forgejo-contrib/forgejo-cli
20
408
Fork
You've already forked forgejo-cli
51

Update Rust crate open to v5.4.0 #566

Open
viceice-bot wants to merge 1 commit from renovate/open-5.x-lockfile into main
pull from: renovate/open-5.x-lockfile
merge into: forgejo-contrib:main
forgejo-contrib:main
forgejo-contrib:renovate/comrak-0.x
forgejo-contrib:renovate/uuid-1.x-lockfile
forgejo-contrib:renovate/lock-file-maintenance
forgejo-contrib:docs/contributing
forgejo-contrib:no-port-in-refspec
forgejo-contrib:login/v16.next.forgejo.org
forgejo-contrib:crates-io-publish
forgejo-contrib:0.5.x
forgejo-contrib:compile-time-fluent
forgejo-contrib:0.4.x
forgejo-contrib:localization-alias-demo
forgejo-contrib:api_url_field

This PR contains the following updates:

Package Type Update Change
open dependencies minor 5.3.65.4.0

Release Notes

Byron/open-rs (open)

v5.4.0

Compare Source

New Features
  • cargo run now shows the exact commands that were tried when opening.
    This is useful for debugging, mainly.
Bug Fixes
  • Align WSL PowerShell invocation with Windows
    Pass the WSL open target to PowerShell through the OPEN_RS_TARGET
    environment variable instead of embedding it in the command string and
    escaping it as a single-quoted PowerShell value.

    This matches the safer invocation already used by the native Windows
    backend. Keeping the PowerShell program fixed ensures that paths and URLs
    are treated purely as data, even when they contain quotes, semicolons, or
    other PowerShell metacharacters. It also removes the need for custom
    PowerShell quoting and avoids converting the target through
    to_string_lossy() during command construction.

    Add -NonInteractive for consistency with the Windows launcher and update
    the WSL tests to verify both the fixed command and the unchanged
    environment-variable value.

  • prevent launcher option and shell injection
    Opening an attacker-controlled dash-leading path could be interpreted as
    launcher options. On Windows, cmd /c start also parsed embedded quotes and
    metacharacters as command language, while the legacy gnome-open fallback
    could load a module even after a double-dash separator.

    Add command-construction regressions for malicious option-shaped paths and
    Windows shell metacharacters. Use supported separators on macOS and KDE, and
    rewrite dash-leading relative paths for launchers without separator support.
    Keep Windows values out of shell syntax by passing the default target through
    the environment and invoking custom applications directly, with explorer.exe
    as a PowerShell-free fallback.

    Exclude cmd-based opening by default, while providing an
    explicit insecure Cargo feature for users who need compatibility it
    and accept their unsafe handling of untrusted input.

    Validated with default and all-feature cargo tests, clippy, and cross-target
    cargo check --tests for aarch64 Linux and Windows.

Commit Statistics
  • 5 commits contributed to the release.
  • 3 commits were understood as conventional.
  • 1 unique issue was worked on: #​124
Commit Details
view details
  • #​124
    • Prevent launcher option and shell injection (fd29861)
  • Uncategorized
    • Merge pull request #​126 from Byron/fix-wsl (bdc3397)
    • Align WSL PowerShell invocation with Windows (7265cae)
    • Merge pull request #​125 from Byron/open-with-dash-dash (407b058)
    • cargo run now shows the exact commands that were tried when opening. (7c19c0a)

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • Between 12:00 AM and 03:59 AM (* 0-3 * * *)
  • Automerge
    • Between 12:00 AM and 03:59 AM (* 0-3 * * *)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.

