhp3)
-
[https://github.com/rust-openssl/rust-openssl/pull/2607](https://redirect.github.com/rust-openssl/rust-openssl/pull/2607)
-
[1d109020d9)
-
[https://github.com/rust-openssl/rust-openssl/releases/tag/openssl-v0.10.78](https://redirect.github.com/rust-openssl/rust-openssl/releases/tag/openssl-v0.10.78)
-
[https://github.com/advisories/GHSA-hppc-g8h3-xhp3](https://redirect.github.com/advisories/GHSA-hppc-g8h3-xhp3)

This data is provided by the [GitHub Advisory
Database](https://redirect.github.com/advisories/GHSA-hppc-g8h3-xhp3)
([CC-BY
4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).
</details>

---

### rust-openssl: rustMdCtxRef::digest_final() writes past caller buffer
with no length check
[CVE-2026-41681](https://nvd.nist.gov/vuln/detail/CVE-2026-41681) /
[GHSA-ghm9-cr32-g9qj](https://redirect.github.com/advisories/GHSA-ghm9-cr32-g9qj)

<details>
<summary>More information</summary>

#### Details
`EVP_DigestFinal()` always writes `EVP_MD_CTX_size(ctx)` to the `out`
buffer. If `out` is smaller than that, `MdCtxRef::digest_final()` writes
past its end, usually corrupting the stack. This is reachable from safe
Rust.

#### Severity
- CVSS Score: 8.1 / 10 (High)
- Vector String:
`CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U`

#### References
-
[https://github.com/rust-openssl/rust-openssl/security/advisories/GHSA-ghm9-cr32-g9qj](https://redirect.github.com/rust-openssl/rust-openssl/security/advisories/GHSA-ghm9-cr32-g9qj)
-
[https://github.com/rust-openssl/rust-openssl/pull/2608](https://redirect.github.com/rust-openssl/rust-openssl/pull/2608)
-
[826c3888b7)
-
[https://github.com/rust-openssl/rust-openssl/releases/tag/openssl-v0.10.78](https://redirect.github.com/rust-openssl/rust-openssl/releases/tag/openssl-v0.10.78)
-
[https://github.com/advisories/GHSA-ghm9-cr32-g9qj](https://redirect.github.com/advisories/GHSA-ghm9-cr32-g9qj)

This data is provided by the [GitHub Advisory
Database](https://redirect.github.com/advisories/GHSA-ghm9-cr32-g9qj)
([CC-BY
4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).
</details>

---

### rust-openssl has incorrect bounds assertion in aes key wrap
[CVE-2026-41678](https://nvd.nist.gov/vuln/detail/CVE-2026-41678) /
[GHSA-8c75-8mhr-p7r9](https://redirect.github.com/advisories/GHSA-8c75-8mhr-p7r9)

<details>
<summary>More information</summary>

#### Details
##### Summary
``aes::unwrap_key()`` has an incorrect bounds assertion on the out
buffer size, which can lead to out-of-bounds write.

##### Details
``aes::unwrap_key()`` contains an incorrect assertion: it checks that
`out.len() + 8 <= in_.len()`, but this condition is reversed. The
intended invariant is `out.len() >= in_.len() - 8`, ensuring the output
buffer is large enough.

Because of the inverted check, the function only accepts buffers at or
below the minimum required size and rejects larger ones. If a smaller
buffer is provided the function will write past the end of `out` by
`in_.len() - 8 - out.len()` bytes, causing an out-of-bounds write from a
safe public function.

##### Impact
Vulnerable applications using AES keywrap and allowing attacker
controlled buffer sizes could have an attacker trigger an out-of-bounds
write.

