security(deps): update time crate to 0.3.47 to fix RUSTSEC-2026-0009#8026
Summary of Changes

Hello @jdx, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed! This pull request primarily focuses on enhancing security and improving dependency management within the project. It includes a critical security update for the
Pull request overview
This PR updates the time crate from v0.3.46 to v0.3.47 to address security vulnerability RUSTSEC-2026-0009, which could allow denial of service attacks through stack exhaustion when parsing RFC 2822 formatted input. However, the provided diffs show unrelated changes to lockfile handling logic rather than dependency updates.
Changes:
- Refactored `mise lock` command to use a two-pass approach for handling local and non-local lockfiles
- Updated lockfile path determination logic to support separate local and non-local configurations
- Added comprehensive test coverage for local lockfile functionality
Reviewed changes
Copilot reviewed 2 out of 3 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| src/cli/lock.rs | Implements two-pass lockfile processing to separate local and non-local tools into distinct lockfiles |
| e2e/cli/test_lock_local_config | Adds end-to-end tests verifying tools are written to correct lockfiles based on source configuration |
src/cli/lock.rs (Outdated)

```rust
}
// Two-pass approach: first non-local (mise.lock), then local (mise.local.lock).
// With --local, only the local pass runs.
let passes: &[bool] = if self.local { &[true] } else { &[false, true] };
```
Using boolean values in an array to represent local vs non-local passes makes the code harder to understand. Consider using an enum (e.g., enum LockfilePass { NonLocal, Local }) to make the intent clearer and improve type safety.
e2e/cli/test_lock_local_config (Outdated)

```bash
# Test that `mise lock` writes tools to the correct lockfile based on their source config.
# Tools from mise.toml should go to mise.lock, tools from mise.local.toml to mise.local.lock.
```
The purpose of setting MISE_LOCKFILE=1 is unclear. Add a comment explaining why this environment variable is needed for the test.
```bash
# Enable lockfile mode explicitly so this test does not depend on the default behavior and
# ensures `mise lock` actually writes mise.lock and mise.local.lock for the assertions below.
```
3cf10f7 to 9fe0b37
Updates time crate from 0.3.46 to 0.3.47 to address a DoS vulnerability via stack exhaustion when parsing RFC 2822 formatted input. The fix adds a limit to the depth of recursion.

Advisory: https://rustsec.org/advisories/RUSTSEC-2026-0009

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
9fe0b37 to 5f2197e
Code Review
This pull request updates the time crate to address a security vulnerability and refactors the mise lock command to correctly handle local and non-local lockfiles. The changes look solid, and the new e2e test for the lock command is a great addition.
I've added a couple of suggestions to improve the robustness of error handling when determining the current working directory. These changes will prevent silent failures and make potential issues easier to debug.
src/cli/lock.rs (162)
Using unwrap_or_default() on current_dir() can hide errors and lead to unexpected behavior if getting the current directory fails (e.g., if the directory was deleted). Using expect() will cause a panic with a clear error message, which is safer than potentially writing files to an incorrect location.
```rust
.expect("failed to get current directory")
```
src/cli/lock.rs (213)
Similar to the other current_dir() call, using unwrap_or_default() here can hide errors. Using expect() provides a more robust failure mode by panicking with a descriptive message if the current directory cannot be determined.
```rust
.unwrap_or_else(|| std::env::current_dir().expect("failed to get current directory"));
```
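The two review threads above, the enum-instead-of-bool suggestion for the two-pass loop and the `current_dir()` error handling, can be seen together in one small Rust example. This is added illustration, not code from the mise repository: `LockfilePass`, `passes`, `lockfile_path_silent` and `lockfile_path_checked` are names chosen here, and the lockfile names are the ones the PR discusses. The checked variant propagates the `io::Error` with context rather than calling `expect()`, which is one way to get the non-silent failure the reviewer asks for while leaving the exit decision to the caller.

```rust
use std::io;
use std::path::PathBuf;

/// Which lockfile a pass writes to. An enum instead of a bool makes the
/// two-pass loop self-describing (the Copilot suggestion above).
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum LockfilePass {
    NonLocal,
    Local,
}

impl LockfilePass {
    /// File name this pass writes (names as discussed in the PR).
    pub fn file_name(self) -> &'static str {
        match self {
            LockfilePass::NonLocal => "mise.lock",
            LockfilePass::Local => "mise.local.lock",
        }
    }
}

/// Passes to run: with --local only the local pass; otherwise both, non-local first.
pub fn passes(local_only: bool) -> &'static [LockfilePass] {
    if local_only {
        &[LockfilePass::Local]
    } else {
        &[LockfilePass::NonLocal, LockfilePass::Local]
    }
}

/// The pattern the reviewer objects to. `cwd` is passed in as a Result so the
/// failure case can be exercised in a test without deleting a directory.
/// On error `unwrap_or_default()` yields an empty base path, so the function
/// returns a bare relative "mise.lock" and the caller never learns anything went wrong.
pub fn lockfile_path_silent(cwd: io::Result<PathBuf>, pass: LockfilePass) -> PathBuf {
    cwd.unwrap_or_default().join(pass.file_name())
}

/// Hardened form: attach context and propagate the error instead of
/// silently falling back (or panicking); the caller decides how to exit.
pub fn lockfile_path_checked(cwd: io::Result<PathBuf>, pass: LockfilePass) -> io::Result<PathBuf> {
    let base = cwd.map_err(|e| {
        io::Error::new(e.kind(), format!("failed to get current directory: {e}"))
    })?;
    Ok(base.join(pass.file_name()))
}

fn main() -> io::Result<()> {
    // Full (non --local) run: non-local pass first, then local.
    for pass in passes(false) {
        let path = lockfile_path_checked(std::env::current_dir(), *pass)?;
        println!("{pass:?} -> {}", path.display());
    }
    Ok(())
}
```

Run with `cargo run` in a scratch crate; the test below simulates a failed `current_dir()` and checks that the silent variant hands back a relative `mise.lock` while the checked variant returns an error.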
Hyperfine Performance

| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| mise-2026.2.5 x -- echo | 22.0 ± 0.3 | 21.6 | 25.1 | 1.00 |
| mise x -- echo | 22.6 ± 0.8 | 22.0 | 32.2 | 1.03 ± 0.04 |

mise env

| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| mise-2026.2.5 env | 21.4 ± 0.3 | 21.0 | 25.0 | 1.00 |
| mise env | 21.7 ± 0.2 | 21.3 | 22.6 | 1.01 ± 0.02 |

mise hook-env

| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| mise-2026.2.5 hook-env | 22.3 ± 0.3 | 21.9 | 25.2 | 1.00 |
| mise hook-env | 22.8 ± 0.7 | 22.0 | 33.7 | 1.02 ± 0.04 |

mise ls

| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| mise-2026.2.5 ls | 20.2 ± 0.8 | 19.7 | 35.2 | 1.00 |
| mise ls | 20.5 ± 0.3 | 20.0 | 25.9 | 1.01 ± 0.04 |
xtasks/test/perf
| Command | mise-2026.2.5 | mise | Variance |
|---|---|---|---|
| install (cached) | 118ms | 118ms | +0% |
| ls (cached) | 74ms | 74ms | +0% |
| bin-paths (cached) | 79ms | 79ms | +0% |
| task-ls (cached) | 563ms | 563ms | +0% |
### 🚀 Features
- **(env)** add shell-style variable expansion in env values by @jdx in [#8029](#8029)
- **(list)** add --all-sources flag to list command by @TylerHillery in [#8019](#8019)

### 🐛 Bug Fixes
- **(gem)** Windows support for gem backend by @my1e5 in [#8031](#8031)
- **(gem)** revert gem.rs script newline change by @my1e5 in [#8034](#8034)
- **(lock)** write tools to lockfile matching their source config by @jdx in [#8012](#8012)
- **(ls)** sort sources deterministically in --all-sources output by @jdx in [#8037](#8037)
- **(task)** auto-install tools from mise.toml for file tasks by @jdx in [#8030](#8030)

### 📚 Documentation
- fix wrong positions of `mise run` flags by @muzimuzhi in [#8036](#8036)

### 📦️ Dependency Updates
- update ghcr.io/jdx/mise:copr docker digest to 3e00d7d by @renovate[bot] in [#8023](#8023)
- update ghcr.io/jdx/mise:alpine docker digest to 0ced1b3 by @renovate[bot] in [#8022](#8022)

### 📦 Registry
- add tirith ([github:sheeki03/tirith](https://github.com/sheeki03/tirith)) by @sheeki03 in [#8024](#8024)
- add mas by @TyceHerrman in [#8032](#8032)

### Security
- **(deps)** update time crate to 0.3.47 to fix RUSTSEC-2026-0009 by @jdx in [#8026](#8026)

### New Contributors
- @sheeki03 made their first contribution in [#8024](#8024)
- @TylerHillery made their first contribution in [#8019](#8019)

## 📦 Aqua Registry Updates

#### New Packages (1)
- [`kubernetes-sigs/kubectl-validate`](https://github.com/kubernetes-sigs/kubectl-validate)

#### Updated Packages (6)
- [`flux-iac/tofu-controller/tfctl`](https://github.com/flux-iac/tofu-controller/tfctl)
- [`gogs/gogs`](https://github.com/gogs/gogs)
- [`j178/prek`](https://github.com/j178/prek)
- [`syncthing/syncthing`](https://github.com/syncthing/syncthing)
- [`tuist/tuist`](https://github.com/tuist/tuist)
- [`yaml/yamlscript`](https://github.com/yaml/yamlscript)
…dx#8026)

## Summary
- Updates `time` crate from v0.3.46 to v0.3.47 to fix RUSTSEC-2026-0009
- Also updates `time-macros` from v0.2.26 to v0.2.27 (dependency)

## Details
The time crate v0.3.46 has a security vulnerability (RUSTSEC-2026-0009) that allows a Denial of Service attack via stack exhaustion when parsing RFC 2822 formatted input. The vulnerability relies on formally deprecated and rarely-used features that can be used maliciously.

Version 0.3.47 adds a limit to the depth of recursion, which prevents the stack exhaustion attack and returns an error instead.

## Advisory
- Advisory: https://rustsec.org/advisories/RUSTSEC-2026-0009
- Changelog: https://github.com/time-rs/time/blob/main/CHANGELOG.md#0347-2026-02-05

## Test plan
- [x] `cargo update -p time` successfully updates to v0.3.47
- [x] All lint checks pass
- [ ] CI checks pass

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---
> [!NOTE]
> **Low Risk**
> Lockfile-only dependency bump; behavior changes should be limited to `time` parsing internals, with minimal surface-area impact beyond potential edge-case parsing differences.
>
> **Overview**
> Updates the Rust `time` crate from `0.3.46` to `0.3.47` (and `time-macros` from `0.2.26` to `0.2.27`) via `Cargo.lock` to pick up the latest upstream fixes for the referenced security advisory.
>
> <sup>Written by [Cursor Bugbot](https://cursor.com/dashboard?tab=bugbot) for commit 5f2197e. This will update automatically on new commits. Configure [here](https://cursor.com/dashboard?tab=bugbot).</sup>

Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com>
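The fix the description refers to is a bound on recursion depth. As an added illustration (not the `time` crate's code, and not the advisory's exact construct, which this page does not name), the Rust below applies that guard to a recursive skipper for RFC 2822/5322 nested comments, `( ... ( ... ) ... )`, one of the recursive constructs in that grammar. Each `(` costs one stack frame, so without a bound the depth is controlled entirely by the input; with the bound, nesting past `MAX_COMMENT_DEPTH` yields `ParseError::TooDeep` instead of growing the stack. `MAX_COMMENT_DEPTH`, `skip_comment`, `strip_comments`, `nested` and the sample header values are names and inputs constructed for this example.

```rust
/// Errors from the comment skipper.
#[derive(Debug, PartialEq)]
pub enum ParseError {
    /// Nesting exceeded MAX_COMMENT_DEPTH: the resource-exhaustion guard.
    TooDeep,
    /// Input ended inside an open comment.
    Unterminated,
}

/// Maximum comment nesting accepted. The value is an assumption for this
/// example; what matters is that it is finite and independent of input length.
pub const MAX_COMMENT_DEPTH: usize = 16;

/// Skip one comment starting at `pos` (which must point at '(') and return the
/// index just past the matching ')'. Recurses once per nested '(' but refuses
/// to go deeper than MAX_COMMENT_DEPTH, so stack use is bounded.
fn skip_comment(input: &[u8], mut pos: usize, depth: usize) -> Result<usize, ParseError> {
    if depth >= MAX_COMMENT_DEPTH {
        return Err(ParseError::TooDeep);
    }
    debug_assert_eq!(input[pos], b'(');
    pos += 1;
    while pos < input.len() {
        match input[pos] {
            b'\\' => pos += 2, // quoted-pair: the escaped byte is not structural
            b'(' => pos = skip_comment(input, pos, depth + 1)?,
            b')' => return Ok(pos + 1),
            _ => pos += 1,
        }
    }
    Err(ParseError::Unterminated)
}

/// Remove all comments from a header value and collapse the whitespace left
/// behind, e.g. "Tue, (nested (comment)) 1 Jul" -> "Tue, 1 Jul".
/// Slicing is safe: '(' and the byte after ')' are ASCII, hence char boundaries.
pub fn strip_comments(input: &str) -> Result<String, ParseError> {
    let bytes = input.as_bytes();
    let mut out = String::with_capacity(input.len());
    let (mut pos, mut seg_start) = (0, 0);
    while pos < bytes.len() {
        if bytes[pos] == b'(' {
            out.push_str(&input[seg_start..pos]);
            pos = skip_comment(bytes, pos, 0)?;
            seg_start = pos;
        } else {
            pos += 1;
        }
    }
    out.push_str(&input[seg_start..]);
    Ok(out.split_whitespace().collect::<Vec<_>>().join(" "))
}

/// Constructed test input: `depth` opening parens followed by `depth` closing ones.
pub fn nested(depth: usize) -> String {
    format!("{}{}", "(".repeat(depth), ")".repeat(depth))
}

fn main() {
    // A realistic RFC 2822 date with a trailing zone comment parses cleanly.
    println!("{:?}", strip_comments("Tue, 1 Jul 2003 10:52:37 +0200 (CEST)"));
    // Pathological nesting is rejected at depth 16, long before the stack is touched.
    println!("{:?}", strip_comments(&nested(100_000)));
}
```

The same bound can be expressed iteratively with an explicit depth counter instead of recursion; either way the property to check in review is that depth is capped by a constant, not by the length of attacker-supplied input.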