From e15b7160f2e079484f7b998687a179aa55413fcc Mon Sep 17 00:00:00 2001 From: squidfunk Date: Fri, 3 Jul 2026 12:35:35 +0200 Subject: [PATCH 1/4] fix: `Specificity` does not compare equal on `0` Signed-off-by: squidfunk --- crates/zrx-id/src/id/specificity.rs | 27 ++++++++++++++++----------- 1 file changed, 16 insertions(+), 11 deletions(-) diff --git a/crates/zrx-id/src/id/specificity.rs b/crates/zrx-id/src/id/specificity.rs index 3893bc68..e4668a64 100644 --- a/crates/zrx-id/src/id/specificity.rs +++ b/crates/zrx-id/src/id/specificity.rs @@ -135,8 +135,8 @@ impl Specificity { /// Computes the sum of both specificities. #[inline] fn sum(self, other: Self) -> Self { - let Specificity(a1, b1, c1, l1) = self; - let Specificity(a2, b2, c2, l2) = other; + let Self(a1, b1, c1, l1) = self; + let Self(a2, b2, c2, l2) = other; Self( a1.saturating_add(a2), b1.saturating_add(b2), @@ -158,6 +158,13 @@ impl Specificity { spec.3 = self.3.saturating_add(other.3); spec } + + /// Returns whether the specificity is zero. + #[inline] + fn is_zero(self) -> bool { + let Self(a, b, c, l) = self; + a | b | c | l == 0 + } } // ---------------------------------------------------------------------------- @@ -229,16 +236,14 @@ impl Ord for Specificity { /// ``` #[inline] fn cmp(&self, other: &Self) -> Ordering { - let Specificity(a1, b1, c1, l1) = self; - let Specificity(a2, b2, c2, l2) = other; + let Self(a1, b1, c1, l1) = self; + let Self(a2, b2, c2, l2) = other; - // An all-zero specificity is the least specific and must always be the - // first in order, so check if this applies to any of the specificities - if a1 | b1 | c1 | l1 == 0 { - return Ordering::Less; - } - if a2 | b2 | c2 | l2 == 0 { - return Ordering::Greater; + // An all-zero specificity is always less specific than a non-zero + // specificity, but two all-zero specificities must compare equal + let ordering = other.is_zero().cmp(&self.is_zero()); + if !ordering.is_eq() { + return ordering; } // Otherwise, compare each component, where `c` is reversed since fewer From 6ecb0b2a829e660da014fecad2ff4fc6752c1ccf Mon Sep 17 00:00:00 2001 From: squidfunk Date: Fri, 3 Jul 2026 13:09:33 +0200 Subject: [PATCH 2/4] test: add `Filter::candidates` test for `Expression::default` Signed-off-by: squidfunk --- .../src/id/expression/filter/candidates.rs | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/crates/zrx-id/src/id/expression/filter/candidates.rs b/crates/zrx-id/src/id/expression/filter/candidates.rs index 38bac25f..3841e030 100644 --- a/crates/zrx-id/src/id/expression/filter/candidates.rs +++ b/crates/zrx-id/src/id/expression/filter/candidates.rs @@ -318,5 +318,22 @@ mod tests { } Ok(()) } + + #[test] + fn handles_default() -> Result { + let mut builder = Filter::builder(); + let _ = builder.insert(Expression::default()); + let filter = builder.build()?; + for (id, check) in [ + ("zri:file:::docs:index.md:", vec![0]), + ("zri:git:::docs:image.jpg:", vec![0]), + ] { + assert_eq!( + filter.candidates(&id)?.collect::>(), // fmt + check + ); + } + Ok(()) + } } } From c327a22710fc588caeae60fd550fb121d234d93f Mon Sep 17 00:00:00 2001 From: squidfunk Date: Mon, 13 Jul 2026 12:29:06 +0200 Subject: [PATCH 3/4] chore: move security audit into `security.yml` Signed-off-by: squidfunk --- .github/workflows/check.yml | 19 -------------- .github/workflows/security.yml | 48 ++++++++++++++++++++++++++++++++++ 2 files changed, 48 insertions(+), 19 deletions(-) create mode 100644 .github/workflows/security.yml diff --git a/.github/workflows/check.yml b/.github/workflows/check.yml index 23a44208..831e4f06 100644 --- a/.github/workflows/check.yml +++ b/.github/workflows/check.yml @@ -65,22 +65,3 @@ jobs: - name: Run rustfmt run: find crates -name "*.rs" -exec rustfmt --check {} \; - - security: - name: Audit - runs-on: ubuntu-latest - steps: - - name: Checkout repository - uses: actions/checkout@v6 - with: - ref: ${{ github.sha }} - - - name: Set up Rust cache - uses: Swatinem/rust-cache@v2 - - - name: Install cargo-audit - run: cargo install cargo-audit - - - name: Audit dependencies - run: cargo audit - diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml new file mode 100644 index 00000000..279a36c4 --- /dev/null +++ b/.github/workflows/security.yml @@ -0,0 +1,48 @@ +# Copyright (c) 2025-2026 Zensical and contributors + +# SPDX-License-Identifier: MIT +# Third-party contributions licensed under DCO + +# Permission is hereby granted, free of charge, to any person obtaining a copy +# of this software and associated documentation files (the "Software"), to +# deal in the Software without restriction, including without limitation the +# rights to use, copy, modify, merge, publish, distribute, sublicense, and/or +# sell copies of the Software, and to permit persons to whom the Software is +# furnished to do so, subject to the following conditions: + +# The above copyright notice and this permission notice shall be included in +# all copies or substantial portions of the Software. + +# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +# FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT. IN NO EVENT SHALL THE +# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING +# FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS +# IN THE SOFTWARE. + +name: Security + +on: + schedule: + - cron: "0 4 * * 1" + workflow_dispatch: + +jobs: + audit: + name: Audit + runs-on: ubuntu-latest + steps: + - name: Checkout repository + uses: actions/checkout@v6 + with: + ref: ${{ github.sha }} + + - name: Set up Rust cache + uses: Swatinem/rust-cache@v2 + + - name: Install cargo-audit + run: cargo install cargo-audit + + - name: Audit dependencies + run: cargo audit From a9c005f8253badaef82fdb4735e81a75f9fc25d3 Mon Sep 17 00:00:00 2001 From: squidfunk Date: Mon, 13 Jul 2026 12:34:56 +0200 Subject: [PATCH 4/4] chore: update `anyhow` to mitigate CVE Signed-off-by: squidfunk --- Cargo.lock | 4 ++-- Cargo.toml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index d281da3a..dbf3483e 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -26,9 +26,9 @@ dependencies = [ [[package]] name = "anyhow" -version = "1.0.102" +version = "1.0.103" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7f202df86484c868dbad7eaa557ef785d5c66295e41b460ef922eca0723b842c" +checksum = "2a4385e2e34eb35d6b3efe798b9eb88096925d87726c0798709bf56d9ed84af3" [[package]] name = "bstr" diff --git a/Cargo.toml b/Cargo.toml index cbe2ba06..67f46dd7 100644 --- a/Cargo.toml +++ b/Cargo.toml @@ -50,7 +50,7 @@ zrx-store = { version = "0.0.10", path = "crates/zrx-store" } zrx-stream = { version = "0.0.22", path = "crates/zrx-stream" } ahash = "0.8.12" -anyhow = "1.0.102" +anyhow = "1.0.103" crossbeam = "0.8.4" file-id = "0.2.3" globset = "0.4.18"