#### Severity
- CVSS Score: 7.2 / 10 (High)
- Vector String:
`CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U`

#### References
-
[https://github.com/rust-openssl/rust-openssl/security/advisories/GHSA-8c75-8mhr-p7r9](https://redirect.github.com/rust-openssl/rust-openssl/security/advisories/GHSA-8c75-8mhr-p7r9)
-
[https://github.com/rust-openssl/rust-openssl/pull/2604](https://redirect.github.com/rust-openssl/rust-openssl/pull/2604)
-
[718d07ff8f)
-
[https://github.com/rust-openssl/rust-openssl/releases/tag/openssl-v0.10.78](https://redirect.github.com/rust-openssl/rust-openssl/releases/tag/openssl-v0.10.78)
-
[https://github.com/advisories/GHSA-8c75-8mhr-p7r9](https://redirect.github.com/advisories/GHSA-8c75-8mhr-p7r9)

This data is provided by the [GitHub Advisory
Database](https://redirect.github.com/advisories/GHSA-8c75-8mhr-p7r9)
([CC-BY
4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).
</details>

---

### rust-opennssl has an Out-of-bounds read in PEM password callback
when returning an oversized length
[CVE-2026-41677](https://nvd.nist.gov/vuln/detail/CVE-2026-41677) /
[GHSA-xmgf-hq76-4vx2](https://redirect.github.com/advisories/GHSA-xmgf-hq76-4vx2)

<details>
<summary>More information</summary>

#### Details
The `*_from_pem_callback` APIs did not validate the length returned by
the user's callback. A password callback that returns a value larger
than the buffer it was given can cause some versions of OpenSSL to
over-read this buffer. OpenSSL 3.x is not affected by this.

#### Severity
- CVSS Score: 1.7 / 10 (Low)
- Vector String:
`CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:L/SC:N/SI:N/SA:N/E:U`

#### References
-
[https://github.com/rust-openssl/rust-openssl/security/advisories/GHSA-xmgf-hq76-4vx2](https://redirect.github.com/rust-openssl/rust-openssl/security/advisories/GHSA-xmgf-hq76-4vx2)
-
[https://github.com/rust-openssl/rust-openssl/pull/2605](https://redirect.github.com/rust-openssl/rust-openssl/pull/2605)
-
[5af6895c90)
-
[https://github.com/rust-openssl/rust-openssl/releases/tag/openssl-v0.10.78](https://redirect.github.com/rust-openssl/rust-openssl/releases/tag/openssl-v0.10.78)
-
[https://github.com/advisories/GHSA-xmgf-hq76-4vx2](https://redirect.github.com/advisories/GHSA-xmgf-hq76-4vx2)

This data is provided by the [GitHub Advisory
Database](https://redirect.github.com/advisories/GHSA-xmgf-hq76-4vx2)
([CC-BY
4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).
</details>

---

### rust-openssl: Deriver::derive and PkeyCtxRef::derive can overflow
short buffers on OpenSSL 1.1.1
[CVE-2026-41676](https://nvd.nist.gov/vuln/detail/CVE-2026-41676) /
[GHSA-pqf5-4pqq-29f5](https://redirect.github.com/advisories/GHSA-pqf5-4pqq-29f5)

<details>
<summary>More information</summary>

#### Details
`Deriver::derive` (and `PkeyCtxRef::derive`) sets `len = buf.len()` and
passes it as the in/out length to `EVP_PKEY_derive`, relying on OpenSSL
to honor it. On OpenSSL 1.1.x, X25519, X448, DH and HKDF-extract ignore
the incoming `*keylen`, unconditionally writing the full shared secret
(32/56/prime-size bytes). A caller passing a short slice gets a
heap/stack overflow from safe code. OpenSSL 3.x providers do check, so
this only impacts older OpenSSL.

