SUSE-SU-2026:0506-1

Source
https://www.suse.com/support/update/announcement/2026/suse-su-20260506-1/
Import Source
https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2026:0506-1.json
JSON Data
https://api.osv.dev/v1/vulns/SUSE-SU-2026:0506-1
Published
2026-02-13T14:32:17Z
Modified
2026-03-23T04:52:18.136757Z
Summary
Security update for cargo-auditable
Details

This update for cargo-auditable fixes the following issues:

Update to version 0.7.2~0.

Security issues fixed:

  • CVE-2026-25727: parsing of user-provided input by the RFC 2822 date parser can lead to stack exhaustion (bsc#1257906).

Other updates and bugfixes:

  • Update to version 0.7.2~0:

    • mention cargo-dist in README
    • commit Cargo.lock
    • bump which dev-dependency to 8.0.0
    • bump object to 0.37
    • Upgrade cargo_metadata to 0.23
    • Expand the set of dist platforms in config
  • Update to version 0.7.1~0:

    • Opt out of unhelpful clippy lint
    • Satisfy clippy
    • Do not assume --crate-name and --out-dir are present in the rustc command, but show warnings if they aren't
    • Run apt-get update before trying to install packages
    • run cargo dist init on dist 0.30
    • Drop allow-dirty from dist config, should no longer be needed
    • Reorder paragraphs in README
    • Note the maintenance transition for the go extraction library
    • Editing pass on the adopters: scanners
    • clarify Docker support
    • Cargo clippy fix
    • Add Wolfi OS and Chainguard to adopters
    • Update mentions around Anchore tooling
    • README and documentation updates for nightly
    • Bump dependency version in rust-audit-info
    • More work on docs
    • Nicer formatting on format revision documentation
    • Bump versions
    • regenerate JSON schema
    • cargo fmt
    • Document format field
    • Make it more clear that RawVersionInfo is private
    • Add format field to the serialized data
    • cargo clippy fix
    • Add special handling for proc macros to treat them as the build dependencies they are
    • Add a test to ensure proc macros are reported as build dependencies
    • Add a test fixture for a crate with a proc macro dependency
    • parse fully qualified package ID specs from SBOMs
    • select first discovered SBOM file
    • cargo sbom integration
    • Get rid of unmaintained wee_alloc in test code to make people's scanners misled by GHSA chill out
    • Don't fail plan workflow due to manually changed release.yml
    • Bump Ubuntu version to hopefully fix release.yml workflow
    • Add test for stripped binary
    • Bump version to 0.6.7
    • Populate changelog
    • README.md: add auditable2cdx, more consistency in text
    • Placate clippy
    • Do not emit -Wl if a bare linker is in use
    • Get rid of a compiler warning
    • Add bare linker detection function
    • drop boilerplate from test that's no longer relevant
    • Add support for recovering rustc codegen options
    • More lenient parsing of rustc arguments
    • More descriptive error message in case rustc is killed abruptly
    • change formatting to fit rustfmt
    • More descriptive error message in case cargo is killed
    • Update REPLACING_CARGO.md to fix #195
    • Clarify osv-scanner support in README
    • Include the command required to view metadata
    • Mention wasm-tools support
    • Switch from broken generic cache action to a Rust-specific one
    • Fill in various fields in auditable2cdx Cargo.toml
    • Include osv-scanner in the list, with a caveat
    • Add link to blint repo to README
    • Mention that blint supports our data
    • Consolidate target definitions
    • Account for WASM test dependencies changing, commit the Cargo.lock so they would stop doing that
    • Migrate to a maintained toolchain action
    • Fix author specification
    • Add link to repository to resolverver Cargo.toml
    • Bump resolverver to 0.1.0
    • Add resolverver crate to the tree
  • Update to version 0.6.6~0:

    • Note the object upgrade in the changelog
    • Upgrade cyclonedx-bom from 0.5 to 0.8 in auditable-cyclonedx
    • Upgrade object crate from 0.30 to 0.36 to reduce dependency footprint
    • Update dependencies in the lock file
    • Populate changelog
    • apply clippy lint
    • add another --emit parsing test
    • shorter code with cargo fmt
    • Actually fix cargo-c compatibility
    • Attempt to fix cargo-capi incompatibility
    • Refactoring in preparation for fixes
    • Also read the --emit flag to rustc
    • Fill in changelogs
    • Bump versions
    • Drop cfg'd out tests
    • Drop obsolete doc line
    • Move dependency cycle tests from auditable-serde to cargo-auditable crate
    • Remove cargo_metadata from auditable-serde API surface.
    • Apply clippy lint
    • Upgrade miniz_oxide to 0.8.0
    • Insulate our semver from miniz_oxide semver
    • Add support for Rust 2024 edition
    • Update tests
    • More robust OS detection for riscv feature detection
    • bump version
    • update changelog for auditable-extract 0.3.5
    • Fix wasm component auditable data extraction
    • Update blocker description in README.md
    • Add openSUSE to adopters
    • Update list of known adopters
    • Fix detection of riscv64-linux-android target features
    • Silence noisy lint
    • Bump version requirement in rust-audit-info
    • Fill in changelogs
    • Bump semver of auditable-info
    • Drop obsolete comment now that wasm is enabled by default
    • Remove dependency on cargo-lock
    • Brag about adoption in the README
    • Don't use LTO for cargo-dist builds to make them consistent with cargo install etc
    • Also build musl binaries
    • dist: update dist config for future releases
    • dist(cargo-auditable): ignore auditable2cdx for now
    • chore: add cargo-dist
References

Affected packages

SUSE:Linux Enterprise Module for Development Tools 15 SP7 / cargo-auditable

Package

Name
cargo-auditable
Purl
pkg:rpm/suse/cargo-auditable&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Development%20Tools%2015%20SP7

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
0.7.2~0-150700.3.5.1

Ecosystem specific

{
    "binaries": [
        {
            "cargo-auditable": "0.7.2~0-150700.3.5.1"
        }
    ]
}

Database specific

source
"https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2026:0506-1.json"