diff --git a/CHANGELOG.md b/CHANGELOG.md index d8d938056a..243516246c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -19,6 +19,7 @@ ## Other - Bump MSRV to 1.88, update `time` crate to 0.3.47 to fix RUSTSEC-2026-0009, see #3581 (@NORMAL-EX) +- Replace unmaintained `bincode` dependency with `postcard` to address RUSTSEC-2025-0141, see #3595 (@IMaloney) ## Syntaxes diff --git a/Cargo.lock b/Cargo.lock index 6684e40b14..1276390d3c 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -96,6 +96,15 @@ dependencies = [ "wait-timeout", ] +[[package]] +name = "atomic-polyfill" +version = "1.0.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "8cf2bce30dfe09ef0bfaef228b9d414faaf7e563035494d7fe092dba54b300f4" +dependencies = [ + "critical-section", +] + [[package]] name = "autocfg" version = "1.4.0" @@ -115,7 +124,6 @@ dependencies = [ "ansi_colours", "anyhow", "assert_cmd", - "bincode", "bugreport", "bytesize", "clap", @@ -138,6 +146,7 @@ dependencies = [ "once_cell", "path_abs", "plist", + "postcard", "predicates", "prettyplease", "proc-macro2", @@ -221,6 +230,12 @@ version = "1.21.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "ef657dfab802224e671f5818e9a4935f9b1957ed18e58292690cc39e7a4092a3" +[[package]] +name = "byteorder" +version = "1.5.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "1fd0f2584146f6f2ef48085050886acf353beff7305ebd1ae69500e27c67f64b" + [[package]] name = "bytesize" version = "1.3.0" @@ -288,6 +303,15 @@ dependencies = [ "windows 0.56.0", ] +[[package]] +name = "cobs" +version = "0.3.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "0fa961b519f0b462e3a3b4a34b64d119eeaca1d59af726fe450bbba07a9fc0a1" +dependencies = [ + "thiserror 2.0.16", +] + [[package]] name = "colorchoice" version = "1.0.3" 
@@ -331,6 +355,12 @@ dependencies = [ "cfg-if", ] +[[package]] +name = "critical-section" +version = "1.2.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "790eea4361631c5e7d22598ecd5723ff611904e3344ce8720784c93e3d83d40b" + [[package]] name = "crossbeam-channel" version = "0.5.15" @@ -476,6 +506,18 @@ version = "1.13.0" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "60b1af1c220855b6ceac025d3f6ecdd2b7c4894bfe9cd9bda4fbb4bc7c0d4cf0" +[[package]] +name = "embedded-io" +version = "0.4.0" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "ef1a6892d9eef45c8fa6b9e0086428a2cca8491aca8f787c534a3d6d0bcb3ced" + +[[package]] +name = "embedded-io" +version = "0.6.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "edd0f118536f44f5ccd48bcb8b111bdc3de888b58c74639dfb034a357d0f206d" + [[package]] name = "encode_unicode" version = "1.0.0" @@ -702,6 +744,15 @@ dependencies = [ "winapi-util", ] +[[package]] +name = "hash32" +version = "0.2.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "b0c35f58762feb77d74ebe43bdbc3210f09be9fe6742234d573bacc26ed92b67" +dependencies = [ + "byteorder", +] + [[package]] name = "hashbrown" version = "0.14.5" @@ -714,6 +765,20 @@ version = "0.16.1" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "841d1cc9bed7f9236f321df977030373f4a4163ae1a7dbfe1a51a2c1a51d9100" +[[package]] +name = "heapless" +version = "0.7.17" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "cdc6457c0eb62c71aac4bc17216026d8410337c4126773b9c5daba343f17964f" +dependencies = [ + "atomic-polyfill", + "hash32", + "rustc_version", + "serde", + "spin", + "stable_deref_trait", +] + [[package]] name = "icu_collections" version = "1.5.0" 
@@ -1169,6 +1234,19 @@ dependencies = [ "time", ] +[[package]] +name = "postcard" +version = "1.1.3" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6764c3b5dd454e283a30e6dfe78e9b31096d9e32036b5d1eaac7a6119ccb9a24" +dependencies = [ + "cobs", + "embedded-io 0.4.0", + "embedded-io 0.6.1", + "heapless", + "serde", +] + [[package]] name = "powerfmt" version = "0.2.0" @@ -1309,6 +1387,15 @@ dependencies = [ "bytemuck", ] +[[package]] +name = "rustc_version" +version = "0.4.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "cfcb3a22ef46e85b45de6ee7e79d063319ebb6594faafcf1c225ea92ab6e9b92" +dependencies = [ + "semver", +] + [[package]] name = "rustix" version = "0.38.43" @@ -1525,6 +1612,15 @@ version = "1.13.2" source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "3c5e1a9a646d36c3599cd173a41282daf47c44583ad367b8e6837255952e5c67" +[[package]] +name = "spin" +version = "0.9.8" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "6980e8d7511241f8acf4aebddbb1ff938df5eebe98691418c4468d0b72a96a67" +dependencies = [ + "lock_api", +] + [[package]] name = "stable_deref_trait" version = "1.2.0" diff --git a/Cargo.toml b/Cargo.toml index 4a2025cb00..65c6ec6c15 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -44,7 +44,7 @@ regex-fancy = ["syntect/regex-fancy"] # Use the rust-only "fancy-regex" engine [dependencies] nu-ansi-term = "0.50.3" ansi_colours = "^1.2" -bincode = "1.0" +postcard = { version = "1.0", features = ["alloc"] } console = "0.16.2" flate2 = "1.1" once_cell = "1.20" diff --git a/assets/acknowledgements.bin b/assets/acknowledgements.bin index 7c534f5367..374546e2c3 100644 Binary files a/assets/acknowledgements.bin and b/assets/acknowledgements.bin differ diff --git a/assets/syntaxes.bin b/assets/syntaxes.bin index a901561109..849525b3f3 100644 Binary files a/assets/syntaxes.bin and b/assets/syntaxes.bin differ 
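Review bot: The new `postcard` entry in `Cargo.toml` adds `alloc` on top of postcard's default features, and the `Cargo.lock` hunks in this commit show what those defaults bring in: `heapless`, `atomic-polyfill`, `critical-section`, `hash32`, `spin`, `rustc_version` and `byteorder` all enter the graph in a change whose purpose is to retire one unmaintained crate. The code in this diff only calls `postcard::to_allocvec` and `postcard::from_bytes`, so `postcard = { version = "1.0", default-features = false, features = ["alloc"] }` should be enough and would likely drop the `heapless` subtree. That is worth confirming with `cargo tree -i heapless` and a fresh `cargo audit` run, since newly added transitive crates can carry advisories of their own.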
diff --git a/assets/syntaxes/02_Extra/Verilog b/assets/syntaxes/02_Extra/Verilog
index 532e87c1b4..497df661bb 160000
--- a/assets/syntaxes/02_Extra/Verilog
+++ b/assets/syntaxes/02_Extra/Verilog
@@ -1 +1 @@
-Subproject commit 532e87c1b40114be14ccfe382a141247daa54be4
+Subproject commit 497df661bb1c53dec66d21fd93a8ff96ffaefd5c
diff --git a/assets/syntaxes/02_Extra/Vue b/assets/syntaxes/02_Extra/Vue
index 6eb71bc6bb..2a3e89e415 160000
--- a/assets/syntaxes/02_Extra/Vue
+++ b/assets/syntaxes/02_Extra/Vue
@@ -1 +1 @@
-Subproject commit 6eb71bc6bba5e6a284b6d1d3154484da6f366e21
+Subproject commit 2a3e89e415f49f5fbe8bf8bf42e45f8f78ccf642
diff --git a/assets/syntaxes/02_Extra/Zig b/assets/syntaxes/02_Extra/Zig
index c16d871ccc..d3816b6d85 160000
--- a/assets/syntaxes/02_Extra/Zig
+++ b/assets/syntaxes/02_Extra/Zig
@@ -1 +1 @@
-Subproject commit c16d871ccccb3749f5a4b824f3fd44b143114565
+Subproject commit d3816b6d851f3c10ac74474e24b6414ce5b9ec0c
diff --git a/assets/syntaxes/02_Extra/hosts b/assets/syntaxes/02_Extra/hosts
index 60ed92c472..96fcc678c6 160000
--- a/assets/syntaxes/02_Extra/hosts
+++ b/assets/syntaxes/02_Extra/hosts
@@ -1 +1 @@
-Subproject commit 60ed92c472dc6038a13a38d033bba6bc64fd6913
+Subproject commit 96fcc678c64b74b89ef1b27dd008401f2661d12d
diff --git a/assets/syntaxes/02_Extra/sublime-odin b/assets/syntaxes/02_Extra/sublime-odin
index 5d6a0ed41e..f8c146f1ac 160000
--- a/assets/syntaxes/02_Extra/sublime-odin
+++ b/assets/syntaxes/02_Extra/sublime-odin
@@ -1 +1 @@
-Subproject commit 5d6a0ed41e41ec3709ec74f40686dc3761d6596e
+Subproject commit f8c146f1aca96626d75c7abb39d018aaaaf936c9
diff --git a/assets/syntaxes/02_Extra/typst-syntax-highlight b/assets/syntaxes/02_Extra/typst-syntax-highlight
index 363f0e767c..b6d6fb3467 160000
--- a/assets/syntaxes/02_Extra/typst-syntax-highlight
+++ b/assets/syntaxes/02_Extra/typst-syntax-highlight
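Review bot: The submodule pointers for Verilog, Vue, Zig, hosts, sublime-odin, typst-syntax-highlight and vscode-wgsl (and for the Solarized, TwoDark, gruvbox and onehalf themes further down) move in the same commit that regenerates `syntaxes.bin` and `themes.bin`, yet the changelog entry describes only the `bincode` to `postcard` swap. If these bumps are intentional, they deserve their own changelog line and a look at the upstream diffs, because their content is baked into the shipped binary assets. If they came from an incidental `git submodule update`, reverting them would let the `.bin` changes reflect the serialization format change alone, which makes the regenerated binaries much easier to verify.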
@@ -1 +1 @@
-Subproject commit 363f0e767c938c615a14912c302db7936f025fc2
+Subproject commit b6d6fb34679759ae9e4a6f6a4d97dd9572f5bb01
diff --git a/assets/syntaxes/02_Extra/vscode-wgsl b/assets/syntaxes/02_Extra/vscode-wgsl
index acf26718d7..a285c38f74 160000
--- a/assets/syntaxes/02_Extra/vscode-wgsl
+++ b/assets/syntaxes/02_Extra/vscode-wgsl
@@ -1 +1 @@
-Subproject commit acf26718d7a327377641e31d8f9a9dab376efa84
+Subproject commit a285c38f74eba2eb5c5a06be8d95b9f581338509
diff --git a/assets/themes.bin b/assets/themes.bin
index a5199f1544..827bf6b59b 100644
Binary files a/assets/themes.bin and b/assets/themes.bin differ
diff --git a/assets/themes/Solarized b/assets/themes/Solarized
index 87e01090cf..afc0abe7ae 160000
--- a/assets/themes/Solarized
+++ b/assets/themes/Solarized
@@ -1 +1 @@
-Subproject commit 87e01090cf5fb821a234265b3138426ae84900e7
+Subproject commit afc0abe7aeef5e1a1827916f938f78784d35d82b
diff --git a/assets/themes/TwoDark b/assets/themes/TwoDark
index 8e0f6fa5b5..b7cb2e6ce3 160000
--- a/assets/themes/TwoDark
+++ b/assets/themes/TwoDark
@@ -1 +1 @@
-Subproject commit 8e0f6fa5b59d196658a22288f519fd8320de4c87
+Subproject commit b7cb2e6ce36e809e56dc09ceab46a879809b56ff
diff --git a/assets/themes/gruvbox b/assets/themes/gruvbox
index 4050347282..429749e29c 160000
--- a/assets/themes/gruvbox
+++ b/assets/themes/gruvbox
@@ -1 +1 @@
-Subproject commit 40503472826e51d87666e548a0634c4f1d74938c
+Subproject commit 429749e29c84724b72b71a80dfdd67be2e0bc506
diff --git a/assets/themes/onehalf b/assets/themes/onehalf
index 141c775ace..75eb2e97ac 160000
--- a/assets/themes/onehalf
+++ b/assets/themes/onehalf
@@ -1 +1 @@
-Subproject commit 141c775ace6b71992305f144a8ab68e9a8ca4a25
+Subproject commit 75eb2e97acd74660779fed8380989ee7891eec56
diff --git a/src/assets.rs b/src/assets.rs
index 82c160c9f1..838893f990 100644
--- a/src/assets.rs
+++ b/src/assets.rs
@@ -342,12 +342,19 @@ fn asset_from_contents( description: &str, compressed: bool, ) -> Result { - if compressed { - bincode::deserialize_from(flate2::read::ZlibDecoder::new(contents)) + let data = if compressed { + use std::io::Read; + let mut decoder = flate2::read::ZlibDecoder::new(contents); + let mut decompressed = Vec::new(); + decoder + .read_to_end(&mut decompressed) + .map_err(|_| format!("Could not decompress {description}"))?; + decompressed } else { - bincode::deserialize_from(contents) - } - .map_err(|_| format!("Could not parse {description}").into()) + contents.to_vec() + }; + + postcard::from_bytes(&data).map_err(|_| format!("Could not parse {description}").into()) } fn asset_from_cache( diff --git a/src/assets/build_assets.rs b/src/assets/build_assets.rs index 6d9c8e59f1..7581f71900 100644 --- a/src/assets/build_assets.rs +++ b/src/assets/build_assets.rs @@ -142,17 +142,24 @@ pub(crate) fn asset_to_contents( description: &str, compressed: bool, ) -> Result> { - let mut contents = vec![]; + let serialized = + postcard::to_allocvec(asset).map_err(|_| format!("Could not serialize {description}"))?; + if compressed { - bincode::serialize_into( - flate2::write::ZlibEncoder::new(&mut contents, flate2::Compression::best()), - asset, - ) + let mut contents = vec![]; + use std::io::Write; + let mut encoder = + flate2::write::ZlibEncoder::new(&mut contents, flate2::Compression::best()); + encoder + .write_all(&serialized) + .map_err(|_| format!("Could not compress {description}"))?; + encoder + .finish() + .map_err(|_| format!("Could not finish compression for {description}"))?; + Ok(contents) } else { - bincode::serialize_into(&mut contents, asset) + Ok(serialized) } - .map_err(|_| format!("Could not serialize {description}"))?; - Ok(contents) } fn asset_to_cache( diff --git a/src/assets/serialized_syntax_set.rs b/src/assets/serialized_syntax_set.rs index 46099e3249..b157a93e70 100644 --- a/src/assets/serialized_syntax_set.rs 
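Review bot: The compressed branch of `asset_from_contents` now inflates the whole stream with `read_to_end` into an unbounded `Vec` before parsing, so a corrupted or tampered compressed asset can expand to an arbitrary size in memory. This matters most if the function is also reached for on-disk cache files, which the neighbouring `asset_from_cache` suggests but the hunk does not show. Capping the read, e.g. `decoder.take(MAX_DECOMPRESSED_ASSET_BYTES).read_to_end(&mut decompressed)` (placeholder constant, to be sized above the largest real asset), should turn an oversized input into an ordinary parse failure. Separately, the uncompressed branch copies its input with `contents.to_vec()` although `postcard::from_bytes` accepts a borrowed slice; holding the data as a `std::borrow::Cow<[u8]>` (`Cow::Owned(decompressed)` / `Cow::Borrowed(contents)`) avoids that copy on every load. The function's signature starts above the hunk.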
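Review bot: All three new `map_err(|_| …)` closures in `asset_to_contents` discard the underlying postcard or I/O error, so a failed asset build reports which step failed but not why. Carrying the cause through, for example `.map_err(|e| format!("Could not serialize {description}: {e}"))?` and likewise for the two compression steps, keeps the messages just as short while making build failures diagnosable. As a point of style, `use std::io::Write;` sits after `let mut contents = vec![];`; moving it to the first line of the `if compressed` block would read more conventionally. The function's signature begins above the hunk.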
+++ b/src/assets/serialized_syntax_set.rs @@ -4,7 +4,7 @@ use syntect::parsing::SyntaxSet; use super::*; -/// A SyntaxSet in serialized form, i.e. bincoded and flate2 compressed. +/// A SyntaxSet in serialized form, i.e. postcard serialized and flate2 compressed. /// We keep it in this format since we want to load it lazily. #[derive(Debug)] pub enum SerializedSyntaxSet {