#### Severity
- CVSS Score: 7.2 / 10 (High)
- Vector String:
`CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U`

#### References
-
[https://github.com/rust-openssl/rust-openssl/security/advisories/GHSA-pqf5-4pqq-29f5](https://redirect.github.com/rust-openssl/rust-openssl/security/advisories/GHSA-pqf5-4pqq-29f5)
-
[https://github.com/rust-openssl/rust-openssl/pull/2606](https://redirect.github.com/rust-openssl/rust-openssl/pull/2606)
-
[09b425e5f5)
-
[https://github.com/rust-openssl/rust-openssl/releases/tag/openssl-v0.10.78](https://redirect.github.com/rust-openssl/rust-openssl/releases/tag/openssl-v0.10.78)
-
[https://github.com/advisories/GHSA-pqf5-4pqq-29f5](https://redirect.github.com/advisories/GHSA-pqf5-4pqq-29f5)

This data is provided by the [GitHub Advisory
Database](https://redirect.github.com/advisories/GHSA-pqf5-4pqq-29f5)
([CC-BY
4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).
</details>

---

### Release Notes

<details>
<summary>rust-openssl/rust-openssl (openssl)</summary>

###
[`v0.10.78`](https://redirect.github.com/rust-openssl/rust-openssl/releases/tag/openssl-v0.10.78)

[Compare
Source](https://redirect.github.com/rust-openssl/rust-openssl/compare/openssl-v0.10.77...openssl-v0.10.78)

#### What's Changed

- Fix Suite B flag assignments in verify.rs by
[@&#8203;alex](https://redirect.github.com/alex) in
[#&#8203;2592](https://redirect.github.com/rust-openssl/rust-openssl/pull/2592)
- Use cvt\_p for OPENSSL\_malloc error handling by
[@&#8203;alex](https://redirect.github.com/alex) in
[#&#8203;2593](https://redirect.github.com/rust-openssl/rust-openssl/pull/2593)
- Mark BIO\_get\_mem\_data on AWS-LC to be unsafe by
[@&#8203;alex](https://redirect.github.com/alex) in
[#&#8203;2594](https://redirect.github.com/rust-openssl/rust-openssl/pull/2594)
- Set timeout for package installation step by
[@&#8203;alex](https://redirect.github.com/alex) in
[#&#8203;2595](https://redirect.github.com/rust-openssl/rust-openssl/pull/2595)
- Panic in Crypter::new when IV is required but not provided by
[@&#8203;alex](https://redirect.github.com/alex) in
[#&#8203;2596](https://redirect.github.com/rust-openssl/rust-openssl/pull/2596)
- openssl 4 support by
[@&#8203;reaperhulk](https://redirect.github.com/reaperhulk) in
[#&#8203;2591](https://redirect.github.com/rust-openssl/rust-openssl/pull/2591)
- Avoid panic for overlong OIDs by
[@&#8203;botovq](https://redirect.github.com/botovq) in
[#&#8203;2598](https://redirect.github.com/rust-openssl/rust-openssl/pull/2598)
- Fix dangling stack pointer in custom extension add callback by
[@&#8203;alex](https://redirect.github.com/alex) in
[#&#8203;2599](https://redirect.github.com/rust-openssl/rust-openssl/pull/2599)
- Add support for LibreSSL 4.3.x by
[@&#8203;botovq](https://redirect.github.com/botovq) in
[#&#8203;2603](https://redirect.github.com/rust-openssl/rust-openssl/pull/2603)
- fix inverted bounds assertion in AES key unwrap by
[@&#8203;reaperhulk](https://redirect.github.com/reaperhulk) in
[#&#8203;2604](https://redirect.github.com/rust-openssl/rust-openssl/pull/2604)
- Reject oversized length returns from password callback trampoline by
[@&#8203;alex](https://redirect.github.com/alex) in
[#&#8203;2605](https://redirect.github.com/rust-openssl/rust-openssl/pull/2605)
- Validate callback-returned lengths in PSK and cookie trampolines by
[@&#8203;alex](https://redirect.github.com/alex) in
[#&#8203;2607](https://redirect.github.com/rust-openssl/rust-openssl/pull/2607)
- Error for short out in MdCtxRef::digest\_final() by
[@&#8203;botovq](https://redirect.github.com/botovq) in
[#&#8203;2608](https://redirect.github.com/rust-openssl/rust-openssl/pull/2608)
- Check derive output buffer length on OpenSSL 1.1.x by
[@&#8203;alex](https://redirect.github.com/alex) in
[#&#8203;2606](https://redirect.github.com/rust-openssl/rust-openssl/pull/2606)
- Release openssl v0.10.78 and openssl-sys v0.9.114 by
[@&#8203;alex](https://redirect.github.com/alex) in
[#&#8203;2609](https://redirect.github.com/rust-openssl/rust-openssl/pull/2609)

