Prepare/2.2.3

.github/workflows/release.yml

@@ -1,3 +1,5 @@
+# This file was autogenerated by cargo-dist: https://opensource.axo.dev/cargo-dist/
+#
 # Copyright 2022-2024, axodotdev
 # SPDX-License-Identifier: MIT or Apache-2.0
 #
@@ -12,9 +14,8 @@
 # with the appropriate title/body, and will be undrafted for you.
 
 name: Release
-
 permissions:
-  contents: write
+  "contents": "write"
 
 # This task will run whenever you push a git tag that looks like a version
 # like "1.0.0", "v0.1.0-prerelease.1", "my-app/0.1.0", "releases/v1.0.0", etc.
@@ -38,15 +39,15 @@ permissions:
 # If there's a prerelease-style suffix to the version, then the release(s)
 # will be marked as a prerelease.
 on:
+  pull_request:
   push:
     tags:
       - '**[0-9]+.[0-9]+.[0-9]+*'
-  pull_request:
 
 jobs:
   # Run 'cargo dist plan' (or host) to determine what tasks we need to do
   plan:
-    runs-on: ubuntu-latest
+    runs-on: "ubuntu-20.04"
     outputs:
       val: ${{ steps.plan.outputs.manifest }}
       tag: ${{ !github.event.pull_request && github.ref_name || '' }}
@@ -62,7 +63,12 @@ jobs:
         # we specify bash to get pipefail; it guards against the `curl` command
         # failing. otherwise `sh` won't catch that `curl` returned non-0
         shell: bash
-        run: "curl --proto '=https' --tlsv1.2 -LsSf https://github.com/axodotdev/cargo-dist/releases/download/v0.14.1/cargo-dist-installer.sh | sh"
+        run: "curl --proto '=https' --tlsv1.2 -LsSf https://github.com/axodotdev/cargo-dist/releases/download/v0.21.1/cargo-dist-installer.sh | sh"
+      - name: Cache cargo-dist
+        uses: actions/upload-artifact@v4
+        with:
+          name: cargo-dist-cache
+          path: ~/.cargo/bin/cargo-dist
       # sure would be cool if github gave us proper conditionals...
       # so here's a doubly-nested ternary-via-truthiness to try to provide the best possible
       # functionality based on whether this is a pull_request, and whether it's from a fork.
@@ -111,9 +117,6 @@ jobs:
       - uses: actions/checkout@v4
         with:
           submodules: recursive
-      - uses: swatinem/rust-cache@v2
-        with:
-          key: ${{ join(matrix.targets, '-') }}
       - name: Install cargo-dist
         run: ${{ matrix.install_dist }}
       # Get the dist-manifest
@@ -165,9 +168,12 @@ jobs:
       - uses: actions/checkout@v4
         with:
           submodules: recursive
-      - name: Install cargo-dist
-        shell: bash
-        run: "curl --proto '=https' --tlsv1.2 -LsSf https://github.com/axodotdev/cargo-dist/releases/download/v0.14.1/cargo-dist-installer.sh | sh"
+      - name: Install cached cargo-dist
+        uses: actions/download-artifact@v4
+        with:
+          name: cargo-dist-cache
+          path: ~/.cargo/bin/
+      - run: chmod +x ~/.cargo/bin/cargo-dist
       # Get all the local artifacts for the global tasks to use (for e.g. checksums)
       - name: Fetch local artifacts
         uses: actions/download-artifact@v4
@@ -211,16 +217,19 @@ jobs:
       - uses: actions/checkout@v4
         with:
           submodules: recursive
-      - name: Install cargo-dist
-        run: "curl --proto '=https' --tlsv1.2 -LsSf https://github.com/axodotdev/cargo-dist/releases/download/v0.14.1/cargo-dist-installer.sh | sh"
+      - name: Install cached cargo-dist
+        uses: actions/download-artifact@v4
+        with:
+          name: cargo-dist-cache
+          path: ~/.cargo/bin/
+      - run: chmod +x ~/.cargo/bin/cargo-dist
       # Fetch artifacts from scratch-storage
       - name: Fetch artifacts
         uses: actions/download-artifact@v4
         with:
           pattern: artifacts-*
           path: target/distrib/
           merge-multiple: true
-      # This is a harmless no-op for GitHub Releases, hosting for that happens in "announce"
       - id: host
         shell: bash
         run: |
@@ -234,8 +243,27 @@ jobs:
           # Overwrite the previous copy
           name: artifacts-dist-manifest
           path: dist-manifest.json
+      # Create a GitHub Release while uploading all files to it
+      - name: "Download GitHub Artifacts"
+        uses: actions/download-artifact@v4
+        with:
+          pattern: artifacts-*
+          path: artifacts
+          merge-multiple: true
+      - name: Cleanup
+        run: |
+          # Remove the granular manifests
+          rm -f artifacts/*-dist-manifest.json
+      - name: Create GitHub Release
+        env:
+          PRERELEASE_FLAG: "${{ fromJson(steps.host.outputs.manifest).announcement_is_prerelease && '--prerelease' || '' }}"
+          RELEASE_COMMIT: "${{ github.sha }}"
+        run: |
+          # If we're editing a release in place, we need to upload things ahead of time
+          gh release upload "${{ needs.plan.outputs.tag }}" artifacts/*
+
+          gh release edit "${{ needs.plan.outputs.tag }}" --target "$RELEASE_COMMIT" $PRERELEASE_FLAG --draft=false
 
-  # Create a GitHub Release while uploading all files to it
   announce:
     needs:
       - plan
@@ -251,23 +279,3 @@ jobs:
       - uses: actions/checkout@v4
         with:
           submodules: recursive
-      - name: "Download GitHub Artifacts"
-        uses: actions/download-artifact@v4
-        with:
-          pattern: artifacts-*
-          path: artifacts
-          merge-multiple: true
-      - name: Cleanup
-        run: |
-          # Remove the granular manifests
-          rm -f artifacts/*-dist-manifest.json
-      - name: Create GitHub Release
-        uses: ncipollo/release-action@v1
-        with:
-          tag: ${{ needs.plan.outputs.tag }}
-          allowUpdates: true
-          updateOnlyUnreleased: true
-          omitBodyDuringUpdate: true
-          omitNameDuringUpdate: true
-          prerelease: ${{ fromJson(needs.host.outputs.val).announcement_is_prerelease }}
-          artifacts: "artifacts/*"

CHANGELOG.md

@@ -10,6 +10,15 @@ Increasing the minimal supported Rust version will always be coupled at least wi
 
 ## Unreleased
 
+## [2.2.3] 2024-08-23
+
+### Fixed
+
+* Support for libsqlite3-sys 0.30.0
+* Fixed a possible vulnerability in how Diesel handled protocol level bind parameters. 
+  See the [SQL Injection isn't Dead: Smuggling Queries at Protocol Level](http://web.archive.org/web/20240812130923/https://media.defcon.org/DEF%20CON%2032/DEF%20CON%2032%20presentations/DEF%20CON%2032%20-%20Paul%20Gerste%20-%20SQL%20Injection%20Isn't%20Dead%20Smuggling%20Queries%20at%20the%20Protocol%20Level.pdf>) presentation from DEF CON for details
+* Fixed an issue with a possibly ambiguous trait resolution in `#[derive(QueryableByName)]`
+
 ## [2.2.2] 2024-07-19
 
 ### Fixed
@@ -2127,3 +2136,4 @@ queries or set `PIPES_AS_CONCAT` manually.
 [2.2.0]: https://github.com/diesel-rs/diesel/compare/v.2.1.0...v2.2.0
 [2.2.1]: https://github.com/diesel-rs/diesel/compare/v.2.2.0...v2.2.1
 [2.2.2]: https://github.com/diesel-rs/diesel/compare/v.2.2.1...v2.2.2
+[2.2.2]: https://github.com/diesel-rs/diesel/compare/v.2.2.2...v2.2.3

Cargo.toml

@@ -35,24 +35,26 @@ rust-version = "1.78.0"
 include = ["src/**/*.rs", "tests/**/*.rs", "LICENSE-*", "README.md"]
 
 [workspace.dependencies]
-libsqlite3-sys = "0.29"
+libsqlite3-sys = "0.30.1"
 
 # Config for 'cargo dist'
 [workspace.metadata.dist]
 # The preferred cargo-dist version to use in CI (Cargo.toml SemVer syntax)
-cargo-dist-version = "0.14.1"
+cargo-dist-version = "0.21.1"
 # CI backends to support
 ci = "github"
 # The installers to generate for each app
 installers = ["shell", "powershell"]
 # Target platforms to build apps for (Rust target-triple syntax)
 targets = ["aarch64-apple-darwin", "x86_64-apple-darwin", "x86_64-unknown-linux-gnu", "x86_64-pc-windows-msvc"]
-# Publish jobs to run in CI
+# Which actions to run on pull requests
 pr-run-mode = "plan"
 # Whether cargo-dist should create a Github Release or use an existing draft
 create-release = false
 # Whether to install an updater program
 install-updater = false
+# Path that installers should place binaries in
+install-path = "CARGO_HOME"
 
 [workspace.metadata.dist.github-custom-runners]
 aarch64-apple-darwin = "macos-14"

diesel/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "diesel"
-version = "2.2.2"
+version = "2.2.3"
 license = "MIT OR Apache-2.0"
 description = "A safe, extensible ORM and Query Builder for PostgreSQL, SQLite, and MySQL"
 readme = "README.md"
@@ -24,7 +24,7 @@ include = [
 byteorder = { version = "1.0", optional = true }
 chrono = { version = "0.4.20", optional = true, default-features = false, features = ["clock", "std"] }
 libc = { version = "0.2.0", optional = true }
-libsqlite3-sys = { version = ">=0.17.2, <0.30.0", optional = true, features = ["bundled_bindings"] }
+libsqlite3-sys = { version = ">=0.17.2, <0.31.0", optional = true, features = ["bundled_bindings"] }
 mysqlclient-sys = { version = ">=0.2.5, <0.5.0",  optional = true }
 mysqlclient-src = { version = "0.1.0", optional = true }
 pq-sys = { version = ">=0.4.0, <0.7.0", optional = true }

diesel/src/expression/array_comparison.rs

@@ -157,12 +157,12 @@ impl_selectable_expression!(NotIn<T, U>);
 /// Diesel provided several implementations here:
 ///
 ///  - An implementation for any [`Iterator`] over values
-///  that implement [`AsExpression<ST>`] for the corresponding
-///  sql type ST. The corresponding values clause will contain
-///  bind statements for each individual value.
+///    that implement [`AsExpression<ST>`] for the corresponding
+///    sql type ST. The corresponding values clause will contain
+///    bind statements for each individual value.
 ///  - An implementation for select statements, that returns
-///  a single field. The corresponding values clause will contain
-///  the sub query.
+///    a single field. The corresponding values clause will contain
+///    the sub query.
 ///
 ///  This trait is exposed for custom third party backends so
 ///  that they can restrict the [`QueryFragment`] implementations

