deps: replace unmaintained paste with pastey #161
`paste` (1.0.15) was archived in 2024 and is flagged by `cargo audit` / `cargo deny` as RUSTSEC-2024-0436. `pastey` is an actively maintained drop-in fork with the same `paste!` macro and case modifiers. Mechanical swap at the two internal call sites (`ext!` in `atom_ext.rs`, `nested!` in `atom.rs`); both macros are `pub(crate)` so this is not a public-API change. Closes kixelated#159.
The 0.1 pin in the prior commit landed on `pastey 0.1.1` because `0.2.x` is a separate semver line under cargo's caret rules. Every 0.2 release is around a new `replace` modifier we don't use, so this is a no-op for our two call sites but puts us on the actively-maintained line. Verified: `cargo test --all-features` (206 + 3 doc-tests), `cargo clippy --all-targets --all-features -- -D warnings`.
## Summary

Bumps the `mp4-atom` rev pin from `d1e9e923` to `3366b086` (six commits ahead) to pick up three upstream fixes that resolve open kei issues:

- **kixelated/mp4-atom#153** - `colr` cursor advance for `prof` / `rICC` ICC profiles. Fixes metadata-embed failure on HDR / wide-gamut HEICs (Display P3, Display P3 Linear). **Closes #276**; addresses #269.
- **kixelated/mp4-atom#157** - bound `Vec::with_capacity` in `parse_vorbis_comment` / `Avcc`. Caps the OOM that the heif fuzz harness found (upstream #154). kei's by-header walk in `extract_xmp_bytes` stays as defense-in-depth for any sibling decoder that might regress in the same shape.
- **kixelated/mp4-atom#161** - replace unmaintained `paste` with `pastey`. Drops `RUSTSEC-2024-0436` from the dependency graph. **Closes #310**.

The non-mine commits in the range (#149 colr non-exhaustive, #155 colr test cleanup, **#145 unsized reads/writes refactor**) are picked up too. `#145` was the only API-shape risk; `cargo check --all-targets --all-features` is clean against the new pin. `0.11.0` release PR upstream is still open, so the pin stays on a git rev. The `Cargo.toml` comment now enumerates which fixes the rev brings in.

## Side cleanups

- `.cargo/audit.toml` drops the `RUSTSEC-2024-0436` ignore (paste is gone from the lockfile).
- `src/download/heif.rs`, `src/lib.rs`, `fuzz/README.md` reword `#154` comments from "filed upstream" to "fixed upstream in #157; defense-in-depth retained".
- `CHANGELOG` Unreleased gets a `Fixed` (HDR HEIC embed) and a `Security` (paste) entry.

## Test plan

- [x] `cargo check --all-targets --all-features` against the new pin
- [x] `cargo audit --deny warnings` (exit 0 with the ignore removed)
- [x] `just gate` (fmt + clippy + lib/cli/behavioral tests, 1894 + 131 + 102 passing)
- [x] **Live HDR HEIC repro on the maintainer's account.** `--recent 30 --skip-videos --embed-xmp --set-exif-datetime --set-exif-rating` against the test account: 28 downloaded, 16 HEICs, 0 metadata-write failures. Spot-checked `IMG_0179.HEIC` - file has `colr prof` (the #276 affected shape) plus an embedded `<x:xmpmeta>` packet, which is exactly the case that pre-fix produced `under decode: colr`.

## Issue cleanup after merge

- `#310` and `#276` auto-close via the `Closes` keywords above.
- `#269` stays open until the reporter retests; the symptom shape ("Opening ... for XMP update") is xmp_toolkit's wrapper, so there's residual uncertainty even though the live repro looks promising.
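The `Vec::with_capacity` bound referenced for mp4-atom#157 above, as an added Rust illustration that is not mp4-atom's or kei's code: the naive parser lets a count field from the file size the allocation, the hardened one caps that count by the bytes that remain. The byte layout (u32 LE entry count, then u32 LE length + bytes per entry) is a simplified Vorbis-comment-like format constructed for the example, and `parse_comments_*` / `ParseError` are hypothetical names.

```rust
// Added illustration, not mp4-atom's code: the "file-controlled count drives the
// allocation" shape that mp4-atom#157 bounded in parse_vorbis_comment / Avcc. Layout is a
// constructed, simplified Vorbis-comment-like list: u32 LE count, then per entry u32 LE len + bytes.
#[derive(Debug, PartialEq)]
pub enum ParseError { Truncated, TooMany }

fn read_u32(buf: &[u8], pos: &mut usize) -> Result<u32, ParseError> {
    let b = buf.get(*pos..*pos + 4).ok_or(ParseError::Truncated)?;
    *pos += 4;
    Ok(u32::from_le_bytes([b[0], b[1], b[2], b[3]]))
}

fn read_entry(buf: &[u8], pos: &mut usize) -> Result<Vec<u8>, ParseError> {
    let len = read_u32(buf, pos)? as usize;
    let end = pos.checked_add(len).ok_or(ParseError::Truncated)?;
    let bytes = buf.get(*pos..end).ok_or(ParseError::Truncated)?;
    *pos = end;
    Ok(bytes.to_vec())
}

/// Naive shape: reserves `count` slots before any entry is validated, so a 4-byte
/// header claiming u32::MAX entries requests gigabytes up front.
pub fn parse_comments_unbounded(buf: &[u8]) -> Result<Vec<Vec<u8>>, ParseError> {
    let mut pos = 0;
    let count = read_u32(buf, &mut pos)? as usize;
    let mut out = Vec::with_capacity(count); // file-controlled allocation size
    for _ in 0..count {
        out.push(read_entry(buf, &mut pos)?);
    }
    Ok(out)
}

/// Hardened shape: cap the hint by what the remaining bytes could hold (each entry
/// needs at least its 4-byte length field), so a hostile count fails before allocating.
pub fn parse_comments_bounded(buf: &[u8]) -> Result<Vec<Vec<u8>>, ParseError> {
    let mut pos = 0;
    let count = read_u32(buf, &mut pos)? as usize;
    let max_possible = (buf.len() - pos) / 4;
    if count > max_possible {
        return Err(ParseError::TooMany);
    }
    let mut out = Vec::with_capacity(count);
    for _ in 0..count {
        out.push(read_entry(buf, &mut pos)?);
    }
    Ok(out)
}

fn main() {
    // Constructed hostile header: count = u32::MAX with no entries behind it.
    println!("{:?}", parse_comments_bounded(&u32::MAX.to_le_bytes())); // Err(TooMany)
}
```

The same pre-check pattern applies to any length-prefixed container (the `Avcc` case upstream): derive the maximum plausible element count from the bytes still in the buffer and reject before `with_capacity`, keeping the fuzz-found input a cheap error rather than an abort.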
Closes #159.

Swaps `paste` (archived 2024, RUSTSEC-2024-0436) for `pastey`, a maintained drop-in fork. Stops `cargo audit` / `cargo deny` from flagging the dependency for downstream users.

Mechanical change at the two internal call sites:

- `Cargo.toml`: `paste = "1"` -> `pastey = "0.2"`
- `src/atom_ext.rs:92` and `src/atom.rs:177`: `paste::paste!` -> `pastey::paste!`

Both macros (`ext!` and `nested!`) are `pub(crate)`, so the dependency was never part of the public API and the swap doesn't show up in downstream code.

Pinned to `0.2` (latest is 0.2.2).

Test plan

- `cargo test --all-features` (206 pass + 3 doc-tests)
- `cargo clippy --all-targets --all-features -- -D warnings` clean
- `cargo fmt -- --check` clean