**Full Changelog**:
<https://github.com/rust-openssl/rust-openssl/compare/openssl-v0.10.77...openssl-v0.10.78>

###
[`v0.10.77`](https://redirect.github.com/rust-openssl/rust-openssl/releases/tag/openssl-v0.10.77)

[Compare
Source](https://redirect.github.com/rust-openssl/rust-openssl/compare/openssl-v0.10.76...openssl-v0.10.77)

#### What's Changed

- CI: Hash-pin all action usage, avoid credential persistence in
actions/checkout by
[@&#8203;woodruffw](https://redirect.github.com/woodruffw) in
[#&#8203;2587](https://redirect.github.com/rust-openssl/rust-openssl/pull/2587)
- Bump aws-lc-sys to 0.39 by
[@&#8203;goffrie](https://redirect.github.com/goffrie) in
[#&#8203;2588](https://redirect.github.com/rust-openssl/rust-openssl/pull/2588)
- md\_ctx: enable sign/verify/reset on BoringSSL, LibreSSL, and AWS-LC
by [@&#8203;alex](https://redirect.github.com/alex) in
[#&#8203;2589](https://redirect.github.com/rust-openssl/rust-openssl/pull/2589)
- Release openssl v0.10.77 and openssl-sys v0.9.113 by
[@&#8203;alex](https://redirect.github.com/alex) in
[#&#8203;2590](https://redirect.github.com/rust-openssl/rust-openssl/pull/2590)

#### New Contributors

- [@&#8203;woodruffw](https://redirect.github.com/woodruffw) made their
first contribution in
[#&#8203;2587](https://redirect.github.com/rust-openssl/rust-openssl/pull/2587)

**Full Changelog**:
<https://github.com/rust-openssl/rust-openssl/compare/openssl-v0.10.76...openssl-v0.10.77>

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - ""
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/rust-lang/cargo).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xMzkuNCIsInVwZGF0ZWRJblZlciI6IjQzLjEzOS40IiwidGFyZ2V0QnJhbmNoIjoibWFzdGVyIiwibGFiZWxzIjpbXX0=-->
2026-04-22 22:09:20 +00:00
Eric Huss
61a5231349 Update rustls
This updates:

Updating rustls v0.23.37 -> v0.23.39
Updating rustls-webpki v0.103.10 -> v0.103.13

There were several security fixes in rustls-webki. I don't know if any
of them are important. I don't remember if gix is even using rustls.

https://github.com/rustls/rustls/releases/tag/v%2F0.23.38
https://github.com/rustls/rustls/releases/tag/v%2F0.23.39

https://github.com/rustls/webpki/releases/tag/v%2F0.103.11
https://github.com/rustls/webpki/releases/tag/v%2F0.103.12
https://github.com/rustls/webpki/releases/tag/v%2F0.103.13
2026-04-22 15:03:02 -07:00
renovate[bot]
60a1f11ab3 chore(deps): update rust crate openssl to v0.10.78 [security] 2026-04-22 21:35:39 +00:00
Weihang Lo
6264f746c0 chore(build-rs): Ensure we lint the crate (#16930)
### What does this PR try to resolve?