diesel/src/lib.rs

@@ -151,64 +151,64 @@
 
 //!
 //! - `sqlite`: This feature enables the diesel sqlite backend. Enabling this feature requires per default
-//! a compatible copy of `libsqlite3` for your target architecture. Alternatively, you can add `libsqlite3-sys`
-//! with the `bundled` feature as a dependency to your crate so SQLite will be bundled:
-//! ```toml
-//! [dependencies]
-//! libsqlite3-sys = { version = "0.29", features = ["bundled"] }
-//! ```
+//!   a compatible copy of `libsqlite3` for your target architecture. Alternatively, you can add `libsqlite3-sys`
+//!   with the `bundled` feature as a dependency to your crate so SQLite will be bundled:
+//!   ```toml
+//!   [dependencies]
+//!   libsqlite3-sys = { version = "0.29", features = ["bundled"] }
+//!   ```
 //! - `postgres`: This feature enables the diesel postgres backend. Enabling this feature requires a compatible
-//! copy of `libpq` for your target architecture. This features implies `postgres_backend`
+//!   copy of `libpq` for your target architecture. This features implies `postgres_backend`
 //! - `mysql`: This feature enables the idesel mysql backend. Enabling this feature requires a compatible copy
-//! of `libmysqlclient` for your target architecture. This feature implies `mysql_backend`
+//!   of `libmysqlclient` for your target architecture. This feature implies `mysql_backend`
 //! - `postgres_backend`: This feature enables those parts of diesels postgres backend, that are not dependent
-//! on `libpq`. Diesel does not provide any connection implementation with only this feature enabled.
-//! This feature can be used to implement a custom implementation of diesels `Connection` trait for the
-//! postgres backend outside of diesel itself, while reusing the existing query dsl extensions for the
-//! postgres backend
+//!   on `libpq`. Diesel does not provide any connection implementation with only this feature enabled.
+//!   This feature can be used to implement a custom implementation of diesels `Connection` trait for the
+//!   postgres backend outside of diesel itself, while reusing the existing query dsl extensions for the
+//!   postgres backend
 //! - `mysql_backend`: This feature enables those parts of diesels mysql backend, that are not dependent
-//! on `libmysqlclient`. Diesel does not provide any connection implementation with only this feature enabled.
-//! This feature can be used to implement a custom implementation of diesels `Connection` trait for the
-//! mysql backend outside of diesel itself, while reusing the existing query dsl extensions for the
-//! mysql backend
+//!   on `libmysqlclient`. Diesel does not provide any connection implementation with only this feature enabled.
+//!   This feature can be used to implement a custom implementation of diesels `Connection` trait for the
+//!   mysql backend outside of diesel itself, while reusing the existing query dsl extensions for the
+//!   mysql backend
 //! - `returning_clauses_for_sqlite_3_35`: This feature enables support for `RETURNING` clauses in the sqlite backend.
-//! Enabling this feature requires sqlite 3.35.0 or newer.
+//!   Enabling this feature requires sqlite 3.35.0 or newer.
 //! - `32-column-tables`: This feature enables support for tables with up to 32 columns.
-//! This feature is enabled by default. Consider disabling this feature if you write a library crate
-//! providing general extensions for diesel or if you do not need to support tables with more than 16 columns
-//! and you want to minimize your compile times.
+//!   This feature is enabled by default. Consider disabling this feature if you write a library crate
+//!   providing general extensions for diesel or if you do not need to support tables with more than 16 columns
+//!   and you want to minimize your compile times.
 //! - `64-column-tables`: This feature enables support for tables with up to 64 columns. It implies the
-//! `32-column-tables` feature. Enabling this feature will increase your compile times.
+//!   `32-column-tables` feature. Enabling this feature will increase your compile times.
 //! - `128-column-tables`: This feature enables support for tables with up to 128 columns. It implies the
-//! `64-column-tables` feature. Enabling this feature will increase your compile times significantly.
+//!   `64-column-tables` feature. Enabling this feature will increase your compile times significantly.
 //! - `i-implement-a-third-party-backend-and-opt-into-breaking-changes`: This feature opens up some otherwise
-//! private API, that can be useful to implement a third party [`Backend`](crate::backend::Backend)
-//! or write a custom [`Connection`] implementation. **Do not use this feature for
-//! any other usecase**. By enabling this feature you explicitly opt out diesel stability guarantees. We explicitly
-//! reserve us the right to break API's exported under this feature flag in any upcoming minor version release.
-//! If you publish a crate depending on this feature flag consider to restrict the supported diesel version to the
-//! currently released minor version.
+//!   private API, that can be useful to implement a third party [`Backend`](crate::backend::Backend)
+//!   or write a custom [`Connection`] implementation. **Do not use this feature for
+//!   any other usecase**. By enabling this feature you explicitly opt out diesel stability guarantees. We explicitly
+//!   reserve us the right to break API's exported under this feature flag in any upcoming minor version release.
+//!   If you publish a crate depending on this feature flag consider to restrict the supported diesel version to the
+//!   currently released minor version.
 //! - `serde_json`: This feature flag enables support for (de)serializing json values from the database using
-//! types provided by `serde_json`.
+//!   types provided by `serde_json`.
 //! - `chrono`: This feature flags enables support for (de)serializing date/time values from the database using
-//! types provided by `chrono`
+//!   types provided by `chrono`
 //! - `uuid`: This feature flag enables support for (de)serializing uuid values from the database using types
-//! provided by `uuid`
+//!   provided by `uuid`
 //! - `network-address`: This feature flag enables support for (de)serializing
-//! IP values from the database using types provided by `ipnetwork`.
+//!   IP values from the database using types provided by `ipnetwork`.
 //! - `ipnet-address`: This feature flag enables support for (de)serializing IP
-//! values from the database using types provided by `ipnet`.
+//!   values from the database using types provided by `ipnet`.
 //! - `numeric`: This feature flag enables support for (de)serializing numeric values from the database using types
-//! provided by `bigdecimal`
+//!   provided by `bigdecimal`
 //! - `r2d2`: This feature flag enables support for the `r2d2` connection pool implementation.
 //! - `extras`: This feature enables the feature flagged support for any third party crate. This implies the
-//! following feature flags: `serde_json`, `chrono`, `uuid`, `network-address`, `numeric`, `r2d2`
+//!   following feature flags: `serde_json`, `chrono`, `uuid`, `network-address`, `numeric`, `r2d2`
 //! - `with-deprecated`: This feature enables items marked as `#[deprecated]`. It is enabled by default.
-//! disabling this feature explicitly opts out diesels stability guarantee.
+//!   disabling this feature explicitly opts out diesels stability guarantee.
 //! - `without-deprecated`: This feature disables any item marked as `#[deprecated]`. Enabling this feature
-//! explicitly opts out the stability guarantee given by diesel. This feature overrides the `with-deprecated`.
-//! Note that this may also remove items that are not shown as `#[deprecated]` in our documentation, due to
-//! various bugs in rustdoc. It can be used to check if you depend on any such hidden `#[deprecated]` item.
+//!   explicitly opts out the stability guarantee given by diesel. This feature overrides the `with-deprecated`.
+//!   Note that this may also remove items that are not shown as `#[deprecated]` in our documentation, due to
+//!   various bugs in rustdoc. It can be used to check if you depend on any such hidden `#[deprecated]` item.
 //!
 //! By default the following features are enabled:
 //!
@@ -244,7 +244,10 @@
     clippy::enum_glob_use,
     clippy::if_not_else,
     clippy::items_after_statements,
-    clippy::used_underscore_binding
+    clippy::used_underscore_binding,
+    clippy::cast_possible_wrap,
+    clippy::cast_possible_truncation,
+    clippy::cast_sign_loss
 )]
 #![deny(unsafe_code)]
 #![cfg_attr(test, allow(clippy::map_unwrap_or, clippy::unwrap_used))]