gitoxide

vgix-worktree-state-v0.31.0 scope: gix-worktree-state Security

This release includes 1 security fix for security teams reviewing exposed deployments.

Published 9d Version Control

View tool

✓ No known CVEs patched

Read the diff → Tool health → What is this tool? →

This release patches 1 known CVE

Topics

blazingly-fast built-with-rust cli git version-control

ReleasePort's take

Moderate signal

editorial:auto 8d

The release fixes a critical symlink prefix reuse and worktree escape vulnerability in the `gix` crate (GHSA-f89h-2fjh-2r9q).

Why it matters: Severity 90 security fix addresses a high‑impact GHSA vulnerability; upgrade immediately to prevent exploitation.

Summary

AI summary

Broad release touches Commit Details, Commit Statistics, https://www.conventionalcommits.org, and 575113d.

Changes in this release

Type	Severity	Summary	CVE
Security	Critical	Fix symlink prefix reuse and worktree escape vulnerability (GHSA-f89h-2fjh-2r9q). Fix symlink prefix reuse and worktree escape vulnerability (GHSA-f89h-2fjh-2r9q). Source: llm_adapter@2026-05-26 Confidence: high	—
Feature	Low	Release gix-fs v0.21.1. Release gix-fs v0.21.1. Source: llm_adapter@2026-05-26 Confidence: high	—
Dependency
Dependency	Low	Raise MSRV for hash dependency updates. Raise MSRV for hash dependency updates. Source: llm_adapter@2026-05-26 Confidence: high	—
Dependency	Low	Update crates to Rust 2024 edition. Update crates to Rust 2024 edition. Source: llm_adapter@2026-05-26 Confidence: low	—
Dependency	Low	Update crates via Dependabot cargo action. Update crates via Dependabot cargo action. Source: llm_adapter@2026-05-26 Confidence: low	—
Bugfix
Bugfix	Medium	Stabilize filter-driver example use in parallel tests to remove flake. Stabilize filter-driver example use in parallel tests to remove flake. Source: llm_adapter@2026-05-26 Confidence: high	—
Bugfix	Medium	Fix status handling in unborn repository. Fix status handling in unborn repository. Source: llm_adapter@2026-05-26 Confidence: high	—
Bugfix	Medium	Fix issue #2545. Fix issue #2545. Source: llm_adapter@2026-05-26 Confidence: high	—
Refactor	Low	Cleanup `sha1` feature in `gix` to just set what's needed. Cleanup `sha1` feature in `gix` to just set what's needed. Source: llm_adapter@2026-05-26 Confidence: high	—
Refactor	Low	Remove rust_2018_idioms lint declarations. Remove rust_2018_idioms lint declarations. Source: llm_adapter@2026-05-26 Confidence: high	—

Full changelog

Commit Statistics

16 commits contributed to the release over the course of 28 calendar days.
28 days passed between releases.
0 commits were understood as conventional.
0 issues like '(#ID)' were seen in commit messages

Commit Details

view details

Uncategorized
- Merge pull request #2590 from GitoxideLabs/independent-testtools (575113d)
- Adapt to changes in gix-testtools (ce9e6bd)
- Merge pull request #2589 from GitoxideLabs/fix-status-in-unborn-repo (ba7d9a4)
- Stabilize filter-driver example use in parallel tests to remove flake (db16a05)
- Merge pull request #2573 from cruessler/run-gix-traverse-tests-with-sha-256 (278d7ec)
- Cleanup sha1 feature in gix to just set what's needed. (16a6fc4)
- Merge pull request #2575 from SarthakB11/fix/issue-2316 (4743361)
- Review (1980190)
- Document why each fixture archive is .gitignored (e3d5a04)
- Merge pull request #2568 from GitoxideLabs/dependabot/cargo/cargo-56d6b174d8 (ab2fee1)
- Update crates to Rust 2024 edition (2cb17b2)
- Remove rust_2018_idioms lint declarations (e10d5f6)
- Raise MSRV for hash dependency updates (3675a8d)
- Merge pull request #2559 from GitoxideLabs/fix/symlink-prefix-reuse-worktree-escape-ghsa-f89h-2fjh-2r9q (3af9b4a)
- Release gix-fs v0.21.1 (d3e4c17)
- Merge pull request #2546 from GitoxideLabs/fix-2545 (adb8328)

Security Fixes

Fix symlink prefix reuse to prevent worktree escape (GHSA f89h‑2fjh‑2r9q)

View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track gitoxide

Get notified when new releases ship.

About gitoxide

An idiomatic, lean, fast & safe pure Rust implementation of Git

All releases →

Related context

Related tools

Earlier breaking changes

vgix-v0.84.0 Allow checkouts of empty repositories; `destination_must_be_empty` becomes `Option<bool>`
vgix-worktree-stream-v0.33.0 Changes API of `Stream::add_entry_from_path` to require `hash_kind` argument.
vgix-object-v0.61.0 Renames `Data::hash_kind` to `Data::object_hash` for consistency.