This is to resolve warnings from `-Zcargo-lints`

### How to test and review this PR?
2026-04-22 21:00:51 +00:00
Ed Page
8f01f76af1 chore(build-rs): Bump version 2026-04-22 15:28:57 -05:00
Ed Page
113e01fb06 chore(build-rs): Ensure we lint the crate
This is to resolve warnings from `-Zcargo-lints`
2026-04-22 14:56:27 -05:00
Weihang Lo
c4dabdc363 Fix flaky test: proc_macro_in_artifact_dep (#16922)
Sometimes cargo will attempt to download `pm` before `bin-uses-pm`,
which causes the expected error to occur before the `[DOWNLOADED]`
message is printed.

Since the test doesn't care about downloading `pm`, we can exclude this
case by matching `...`.
2026-04-21 23:00:00 +00:00
Arlo Siemsen
1758c891f5 Fix flaky test: proc_macro_in_artifact_dep 2026-04-21 17:22:26 -05:00
Weihang Lo
dede9f5f6b refactor(compile): Log all ignored unused externs (#16920)
### What does this PR try to resolve?

Shoring up the logging we do for unused dependency lints to help with
debugging and profiling.

This could also be useful for users to get more insight on things we
can't or won't show, like helping hunt down features to deactivate to
reduce unused dependencies (e.g. `cli` on `pulldown-cmark`) or removing
transitively unused dependencies.