This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [open](https://github.com/Byron/open-rs) | dependencies | minor | `5.3.6` → `5.4.0` | --- ### Release Notes <details> <summary>Byron/open-rs (open)</summary> ### [`v5.4.0`](https://github.com/Byron/open-rs/blob/HEAD/changelog.md#540-2026年07月12日) [Compare Source](https://github.com/Byron/open-rs/compare/v5.3.6...v5.4.0) ##### New Features - <csr-id-7c19c0a1a810326b9a9e7542a0992d80adf0a365/> `cargo run` now shows the exact commands that were tried when opening. This is useful for debugging, mainly. ##### Bug Fixes - <csr-id-7265cae8c19180c1022d8b1a7fbec815d0264909/> Align WSL PowerShell invocation with Windows Pass the WSL open target to PowerShell through the OPEN\_RS\_TARGET environment variable instead of embedding it in the command string and escaping it as a single-quoted PowerShell value. This matches the safer invocation already used by the native Windows backend. Keeping the PowerShell program fixed ensures that paths and URLs are treated purely as data, even when they contain quotes, semicolons, or other PowerShell metacharacters. It also removes the need for custom PowerShell quoting and avoids converting the target through to\_string\_lossy() during command construction. Add -NonInteractive for consistency with the Windows launcher and update the WSL tests to verify both the fixed command and the unchanged environment-variable value. - <csr-id-fd29861355bfb981aecdb94d0915f4e41c2686ee/> prevent launcher option and shell injection Opening an attacker-controlled dash-leading path could be interpreted as launcher options. On Windows, cmd /c start also parsed embedded quotes and metacharacters as command language, while the legacy gnome-open fallback could load a module even after a double-dash separator. Add command-construction regressions for malicious option-shaped paths and Windows shell metacharacters. Use supported separators on macOS and KDE, and rewrite dash-leading relative paths for launchers without separator support. Keep Windows values out of shell syntax by passing the default target through the environment and invoking custom applications directly, with explorer.exe as a PowerShell-free fallback. Exclude cmd-based opening by default, while providing an explicit insecure Cargo feature for users who need compatibility it and accept their unsafe handling of untrusted input. Validated with default and all-feature cargo tests, clippy, and cross-target cargo check --tests for aarch64 Linux and Windows. ##### Commit Statistics <csr-read-only-do-not-edit/> - 5 commits contributed to the release. - 3 commits were understood as [conventional](https://www.conventionalcommits.org). - 1 unique issue was worked on: [#&#8203;124](https://github.com/Byron/open-rs/issues/124) ##### Commit Details <csr-read-only-do-not-edit/> <details><summary>view details</summary> - **[#&#8203;124](https://github.com/Byron/open-rs/issues/124)** - Prevent launcher option and shell injection ([`fd29861`](https://github.com/Byron/open-rs/commit/fd29861355bfb981aecdb94d0915f4e41c2686ee)) - **Uncategorized** - Merge pull request [#&#8203;126](https://github.com/Byron/open-rs/issues/126) from Byron/fix-wsl ([`bdc3397`](https://github.com/Byron/open-rs/commit/bdc33978cdbfa1defef31e23659af4ba4a8913b0)) - Align WSL PowerShell invocation with Windows ([`7265cae`](https://github.com/Byron/open-rs/commit/7265cae8c19180c1022d8b1a7fbec815d0264909)) - Merge pull request [#&#8203;125](https://github.com/Byron/open-rs/issues/125) from Byron/open-with-dash-dash ([`407b058`](https://github.com/Byron/open-rs/commit/407b05879efb2b33c4e51fa15d77b49fa748a241)) - `cargo run` now shows the exact commands that were tried when opening. ([`7c19c0a`](https://github.com/Byron/open-rs/commit/7c19c0a1a810326b9a9e7542a0992d80adf0a365)) </details> </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - Between 12:00 AM and 03:59 AM (`* 0-3 * * *`) - Automerge - Between 12:00 AM and 03:59 AM (`* 0-3 * * *`) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yNjAuMCIsInVwZGF0ZWRJblZlciI6IjQzLjI2MC4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->
Update Rust crate open to v5.4.0
All checks were successful
ci/woodpecker/pr/check-typos Pipeline was successful
ci/woodpecker/pr/check Pipeline was successful
ci/woodpecker/pr/check-clippy Pipeline was successful
4666f395bf
All checks were successful
ci/woodpecker/pr/check-typos Pipeline was successful
ci/woodpecker/pr/check Pipeline was successful
Required
Details
ci/woodpecker/pr/check-clippy Pipeline was successful
This pull request can be merged automatically.
You are not authorized to merge this pull request.
View command line instructions

Checkout

From your project repository, check out a new branch and test the changes.
git fetch -u origin renovate/open-5.x-lockfile:renovate/open-5.x-lockfile
git switch renovate/open-5.x-lockfile
Sign in to join this conversation.
No reviewers
Labels
Clear labels
Kind/Breaking
Breaking change that won't be backward compatible
Kind/Bug
Something is not working
Kind/Design
Discussion about UI/UX design
Kind/Documentation
Documentation changes
Kind/Enhancement
Improve existing functionality
Kind/Feature
New functionality
Kind/Security
This is security issue
Kind/Testing
Issue or pull request related to testing
Kind/Upstream
This is an issue with upstream software (Forgejo) that is probably not our fault
Priority
Critical
The priority is critical
Priority
High
The priority is high
Priority
Low
The priority is low
Priority
Medium
The priority is medium
Reviewed
Confirmed
Issue has been confirmed
Reviewed
Duplicate
This issue or pull request already exists
Reviewed
Invalid
Invalid issue
Reviewed
Won't Fix
This issue won't be fixed
Status
Abandoned
Somebody has started to work on this but abandoned work
Status
Blocked
Something is blocking this issue or pull request
Status
Need More Info
Feedback is required to reproduce issue or to continue work
Suspicious
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
forgejo-contrib/forgejo-cli!566
Reference in a new issue
forgejo-contrib/forgejo-cli
No description provided.
Delete branch "renovate/open-5.x-lockfile"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?