Skip to content

gitoxide

vgix-discover-v0.52.0 scope: gix-discover Security

This release includes 1 security fix for security teams reviewing exposed deployments.

Published 9d Version Control
✓ No known CVEs patched
Read the diff → Tool health → What is this tool? →
This release patches 1 known CVE

Topics

blazingly-fast built-with-rust cli git version-control

ReleasePort's take

Moderate signal
editorial:auto 8d

The gix‑fs module resolves a symlink prefix reuse and worktree escape vulnerability.

Why it matters: Fixes a critical security flaw (severity 95) affecting any deployment using gix‑fs; upgrade immediately.

Summary

AI summary

Updates Commit Details, Commit Statistics, and https://www.conventionalcommits.org across a mixed release.

Changes in this release

Security Critical

Fixes symlink prefix reuse and worktree escape vulnerability.

Fixes symlink prefix reuse and worktree escape vulnerability.

Source: llm_adapter@2026-05-26

Confidence: high
Feature Low

Release gix-fs v0.21.1.

Release gix-fs v0.21.1.

Source: llm_adapter@2026-05-26

Confidence: high
Dependency Low

Update crates to Rust 2024 edition.

Update crates to Rust 2024 edition.

Source: llm_adapter@2026-05-26

Confidence: high
Dependency Low

Raise MSRV for hash dependency updates.

Raise MSRV for hash dependency updates.

Source: llm_adapter@2026-05-26

Confidence: high
Refactor Low

Cleanup `sha1` feature in `gix` to just set what's needed.

Cleanup `sha1` feature in `gix` to just set what's needed.

Source: llm_adapter@2026-05-26

Confidence: high
Refactor Low

Remove rust_2018_idioms lint declarations.

Remove rust_2018_idioms lint declarations.

Source: llm_adapter@2026-05-26

Confidence: high
Full changelog

Commit Statistics

  • 12 commits contributed to the release over the course of 28 calendar days.
  • 28 days passed between releases.
  • 0 commits were understood as conventional.
  • 0 issues like '(#ID)' were seen in commit messages

Commit Details

view details
  • Uncategorized
    • Merge pull request #2573 from cruessler/run-gix-traverse-tests-with-sha-256 (278d7ec)
    • Cleanup sha1 feature in gix to just set what's needed. (16a6fc4)
    • Merge pull request #2575 from SarthakB11/fix/issue-2316 (4743361)
    • Review (1980190)
    • Document why each fixture archive is .gitignored (e3d5a04)
    • Merge pull request #2568 from GitoxideLabs/dependabot/cargo/cargo-56d6b174d8 (ab2fee1)
    • Update crates to Rust 2024 edition (2cb17b2)
    • Remove rust_2018_idioms lint declarations (e10d5f6)
    • Raise MSRV for hash dependency updates (3675a8d)
    • Merge pull request #2559 from GitoxideLabs/fix/symlink-prefix-reuse-worktree-escape-ghsa-f89h-2fjh-2r9q (3af9b4a)
    • Release gix-fs v0.21.1 (d3e4c17)
    • Merge pull request #2546 from GitoxideLabs/fix-2545 (adb8328)

Security Fixes

  • Merge pull request #2559 – fixes symlink prefix reuse worktree escape (GHSA‑F89H‑2FJH‑2R9Q)
View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track gitoxide

Get notified when new releases ship.

Sign up free

About gitoxide

An idiomatic, lean, fast & safe pure Rust implementation of Git

All releases →

Related context

Earlier breaking changes

  • vgix-v0.84.0 Allow checkouts of empty repositories; `destination_must_be_empty` becomes `Option<bool>`
  • vgix-worktree-stream-v0.33.0 Changes API of `Stream::add_entry_from_path` to require `hash_kind` argument.
  • vgix-object-v0.61.0 Renames `Data::hash_kind` to `Data::object_hash` for consistency.

Beta — feedback welcome: [email protected]