mirror of
https://github.com/nushell/nushell
synced 2024-12-27 05:23:11 +00:00
3a39e3df22
This was prompted by CVE-2024-24576
- https://nvd.nist.gov/vuln/detail/CVE-2024-24576
- https://blog.rust-lang.org/2024/04/09/cve-2024-24576.html
- https://flatt.tech/research/posts/batbadbut-you-cant-securely-execute-commands-on-windows/

Affected is launching commands on Windows with arbitrary arguments, which is the case for Nushell's external invocation on Windows.

Rust has fixed this quoting vulnerability in 1.77.2 (latest stable at time of commit).

We will thus use this version for our builds and recommend all our packaging/distribution maintainers to use this version of Rust when building Nushell.
19 lines
1.1 KiB
TOML
# So, you want to update the Rust toolchain...
# The key is making sure all our dependencies support the version of Rust we're using,
# and that nushell compiles on all the platforms tested in our CI.

# Here's some documentation on how to use this file:
# https://rust-lang.github.io/rustup/overrides.html#the-toolchain-file

[toolchain]
# The default profile includes rustc, rust-std, cargo, rust-docs, rustfmt and clippy.
# https://rust-lang.github.io/rustup/concepts/profiles.html
profile = "default"
# The current plan is to be 2 releases behind the latest stable release. So, if the
# latest stable release is 1.72.0, the channel should be 1.70.0. We want to do this
# so that we give repo maintainers and package managers a chance to update to a more
# recent version of rust. However, if there is a "cool new feature" that we want to
# use in nushell, we may opt to use the bleeding edge stable version of rust.
# I believe rust is on a 6 week release cycle and nushell is on a 4 week release cycle.
# So, every two nushell releases, this version number should be bumped by one.
channel = "1.77.2"
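
A check a packager could run against this file before building, as an added example that is not part of the Nushell repository: it reads the pinned `channel` and compares it with 1.77.2, the release the commit message names as carrying the fix. The function names and the `Verdict` type are hypothetical, and the sample inputs in `main` are constructed.

```rust
// Added example (not Nushell code). MIN_FIXED is the Rust release the commit
// message names as fixing CVE-2024-24576.
const MIN_FIXED: (u32, u32, u32) = (1, 77, 2);

#[derive(Debug, PartialEq)]
enum Verdict {
    Fixed,
    BelowFix,
    Unverifiable, // named channel or no pin: confirm with `rustc --version`
}

/// Return the value of the first uncommented `channel = "..."` line.
fn pinned_channel(toml: &str) -> Option<&str> {
    toml.lines()
        .map(str::trim)
        .filter(|l| !l.starts_with('#'))
        .find_map(|l| {
            let rest = l.strip_prefix("channel")?.trim_start().strip_prefix('=')?;
            rest.trim().strip_prefix('"')?.split('"').next()
        })
}

fn check_channel(toml: &str) -> Verdict {
    let Some(channel) = pinned_channel(toml) else { return Verdict::Unverifiable };
    // Drop a host or date suffix such as "1.77.2-x86_64-pc-windows-msvc".
    let version = channel.split('-').next().unwrap_or("");
    let parts: Vec<Option<u32>> = version.split('.').map(|p| p.parse().ok()).collect();
    let floor = (MIN_FIXED.0, MIN_FIXED.1);
    match parts.as_slice() {
        [Some(a), Some(b), Some(c)] if (*a, *b, *c) >= MIN_FIXED => Verdict::Fixed,
        [Some(_), Some(_), Some(_)] => Verdict::BelowFix,
        // A two-part pin such as "1.77" floats to whichever patch release
        // rustup resolves, so only pins away from the boundary are decidable.
        [Some(a), Some(b)] if (*a, *b) > floor => Verdict::Fixed,
        [Some(a), Some(b)] if (*a, *b) < floor => Verdict::BelowFix,
        _ => Verdict::Unverifiable,
    }
}

fn main() {
    // Constructed sample inputs; the first matches the channel pinned above.
    for pin in ["1.77.2", "1.76.0", "1.77", "stable"] {
        let toml = format!("[toolchain]\nchannel = \"{pin}\"\n");
        println!("{pin} -> {:?}", check_channel(&toml));
    }
}
```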