Skip to content

Update Rust crate cxx to v1.0.195 [SECURITY]#8653

Merged
robert3005 merged 1 commit into
developfrom
renovate/crate-cxx-vulnerability
Jul 6, 2026
Merged

Update Rust crate cxx to v1.0.195 [SECURITY]#8653
robert3005 merged 1 commit into
developfrom
renovate/crate-cxx-vulnerability

Conversation

@renovate

@renovate renovate Bot commented Jul 5, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Type Update Change
cxx (source) dependencies patch 1.0.1941.0.195

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


let_cxx_string! uses uninitialized value due to exception safety violations

RUSTSEC-2026-0202

More information

Details

In affected versions of this crate, let_cxx_string! is not exception safe. After creating the StackString, if match $value panics, the content of StackString is not yet initialized, while the drop implementation of StackString unconditionally deinitializes the content, leading to use of uninitialized value.

The soundness issue was fixed in version 1.0.195 by moving drop logics to separate drop guard after initializing the StackString.

Severity

Unknown

References

This data is provided by OSV and the Rust Advisory Database (CC0 1.0).


Release Notes

dtolnay/cxx (cxx)

v1.0.195

Compare Source

  • Fix use of uninitialized value in let_cxx_string! on panic inside initialization expression (#​1729, #​1731)

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot requested a review from a team July 5, 2026 09:35
@renovate renovate Bot added the changelog/chore A trivial change label Jul 5, 2026
@codspeed-hq

codspeed-hq Bot commented Jul 5, 2026

Copy link
Copy Markdown

Merging this PR will not alter performance

⚠️ Unknown Walltime execution environment detected

Using the Walltime instrument on standard Hosted Runners will lead to inconsistent data.

For the most accurate results, we recommend using CodSpeed Macro Runners: bare-metal machines fine-tuned for performance measurement consistency.

⚡ 5 improved benchmarks
❌ 2 regressed benchmarks
✅ 1590 untouched benchmarks
⏩ 4 skipped benchmarks1

Warning

Please fix the performance issues or acknowledge them on CodSpeed.

Performance Changes

Mode Benchmark BASE HEAD Efficiency
Simulation chunked_varbinview_into_canonical[(1000, 10)] 169.9 µs 206 µs -17.53%
Simulation bitwise_not_vortex_buffer_mut[128] 244.4 ns 273.6 ns -10.66%
Simulation chunked_varbinview_canonical_into[(1000, 10)] 190.6 µs 154.7 µs +23.14%
Simulation encode_varbin[(1000, 32)] 164.7 µs 144.3 µs +14.17%
Simulation encode_varbin[(1000, 8)] 158 µs 139.1 µs +13.57%
Simulation encode_varbin[(1000, 4)] 153.1 µs 138.6 µs +10.44%
Simulation encode_varbin[(1000, 2)] 152.3 µs 138.4 µs +10.11%

Tip

Investigate this regression by commenting @codspeedbot fix this regression on this PR, or directly use the CodSpeed MCP with your agent.


Comparing renovate/crate-cxx-vulnerability (943db82) with develop (f8b18d9)

Open in CodSpeed

Footnotes

  1. 4 benchmarks were skipped, so the baseline results were used instead. If they were deleted from the codebase, click here and archive them to remove them from the performance reports.

@robert3005 robert3005 enabled auto-merge (squash) July 6, 2026 10:21
@robert3005 robert3005 merged commit a390ad2 into develop Jul 6, 2026
79 of 83 checks passed
@robert3005 robert3005 deleted the renovate/crate-cxx-vulnerability branch July 6, 2026 10:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

changelog/chore A trivial change

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant