Don't use oldtime feature of chrono (#9577)

<!--
if this PR closes one or more issues, you can automatically link the PR
with
them by using one of the [*linking
keywords*](https://docs.github.com/en/issues/tracking-your-work-with-issues/linking-a-pull-request-to-an-issue#linking-a-pull-request-to-an-issue-using-a-keyword),
e.g.
- this PR should close #xxxx
- fixes #xxxx

you can also mention related issues, PRs or discussions!
-->

# Description
`chrono` crate enables `oldtime` feature by default, which has a
vulnerability (https://rustsec.org/advisories/RUSTSEC-2020-0071). This
PR tries to remove `time` v0.1.45 completely from nu and add an audit CI
to check for security vulnerabilities.

 Wait for the following PRs:
- [x] https://github.com/nushell/reedline/pull/599
- [x] https://github.com/bspeice/dtparse/pull/44
- [x] https://github.com/Byron/trash-rs/pull/75
- [x] https://gitlab.com/imp/chrono-humanize-rs/-/merge_requests/15

# User-Facing Changes
<!-- List of all changes that impact the user experience here. This
helps us keep track of breaking changes. -->

# Tests + Formatting
<!--
Don't forget to add tests that cover your changes.

Make sure you've run and fixed any issues with these commands:

- `cargo fmt --all -- --check` to check standard code formatting (`cargo
fmt --all` applies these changes)
- `cargo clippy --workspace -- -D warnings -D clippy::unwrap_used -A
clippy::needless_collect -A clippy::result_large_err` to check that
you're using the standard code style
- `cargo test --workspace` to check that all tests pass
- `cargo run -- crates/nu-std/tests/run.nu` to run the tests for the
standard library

> **Note**
> from `nushell` you can also use the `toolkit` as follows
> ```bash
> use toolkit.nu # or use an `env_change` hook to activate it
automatically
> toolkit check pr
> ```
-->

# After Submitting
<!-- If your PR had any user-facing changes, update [the
documentation](https://github.com/nushell/nushell.github.io) after the
PR is merged, if necessary. This will help us keep the docs up to date.
-->

---------

Co-authored-by: sholderbach <sholderbach@users.noreply.github.com>
This commit is contained in:
nibon7 2023-08-25 16:54:01 +08:00 committed by GitHub
parent e25a795cf6
commit 27dcc3ecc3
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 37 additions and 32 deletions

25
.github/workflows/audit.yml vendored Normal file
View File

@ -0,0 +1,25 @@
name: Security audit
on:
pull_request:
paths:
- '**/Cargo.toml'
- '**/Cargo.lock'
push:
branches:
- main
env:
RUST_BACKTRACE: 1
CARGO_TERM_COLOR: always
CLICOLOR: 1
jobs:
security_audit:
runs-on: ubuntu-latest
# Prevent sudden announcement of a new advisory from failing ci:
continue-on-error: true
steps:
- uses: actions/checkout@v3
- uses: rustsec/audit-check@v1.4.1
with:
token: ${{ secrets.GITHUB_TOKEN }}

