Bump bindgen from 0.63.0 to 0.69.4 in /yjit/bindgen #10980

ChuckWoodraska · 2024-06-12T16:05:44Z

This PR bumped shlex in the Cargo.lock file but I think what really needs to happen is to bump bindgen in the Cargo.toml file so that it pulls in shlex 1.3.0 correctly otherwise when it builds it looks like the lock file ends up with shlex 1.1.0

ChuckWoodraska · 2024-06-12T17:33:25Z

Not sure if this is failing on the diff or what: https://github.com/ruby/ruby/actions/runs/9485958865/job/26139167171?pr=10980

k0kubun · 2024-06-12T17:57:23Z

This is what we meant (in the CI job name):

~~I think the CI should show a button that we can push to apply the bindgen changes to the PR when there's a diff.~~ (edit: I thought manual-approval workflows can be used for this, but after a bit of research, I'm not sure if it's actually applicable for this use case)

In the meantime, please just include the diff in your branch.

XrXr · 2024-06-12T20:34:12Z

I just tested it without this patch locally and it looks like it's building shlex v1.3.0 correctly, respecting the lock file. I guess your build process involves regenerating the lock file? In any case, I'm unconvinced we need to bump bindgen.

ChuckWoodraska · 2024-06-12T20:55:49Z

I'm using ruby-install to install Ruby and when I look at the usr/local/src/ruby-3.3.3/yjit/bindgen/Cargo.lock I'm seeing shlex 1.1.0

Commands I'm running to get there:

wget https://github.com/postmodern/ruby-install/releases/download/v0.9.3/ruby-install-0.9.3.tar.gz
tar -xzvf ruby-install-0.9.3.tar.gz
cd ruby-install-0.9.3/
make install
ruby-install --system ruby 3.3.3

When I pull down and look at the 3.3.3 Release from here, the lock file shows shlex at 1.1.0

This tool is not in normal build processes, but upgrading this dependency calms security scanners. Backport of <ruby#9652>. See: ruby#10980

`yjit-bindgen` isn't run to build Ruby releases at all, but people might be running security scanners on the source tarball. Upgrade this dependency to calm the scanners. Backport of <ruby#9652>. See: <ruby#10980>

XrXr · 2024-06-12T21:35:29Z

The 3.3.3 release is based off of the release branch https://github.com/ruby/ruby/tree/ruby_3_3, not master. To get the shlex update into a release we need a backport and I've filed #10985 to do that.

Note that if you're just building ruby, yjit-bindgen isn't part of the build process at all. It mostly just runs on our CI for making changes.

Thanks!

`yjit-bindgen` isn't run to build Ruby releases at all, but people might be running security scanners on the source tarball. Upgrade this dependency to calm the scanners. Backport of <#9652>. See: <#10980>

Bumping bindgen to 0.69.4 which should bump shlex to 1.3.0

37d9480

8000

matzbot requested a review from a team June 12, 2024 16:06

ChuckWoodraska changed the title ~~Bump bindgen from 0.64.0 to 0.69.4 in /yjit/bindgen~~ Bump bindgen from 0.63.0 to 0.69.4 in /yjit/bindgen Jun 12, 2024

Patching manually to satisfy diff

e86e597

XrXr added a commit to XrXr/ruby that referenced this pull request Jun 12, 2024

Bump shlex from 1.1.0 to 1.3.0 in /yjit/bindgen

630feb0

This tool is not in normal build processes, but upgrading this dependency calms security scanners. Backport of <ruby#9652>. See: ruby#10980

XrXr mentioned this pull request Jun 12, 2024

Bump shlex from 1.1.0 to 1.3.0 in /yjit/bindgen #10985

Merged

XrXr closed this Jun 12, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Bump bindgen from 0.63.0 to 0.69.4 in /yjit/bindgen #10980

Bump bindgen from 0.63.0 to 0.69.4 in /yjit/bindgen #10980

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Bump bindgen from 0.63.0 to 0.69.4 in /yjit/bindgen #10980

Bump bindgen from 0.63.0 to 0.69.4 in /yjit/bindgen #10980

Uh oh!

Conversation

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!