### How to test and review this PR?

Running this on `cargo` itself:
```console
$ CARGO_LOG=cargo::core::compiler::unused_deps=debug nargo check
...
   2.537113285s debug emit_unused_warnings: cargo::core::compiler::unused_deps: pkg crypto-common v0.1.6 (normal): ignoring unused extern `typenum`, untracked dependent
   2.537569241s debug emit_unused_warnings: cargo::core::compiler::unused_deps: pkg heapless v0.8.0 (normal): ignoring unused extern `stable_deref_trait`, untracked dependent
   2.537758659s debug emit_unused_warnings: cargo::core::compiler::unused_deps: pkg faster-hex v0.10.0 (normal): ignoring unused extern `heapless`, untracked dependent
   2.537984665s debug emit_unused_warnings: cargo::core::compiler::unused_deps: pkg gix-date v0.15.1 (normal): ignoring unused extern `bstr`, untracked dependent
   2.538312867s debug emit_unused_warnings: cargo::core::compiler::unused_deps: pkg gix-object v0.58.0 (normal): ignoring unused extern `gix_hashtable`, untracked dependent
   2.538704975s debug emit_unused_warnings: cargo::core::compiler::unused_deps: pkg gix-tempfile v21.0.2 (normal): ignoring unused extern `libc`, untracked dependent
   2.538762374s debug emit_unused_warnings: cargo::core::compiler::unused_deps: pkg gix-tempfile v21.0.2 (normal): ignoring unused extern `parking_lot`, untracked dependent
   2.539010269s debug emit_unused_warnings: cargo::core::compiler::unused_deps: pkg gix-commitgraph v0.35.0 (normal): ignoring unused extern `bstr`, untracked dependent
   2.539205527s debug emit_unused_warnings: cargo::core::compiler::unused_deps: pkg libnghttp2-sys v0.1.13+1.68.1 (normal): ignoring unused extern `libc`, untracked dependent
   2.539597903s debug emit_unused_warnings: cargo::core::compiler::unused_deps: pkg curl-sys v0.4.87+curl-8.19.0 (normal): ignoring unused extern `libnghttp2_sys`, untracked dependent
   2.539654548s debug emit_unused_warnings: cargo::core::compiler::unused_deps: pkg curl-sys v0.4.87+curl-8.19.0 (normal): ignoring unused extern `libz_sys`, untracked dependent
   2.539711192s debug emit_unused_warnings: cargo::core::compiler::unused_deps: pkg curl-sys v0.4.87+curl-8.19.0 (normal): ignoring unused extern `openssl_sys`, untracked dependent
   2.540319246s debug emit_unused_warnings: cargo::core::compiler::unused_deps: pkg curl v0.4.49 (normal): ignoring unused extern `openssl_probe`, untracked dependent
   2.540373049s debug emit_unused_warnings: cargo::core::compiler::unused_deps: pkg curl v0.4.49 (normal): ignoring unused extern `openssl_sys`, untracked dependent
   2.540811522s debug emit_unused_warnings: cargo::core::compiler::unused_deps: pkg gix-index v0.49.0 (normal): ignoring unused extern `gix_fs`, untracked dependent
   2.541504178s debug emit_unused_warnings: cargo::core::compiler::unused_deps: pkg gix-revision v0.43.0 (normal): ignoring unused extern `gix_commitgraph`, untracked dependent
   2.541560742s debug emit_unused_warnings: cargo::core::compiler::unused_deps: pkg gix-revision v0.43.0 (normal): ignoring unused extern `nonempty`, untracked dependent
   2.541873702s debug emit_unused_warnings: cargo::core::compiler::unused_deps: pkg nix v0.30.1 (normal): ignoring unused extern `bitflags`, lint is allowed
   2.542548816s debug emit_unused_warnings: cargo::core::compiler::unused_deps: pkg nom v7.1.3 (normal): ignoring unused extern `minimal_lexical`, lint is allowed
   2.542935941s debug emit_unused_warnings: cargo::core::compiler::unused_deps: pkg gix-negotiate v0.29.0 (normal): ignoring unused extern `gix_commitgraph`, untracked dependent
   2.542989018s debug emit_unused_warnings: cargo::core::compiler::unused_deps: pkg gix-negotiate v0.29.0 (normal): ignoring unused extern `gix_object`, untracked dependent
   2.543198046s debug emit_unused_warnings: cargo::core::compiler::unused_deps: pkg tracing-subscriber v0.3.23 (normal): ignoring unused extern `once_cell`, lint is allowed
   2.543249959s debug emit_unused_warnings: cargo::core::compiler::unused_deps: pkg tracing-subscriber v0.3.23 (normal): ignoring unused extern `regex_automata`, lint is allowed
   2.543640436s debug emit_unused_warnings: cargo::core::compiler::unused_deps: pkg git2 v0.20.4 (normal): ignoring unused extern `openssl_sys`, untracked dependent
   2.544004330s debug emit_unused_warnings: cargo::core::compiler::unused_deps: pkg regex v1.12.3 (normal): ignoring unused extern `aho_corasick`, lint is allowed
   2.544419766s debug emit_unused_warnings: cargo::core::compiler::unused_deps: pkg futures v0.3.32 (normal): ignoring unused extern `futures_task`, lint is allowed
   2.544564859s debug emit_unused_warnings: cargo::core::compiler::unused_deps: pkg gix v0.81.0 (normal): ignoring unused extern `gix_revision`, untracked dependent
   2.544617049s debug emit_unused_warnings: cargo::core::compiler::unused_deps: pkg gix v0.81.0 (normal): ignoring unused extern `prodash`, untracked dependent
   2.544779907s debug emit_unused_warnings: cargo::core::compiler::unused_deps: pkg rustfix v0.9.6 (normal): ignoring unused extern `tracing`, untracked dependent
    Finished `dev` profile [unoptimized + debuginfo] target(s) in 2.54s

```

Doesn't work too well for `--all-targets` because we don't support dev
targets at the moment, so we don't track which externs came from
dependencies vs dev-dependencies.

Also, of note that I found while doing this that confused me at first is
that we don't fingerprint `-Zcargo-lints`, so users can have stale
caches with no unused externs "reported" by rustc to cargo.
2026-04-21 21:29:56 +00:00
Ed Page
4bcdfc16d5 refactor(compile): Track all unused externs 2026-04-21 11:24:19 -05:00
Ed Page
f2051935a9 refactor(compile): Track when there are needed units 2026-04-21 11:24:17 -05:00
Ed Page
afd955f5e3 refactor(compile): Narrow the scope of some variables 2026-04-21 11:22:22 -05:00
Ed Page
765e77e76a refactor(compile): Improve traces for outstanding dep 2026-04-21 11:22:03 -05:00
Ed Page
b9d07c7337 refactor(compile): Trace allowed unused externs 2026-04-21 10:51:18 -05:00
Weihang Lo
06ac0e7c05 test(git): add regression test for full-hash GitHub fast path (#16919)
### What does this PR try to resolve?

