Update jni-rs to 0.22. The main changes involve the introduction of
`with_env` within native methods, and updating uses of
`attach_current_thread`, which now requires a closure passed to it.
Callback object is now stored inside a `OnceLock`, since it would crash
when it was deleted, probably once a `WakeupCallback` was dropped:
```
JNI DETECTED ERROR IN APPLICATION: JNI ERROR (app bug): jobject is an invalid global reference: 0x2fc6 (deleted reference at index 382)
```
Also update android-activity and rustls-platform-verifier.
Testing: We don't have android tests in CI, manual testing is required
Fixes: Part of #40979
---------
Signed-off-by: Gae24 <96017547+Gae24@users.noreply.github.com>
Helps with: https://github.com/servo/servo/issues/38776. Reduces total
Servo crate count by 7 (977 -> 970).
This PR simply:
- Disables the `server` feature in the `webdriver` crate
- Vendors the implementation of the server from the `webdriver` crate
- Updates dependencies + fixes code to work with new versions
Unfortunately `webdriver` depends on `http` even with the `server`
feature disabled, so we still end up with duplicate versions of `http`.
But at least the duplicate `hyper` is eliminated. Future work could
change the implementation to e.g. move away from `warp` or similar.
Testing: WPT tests use webdriver, so this should be exercised heavily by
those tests.
---------
Signed-off-by: Nico Burns <nico@nicoburns.com>
Testing: We have no automated testing for the servoshell UI. Some quick
manual testing of servo.org seemed to work as expected.
Signed-off-by: Josh Matthews <josh@joshmatthews.net>
btleplug depends on tokio so we use a bridge thread to interface with
Servo thread based messaging.
We keep feature parity except for BtleplugGATTService::get_includes()
that will require upstream implementation.
In terms of OS support, I verified on Linux and macOS. Android is
untested, but btleplug claims support.
Testing: No test failures, green try run at
https://github.com/webbeef/servo/actions/runs/23390850825
Fixes: #43254.
Signed-off-by: webbeef <me@webbeef.org>
Updates the wayland crates and adds a new exemption for the quick-xml
duplication. This prevents dependabot opening a PR every day for these
crates which can never be merged.
Closes: #43294
Signed-off-by: Josh Matthews <josh@joshmatthews.net>
The CVE doesn't impact us, so we can ignore it safely. This improves the
comment above the ignored entry in deny.toml. We test our own code via
`clippy` and we aren't using the vulnerable type. Our dependencies could
in theory use it, but that seems rather unlikely.
Testing: test-tidy is tested in CI.
---------
Signed-off-by: Jonathan Schwender <schwenderjonathan@gmail.com>
We need to bump the accesskit version in order to use
[subtrees](https://docs.rs/accesskit/latest/accesskit/struct.Node.html#method.tree_id),
which are required to join the servo tree into the embedder tree.
We need to patch egui for servoshell, as we're waiting for them to land
the patch bumping their version of accesskit.
Once https://github.com/emilk/egui/pull/7850 lands and a new version of
egui is pushed out, we'll be able to remove the patch.
Testing: No tests.
Fixes: Part of #4344
Signed-off-by: Alice Boxhall <alice@igalia.com>
- Remove deps on `futures@0.1.31`. Update deny
- Remove `compat` features of futures. This is not used anywhere and
introduces duplication.
- Move deps to root. Fix weird field like `futures = { version = "0.3",
package = "futures" }`. Use 0.3 instead of minor version as recommended
by
[README](https://github.com/rust-lang/futures-rs/tree/master/futures-executor#readme)
- Use workspace version for sha2
- Update `futures` & `futures-executor` to 0.3.32
- Disable default features of `futures`: this decreases binary size by
12KB in release.
Testing: Existing UT.
---------
Signed-off-by: Euclid Ye <yezhizhenjiakang@gmail.com>
Unblock the CI.
We cannot upgrade time right now due to MSRV.
This thing has high attack complexity.
Signed-off-by: Euclid Ye <yezhizhenjiakang@gmail.com>
This change moves Servo's macOS font code away from using our homegrown
`core-*` crates and toward the more general-purpose `objc2-*` crates.
Development of these crates is more active and they use automatic code
generation to have more complete coverage of the relevant platform APIs.
In addition, this means that it is easier to understand Servo's code if you
are familiar with the platform APIs as the `objc2` crates are a more
direct Rust wrapper over them. In comparison, our wrappers had more
batteries-included behavior that was less flexible.
This change:
- is the first step toward more flexible font fallback on macOS (#41426)
- means we can now remove our manual FFI bindings for font variation
code.
Testing: This should not change behavior and macOS is currently untested
via WPT on the CI.
Signed-off-by: Martin Robinson <mrobinson@igalia.com>
This vulnerability was just issued 3 hours ago. It is patched in
>=0.1.0-rc.3, but we tried last week: it takes significant effort to
upgrade:
https://github.com/servo/servo/pull/42120#issuecomment-3793543197
Given that it blocks the CI, no exploit is known yet, and the high
attack complexity, we should ignore it for now.
---------
Signed-off-by: Euclid Ye <yezhizhenjiakang@gmail.com>
Bumps [gilrs-core](https://gitlab.com/gilrs-project/gilrs) from 0.6.6 to
0.6.7.
<details>
<summary>Commits</summary>
<ul>
<li>See full diff in <a
href="https://gitlab.com/gilrs-project/gilrs/commits/master">compare
view</a></li>
</ul>
</details>
Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
</details>
---------
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Euclid Ye <yezhizhenjiakang@gmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Euclid Ye <yezhizhenjiakang@gmail.com>
The versions of `cargo-deny` older than 0.18.6 have a bug which causes
the executions of `cargo-deny check` to prematurely fail when reading
the advisory db
(https://github.com/EmbarkStudios/cargo-deny/issues/804).
This error is ignored by `test-tidy` since the error message doesn't
have the expected JSON fields, causing `test-tidy` to succeed even when
there are valid issues in `deny.toml` or `Cargo.lock`.
So upgrade the `cargo-deny` version installed by `mach` to be the latest
version and ensure that at least the version with the fix is installed
on the system. Also fix the `test-tidy` code to always fail when the
exit code from `cargo-deny` is non-zero.
This patch also updates `deny.toml` to include exceptions to allow
`./mach test-tidy` to pass. Some of these need to be investigated
separately from this change.
Fixes #41845.
Fixes #38945.
Testing: Tested locally on NixOS.
---------
Signed-off-by: Mukilan Thiyagarajan <mukilan@igalia.com>
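The fail-open behaviour described in the commit message above, next to a fail-closed variant, as an added example (not Servo's `test-tidy` code). The `CheckerRun` container, the function names, the sample lines and the `{"fields": {"severity", "message"}}` record shape are all assumptions constructed for illustration.

```python
import json
from dataclasses import dataclass


@dataclass
class CheckerRun:
    """Exit status and JSON-lines output of one dependency-check run (hypothetical)."""
    exit_code: int
    output_lines: list


def parse_diagnostics(lines):
    """Split output into well-formed diagnostics and everything else.

    Assumed record shape (illustrative only):
    {"fields": {"severity": "...", "message": "..."}}
    """
    diagnostics, unrecognized = [], []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            record = json.loads(raw)
        except json.JSONDecodeError:
            unrecognized.append(raw)
            continue
        fields = record.get("fields") if isinstance(record, dict) else None
        if isinstance(fields, dict) and "severity" in fields and "message" in fields:
            diagnostics.append(fields)
        else:
            unrecognized.append(raw)
    return diagnostics, unrecognized


def errors_fail_open(run):
    """Only well-formed error diagnostics count; the exit code is never consulted.

    A tool that aborts early with an unexpected message yields an empty list,
    which the caller reads as "no issues".
    """
    diagnostics, _ = parse_diagnostics(run.output_lines)
    return [d["message"] for d in diagnostics if d["severity"] == "error"]


def errors_fail_closed(run):
    """Same parsing, but a non-zero exit status always produces a failure."""
    errors = errors_fail_open(run)
    if run.exit_code != 0 and not errors:
        _, unrecognized = parse_diagnostics(run.output_lines)
        detail = unrecognized[0] if unrecognized else "no output"
        errors.append(
            f"checker exited with status {run.exit_code} "
            f"but reported no parsable error: {detail}"
        )
    return errors


# Constructed sample runs (not real tool output).
# 1. The tool aborts before checking anything; its message lacks "severity".
CRASHED = CheckerRun(1, ['{"fields": {"message": "failed to load advisory database"}}'])
# 2. The tool runs normally and reports one error and one warning.
FINDINGS = CheckerRun(1, [
    '{"fields": {"severity": "error", "message": "crate example-crate is unmaintained"}}',
    '{"fields": {"severity": "warning", "message": "duplicate crate example-dup"}}',
])
# 3. The tool runs normally and finds nothing.
CLEAN = CheckerRun(0, [])


if __name__ == "__main__":
    for name, run in (("crashed", CRASHED), ("findings", FINDINGS), ("clean", CLEAN)):
        print(name, "fail-open:", errors_fail_open(run))
        print(name, "fail-closed:", errors_fail_closed(run))
```

The crashed run is the case that matters: the fail-open check returns no errors for it, so a lint step built that way passes while the advisory check never actually ran.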
`quick-xml` is no longer duplicated. Checking rest later.
Fixes: The case reported in #41845, but not the issue itself.
Signed-off-by: Euclid Ye <yezhizhenjiakang@gmail.com>
Start adding ML-DSA support to WebCrypto API.
This patch implements the import key operations of ML-DSA, with `ml-dsa`
crate.
Specification:
https://wicg.github.io/webcrypto-modern-algos/#ml-dsa-operations-import-key
Testing:
- Pass some WPT tests that were expected to fail.
- Some new FAIL expectations are added. They were skipped by WPT when
the import key operations of ML-DSA had not been implemented, and
require other not-yet-implemented operations to pass.
Fixes: Part of #41626
Signed-off-by: Kingsley Yung <kingsley@kkoyung.dev>
Start adding RSA-PSS support to WebCrypto API.
This patch implements import key operation of RSA-PSS, with `rsa` crate.
Testing:
- Pass some WPT tests that were expected to fail.
- Some new FAIL expectations are added. They were skipped by WPT when
the import key operation of RSA-PSS had not been implemented, and
require other not-yet-implemented operations to pass.
Fixes: #34362, and part of #41113
---------
Signed-off-by: Kingsley Yung <kingsley@kkoyung.dev>
This crate is just using system APIs to get the resident and virtual
memory size of the current process. We can do this directly with
`mach2`, which also allows more flexibility if we want to fetch other
values in the future.
This does require duplicating `mach2` as the version used by `gilrs` is
older. Presumably, some future release of `gilrs` will upgrade soon.
Testing: There aren't really tests for this, but I tested it manually by
running the memory reporter and ensuring that both the old and new
values were the same.
Signed-off-by: Martin Robinson <mrobinson@igalia.com>
Other than upgrading phf, phf_codegen and phf_shared to 0.13, this also
upgrades html5ever, markup5ever and xml5ever to 0.36, string_cache to
0.9, and Stylo to https://github.com/servo/stylo/pull/266.
Testing: Not needed, no behavior change
Fixes: #40533
Signed-off-by: Oriol Brufau <obrufau@igalia.com>
Bump various linebender crates (most importantly kurbo and peniko). We
will now use released versions of both vello and vello_cpu.
Unfortunately new kurbo is not yet in svgtypes (on which we depend via
usvg), so for now we need to duplicate it, but all in all I still think
this bump is worth it.
This PR is mostly mechanical. I will do follow up to better use new
peniko/kurbo options.
Testing: It should be covered by existing WPT tests
try run: https://github.com/sagudev/servo/actions/runs/18817103076
---------
Signed-off-by: sagudev <16504129+sagudev@users.noreply.github.com>
Bumps from 0.2.0 to 0.4.0. We have to temporarily duplicate
`objc2-encode`, but the next PR will finish the upgrade and unduplicate
that dependency.
Testing: No functionality changed, only a refactor
Signed-off-by: Ashwin Naren <arihant2math@gmail.com>
These crates are now marked as 'unmaintained' and cause `test-tidy` to
fail on CI. They are pulled in by the `urlpattern 0.3` crate which needs
to be upgraded to `0.4` but that is blocked due to the duplication of some
icu4x crates (which need to be upgraded to 2.0) and a few other crates.
Testing: No testing needed.
Signed-off-by: Mukilan Thiyagarajan <mukilan@igalia.com>
Bumps the tungstenite-related group with 2 updates:
[async-tungstenite](https://github.com/sdroege/async-tungstenite) and
[tungstenite](https://github.com/snapview/tungstenite-rs).
Updates `async-tungstenite` from 0.29.1 to 0.31.0
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/sdroege/async-tungstenite/blob/main/CHANGELOG.md">async-tungstenite's
changelog</a>.</em></p>
<blockquote>
<h2>[0.31.0] - 2025-08-09</h2>
<h3>Changed</h3>
<ul>
<li><code>WebSocketSender::send()</code> and <code>close()</code>
require a mutable reference now.</li>
</ul>
<h2>[0.30.0] - 2025-07-15</h2>
<h3>Changed</h3>
<ul>
<li>Update to tungstenite 0.27.</li>
<li>Update to webpki-roots to 1.0.</li>
<li>Update to glib / gio 0.21.</li>
</ul>
<h3>Added</h3>
<ul>
<li>Add support for splitting a <code>WebSocketStream</code> into a
sender and receiver
type without making use of the future's <code>Sink</code> trait, and
re-combining them
again into a single value.</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="c3bba9cb11"><code>c3bba9c</code></a>
Release 0.31.0</li>
<li><a
href="caa815be80"><code>caa815b</code></a>
Make <code>WebSocketSender</code> methods take <code>&mut
self</code></li>
<li><a
href="782ad71bdc"><code>782ad71</code></a>
Hide internal state in <code>Debug</code> for
<code>ByteWriter</code></li>
<li><a
href="5241a19e25"><code>5241a19</code></a>
Add closing state for <code>ByteWriter</code></li>
<li><a
href="e05133a217"><code>e05133a</code></a>
Remove <code>futures-03-sink</code> feature flag for
<code>ByteWriter</code></li>
<li><a
href="5419857734"><code>5419857</code></a>
Update CHANGELOG.md for 0.30.0</li>
<li><a
href="2af272de75"><code>2af272d</code></a>
Update version to 0.30.0</li>
<li><a
href="17b8f87c71"><code>17b8f87</code></a>
Update various dependencies</li>
<li><a
href="ee47b7ecf2"><code>ee47b7e</code></a>
Add <code>reunite</code> and <code>is_pair_of</code> methods</li>
<li><a
href="f4f78cd57c"><code>f4f78cd</code></a>
Add <code>concurrent_send</code> test</li>
<li>Additional commits viewable in <a
href="https://github.com/sdroege/async-tungstenite/compare/0.29.1...0.31.0">compare
view</a></li>
</ul>
</details>
<br />
Updates `tungstenite` from 0.26.2 to 0.27.0
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/snapview/tungstenite-rs/blob/master/CHANGELOG.md">tungstenite's
changelog</a>.</em></p>
<blockquote>
<h1>0.27.0</h1>
<ul>
<li>Fix large message read performance by enforcing max
<code>read_buffer_size</code> read chunks.</li>
<li>Make <code>Hash</code> implementation consistent for
<code>Utf8Bytes</code> payloads.</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="3ffeb33e29"><code>3ffeb33</code></a>
Prepare 0.27.0 release</li>
<li><a
href="5e15390029"><code>5e15390</code></a>
When reading avoid over-reserving the in the case WouldBlock causes
multiple ...</li>
<li><a
href="d8b45ee3e7"><code>d8b45ee</code></a>
Add end to end "send+recv" benchmarks (<a
href="https://redirect.github.com/snapview/tungstenite-rs/issues/497">#497</a>)</li>
<li><a
href="f20436ca16"><code>f20436c</code></a>
Update src/protocol/frame/frame.rs</li>
<li><a
href="e4fb204fb0"><code>e4fb204</code></a>
Don't allow zero <code>in_buf_max_read</code></li>
<li><a
href="1dc706ced6"><code>1dc706c</code></a>
Fix large message read performance by enforcing max
<code>read_buffer_size</code> read c...</li>
<li><a
href="255aaa2c0c"><code>255aaa2</code></a>
add more details for utf8 errors for debugging</li>
<li><a
href="75b59d9792"><code>75b59d9</code></a>
Implement <code>From\<Bytes></code> for <code>Message</code></li>
<li><a
href="56d758bebd"><code>56d758b</code></a>
fix(Utf8Bytes): hash consistency for Borrow + Hash traits</li>
<li>See full diff in <a
href="https://github.com/snapview/tungstenite-rs/compare/v0.26.2...v0.27.0">compare
view</a></li>
</ul>
</details>
---------
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Euclid Ye <euclid.ye@huawei.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Euclid Ye <euclid.ye@huawei.com>
This wrapper was added in order to eliminate the number of file
descriptors used accessing `/dev/urandom`, but these days `osrandom` and
by proxy `rand` will try to use `getrandom` on Linux and similar system
APIs on other platforms [^1].
This is a trial balloon for removing the wrapper, since almost all
modern Linux systems have `getrandom` (available since Linux
3.17).
[^1]: https://docs.rs/getrandom/0.3.4/getrandom/#supported-targets
Testing: Should not change observable behavior (only in random ways), so
should be covered by WPT tests.
Signed-off-by: Martin Robinson <mrobinson@igalia.com>
This is the latest release of WebRender that will be based on a recent
version of WebRender from the Gecko repository.
Testing: This should not change Servo's behavior and is thus covered
by existing tests.
Fixes: https://github.com/servo/webrender/issues/4875
Signed-off-by: Martin Robinson <mrobinson@igalia.com>
Bumps [gilrs-core](https://gitlab.com/gilrs-project/gilrs) from 0.6.4 to
0.6.5.
<details>
<summary>Commits</summary>
<ul>
<li><a
href="e07b360284"><code>e07b360</code></a>
Prepare for gilrs-core 0.6.5</li>
<li><a
href="4b074c18cf"><code>4b074c1</code></a>
Update nix</li>
<li><a
href="583ad9b658"><code>583ad9b</code></a>
core: Expand <code>windows</code> version range to include
<code>0.62</code> release</li>
<li><a
href="f165d80b62"><code>f165d80</code></a>
Fix new Jitter comment</li>
<li><a
href="9490be58ad"><code>9490be5</code></a>
refactor: fixed some inconsistencies</li>
<li><a
href="e27689dda8"><code>e27689d</code></a>
add fallback warning for no uuid found</li>
<li>See full diff in <a
href="https://gitlab.com/gilrs-project/gilrs/compare/gilrs-core-v0.6.4...gilrs-core-v0.6.5">compare
view</a></li>
</ul>
</details>
---------
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Euclid Ye <yezhizhenjiakang@gmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Euclid Ye <yezhizhenjiakang@gmail.com>
This change removes the integration with Instruments.app "Points of
Interest" track for a variety of reasons:
- This functionality is made somewhat redundant by Servo's support for
Perfetto traces.
- This functionality depends on the `signpost` crate which hasn't seen
activity for 9 years and only supports macOS.
Testing: This removes some functionality that is only observable via
Instruments.app, so testing it is difficult.
Signed-off-by: Martin Robinson <mrobinson@igalia.com>
`winres` is unmaintained and it seems like `winresource` is the
successor.
Testing: This should not have any behavior changes and just modifies
a build step, so shouldn't need tests.
Signed-off-by: Martin Robinson <mrobinson@igalia.com>
Vello has updated to wgpu v26 recently. It might be a good time for
servo to update as well. This PR should wait for #39015 and #38717
Testing: WebGPU CTS
Fixes: None
---------
Signed-off-by: Wu Yu Wei <yuweiwu@pm.me>
Bumps [zbus](https://github.com/dbus2/zbus) from 5.9.0 to 5.11.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/dbus2/zbus/releases">zbus's
releases</a>.</em></p>
<blockquote>
<h2>🔖 zbus 5.11.0</h2>
<ul>
<li>✨ API to specify timeouts for method calls. Add a way to specify a
timeout for method calls. If
set, the method calls will timeout after the specified duration,
returning an error. This can be
used to handle the issues with non-answering D-Bus services.</li>
<li>🩹 Add <code>connection::socket::Split::new</code> method, allowing
<code>Socket</code> trait impls outside zbus.</li>
<li>📝 Mention receive_X_changes in <code>proxy</code> docs.</li>
</ul>
<h2>🔖 zbus 5.10.0</h2>
<ul>
<li>✨ Property stream will now first yield the current value.</li>
<li>🐛 Fall back to no groups rather than erroring out for peer
creds.</li>
<li>📝 Fix wrong documentation in blocking <code>Proxy</code>
methods.</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="edd9a3c3d3"><code>edd9a3c</code></a>
Merge pull request <a
href="https://redirect.github.com/dbus2/zbus/issues/1494">#1494</a> from
zeenix/prep-zb-5.11</li>
<li><a
href="ee3fb1b4f7"><code>ee3fb1b</code></a>
🔖 zb,zm: Release 5.11.0</li>
<li><a
href="9f85ee4b3d"><code>9f85ee4</code></a>
✅ zb: Much shorter timeout in method timeout test</li>
<li><a
href="000039a7d8"><code>000039a</code></a>
♻️ zb: Micro simplification</li>
<li><a
href="dbd853e3be"><code>dbd853e</code></a>
⬆️ micro: Update chrono to v0.4.42 (<a
href="https://redirect.github.com/dbus2/zbus/issues/1493">#1493</a>)</li>
<li><a
href="bd4d5c722e"><code>bd4d5c7</code></a>
Merge pull request <a
href="https://redirect.github.com/dbus2/zbus/issues/1491">#1491</a> from
dbus2/security-policy</li>
<li><a
href="29825e74cc"><code>29825e7</code></a>
🔒️ Add comprehensive security policy</li>
<li><a
href="e46151c9ad"><code>e46151c</code></a>
Merge pull request <a
href="https://redirect.github.com/dbus2/zbus/issues/1477">#1477</a> from
sergeyfd/main</li>
<li><a
href="979f5f9030"><code>979f5f9</code></a>
✨ zb: API to specify timeouts for method calls</li>
<li><a
href="442063d295"><code>442063d</code></a>
⬆️ micro: Update time to v0.3.43 (<a
href="https://redirect.github.com/dbus2/zbus/issues/1490">#1490</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/dbus2/zbus/compare/zbus-5.9.0...zbus-5.11.0">compare
view</a></li>
</ul>
</details>
---------
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Euclid Ye <yezhizhenjiakang@gmail.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Euclid Ye <yezhizhenjiakang@gmail.com>
Bumps [windows-sys](https://github.com/microsoft/windows-rs) from 0.59.0
to 0.61.0.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/microsoft/windows-rs/releases">windows-sys's
releases</a>.</em></p>
<blockquote>
<h2>61</h2>
<p>Major crate updates:</p>
<ul>
<li><code>windows</code> 0.59.0</li>
<li><code>windows-core</code> 0.59.0
<ul>
<li><code>windows-implement</code> 0.59.0</li>
<li><code>windows-interface</code> 0.59.0</li>
</ul>
</li>
<li><code>windows-targets</code> 0.53.0
<ul>
<li><code>windows_i686_msvc</code> 0.53.0</li>
<li><code>windows_x86_64_msvc</code> 0.53.0</li>
<li><code>windows_aarch64_msvc</code> 0.53.0</li>
<li><code>windows_i686_gnu</code> 0.53.0</li>
<li><code>windows_x86_64_gnu</code> 0.53.0</li>
<li><code>windows_i686_gnullvm</code> 0.53.0</li>
<li><code>windows_x86_64_gnullvm</code> 0.53.0</li>
<li><code>windows_aarch64_gnullvm</code> 0.53.0</li>
</ul>
</li>
<li><code>windows-bindgen</code> 0.59.0</li>
<li><code>windows-registry</code> 0.4.0</li>
<li><code>windows-result</code> 0.3.0</li>
<li><code>windows-strings</code> 0.3.0</li>
<li><code>cppwinrt</code> 0.2.0</li>
</ul>
<p>Minor crate updates:</p>
<ul>
<li><code>windows-version</code> 0.1.2</li>
</ul>
<p>Excluded:</p>
<ul>
<li><code>windows-sys</code> 0.59.0</li>
</ul>
<p>Things to keep in mind:</p>
<ul>
<li>
<p>The tag/release names no longer map directly to the crate versions,
so to <a
href="https://github.com/microsoft/windows-rs/tree/master/crates/samples">find
samples</a> for a particular release requires looking at <a
href="https://github.com/microsoft/windows-rs/releases">the releases</a>
page and finding the release that most recently updated a particular
crate.</p>
</li>
<li>
<p>The <code>windows-bindgen</code> crate includes the major code
generation overhaul that brings many improvements - be sure to check out
the PR description for more information. The resulting code gen depends
on the new version of <code>windows-core</code> and its dependencies,
unless you include the <code>--sys</code> option. <a
href="https://redirect.github.com/microsoft/windows-rs/issues/3359">#3359</a></p>
</li>
<li>
<p>The <code>cppwinrt</code> crate constitutes a major update due to
streamlining the error handling. <a
href="https://redirect.github.com/microsoft/windows-rs/issues/3415">#3415</a></p>
</li>
<li>
<p>The <code>windows-registry</code>, <code>windows-strings,</code> and
<code>windows-result</code> crates are also major version updates since
they include small breaking changes.</p>
</li>
<li>
<p>The <code>windows-targets</code> crate finally receives a major
version update, the first in over a year. This is due to <a
href="https://redirect.github.com/microsoft/windows-rs/issues/3359">#3359</a>
and <a
href="https://redirect.github.com/microsoft/windows-rs/issues/3342">#3342</a>
potentially introducing breaking changes. Although unlikely, these
updates introduced sufficient changes that make it hard to ensure that
the <code>windows-targets</code> libs don't break existing code. As
we're updating <code>windows-targets</code> anyway, I took the liberty
to bump the MSRV to 1.60 - to match the latest version of
<code>windows-sys</code> - and remove the old but unused doc macro
feature. Both remained for compatibility with very old dependents of the
<code>windows-targets</code> crate.</p>
</li>
<li>
<p>The <code>windows-version</code> crate receives a minor update to
update its dependency on the <code>windows-targets</code> crate.</p>
</li>
<li>
<p>Beyond these specifics, this update is the culmination of around 6
months worth of work on the <code>windows-rs</code> project. The biggest
improvements come from the new code generation engine, but many other
improvements are now also available for production. This includes
support for many new lints, warnings, and suggestions provided by the
Rust toolchain; much smaller code gen thanks to deriving many more
traits; more efficient code gen; major improvements to WinRT type system
and implementation support; more robust and consistent error handling;
stock collection and async support; improved support for class
hierarchies; and much more!</p>
</li>
</ul>
<p>In addition to "what's changed" below, check out what's
changed for notes for <a
href="https://github.com/microsoft/windows-rs/releases/tag/0.60.0">0.60.0</a>
and <a
href="https://github.com/microsoft/windows-rs/releases/tag/0.59.0">0.59.0</a>
for additional changes that roll up to the crates published as part of
this release.</p>
<h2>What's Changed</h2>
<ul>
<li>Remove improper_ctypes workaround by <a
href="https://github.com/ChrisDenton"><code>@ChrisDenton</code></a> in
<a
href="https://redirect.github.com/microsoft/windows-rs/pull/3296">microsoft/windows-rs#3296</a></li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="5888c8c472"><code>5888c8c</code></a>
Release 0.61.0 (<a
href="https://redirect.github.com/microsoft/windows-rs/issues/3418">#3418</a>)</li>
<li><a
href="9911fee2a9"><code>9911fee</code></a>
Improve feature search UX, add dark mode, and update deps (<a
href="https://redirect.github.com/microsoft/windows-rs/issues/3422">#3422</a>)</li>
<li><a
href="eed74532cd"><code>eed7453</code></a>
Update GitHub Actions runners (<a
href="https://redirect.github.com/microsoft/windows-rs/issues/3423">#3423</a>)</li>
<li><a
href="284f18906a"><code>284f189</code></a>
Avoid <code>transmute</code> where possible (<a
href="https://redirect.github.com/microsoft/windows-rs/issues/3421">#3421</a>)</li>
<li><a
href="b35dfd1470"><code>b35dfd1</code></a>
Update web workflow to use external origin (<a
href="https://redirect.github.com/microsoft/windows-rs/issues/3420">#3420</a>)</li>
<li><a
href="3566fca8c5"><code>3566fca</code></a>
Fix provenance in direct32 sample (<a
href="https://redirect.github.com/microsoft/windows-rs/issues/3419">#3419</a>)</li>
<li><a
href="382ea566c2"><code>382ea56</code></a>
Use <code>track_caller</code> to make debugging <code>cppwinrt</code>
build script errors easier (#...</li>
<li><a
href="f09c13292a"><code>f09c132</code></a>
Shorten sample crate names (<a
href="https://redirect.github.com/microsoft/windows-rs/issues/3416">#3416</a>)</li>
<li><a
href="5e8ce09c70"><code>5e8ce09</code></a>
<code>cppwinrt</code> should consistently panic on failure (<a
href="https://redirect.github.com/microsoft/windows-rs/issues/3415">#3415</a>)</li>
<li><a
href="d02c977dc8"><code>d02c977</code></a>
Detect unsupported array parameters (<a
href="https://redirect.github.com/microsoft/windows-rs/issues/3402">#3402</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/microsoft/windows-rs/compare/0.59.0...0.61.0">compare
view</a></li>
</ul>
</details>
<br />
---------
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Euclid Ye <euclid.ye@huawei.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Euclid Ye <euclid.ye@huawei.com>
Bumps [tracing-subscriber](https://github.com/tokio-rs/tracing) from
0.3.19 to 0.3.20.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/tokio-rs/tracing/releases">tracing-subscriber's
releases</a>.</em></p>
<blockquote>
<h2>tracing-subscriber 0.3.20</h2>
<p><strong>Security Fix</strong>: ANSI Escape Sequence Injection
(CVE-TBD)</p>
<h2>Impact</h2>
<p>Previous versions of tracing-subscriber were vulnerable to ANSI
escape sequence injection attacks. Untrusted user input containing ANSI
escape sequences could be injected into terminal output when logged,
potentially allowing attackers to:</p>
<ul>
<li>Manipulate terminal title bars</li>
<li>Clear screens or modify terminal display</li>
<li>Potentially mislead users through terminal manipulation</li>
</ul>
<p>In isolation, impact is minimal; however, security issues have been
found in terminal emulators that enabled an attacker to use ANSI escape
sequences via logs to exploit vulnerabilities in the terminal
emulator.</p>
<h2>Solution</h2>
<p>Version 0.3.20 fixes this vulnerability by escaping ANSI control
characters when writing events to destinations that may be printed to
the terminal.</p>
<h2>Affected Versions</h2>
<p>All versions of tracing-subscriber prior to 0.3.20 are affected by
this vulnerability.</p>
<h2>Recommendations</h2>
<p>Immediate Action Required: We recommend upgrading to
tracing-subscriber 0.3.20 immediately, especially if your
application:</p>
<ul>
<li>Logs user-provided input (form data, HTTP headers, query parameters,
etc.)</li>
<li>Runs in environments where terminal output is displayed to
users</li>
</ul>
<h2>Migration</h2>
<p>This is a patch release with no breaking API changes. Simply update
your Cargo.toml:</p>
<pre lang="toml"><code>[dependencies]
tracing-subscriber = "0.3.20"
</code></pre>
<h2>Acknowledgments</h2>
<p>We would like to thank <a href="http://github.com/zefr0x">zefr0x</a>
who responsibly reported the issue at
<code>security@tokio.rs</code>.</p>
<p>If you believe you have found a security vulnerability in any
tokio-rs project, please email us at <code>security@tokio.rs</code>.</p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="4c52ca5266"><code>4c52ca5</code></a>
fmt: fix ANSI escape sequence injection vulnerability (<a
href="https://redirect.github.com/tokio-rs/tracing/issues/3368">#3368</a>)</li>
<li><a
href="f71cebe41e"><code>f71cebe</code></a>
subscriber: impl Clone for EnvFilter (<a
href="https://redirect.github.com/tokio-rs/tracing/issues/3360">#3360</a>)</li>
<li><a
href="3a1f571102"><code>3a1f571</code></a>
Fix CI (<a
href="https://redirect.github.com/tokio-rs/tracing/issues/3361">#3361</a>)</li>
<li><a
href="e63ef57f3d"><code>e63ef57</code></a>
chore: prepare tracing-attributes 0.1.30 (<a
href="https://redirect.github.com/tokio-rs/tracing/issues/3316">#3316</a>)</li>
<li><a
href="6e59a13b1a"><code>6e59a13</code></a>
attributes: fix tracing::instrument regression around shadowing (<a
href="https://redirect.github.com/tokio-rs/tracing/issues/3311">#3311</a>)</li>
<li><a
href="e4df761275"><code>e4df761</code></a>
tracing: update core to 0.1.34 and attributes to 0.1.29 (<a
href="https://redirect.github.com/tokio-rs/tracing/issues/3305">#3305</a>)</li>
<li><a
href="643f392ebb"><code>643f392</code></a>
chore: prepare tracing-attributes 0.1.29 (<a
href="https://redirect.github.com/tokio-rs/tracing/issues/3304">#3304</a>)</li>
<li><a
href="d08e7a6eea"><code>d08e7a6</code></a>
chore: prepare tracing-core 0.1.34 (<a
href="https://redirect.github.com/tokio-rs/tracing/issues/3302">#3302</a>)</li>
<li><a
href="6e70c571d3"><code>6e70c57</code></a>
tracing-subscriber: count numbers of enters in <code>Timings</code> (<a
href="https://redirect.github.com/tokio-rs/tracing/issues/2944">#2944</a>)</li>
<li><a
href="c01d4fd9de"><code>c01d4fd</code></a>
fix docs and enable CI on <code>main</code> branch (<a
href="https://redirect.github.com/tokio-rs/tracing/issues/3295">#3295</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/tokio-rs/tracing/compare/tracing-subscriber-0.3.19...tracing-subscriber-0.3.20">compare
view</a></li>
</ul>
</details>
<br />
---------
Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Euclid Ye <euclid.ye@huawei.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Euclid Ye <euclid.ye@huawei.com>
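The mitigation described in the tracing-subscriber 0.3.20 release notes above (escaping control characters before logged input reaches a terminal) is illustrated by this added example. It is not code from tracing-subscriber or Servo; `EscapeControl`, `EscapingWriter` and `log_line` are hypothetical names, and the sample input is constructed.

```rust
use std::fmt::{self, Write};

/// Hypothetical wrapper (not tracing-subscriber's API): renders the inner
/// value with every control character replaced by a visible `\u{..}` escape.
pub struct EscapeControl<T>(pub T);

/// Adapter that filters everything written through it into the formatter.
struct EscapingWriter<'a, 'b> {
    inner: &'a mut fmt::Formatter<'b>,
}

impl Write for EscapingWriter<'_, '_> {
    fn write_str(&mut self, s: &str) -> fmt::Result {
        for c in s.chars() {
            // is_control() is true for C0 (including ESC 0x1b, BEL, CR, LF),
            // DEL, and the C1 range 0x80-0x9f (including the 8-bit CSI 0x9b).
            if c.is_control() {
                write!(self.inner, "\\u{{{:x}}}", c as u32)?;
            } else {
                self.inner.write_char(c)?;
            }
        }
        Ok(())
    }
}

impl<T: fmt::Display> fmt::Display for EscapeControl<T> {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        let mut w = EscapingWriter { inner: f };
        write!(w, "{}", self.0)
    }
}

/// Builds one log line; the untrusted field is escaped, the fixed text is not.
pub fn log_line(user_agent: &str) -> String {
    format!("INFO request user_agent={}", EscapeControl(user_agent))
}

fn main() {
    // Constructed sample: a header value carrying a clear-screen sequence.
    let untrusted = "curl/8.0\x1b[2J";
    println!("{}", log_line(untrusted));
}
```

Because line feeds and carriage returns are control characters too, the same wrapper keeps a logged value from forging additional log lines.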
Testing: These changes should be covered by existing web platform tests
and `image`'s own test suite.
---------
Signed-off-by: Simon Wülker <simon.wuelker@arcor.de>
Instead of vendoring a copy of icu_capi, mozjs now determines
the location of the provided C header files by parsing the cargo
metadata output.
This will allow vendoring mozjs and is a step towards publishing mozjs
and thus servo again.
Corresponding mozjs PR: https://github.com/servo/mozjs/pull/596
Testing: Covered by existing tests
Signed-off-by: Jonathan Schwender <schwenderjonathan@gmail.com>
- Use sqlite instead of heed. (one indexed database = one sqlite
database)
- Implement the backend for indexes
- Use keyranges where needed (as specified by the spec)
- Implement `getKey`
- Fix channel error messaging (led to a bunch of changes to how async
requests are handled)
Note: `components/net/indexeddb/engines/sqlite/serialize.rs` is unused;
I can delete it if needed.
Testing: Switching to sqlite eliminated many panics (exposing some new
failures).
Fixes: #38040
---------
Signed-off-by: Ashwin Naren <arihant2math@gmail.com>