38
Cargo.lock generated
View File

@ -568,20 +568,17 @@ checksum = "ec837a71355b28f6556dbd569b37b3f363091c0bd4b2e735674521b4c5fd9bc5"
dependencies = [ dependencies = [
"android-tzdata", "android-tzdata",
"iana-time-zone", "iana-time-zone",
"js-sys",
"num-traits", "num-traits",
"pure-rust-locales", "pure-rust-locales",
"serde", "serde",
"time 0.1.45",
"wasm-bindgen",
"winapi", "winapi",
] ]
[[package]] [[package]]
name = "chrono-humanize" name = "chrono-humanize"
version = "0.2.2" version = "0.2.3"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "32dce1ea1988dbdf9f9815ff11425828523bd2a134ec0805d2ac8af26ee6096e" checksum = "799627e6b4d27827a814e837b9d8a504832086081806d45b1afa34dc982b023b"
dependencies = [ dependencies = [
"chrono", "chrono",
] ]
@ -1087,9 +1084,9 @@ dependencies = [
[[package]] [[package]]
name = "dtparse" name = "dtparse"
version = "1.5.0" version = "2.0.0"
source = "registry+https://github.com/rust-lang/crates.io-index" source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "68235de3c014ade82e550337b2c88a2a884361793ed3be2d74ee703bd810e401" checksum = "458c7cfe1c34b1ef7c2c435076064711050aedabae9952a261687c500f80e839"
dependencies = [ dependencies = [
"chrono", "chrono",
"lazy_static", "lazy_static",
@ -1490,7 +1487,7 @@ dependencies = [
"cfg-if", "cfg-if",
"js-sys", "js-sys",
"libc", "libc",
"wasi 0.11.0+wasi-snapshot-preview1", "wasi",
"wasm-bindgen", "wasm-bindgen",
] ]
@ -2407,7 +2404,7 @@ checksum = "927a765cd3fc26206e66b296465fa9d3e5ab003e651c1b3c060e7956d96b19d2"
dependencies = [ dependencies = [
"libc", "libc",
"log", "log",
"wasi 0.11.0+wasi-snapshot-preview1", "wasi",
"windows-sys 0.48.0", "windows-sys 0.48.0",
] ]
@ -2603,7 +2600,7 @@ dependencies = [
"signal-hook", "signal-hook",
"simplelog", "simplelog",
"tempfile", "tempfile",
"time 0.3.22", "time",
"winresource", "winresource",
] ]
@ -4679,7 +4676,7 @@ checksum = "970538704756fd0bb4ec8cb89f80674afb661e7c0fe716f9ba5be57717742300"
dependencies = [ dependencies = [
"const_format", "const_format",
"is_debug", "is_debug",
"time 0.3.22", "time",
] ]
[[package]] [[package]]
@ -4760,7 +4757,7 @@ checksum = "acee08041c5de3d5048c8b3f6f13fafb3026b24ba43c6a695a0c76179b844369"
dependencies = [ dependencies = [
"log", "log",
"termcolor", "termcolor",
"time 0.3.22", "time",
] ]
[[package]] [[package]]
@ -5157,17 +5154,6 @@ dependencies = [
"once_cell", "once_cell",
] ]
[[package]]
name = "time"
version = "0.1.45"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1b797afad3f312d1c66a56d11d0316f916356d11bd158fbc6ca6389ff6bf805a"
dependencies = [
"libc",
"wasi 0.10.0+wasi-snapshot-preview1",
"winapi",
]
[[package]] [[package]]
name = "time" name = "time"
version = "0.3.22" version = "0.3.22"
@ -5612,12 +5598,6 @@ dependencies = [
"try-lock", "try-lock",
] ]
[[package]]
name = "wasi"
version = "0.10.0+wasi-snapshot-preview1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1a143597ca7c7793eff794def352d41792a93c481eb1042423ff7ff72ba2c31f"
[[package]] [[package]]
name = "wasi" name = "wasi"
version = "0.11.0+wasi-snapshot-preview1" version = "0.11.0+wasi-snapshot-preview1"

View File

@ -34,13 +34,13 @@ byteorder = "1.4"
bytesize = "1.2" bytesize = "1.2"
calamine = "0.21" calamine = "0.21"
chrono = { version = "0.4", features = ["std", "unstable-locales"], default-features = false } chrono = { version = "0.4", features = ["std", "unstable-locales"], default-features = false }
chrono-humanize = "0.2" chrono-humanize = "0.2.3"
chrono-tz = "0.8" chrono-tz = "0.8"
crossterm = "0.26" crossterm = "0.26"
csv = "1.2" csv = "1.2"
dialoguer = { default-features = false, features = ["fuzzy-select"], version = "0.10" } dialoguer = { default-features = false, features = ["fuzzy-select"], version = "0.10" }
digest = { default-features = false, version = "0.10" } digest = { default-features = false, version = "0.10" }
dtparse = "1.5" dtparse = "2.0"
encoding_rs = "0.8" encoding_rs = "0.8"
fancy-regex = "0.11" fancy-regex = "0.11"
filesize = "0.2" filesize = "0.2"

View File

@ -28,7 +28,7 @@ libproc = "0.14"
mach2 = "0.4" mach2 = "0.4"
[target.'cfg(target_os = "windows")'.dependencies] [target.'cfg(target_os = "windows")'.dependencies]
chrono = "0.4" chrono = { version = "0.4", default-features = false }
ntapi = "0.4" ntapi = "0.4"
once_cell = "1.18" once_cell = "1.18"
winapi = { version = "0.3", features = [ winapi = { version = "0.3", features = [