Follow-up coverage for #13946, which fixed #13555

That fix restored the early return in `github_fast_path` for full commit
hashes, but it did not add a direct test for this path. If this guard
gets removed in a later refactor, CI would not catch it very directly.

I first looked at adding this in the testsuite, but the existing GitHub
fast-path coverage uses the public network, and the GitHub API URL is
built directly in the code. So i went with a small unit test for the
early-return path instead.

### How to test and review this PR?

```bash
cargo +1.95 test --lib github_fast_path_full_hash_returns_needs_fetch
cargo +1.95 fmt --check --all
```
2026-04-21 15:33:56 +00:00
Weihang Lo
da3f639369 fix(help): add .1 extension to man page temp file (#16917)
Fixes #16910

Add `.1` suffix to the temp file when spawning `man` so platforms like
NetBSD recognize it as a man page.
2026-04-21 15:27:43 +00:00
Vastargazing
c9ac306257 test(git): add regression test for full-hash fast path (#13555) 2026-04-21 17:48:02 +03:00
Ed Page
756c3acf11 refactor(compile): Improve trace for ignored dep 2026-04-21 08:41:22 -05:00
Ed Page
d5a6b4e521 refactor(compile): Trace correct number of outstanding units 2026-04-21 08:41:22 -05:00
Ed Page
cf14a70c76 refactor(compile): Log unused externs 2026-04-21 08:38:56 -05:00
Ed Page
0c2c5b5ada refactor(compile): Log the top-level unused dep operations 2026-04-21 08:26:20 -05:00
Ed Page
e9f069c98e refactor(compile): Be consistent with variable name 2026-04-21 08:25:43 -05:00
Raushan Kumar
67e895acc5 fix(help): add .1 extension to man page temp file (#16910) 2026-04-21 06:56:22 +00:00
Raushan Kumar
4b39274b9e test(help): add test for man page temp file extension (#16910) 2026-04-21 06:52:34 +00:00
Arlo Siemsen
da18b72991 Fix flaky test: sparse_blocking_count (#16916)
The two dependencies `dep1` and `dep2` are fetched and downloaded at the
same time, leading to nondeterministic output in the test.

Fix this issue by replacing dep1 and dep2 with [..]

Additionally, sometimes the pending request count can be less than the
number of queued requests if the requests finish before the resolver
restarts.

Fix this issue by replacing the pending request count with [..] unless
it's zero, which is stable.
2026-04-21 02:09:48 +00:00
Arlo Siemsen
f894f5763a Fix flaky test: sparse_blocking_count
The two dependencies `dep1` and `dep2` are fetched and downloaded at the
same time, leading to nondeterministc output in the test.

Fix this issue by using `unordered()`.

Additionally, sometimes the pending request count can be less than the
number of queued requests if the requests finish before the resolver
restarts.

Fix this issue by replacing the pending request count with [..] unless
it's zero, which is stable.
2026-04-20 20:35:47 -05:00
Weihang Lo
49b14fe6c5 Fix flaky test compile_offline_while_transitive_dep_not_cached (#16915)
The new async crate downloader is less deterministic in the order of
downloaded crates. In this test, the setup is to have bar download
successfully, but baz not be available. Then attempt to do a check with
--offline. In the flaky failure case, the setup would be wrong, and
neither bar nor baz would be available because it attempted to download
baz first and failed.

This changes the setup for the test to download both crates, then remove
baz from the cache before testing with --offline
2026-04-21 00:56:32 +00:00
Eric Huss
6c6a37e12b Fix test fetch_all_platform_dependencies_when_no_target_is_given (#16914)
This test was randomly failing because the order that cargo prints the
completion of `d1` and `d2` is not deterministic.

