nushell/0.100.0-r0: cve remediation #36232

Open
wants to merge 1 commit into
base: main

@octo-sts octo-sts bot commented Dec 10, 2024

octo-sts bot commented Dec 10, 2024

Gen AI suggestions to solve the build error:

• Detected Error: "Error: failed to parse the pom file: failed to run cargo update 'error: There are multiple hashbrown packages in your project, and the specification hashbrown is ambiguous."

• Error Category: Dependency

• Failure Point: rust/cargobump step failing due to ambiguous hashbrown dependency versions

• Root Cause Analysis: The cargobump tool is unable to handle multiple versions of the hashbrown package (0.12.3, 0.14.5, and 0.15.0) in the dependency tree

• Suggested Fix:

  1. Add a cargobump-deps.yaml file to specify the exact hashbrown version:

     ```yaml
     dependencies:
       - name: hashbrown
         version: "0.15.0"  # Use the latest version
     ```

  2. Or modify the rust/cargobump step in the melange YAML to specify the version:

     ```yaml
     - uses: rust/cargobump
       with:
         packages: "hashbrown@0.15.0"
     ```

• Explanation: The cargobump tool needs explicit version information when multiple versions of the same package exist in the dependency tree. By specifying the exact version, we remove the ambiguity that's causing the build failure.

• Additional Notes:

  • 0.15.0 is recommended as it's the latest version
  • This is a common issue in Rust projects with complex dependency trees
  • The fix aligns with Wolfi's principle of using latest versions where possible

• References:
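
The ambiguity reported in the comment above can be checked before the cargobump step runs. The following is an added example, not code from this PR, cargobump or Wolfi: it scans a Cargo.lock for package names locked at more than one version and lists the `name@version` specs that identify each copy. The lock excerpt is constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed Cargo.lock excerpt (not from the nushell repository); the three
# hashbrown versions are the ones named in the error analysis above.
SAMPLE_LOCK = '''
[[package]]
name = "ahash"
version = "0.8.11"

[[package]]
name = "hashbrown"
version = "0.12.3"

[[package]]
name = "hashbrown"
version = "0.14.5"
dependencies = [
 "ahash",
]

[[package]]
name = "hashbrown"
version = "0.15.0"
'''

def locked_versions(lock_text):
    """Map each package name to the sorted list of versions locked for it."""
    versions = defaultdict(set)
    # Each [[package]] table runs until the next table header or end of file.
    for block in re.split(r"(?m)^\[\[package\]\]\s*$", lock_text)[1:]:
        name = re.search(r'(?m)^name = "([^"]+)"', block)
        ver = re.search(r'(?m)^version = "([^"]+)"', block)
        if name and ver:
            versions[name.group(1)].add(ver.group(1))
    numeric = lambda v: [int(n) for n in re.findall(r"\d+", v)]
    return {n: sorted(vs, key=numeric) for n, vs in versions.items()}

def ambiguous_specs(lock_text):
    """Return {name: ["name@version", ...]} for names a bare spec cannot resolve."""
    return {
        name: [f"{name}@{v}" for v in vs]
        for name, vs in locked_versions(lock_text).items()
        if len(vs) > 1
    }

if __name__ == "__main__":
    for name, specs in ambiguous_specs(SAMPLE_LOCK).items():
        print(f"{name}: bare spec is ambiguous; use one of {', '.join(specs)}")
```

Any name this reports needs a version-qualified spec wherever a bare package name would otherwise be passed to `cargo update`.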
