[stable 1.94] Update tar to 0.4.45 #16769
### What does this PR try to resolve? Blocks a compiler change, see [#t-cargo > `replace::use_a_spec_to_select` test failure @ 💬](https://rust-lang.zulipchat.com/#narrow/channel/246057-t-cargo/topic/.60replace.3A.3Ause_a_spec_to_select.60.20test.20failure/near/577341461) ### How to test and review this PR?
### What does this PR try to resolve? Fixes rust-lang#16704 ### How to test and review this PR?
…16714) ### What does this PR try to resolve? rust-lang/rust#152164 added a warn-by-default `unused_features` lint. Cargo injects `#![feature(frontmatter)]` for all embedded scripts, but scripts without frontmatter syntax never trigger the feature gate check, causing the lint warning. Given the stabilization FCP of frontmatter [is complete](rust-lang/rust#148051 (comment)) already, we could expect it will soon be stabilized (?). It should be fine if we suppress this new unstable lint. ### How to test and review this PR? Test suite passes. See <rust-lang#16713 (comment)> for more.
I do not want to backport the unstable JSON spec support to 1.94, and these tests do not pass CI on the latest nightly.
### What does this PR try to resolve? Unblocking CI. Maybe other work is needed for submodule sync but resolving that doesn't have to block fixing CI. ### How to test and review this PR?
This updates cargo-semver-checks so that it can work correctly in CI because 0.45.0 doesn't seem to support Rust 1.94.
### What does this PR try to resolve? Fixes the docs CI jobs that are currently failing since Rust 1.93 was released Example failed job: https://github.com/rust-lang/cargo/actions/runs/21252805301/job/61158769843?pr=16542 ### How to test and review this PR? See the CI jobs status r? @weihanglo
This particular test was failing occasionally because the order of the output is not deterministic. Sometimes `test` would run first, and sometimes `rustc-std-workspace-std` would run first. This is because they start in parallel, and it is a race which one prints first. The exact output here isn't particularly interesting. I would prefer to not check the particular structure of the standard library, so this just elides all the output.
We've been seeing occasional failures on CI with these tests timing out. I'm guessing that the runners are too overloaded and are unable to complete the test within 1 second. This bumps up the timeout to 10s to see if that will resolve the problem.
The schema seems to have changed and this is no longer working.
This adds a test for a registry package where it has a symlink and a directory with the same name. The `tar` crate is incorrectly changing the permissions of the destination of the symlink (which can be anywhere on the filesystem).
This updates tar to 0.4.45 to fix CVE-2026-33055 and CVE-2026-33056.
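The archive shape described in the test commit above (a symlink and a directory with the same name) can be checked for before extraction. The following is an added example, not code from Cargo or the `tar` crate: it walks the headers of an already decompressed tar stream using the standard ustar field offsets and reports colliding paths. The helper names and the sample archive are constructed for illustration, and the sample headers leave the checksum blank.

```rust
use std::collections::HashMap;

/// Constructed sample: one 512-byte ustar-style header, checksum left blank.
fn header(name: &str, typeflag: u8, link: &str) -> Vec<u8> {
    let mut h = vec![0u8; 512];
    h[..name.len()].copy_from_slice(name.as_bytes()); // name: bytes 0..100
    h[124..135].copy_from_slice(b"00000000000"); // size: octal, no data blocks
    h[156] = typeflag; // '2' = symlink, '5' = directory
    h[157..157 + link.len()].copy_from_slice(link.as_bytes()); // linkname
    h
}

/// Constructed sample archive: headers followed by two zero blocks.
fn sample(entries: &[(&str, u8, &str)]) -> Vec<u8> {
    let mut a: Vec<u8> = entries.iter().flat_map(|(n, t, l)| header(n, *t, l)).collect();
    a.extend(vec![0u8; 1024]);
    a
}

/// Read a NUL-terminated field; drop trailing '/' so "pkg/foo/" equals "pkg/foo".
fn field(raw: &[u8]) -> String {
    let end = raw.iter().position(|&b| b == 0).unwrap_or(raw.len());
    String::from_utf8_lossy(&raw[..end]).trim_end_matches('/').to_string()
}

/// Paths that occur both as a symlink and as a directory, in archive order.
/// Assumption: short names only (no ustar prefix, GNU long-name or PAX records).
fn symlink_dir_collisions(archive: &[u8]) -> Vec<String> {
    let mut kinds: HashMap<String, (bool, bool)> = HashMap::new();
    let mut order = Vec::new();
    let mut off = 0;
    while off + 512 <= archive.len() {
        let h = &archive[off..off + 512];
        if h.iter().all(|&b| b == 0) { break; } // end-of-archive marker
        let name = field(&h[0..100]);
        let size = usize::from_str_radix(field(&h[124..136]).trim(), 8).unwrap_or(0);
        let e = kinds.entry(name.clone()).or_insert_with(|| {
            order.push(name.clone());
            (false, false)
        });
        match h[156] { b'2' => e.0 = true, b'5' => e.1 = true, _ => {} }
        off += 512 + (size + 511) / 512 * 512; // header plus padded data
    }
    order.into_iter().filter(|n| kinds[n] == (true, true)).collect()
}

fn main() {
    let bad = sample(&[("pkg-1.0.0/foo", b'2', "elsewhere"), ("pkg-1.0.0/foo/", b'5', "")]);
    println!("{:?}", symlink_dir_collisions(&bad));
}
```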
r? @epage

rustbot has assigned @epage.
| cargo-platform = { path = "crates/cargo-platform", version = "0.3.0" } | ||
| cargo-test-macro = { version = "0.4.9", path = "crates/cargo-test-macro" } | ||
| cargo-test-support = { version = "0.10.0", path = "crates/cargo-test-support" } | ||
| cargo-test-support = { version = "0.11.0", path = "crates/cargo-test-support" } |
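Review bot: the last line moves `cargo-test-support` from 0.10.0 to 0.11.0, a semver-incompatible step for a 0.x crate, in a change whose stated purpose is the tar update. The description should say why this crate's version has to move on the stable branch, and confirm that the same version number will not later be published with different contents from another branch.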
This is safe across the different branches?
I believe so. The only other differences on the beta branch are:
diff -r crates/cargo-test-support/Cargo.toml /Users/eric/Proj/rust/cargo2/crates/cargo-test-support/Cargo.toml
5c5
< rust-version = "1.92" # MSRV:1
---
> rust-version = "1.93" # MSRV:1
7d6
< homepage.workspace = true

which I think should be fine to ignore.
What will happen is that when the stable patch release is made, 0.11.0 will get published. Since there are no differences that really matter, when 1.95 is published, it will just skip cargo-test-support. That should be fine since there are no semver incompatibilities.
The bump version script will fail but that isn't blocking at this time
The stable branch bumped cargo-test-support to 0.11.0 in rust-lang#16769. Because there are some minor differences shown below, the bump-check is failing on the beta branch. I've updated the patch version since this is a relatively inconsequential change. ```diff diff -r crates/cargo-test-support/Cargo.toml /Users/eric/Proj/rust/cargo2/crates/cargo-test-support/Cargo.toml 5c5 < rust-version = "1.92" # MSRV:1 --- > rust-version = "1.93" # MSRV:1 7d6 < homepage.workspace = true ``` This is already on master via rust-lang#16710. I'm not sure if this will require also bumping master to 0.11.2, but I will look at that later.
[stable] 1.94.1 release

This backports:

* [STABLE] library: wasm32-wasip1-threads has functional pthreads #153634
* Move freeze_* methods to OpenOptionsExt2 #153491
* [Clippy] Fix ICE in match_same_arms rust-lang/rust-clippy#16685

Cargo:

* [stable 1.94] Fix symlink_and_directory when running in a long target dir name (rust-lang/cargo#16777)
* Fix symlink_and_directory when running in a long target dir name (rust-lang/cargo#16775)
* [stable 1.94] Update tar to 0.4.45 (rust-lang/cargo#16769)
* test: Remove unused docker ip_address (rust-lang/cargo#16636)
* Increase cache_lock test timeout (rust-lang/cargo#16545)
* chore: Updated compiler errors for Rust 1.93 (rust-lang/cargo#16543)
* test(build-std): Update error message (rust-lang/cargo#16658)
* fix: `--remap-path-scope` stabilized in 1.95-nightly (rust-lang/cargo#16536)
* fix(script): surpress `unused_features` lint for embedded (rust-lang/cargo#16714)
* test(git): Mark a test as non-deterministic (rust-lang/cargo#16706)
* test(replace): Mark a test as non-deterministic (rust-lang/cargo#16700)
From the [blog post](https://blog.rust-lang.org/2026/03/26/1.94.1-release/)

## What's in 1.94.1

Rust 1.94.1 resolves three regressions that were introduced in the 1.94.0 release.

- [Fix std::thread::spawn on wasm32-wasip1-threads](rust-lang/rust#153634)
- [Remove new methods added to std::os::windows::fs::OpenOptionsExt](rust-lang/rust#153491) The new methods were unstable, but the trait itself is not sealed and so cannot be extended with non-default methods.
- [Clippy: fix ICE in match_same_arms](rust-lang/rust-clippy#16685)
- [Cargo: downgrade curl-sys to 0.4.83](rust-lang/cargo#16787) This fixes certificate validation error for some users on some versions of FreeBSD. See [this issue](rust-lang/cargo#16357) for more details.

And a security fix:

- [Cargo: Update tar to 0.4.45](rust-lang/cargo#16769) This resolves [CVE-2026-33055](https://www.cve.org/CVERecord?id=CVE-2026-33055) and [CVE-2026-33056](https://www.cve.org/CVERecord?id=CVE-2026-33056). Users of crates.io are not affected. See [blog](https://blog.rust-lang.org/2026/03/21/cve-2026-33056/) for more details.
This updates tar to 0.4.45 to fix CVE-2026-33055 and CVE-2026-33056.
This also includes backports to get CI passing:
- `unused_features` lint for embedded #16714 -- fix(script): surpress `unused_features` lint for embedded (fix(script): surpress `unused_features` lint for embedded #16714)
- `--remap-path-scope` stabilized in 1.95-nightly #16536 -- fix: `--remap-path-scope` stabilized in 1.95-nightly

And includes the additional commits: