This release keeps dependencies and maintenance posture current for teams operating this tool.
✓ No known CVEs patched in this version
Topics
ReleasePort's take
Light signalThe release fixes a symlink prefix reuse and worktree escape vulnerability in gix‑worktree stream tests. It also updates all crates to the Rust 2024 edition and raises the MSRV for hash dependency updates.
Why it matters: Addresses a security‑critical bug (severity 40) affecting gix‑worktree streams; upgrading resolves the vulnerability. Updating to Rust 2024 edition requires projects to meet the raised minimum supported Rust version for hash dependencies.
Summary
AI summaryUpdates Commit Details, Commit Statistics, and https://www.conventionalcommits.org across a mixed release.
Changes in this release
| Type | Severity | Summary | CVE |
|---|---|---|---|
| Feature | Low |
Runs gix‑traverse tests with SHA‑256. Runs gix‑traverse tests with SHA‑256. Source: llm_adapter@2026-05-26 Confidence: high |
— |
| Feature | Low |
Runs gix‑worktree stream tests with SHA‑256. Runs gix‑worktree stream tests with SHA‑256. Source: llm_adapter@2026-05-26 Confidence: high |
— |
| Feature | Low |
Releases gix‑fs v0.21.1. Releases gix‑fs v0.21.1. Source: llm_adapter@2026-05-26 Confidence: high |
— |
| Dependency | Low |
Updates crates to Rust 2024 edition. Updates crates to Rust 2024 edition. Source: llm_adapter@2026-05-26 Confidence: high |
— |
| Dependency | Low |
Raises MSRV for hash dependency updates. Raises MSRV for hash dependency updates. Source: llm_adapter@2026-05-26 Confidence: high |
— |
| Bugfix | Medium |
Fixes symlink prefix reuse and worktree escape vulnerability. Fixes symlink prefix reuse and worktree escape vulnerability. Source: llm_adapter@2026-05-26 Confidence: low |
— |
| Bugfix | Medium |
Adapts to changes in `gix_object::Data`. Adapts to changes in `gix_object::Data`. Source: llm_adapter@2026-05-26 Confidence: low |
— |
| Refactor | Low |
Adds `sha1` and `sha256` forwardings for all crates. Adds `sha1` and `sha256` forwardings for all crates. Source: llm_adapter@2026-05-26 Confidence: high |
— |
| Refactor | Low |
Removes `rust_2018_idioms` lint declarations. Removes `rust_2018_idioms` lint declarations. Source: llm_adapter@2026-05-26 Confidence: high |
— |
Full changelog
Commit Statistics
- 11 commits contributed to the release over the course of 28 calendar days.
- 28 days passed between releases.
- 0 commits were understood as conventional.
- 0 issues like '(#ID)' were seen in commit messages
Commit Details
view details- Uncategorized
- Merge pull request #2573 from cruessler/run-gix-traverse-tests-with-sha-256 (278d7ec)
sha1andsha256forwardings for all crates (09b982c)- Merge pull request #2568 from GitoxideLabs/dependabot/cargo/cargo-56d6b174d8 (ab2fee1)
- Update crates to Rust 2024 edition (2cb17b2)
- Remove rust_2018_idioms lint declarations (e10d5f6)
- Raise MSRV for hash dependency updates (3675a8d)
- Merge pull request #2559 from GitoxideLabs/fix/symlink-prefix-reuse-worktree-escape-ghsa-f89h-2fjh-2r9q (3af9b4a)
- Release gix-fs v0.21.1 (d3e4c17)
- Merge pull request #2543 from cruessler/run-gix-worktree-stream-tests-with-sha-256 (23af41a)
- Adapt to changes in
gix_object::Data(4309fa4) - Merge pull request #2546 from GitoxideLabs/fix-2545 (adb8328)
Weekly OSS security release digest.
The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.
No spam, unsubscribe anytime.
Share this release
Related context
Related tools
Earlier breaking changes
- vgix-v0.84.0 Allow checkouts of empty repositories; `destination_must_be_empty` becomes `Option<bool>`
- vgix-worktree-stream-v0.33.0 Changes API of `Stream::add_entry_from_path` to require `hash_kind` argument.
- vgix-object-v0.61.0 Renames `Data::hash_kind` to `Data::object_hash` for consistency.
Beta — feedback welcome: [email protected]