Bump thin-vec to 0.2.18 to address RUSTSEC-2026-0103 #158072
Merged
thin-vec versions before 0.2.16 have a use-after-free / double-free in `IntoIter::drop` and `ThinVec::clear` when an element's `Drop` panics (RUSTSEC-2026-0103). The requirement now sits past the affected range.
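An added illustration, not code from thin-vec or from this PR: how a panicking element `Drop` can make a container's `clear` drop elements twice, and how resetting the length first avoids it. `Toy`, `Probe`, `len_first` and `drop_counts` are hypothetical names, and the ordering hazard shown is the general pattern for this bug class, assumed here rather than taken from thin-vec's source.

```rust
use std::cell::Cell;
use std::mem::MaybeUninit;
use std::panic::{catch_unwind, AssertUnwindSafe};

// Constructed element: counts its own drops; id 1 panics the first time it is dropped.
// It owns no heap memory, so a repeat drop is only counted (a `Box` would be freed twice).
struct Probe<'a> { id: usize, counts: &'a [Cell<usize>; 3] }

impl Drop for Probe<'_> {
    fn drop(&mut self) {
        let c = &self.counts[self.id];
        c.set(c.get() + 1);
        if self.id == 1 && !std::thread::panicking() { panic!("constructed: element Drop panics"); }
    }
}

// Hypothetical container (not thin-vec's code): `len` says how many slots are live.
struct Toy<'a> { slots: [MaybeUninit<Probe<'a>>; 3], len: usize, len_first: bool }

impl Toy<'_> {
    fn clear(&mut self) {
        let n = self.len;
        // Hardened ordering: no slot counts as live once the drops begin.
        if self.len_first { self.len = 0; }
        for slot in &mut self.slots[..n] {
            // SAFETY: slots below `len` were initialised at construction.
            unsafe { slot.assume_init_drop() }; // an element's Drop may unwind from here
        }
        self.len = 0; // fragile ordering: never reached if a Drop panicked
    }
}

// Runs during unwinding too, so it re-enters `clear` with whatever `len` was left behind.
impl Drop for Toy<'_> { fn drop(&mut self) { self.clear(); } }

// Returns how many times each of the three elements was dropped.
fn drop_counts(len_first: bool) -> [usize; 3] {
    let counts = [Cell::new(0), Cell::new(0), Cell::new(0)];
    let outcome = catch_unwind(AssertUnwindSafe(|| {
        let slots = [0, 1, 2].map(|id| MaybeUninit::new(Probe { id, counts: &counts }));
        let mut toy = Toy { slots, len: 3, len_first };
        toy.clear();
    }));
    assert!(outcome.is_err(), "the constructed Drop panic should propagate");
    counts.map(Cell::into_inner)
}

fn main() {
    println!("reset after: {:?}, reset first: {:?}", drop_counts(false), drop_counts(true));
}
```

With the length reset first, the element after the panicking one is leaked rather than dropped, which is safe; with the reset last, the unwinding `Drop` walks the same slots again.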
Collaborator
Some changes occurred in compiler/rustc_attr_parsing
cc @jdonszelmann, @JonathanBrouwer
These commits modify the
If this was unintentional then you should revert the changes before this PR is merged.
The parser was modified, potentially altering the grammar of (stable) Rust
cc @fmease
Collaborator
rustbot has assigned @nikomatsakis.
Member
r? me
@bors r+ rollup
JonathanBrouwer added a commit to JonathanBrouwer/rust that referenced this pull request Jun 18, 2026
Bump thin-vec to 0.2.18 to address RUSTSEC-2026-0103

thin-vec versions before 0.2.16 have a use-after-free / double-free in `IntoIter::drop` and `ThinVec::clear` when an element's `Drop` panics ([RUSTSEC-2026-0103](https://rustsec.org/advisories/RUSTSEC-2026-0103)).

This bumps the requirement in the compiler crates from `0.2.15` to `0.2.18` and updates `Cargo.lock` accordingly, moving past the affected range.
rust-bors Bot pushed a commit that referenced this pull request Jun 18, 2026
…uwer
Rollup of 5 pull requests

Successful merges:
- #157935 (Make `proc_macro::ConversionErrorKind` non exhaustive)
- #158002 (Replace `unwrap` with `expect` in `get_module_children`)
- #158071 (Update actions/checkout action to v6)
- #158072 (Bump thin-vec to 0.2.18 to address RUSTSEC-2026-0103)
- #158077 (rustdoc-json-types: Replace bincode dev-dependency with postcard)
rust-bors Bot pushed a commit that referenced this pull request Jun 18, 2026
…uwer
Rollup of 10 pull requests

Successful merges:
- #158026 (`RegionValues`: disable unnecessary range check)
- #156795 (Handle generic reborrow in expression-use adjustment walking)
- #157694 (Enhance documentation on wake call memory ordering)
- #157935 (Make `proc_macro::ConversionErrorKind` non exhaustive)
- #158002 (Replace `unwrap` with `expect` in `get_module_children`)
- #158034 (Fix reborrow source expression visits)
- #158072 (Bump thin-vec to 0.2.18 to address RUSTSEC-2026-0103)
- #158074 (Document transient connection errors from TcpListener::accept)
- #158077 (rustdoc-json-types: Replace bincode dev-dependency with postcard)
- #158086 (renovate: Loosen dashboard approval and adopt recommended config)
rust-bors Bot pushed a commit that referenced this pull request Jun 18, 2026
Rollup of 12 pull requests

Successful merges:
- #156795 (Handle generic reborrow in expression-use adjustment walking)
- #157694 (Enhance documentation on wake call memory ordering)
- #157935 (Make `proc_macro::ConversionErrorKind` non exhaustive)
- #158002 (Replace `unwrap` with `expect` in `get_module_children`)
- #158009 (Reject `impl const Trait` since the right syntax is `const impl Trait` now)
- #158034 (Fix reborrow source expression visits)
- #158072 (Bump thin-vec to 0.2.18 to address RUSTSEC-2026-0103)
- #158074 (Document transient connection errors from TcpListener::accept)
- #158077 (rustdoc-json-types: Replace bincode dev-dependency with postcard)
- #158086 (renovate: Loosen dashboard approval and adopt recommended config)
- #158088 (codegen_ssa: no dbginfo for scalable vec local w/ `-O0`)
- #158089 (Fix invalid "jump-to-def" doc link generation when an item has a `derive` proc-macro)
rust-timer added a commit that referenced this pull request Jun 18, 2026
Rollup merge of #158072 - Turbo87:update-thin-vec, r=lqd

Bump thin-vec to 0.2.18 to address RUSTSEC-2026-0103

thin-vec versions before 0.2.16 have a use-after-free / double-free in `IntoIter::drop` and `ThinVec::clear` when an element's `Drop` panics ([RUSTSEC-2026-0103](https://rustsec.org/advisories/RUSTSEC-2026-0103)).

This bumps the requirement in the compiler crates from `0.2.15` to `0.2.18` and updates `Cargo.lock` accordingly, moving past the affected range.
github-actions Bot pushed a commit to rust-lang/stdarch that referenced this pull request Jun 19, 2026
Rollup of 12 pull requests

Successful merges:
- rust-lang/rust#156795 (Handle generic reborrow in expression-use adjustment walking)
- rust-lang/rust#157694 (Enhance documentation on wake call memory ordering)
- rust-lang/rust#157935 (Make `proc_macro::ConversionErrorKind` non exhaustive)
- rust-lang/rust#158002 (Replace `unwrap` with `expect` in `get_module_children`)
- rust-lang/rust#158009 (Reject `impl const Trait` since the right syntax is `const impl Trait` now)
- rust-lang/rust#158034 (Fix reborrow source expression visits)
- rust-lang/rust#158072 (Bump thin-vec to 0.2.18 to address RUSTSEC-2026-0103)
- rust-lang/rust#158074 (Document transient connection errors from TcpListener::accept)
- rust-lang/rust#158077 (rustdoc-json-types: Replace bincode dev-dependency with postcard)
- rust-lang/rust#158086 (renovate: Loosen dashboard approval and adopt recommended config)
- rust-lang/rust#158088 (codegen_ssa: no dbginfo for scalable vec local w/ `-O0`)
- rust-lang/rust#158089 (Fix invalid "jump-to-def" doc link generation when an item has a `derive` proc-macro)