
fix(deps): update rust crate libsqlite3-sys to 0.25.1 [security] #162

Closed
wants to merge 651 commits into from

Conversation


@renovate renovate bot commented Mar 16, 2023

This PR contains the following updates:

Package: libsqlite3-sys
Type: dependencies
Update: minor
Change: 0.9.1 -> 0.25.1

GitHub Vulnerability Alerts

CVE-2022-35737

SQLite 1.0.12 through 3.39.x before 3.39.2 sometimes allows an array-bounds overflow if billions of bytes are used in a string argument to a C API.


Release Notes

rusqlite/rusqlite (libsqlite3-sys)

v0.25.1: rusqlite 0.25.1, libsqlite3-sys 0.22.1

  • Use SQLITE_TEMP_STORE=3 on android. (#937)
  • Upgrade to bindgen 0.58 (#933)

v0.25.0: 0.25.0

  • BREAKING CHANGE: Overhaul parameter API #830 / #609
  • Add ToSql implementations for u64 and usize #826 / #821
  • Implement FromSql for u64, usize and f32, and ToSql for f32 #823 / #822 / #821
  • Reduce required lifetime in create_scalar_function #825
  • Expose query progress information and introduce Batch iterator #824 / #803
  • Add #[inline] and #[cold] in far more places #834
  • Fix create_collation #839
  • Remove #[non_exhaustive] attribute on IndexConstraintOp #840 / #783
  • Document that optional() requires import of trait rusqlite::OptionalExtension #842
  • Update time to appease deps.rs #849
  • Upgrade to bindgen 0.57
  • Improve busy handler documentation #854
  • Upgrade SQLite bundled version to 3.35.4
  • Expands/cleans up documentation. Also renames (and documents) the so-far-undocumented LIBSQLITE3_FLAGS. #861
  • Add get_connection method to function context #867
  • Fix smallvec version #896
  • BREAKING CHANGE: Pass context to aggregate init and finalize #866
  • BREAKING CHANGE: Rename get_raw to get_ref_unwrap and get_raw_checked to get_ref #838
  • BREAKING CHANGE: Fix DateTime format #886 / #885 + Leniently parse rfc3339 timezones #928

v0.24.2: rusqlite 0.24.2

v0.24.2 is identical to v0.24.1 except it allows building with an older version of smallvec, as the newer one caused meaningful performance issues in Firefox.

See https://github.com/rusqlite/rusqlite/pull/855 for more info.

v0.24.1: rusqlite 0.24.1, libsqlite3-sys 0.20.1

  • The lru-cache crate has been replaced with hashlink, which may fix panics on Rust nightly caused by unsoundness in some versions of the lru-cache crate (#811).

  • A positional BLOB I/O API has been added, which more closely mirrors SQLite's actual BLOB I/O API, and is similar to unix-style pwrite/pread. (#780).

  • A winsqlite3 feature has been added to both rusqlite and libsqlite3-sys which allows linking against the SQLite present in newer versions of Windows 10 (#796).

  • Rusqlite's iterator types are now #[must_use] (#799).

  • Several dependencies have been updated.

v0.24.0: rusqlite 0.24.0, libsqlite3-sys 0.20.0

  • BREAKING CHANGE: Upgrade to time v0.2 and put it behind a feature flag (#653)
  • impl TryFrom<&Row<'_>> for (...)
    This change implements TryFrom<&Row> for tuples up to 16 fields. This
    is a convenience function that can be used to map rows more easily.
  • adding ability to work with sqlite compiled with SQLITE_OMIT_DECLTYPE (feature column_decltype)
  • LIBSQLITE3_FLAGS hook
    Enables compiling bundled sources with different flags.
  • Add cross-compilation with mingw (#774)
  • Support wasm32-wasi target (#785)
  • Implement our own sqlite3_exec which supports unlock notify (#767)
  • Fix order of parameters in InvalidParameterCount message (#779)
  • Don't implement Into for Statement (#763)
  • Publicly expose Map
  • little speedup for bundled sqlite3.c on unix (HAVE_LOCALTIME_R)
  • BREAKING CHANGE: VTabCursor lifetime should be bound to VTab lifetime (#753)
  • preupdate_hook feature requires buildtime_bindgen
  • Upgrade SQLite bundled sources to 3.33.0
  • Upgrade to bindgen 0.54
  • Fix missing docs
  • Add link to gitter channel (#738)
  • Include LICENSE into the libsqlite3-sys crate (#736)

v0.23.1: rusqlite 0.23.1

Hotfix release for arm32 bustage (#724)

v0.23.0: rusqlite 0.23.0, libsqlite3-sys 0.18.0

The release primarily contains a number of security/memory safety fixes, which were mostly found due to an audit of the unsafe code in the crate. An advisory will be published for these shortly.

They mostly impact APIs exposed through features, so while there are a lot of them, if you're using rusqlite under default features, you're fine. None of them impact libsqlite3-sys.

It's a major release as these APIs were fundamentally unsound and could not be fixed without breaking changes.

Non-safety changes in this release:

  • Bundled SQLite has been updated to 3.31.1 rusqlite/rusqlite@22564d3
  • Non-unicode paths are now handled properly, at least on unix https://github.com/rusqlite/rusqlite/pull/692
  • Functions using va_list are excluded from the bundled bindings, as these are platform specific. You can still use them if you enable the buildtime_bindgen feature. rusqlite/rusqlite@288aa96
  • An unchecked_transaction function has been added which allows opting-out of compile time transaction checking. Despite its name, it's still checked, it just downgrades a compilation error to a runtime one: https://github.com/rusqlite/rusqlite/pull/693
  • std::error::Error::source is implemented in favor of std::error::Error::cause for all error types.

v0.22.0: rusqlite 0.22.0, libsqlite3-sys 0.17.3

  • Add ability to open sqlite connection with specified vfs (#630)
  • Fix i32 overflow in Connection::busy_timeout (#604)
  • Separate the modern_sqlite and bundled features. (#613)
  • Add FromSql for Box<str>, Rc<str> and Arc<str>
  • Fix params macro (#614)
  • Fix error while executing ALTER statement (#645)
  • Ignore PATH change (#435)
  • Add playground metadata for rusqlite, hopefully fixing it (#647)
  • Don't perform threading mode checks on wasm32 (#640)
  • Upgraded the bundled SQLite version to 3.31.0. (#619)
  • Add support to function flags (#622)
  • Add missing IndexConstraintOp entries (#623)
  • Add missing error codes (#624)
  • Add missing constants (#629)
  • Introduce alloc to generate C string allocated by sqlite3 (#644)
  • rusqlite now exposes the bundled-windows feature, forwarding to libsqlite3-sys. (#682)
  • rusqlite::Result<T> is now defined as type Result<T, E = rusqlite::Error>. This avoids needing to access std::result::Result explicitly when rusqlite::Result is brought into scope. (#678)
  • Rows now support mapped and and_then functions which return Iterators. This is useful if you cannot use query_map or query_and_then for some reason. (#676)
  • A new error variant was added for using the wrong number of bound parameters. Previously this caused a panic (#675).
  • Many rusqlite enums have been made #[non_exhaustive] for better extensibility. (#673)
  • Various low-level Statement apis have been added to allow separating parameter binding and statement execution. (#668)
  • ToSql is implemented for various smart pointers (Box, Cow, Rc, Arc) in more cases. (#660)
  • bundled-full feature now exists to enable both bundled and other features which do not conflict. It is mainly intended to improve developer ergonomics for working on rusqlite (#687)
  • The features vtab_v3 and unstable are removed. The former is no longer necessary and the latter was only used for #[bench]. (#687)
  • rusqlite::Error now implements std::error::Error::source instead of only std::error::Error::cause. Use of cause will still work, as it goes through source by default. (#683)

v0.20.0

  • BREAKING CHANGE: Do not assume sqlite3_column_text is valid UTF-8. (#548)
  • Make Module impl Send (#543)
  • Upgrade bundled SQLite version to 3.29
  • Upgrade bindgen to 0.51

v0.18.0

  • Add support for Uuid (#506)
  • impl ToSql for Box<dyn ToSql> (#500)
  • Allow specifying both sqlcipher and bundled (#511)
  • Introduce Statement::columns (#494)
  • Rebuild when VCPKGRS_DYNAMIC changes (#483)
  • Upgrade to fallible-iterator 0.2

v0.17.0

  • BREAKING CHANGE: Cannot insert heterogeneous elements with .execute #462
    Add params/named_params macro, and expose ToSql from top level #471
  • BREAKING CHANGE: Do not panic by default #485
    Replace Row::get by Row::get_checked,
    And rename original Row::get to Row::get_unwrap.
    Stmt::query_map, Stmt::query_map_named, Stmt::query_row,
    Conn::query_row and Conn::query_row_named callback parameter must return a Result.
  • BREAKING CHANGE: Make Rows implement FallibleStreamingIterator #478
    Rows::next returns Result<Option<&Row<'_>>> instead of Option<Result<Row<...>>>.
  • Avoid unnecessary copies/allocations when passing strings to sqlite #487
  • Ease PRAGMA usage (#273 and #265) #476
  • Add optional support for rust-url #491
  • Impl PartialEq for Error #416
  • Make get_aux safe by storing the TypeId with the data.
  • Introduce Connection::from_handle #453
  • Support for sqlite3_db_config #468
  • Make the libsqlite3_sys as ffi export pub #469
  • Derive Debug for Transaction #470
  • Upgrade bundled version to SQLite 3.27.2
  • BREAKING CHANGE: Session extension
  • Restore old bindgen for Diesel
  • Upgrade to bindgen 0.48

v0.16.0

  • Update README example.
  • Allow build time bindgen of bundled SQLite
  • Fix Timespec FromSql implementations (#431)
  • Add support for forcing cargo:rustc-link-lib to link as native
  • BREAKING CHANGE: Callbacks must not be able to unwind into sqlite code
  • Introduce OptionalExtension
  • Upgrade bundled version to SQLite 3.26.0
  • BREAKING CHANGE: remove deprecated stuff
  • Fix compilation error with functions and i128 features
  • Fix test_interrupt #415
  • Rust 2018
  • Upgrade to bindgen 0.45

v0.15.0

  • Allow getting a ValueRef out of Row and Context, fixes #259
  • Remove version check when bundled
  • Add a feature for storing i128 as blobs.
  • Add a method of interrupting a query executing on a separate thread, fixes #407
  • BREAKING CHANGE: Take IntoIterator rather than &[&ToSql] (#312)
  • Impossible to execute a pragma in 0.14.0 #400
  • BREAKING CHANGE: Remove old bindgens
  • array feature should not require bundled #384
  • Upgrade SQLite bundled sources to 3.25.2
  • Upgrade to bindgen 0.42

v0.14.0

  • BREAKING CHANGE: ToSql implementation for time::Timespec uses RFC 3339 (%Y-%m-%dT%H:%M:%S.%fZ).
    Previous format was %Y-%m-%d %H:%M:%S:%f %Z.
  • BREAKING CHANGE: Remove potentially conflicting impl of ToSqlOutput (#313).
  • BREAKING CHANGE: Replace column index/count type (i32) with usize.
  • BREAKING CHANGE: Replace parameter index/count type (i32) with usize.
  • BREAKING CHANGE: Replace row changes/count type (i32) with usize.
  • BREAKING CHANGE: Scalar functions must be Sendable and 'static.
  • Bugfix: Commit failure unhandled, database left in unusable state (#366).
  • Bugfix: free_boxed_hook does not work for fn.
  • Update the bundled SQLite version to 3.24.0 (#326).
  • Add DropBehavior::Panic to enforce intentional commit or rollback.
  • Implement sqlite3_update_hook (#260, #328), sqlite3_commit_hook and sqlite3_rollback_hook.
  • Add support to unlock notification behind unlock_notify feature (#294, #331).
  • Make Statement::column_index case-insensitive (#330).
  • Add comment to justify &mut Connection in Transaction.
  • Fix tyvar_behind_raw_pointer warnings.
  • Fix handful of clippy warnings.
  • Fix Connection::open documentation (#332)
  • Add binding to sqlite3_get_autocommit and sqlite3_stmt_busy.
  • Add binding to sqlite3_busy_timeout and sqlite3_busy_handler.
  • Add binding to sqlite3_expanded_sql.
  • Use rerun-if-env-changed in libsqlite3-sys (#329).
  • Return an InvalidQuery error when SQL is not read only.

v0.13.0

  • Added ToSqlConversionFailure case to Error enum.
  • Now depends on chrono 0.4, bitflags 1.0, and (optionally) cc 1.0 / bindgen 0.31.
  • The ToSql/FromSql implementations for time::Timespec now include
    and expect fractional seconds and timezone in the serialized string.
  • The RowIndex type used in Row::get is now publicly exported.
  • New sqlcipher feature allows linking against SQLCipher instead of SQLite.
  • Doc link in README now point to docs.rs.

v0.12.0

  • Defines HAVE_USLEEP when building with a bundled SQLite (#263).
  • Updates dependencies to their latest versions, particularly serde to 1.0.
  • Adds support for vcpkg on Windows.
  • Adds ToSql impls for str and [u8].

v0.11.0

  • Avoid publicly exporting SQLite constants multiple times from libsqlite3-sys.
  • Adds FromSql and ToSql impls for isize. Documents why usize and u64 are not included.

v0.10.0

  • Re-export the ErrorCode enum from libsqlite3-sys.
  • Adds version() and version_number() functions for querying the version of SQLite in use.
  • Adds the limits feature, exposing limit() and set_limit() methods on Connection.
  • Updates to libsqlite3-sys 0.7.0, which runs rust-bindgen at build-time instead of assuming the
    presence of all expected SQLite constants and functions.
  • Clarifies supported SQLite versions. Running with SQLite older than 3.6.8 now panics, and
    some features will not compile unless a sufficiently-recent SQLite version is used. See
    the README for requirements of particular features.
  • When running with SQLite 3.6.x, rusqlite attempts to perform SQLite initialization. If it fails,
    rusqlite will panic since it cannot ensure the threading mode for SQLite. This check can be
    skipped by calling the unsafe function rusqlite::bypass_sqlite_initialization(). This is
    technically a breaking change but is unlikely to affect anyone in practice, since prior to this
    version the check that rusqlite was using would cause a segfault if linked against a SQLite
    older than 3.7.0.
  • rusqlite now performs a one-time check (prior to the first connection attempt) that the runtime
    SQLite version is at least as new as the SQLite version found at buildtime. This check can be
    skipped by calling the unsafe function rusqlite::bypass_sqlite_version_check().
  • Removes the libc dependency in favor of using std::os::raw

v0.9.4

  • Update dependencies.

v0.9.3

  • Make ToSqlOutput itself implement ToSql.

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
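The vulnerability alert above gives only the affected SQLite range, and the release notes Renovate attached are rusqlite's release tags rather than libsqlite3-sys's (the entry for v0.25.1 reads "rusqlite 0.25.1, libsqlite3-sys 0.22.1" and lists bundled SQLite 3.35.4), so the SQLite version that libsqlite3-sys 0.25.1 actually ships cannot be read off this page. What a reviewer of a "[security]" bump like this one wants is a check of the SQLite the binary really runs against, not the crate version in Cargo.lock. The following Rust is an added example, not code from the Renovate PR, the whirl repository or the rusqlite project. It assumes the crate's rusqlite::version() (the dotted string from sqlite3_libversion, see the v0.10.0 notes above) and the build-time SQLITE_VERSION_NUMBER constant from libsqlite3-sys as its inputs; those are named only in comments so the block compiles without SQLite, and the sample values in main are constructed.

```rust
// Added example for this PR page: not code from the Renovate PR, the whirl
// repository or the rusqlite project. It decides whether the SQLite library a
// process really uses falls inside the CVE-2022-35737 range quoted in the
// alert above (1.0.12 through 3.39.x before 3.39.2).
//
// SQLite encodes versions as X*1_000_000 + Y*1_000 + Z (3.39.2 = 3039002).
// That is the encoding of sqlite3_libversion_number() and of the
// SQLITE_VERSION_NUMBER constant in libsqlite3-sys; the dotted form is what
// sqlite3_libversion(), exposed as rusqlite::version(), returns.

/// First SQLite release that fixes CVE-2022-35737.
pub const FIRST_FIXED: i32 = 3_039_002; // 3.39.2
/// Oldest release the advisory text names as affected.
pub const FIRST_AFFECTED: i32 = 1_000_012; // 1.0.12

/// Parse "X.Y" or "X.Y.Z" into SQLite's numeric encoding.
/// Rejects extra components, non-numeric parts, and minor/patch >= 1000,
/// since those would collide with a different version once encoded.
pub fn parse_version(s: &str) -> Option<i32> {
    let mut parts = s.trim().split('.');
    let major: i32 = parts.next()?.parse().ok()?;
    let minor: i32 = parts.next()?.parse().ok()?;
    let patch: i32 = match parts.next() {
        Some(p) => p.parse().ok()?,
        None => 0,
    };
    if parts.next().is_some() || !(0..1000).contains(&minor) || !(0..1000).contains(&patch) {
        return None;
    }
    Some(major * 1_000_000 + minor * 1_000 + patch)
}

/// True when `version_number` lies in the affected range [1.0.12, 3.39.2).
pub fn is_affected(version_number: i32) -> bool {
    (FIRST_AFFECTED..FIRST_FIXED).contains(&version_number)
}

/// `build_version_number` is the SQLite the crate's bindings were generated
/// against; `runtime_version` is the dotted string the loaded library reports.
/// With the `bundled` feature both describe the same library; with a system
/// SQLite the runtime library is the one that decides whether the CVE applies.
pub fn check(build_version_number: i32, runtime_version: &str) -> Result<(), String> {
    let runtime = parse_version(runtime_version)
        .ok_or_else(|| format!("unparseable runtime SQLite version {runtime_version:?}"))?;
    if runtime < build_version_number {
        // Same condition rusqlite's own one-time version check rejects (v0.10.0 notes).
        return Err(format!(
            "runtime SQLite {runtime} is older than build-time {build_version_number}"
        ));
    }
    if is_affected(runtime) {
        return Err(format!(
            "runtime SQLite {runtime} is affected by CVE-2022-35737; need >= {FIRST_FIXED}"
        ));
    }
    Ok(())
}

fn main() {
    // In a real program these would come from the crate (assumed names):
    //   let build = libsqlite3_sys::SQLITE_VERSION_NUMBER; // compile-time constant
    //   let runtime = rusqlite::version();                 // e.g. "3.39.2"
    // Constructed sample values: a crate built against and linked with 3.35.4,
    // the bundled version the v0.25.0 release notes above list.
    let build = 3_035_004;
    let runtime = "3.35.4";
    match check(build, runtime) {
        Ok(()) => println!("SQLite {runtime}: not affected by CVE-2022-35737"),
        Err(e) => eprintln!("{e}"),
    }
}
```

With the bundled feature the build-time and runtime versions are the same library and the check reduces to is_affected; when linking a system SQLite (or using the winsqlite3 feature listed in the v0.24.1 notes) the loaded library is what matters, which is why the check parses the runtime string instead of trusting Cargo.lock.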

Fuwn and others added 30 commits June 9, 2021 19:25
Bumps [trim-newlines](https://github.com/sindresorhus/trim-newlines) from 3.0.0 to 3.0.1.
- [Release notes](https://github.com/sindresorhus/trim-newlines/releases)
- [Commits](https://github.com/sindresorhus/trim-newlines/commits)

---
updated-dependencies:
- dependency-name: trim-newlines
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <[email protected]>
`flexi_logger` version `0.18.0` broke a lot of stuff, this fixes those broken things.
fix(deps): update rust crate flexi_logger to 0.18.0
Instead of being given the option to start all of the sub-servers (`whirl run` or `whirl run all`),
you are now given the option to specify a selection of sub-servers by passing a comma-separated list
to the `run` sub-command (`whirl run distributor,hub`). Despite the changes, `whirl run` still
starts all of the available sub-servers!
fix(deps): update rust crate tokio to 1.6.2
I guess at some point I accidentally inserted a newline to the end of the `.license_template` file,
don't know how I didn't notice until now but this commit fixes the errors that rustfmt would report.
fix(deps): update rust crate tokio to 1.7.0
Issue came back, reverted commit, issue is gone...
At the moment, the `version` key is never accessed, but once Whirl's "`1.0`" release is out, the
configuration schema will need to be standardized, the `version` key will regulate that and also
ensure no one is left behind when updating.

BREAKING CHANGE: `version` key is created
fix(deps): update rust crate mimalloc to 0.1.26
@renovate renovate bot requested a review from Fuwn as a code owner March 16, 2023 19:52
@Fuwn Fuwn force-pushed the renovate/crate-libsqlite3-sys-vulnerability branch from a2f9c2e to bbb52e9 on October 21, 2024 03:43
@renovate renovate bot force-pushed the renovate/crate-libsqlite3-sys-vulnerability branch from bbb52e9 to 82d2d54 on October 21, 2024 03:44

renovate bot commented Oct 21, 2024

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: Cargo.lock
Command failed: cargo update --config net.git-fetch-with-cli=true --manifest-path crates/whirl_db/Cargo.toml --workspace
error: current package believes it's in a workspace when it's not:
current:   /tmp/renovate/repos/github/Whirlsplash/whirl/crates/whirl_db/Cargo.toml
workspace: /tmp/renovate/repos/github/Whirlsplash/whirl/Cargo.toml

this may be fixable by adding `crates/whirl_db` to the `workspace.members` array of the manifest located at: /tmp/renovate/repos/github/Whirlsplash/whirl/Cargo.toml
Alternatively, to keep it out of the workspace, add the package to the `workspace.exclude` array, or add an empty `[workspace]` table to the package's manifest.

@Fuwn Fuwn force-pushed the renovate/crate-libsqlite3-sys-vulnerability branch from 82d2d54 to a2f9c2e on October 21, 2024 03:50
@renovate renovate bot force-pushed the renovate/crate-libsqlite3-sys-vulnerability branch from a2f9c2e to aec0dca on October 21, 2024 03:51
@Fuwn Fuwn closed this Oct 21, 2024

renovate bot commented Oct 21, 2024

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update (0.25.1). You will get a PR once a newer version is released. To ignore this dependency forever, add it to the ignoreDeps array of your Renovate config.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.