I suspect this is a result of
https://github.com/rust-lang/cargo/pull/16898 which can cause the
parallel fetches to finish in different orders.

This is fixed with `.unordered()` because the order these are printed
isn't important.
2026-04-21 00:40:53 +00:00
Arlo Siemsen
d774658502 Fix flaky test compile_offline_while_transitive_dep_not_cached
The new async crate downloader is less deterministic in the order of
downloaded crates. In this test, the setup is to have bar download
successfully, but baz not be available. Then attempt to do a check with
--offline. In the flaky failure case, the setup would be wrong, and
neither bar nor baz would be available.

This changes the setup for the test to download both crates, then
remove baz from the cache before testing with --offline
2026-04-20 19:20:17 -05:00
Eric Huss
2efe042b3b Fix test fetch_all_platform_dependencies_when_no_target_is_given
This test was randomly failing because the order that cargo prints the
completion of `d1` and `d2` is not deterministic.

I suspect this is a result of
https://github.com/rust-lang/cargo/pull/16898 which can cause the
parallel fetches to finish in different orders.

This is fixed with `.unordered()` because the order these are printed
isn't important.
2026-04-20 15:38:27 -07:00
Eric Huss
862f60b27a chore(ci): Use actions/deploy-pages for Cargo Contributor Guide deployment (#16876)
This replaces the `gh-pages` git branch deployment with the official
`actions/upload-pages-artifact` and `actions/deploy-pages` actions.

It requires changing the repository's Pages settings from "Deploy from a
branch" to "GitHub Actions" as described also in
https://github.com/rust-lang/rfcs/pull/3419, which has used a similar
setup for a while now.

I've tested the `build` job in my forked repo and verified that the
artifact contents match the current content of the `gh-pages` branch. I
did not test the `deploy` job with my fork repo, but since it is the
same as in e.g. the `rfcs` repo I don't expect any issues from that.
2026-04-20 22:27:01 +00:00
Ed Page
d503637e30 feat: Stabilize build.warnings
This allows users to either
- hide warnings (#14258)
- error on warnings (#8424)

`build.warnings` is setup to mirror the behavior of `RUSTFLAGS=-Dwarnings`,
including
- only errors for lint warnings and not hard warnings
- only errors for local warnings and not non-local warnings visible with
  `--verbose --verbose`
- stop the build without `--keep-going`

These conditions were not originally met and also came as feedback from
rust-lang/rust which has been dogfooding this since the merge of rust-lang/rust#148332.

Things are a bit different with `RUSTFLAGS=-Awarnings`:
- Hard warnings are hidden for rustc but not cargo (rustc seems in the
  wrong imo)
  - In particular, we shouldn't mask the edition warning for Cargo
    Script
- both hide the warning summary line (number of warnings per crate)
- both hide non-local warnings for `--verbose --verbose`

One design constraint we are operating on with this is that changing
`build.warnings` should not cause a rebuild, unlike a `RUSTFLAGS`
solution.

Closes #14802
2026-04-20 16:33:37 -05:00
Weihang Lo
6307456e9a Convert GitHub fast path to use http_async (#16912)
### What does this PR try to resolve?

- Add a new `request_blocking` function to the `http_async` module. This
function does not start an executor and runs the request on the current
thread, preventing #16860
- Migrates the GitHub fastpath to use the blocking http_async client.

cc #16845

### How to test and review this PR?

Commit by commit. All commits pass tests.
2026-04-20 21:06:40 +00:00
Tobias Bieniek
732417aa2c chore(ci): Remove CNAME file generation from ci/generate.py
`CNAME` files are apparently ignored if GitHub Pages are deployed via GitHub Actions and instead the custom domain needs to be set in the repository settings.
2026-04-20 20:49:10 +02:00