Update gix 0.70 to avoid RUSTSEC-2025-0001 (#742)

Fixes https://osv.dev/vulnerability/RUSTSEC-2025-0001

Depends on EmbarkStudios/tame-index#78

---------

Co-authored-by: Jake Shadle <[email protected]>

Cargo.toml

@@ -105,7 +105,7 @@ spdx = "0.10"
 # Lazy
 strum = { version = "0.26", features = ["derive"] }
 # Index retrieval and querying
-tame-index = { version = "0.16", default-features = false, features = [
+tame-index = { version = "0.17", default-features = false, features = [
   "git",
   "local",
   "sparse",
@@ -116,7 +116,7 @@ time = { version = "0.3", default-features = false, features = [
   "macros",
 ] }
 # Deserialization of configuration files and crate manifests
-toml-span = { version = "0.3", features = ["reporting"] }
+toml-span = { version = "0.4", features = ["reporting"] }
 # Small fast hash crate
 twox-hash = { version = "2.0", default-features = false, features = ["xxhash32"] }
 # Url parsing/manipulation
@@ -126,7 +126,7 @@ walkdir = "2.3"
 
 # We clone/fetch advisory databases
 [dependencies.gix]
-version = "0.68"
+version = "0.70"
 default-features = false
 features = [
   "blocking-http-transport-reqwest",
@@ -140,9 +140,9 @@ features = [
 fs_extra = "1.3"
 # Snapshot testing
 insta = { version = "1.41", features = ["json"] }
-tame-index = { version = "0.16", features = ["local-builder"] }
+tame-index = { version = "0.17", features = ["local-builder"] }
 time = { version = "0.3", features = ["serde"] }
-toml-span = { version = "0.3", features = ["serde"] }
+toml-span = { version = "0.4", features = ["serde"] }
 # We use this for creating fake crate directories for crawling license files on disk
 tempfile = "3.14"
 # divan = "0.1"

src/advisories/helpers/db.rs

@@ -407,10 +407,10 @@ fn fetch_via_gix(url: &Url, db_path: &Path) -> anyhow::Result<()> {
         .ok()
         .map(|repo| repo.to_thread_local())
         .filter(|repo| {
-            repo.find_remote("origin").map_or(false, |remote| {
+            repo.find_remote("origin").is_ok_and(|remote| {
                 remote
                     .url(DIR)
-                    .map_or(false, |remote_url| remote_url.to_bstring() == url.as_str())
+                    .is_some_and(|remote_url| remote_url.to_bstring() == url.as_str())
             })
         })
         .or_else(|| gix::open_opts(db_path, open_with_complete_config).ok());

src/bans/cfg.rs

@@ -499,7 +499,7 @@ impl crate::cfg::UnvalidatedConfig for Config {
                         }
                     }
 
-                    if dmv.map_or(false, |d| d.value) {
+                    if dmv.is_some_and(|d| d.value) {
                         dmulti.push(spec);
                         continue;
                     }

src/cargo-deny/stats.rs

@@ -77,7 +77,7 @@ fn stats_to_exit_code(stats: AllStats) -> Option<i32> {
         .into_iter()
         .enumerate()
         .fold(0, |mut acc, (i, stats)| {
-            if stats.map_or(false, |s| s.errors > 0) {
+            if stats.is_some_and(|s| s.errors > 0) {
                 acc |= 1 << i;
             }
             acc

src/diag/krate_spans.rs

@@ -792,7 +792,7 @@ fn read_workspace_deps<'k>(
                         }
                     } else if dir
                         .strip_prefix(krates.workspace_root())
-                        .map_or(false, |dir| dir != path)
+                        .is_ok_and(|dir| dir != path)
                     {
                         return None;
                     }

