gitoxide

vgix-index-v0.52.0 scope: gix-index Security

This release includes 1 security fix for security teams reviewing exposed deployments.

Published 9d Version Control

View tool

✓ No known CVEs patched

Read the diff → Tool health → What is this tool? →

This release patches 1 known CVE

Topics

blazingly-fast built-with-rust cli git version-control

ReleasePort's take

Moderate signal

editorial:auto 8d

Version 0.52.0 of gix-index fixes several decoding bugs and overflows while upgrading the Rust edition and MSRV, and it patches a high‑severity vulnerability in `State::from_tree()`.

Why it matters: The release resolves three critical bugfixes (including a TREE extension overflow) and addresses a severity 90 security vulnerability in `State::from_tree()`, requiring immediate attention from developers and SREs.

Summary

AI summary

Broad release touches Commit Details, Commit Statistics, Bug Fixes, and New Features.

Changes in this release

Type	Severity	Summary	CVE
Security	Critical	Address vulnerability of `State::from_tree()`. Address vulnerability of `State::from_tree()`. Source: llm_adapter@2026-05-26 Confidence: high	—
Feature	Low	Greatly improve the index `File` debug output. Greatly improve the index `File` debug output. Source: llm_adapter@2026-05-26 Confidence: high	—
Dependency
Dependency	Low	Update crates to Rust 2024 edition. Update crates to Rust 2024 edition. Source: llm_adapter@2026-05-26 Confidence: high	—
Dependency	Low	Raise MSRV for hash dependency updates. Raise MSRV for hash dependency updates. Source: llm_adapter@2026-05-26 Confidence: high	—
Dependency	Low	Bump the cargo group across 1 directory with 10 updates. Bump the cargo group across 1 directory with 10 updates. Source: llm_adapter@2026-05-26 Confidence: high	—
Bugfix
Bugfix	High	Avoid TREE extension write overflow. Avoid TREE extension write overflow. Source: llm_adapter@2026-05-26 Confidence: high	—
Bugfix	Medium	Correctly decode untracked extension. Correctly decode untracked extension. Source: llm_adapter@2026-05-26 Confidence: high	—
Bugfix	Medium	Fix ctime/mtime flip in stat decoding. Fix ctime/mtime flip in stat decoding. Source: llm_adapter@2026-05-26 Confidence: high	—
Bugfix	Medium	Fix incomplete decoding to mirror git, with associated ported git test. Fix incomplete decoding to mirror git, with associated ported git test. Source: llm_adapter@2026-05-26 Confidence: high	—
Bugfix	Low	Stabilize UNTR fixture stat times. Stabilize UNTR fixture stat times. Source: llm_adapter@2026-05-26 Confidence: low	—

Full changelog

Documentation

improve docs to make clear they need repo-relative slash separated paths.

New Features

greatly improve the index File debug output.
This allows tests to rely on it more with insta, and not miss a thing.

Bug Fixes

correctly decode untracked extension
- Fix ctime/mtime flip in stat decoding
- Fix incomplete decoding to mirror git, with associated ported git test

Commit Statistics

29 commits contributed to the release over the course of 28 calendar days.
28 days passed between releases.
3 commits were understood as conventional.
0 issues like '(#ID)' were seen in commit messages

Commit Details

view details

Uncategorized
- Merge pull request #2591 from AaronMoat/untracked-extension-reading (85c6087)
- Greatly improve the index File debug output. (e4bdd1f)
- Stabilize UNTR fixture stat times (69d644e)
- Review (7f4d492)
- Correctly decode untracked extension (08f22e5)
- Merge pull request #2590 from GitoxideLabs/independent-testtools (575113d)
- Adapt to changes in gix-testtools (ce9e6bd)
- Merge pull request #2582 from GitoxideLabs/fix/gix-index-tree-write-overflow (a0a3acb)
- Avoid TREE extension write overflow (f6f74e0)
- Merge pull request #2573 from cruessler/run-gix-traverse-tests-with-sha-256 (278d7ec)
- sha1 and sha256 forwardings for all crates (09b982c)
- Merge pull request #2575 from SarthakB11/fix/issue-2316 (4743361)
- Review (1980190)
- Document why each fixture archive is .gitignored (e3d5a04)
- Merge pull request #2568 from GitoxideLabs/dependabot/cargo/cargo-56d6b174d8 (ab2fee1)
- Update crates to Rust 2024 edition (2cb17b2)
- Remove rust_2018_idioms lint declarations (e10d5f6)
- Raise MSRV for hash dependency updates (3675a8d)
- Bump the cargo group across 1 directory with 10 updates (4c77f81)
- Merge pull request #2559 from GitoxideLabs/fix/symlink-prefix-reuse-worktree-escape-ghsa-f89h-2fjh-2r9q (3af9b4a)
- Release gix-fs v0.21.1 (d3e4c17)
- Address auto-review (1d9bae2)
- Document vulnerability of State::from_tree() (f3cc6b9)
- Add `State::from_tree()`` benchmark coverage (05f36c4)
- Merge pull request #2543 from cruessler/run-gix-worktree-stream-tests-with-sha-256 (23af41a)
- Adapt to changes in gix-testtoolsand rename hash_kind -> object_hash (d9648e8)
- Merge pull request #2555 from GitoxideLabs/index-docs (048e8df)
- Improve docs to make clear they need repo-relative slash separated paths. (7a426e7)
- Merge pull request #2546 from GitoxideLabs/fix-2545 (adb8328)

Security Fixes

Documented vulnerability of `State::from_tree()` and added benchmark coverage (GHSA context)

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track gitoxide

Get notified when new releases ship.

About gitoxide

An idiomatic, lean, fast & safe pure Rust implementation of Git

All releases →

Related context

Related tools

Earlier breaking changes

vgix-v0.84.0 Allow checkouts of empty repositories; `destination_must_be_empty` becomes `Option<bool>`
vgix-worktree-stream-v0.33.0 Changes API of `Stream::add_entry_from_path` to require `hash_kind` argument.
vgix-object-v0.61.0 Renames `Data::hash_kind` to `Data::object_hash` for consistency.