src/lib.rs

@@ -61,6 +61,7 @@ macro_rules! enum_deser {
                     return Err(toml_span::Error::from((
                         toml_span::ErrorKind::UnexpectedValue {
                             expected: <$enum as VariantNames>::VARIANTS,
+                            value: None,
                         },
                         value.span,
                     ))
@@ -134,9 +135,9 @@ impl Source {
             "registry" => {
                 if url_str == tame_index::CRATES_IO_INDEX {
                     // registry/src/index.crates.io-6f17d22bba15001f/crate-version/Cargo.toml
-                    let is_sparse = manifest_path.ancestors().nth(2).map_or(false, |dir| {
+                    let is_sparse = manifest_path.ancestors().nth(2).is_some_and(|dir| {
                         dir.file_name()
-                            .map_or(false, |dir_name| dir_name == CRATES_IO_SPARSE_DIR)
+                            .is_some_and(|dir_name| dir_name == CRATES_IO_SPARSE_DIR)
                     });
                     Ok(Self::crates_io(is_sparse))
                 } else {
@@ -359,7 +360,7 @@ impl Krate {
     /// Returns true if the crate is marked as `publish = false`, or
     /// it is only published to the specified private registries
     pub(crate) fn is_private(&self, private_registries: &[&str]) -> bool {
-        self.publish.as_ref().map_or(false, |v| {
+        self.publish.as_ref().is_some_and(|v| {
             if v.is_empty() {
                 true
             } else {
@@ -395,17 +396,17 @@ impl Krate {
 
     #[inline]
     pub(crate) fn is_crates_io(&self) -> bool {
-        self.source.as_ref().map_or(false, |src| src.is_crates_io())
+        self.source.as_ref().is_some_and(|src| src.is_crates_io())
     }
 
     #[inline]
     pub(crate) fn is_git_source(&self) -> bool {
-        self.source.as_ref().map_or(false, |src| src.is_git())
+        self.source.as_ref().is_some_and(|src| src.is_git())
     }
 
     #[inline]
     pub(crate) fn is_registry(&self) -> bool {
-        self.source.as_ref().map_or(false, |src| src.is_registry())
+        self.source.as_ref().is_some_and(|src| src.is_registry())
     }
 }
 

src/licenses/gather.rs

@@ -41,9 +41,8 @@ fn find_license_files(dir: &Path) -> Result<Vec<PathBuf>, std::io::Error> {
                 };
 
                 if p.is_file()
-                    && p.file_name().map_or(false, |f| {
-                        f.starts_with("LICENSE") || f.starts_with("COPYING")
-                    })
+                    && p.file_name()
+                        .is_some_and(|f| f.starts_with("LICENSE") || f.starts_with("COPYING"))
                 {
                     Some(p.strip_prefix(dir).unwrap().to_owned())
                 } else {
@@ -488,7 +487,7 @@ impl Gatherer {
         let files_lock = std::sync::Arc::new(parking_lot::RwLock::new(files));
 
         // Most users will not care about licenses for dev dependencies
-        let krates = if cfg.map_or(false, |cfg| cfg.include_dev) {
+        let krates = if cfg.is_some_and(|cfg| cfg.include_dev) {
             krates.krates().collect()
         } else {
             krates.krates_filtered(krates::DepKind::Dev)

tests/advisories.rs

@@ -165,7 +165,7 @@ ignore = [
         .filter(|v| {
             v.pointer("/fields/code")
                 .and_then(|s| s.as_str())
-                .map_or(false, |s| s == "advisory-ignored")
+                .is_some_and(|s| s == "advisory-ignored")
         })
         .collect();
 
@@ -228,7 +228,7 @@ fn detects_yanked() {
             .filter(|v| {
                 v.pointer("/fields/message")
                     .and_then(|v| v.as_str())
-                    .map_or(false, |v| v.starts_with("detected yanked crate"))
+                    .is_some_and(|v| v.starts_with("detected yanked crate"))
             })
             .collect();
 
@@ -264,7 +264,7 @@ ignore = [
             .filter(|v| {
                 v.pointer("/fields/message")
                     .and_then(|v| v.as_str())
-                    .map_or(false, |v| {
+                    .is_some_and(|v| {
                         v.starts_with("detected yanked crate") || v.starts_with("yanked crate")
                     })
             })
@@ -695,7 +695,7 @@ fn crates_io_source_replacement() {
         .filter(|v| {
             v.pointer("/fields/message")
                 .and_then(|v| v.as_str())
-                .map_or(false, |v| v.starts_with("detected yanked crate"))
+                .is_some_and(|v| v.starts_with("detected yanked crate"))
         })
         .collect();