
Bump cmake from 0.1.57 to 0.1.58 #345

Merged
hoffmang9 merged 1 commit into main from dependabot/cargo/cmake-0.1.58 on Apr 7, 2026

Conversation


@dependabot dependabot Bot commented on behalf of github Apr 7, 2026

Bumps cmake from 0.1.57 to 0.1.58.

Release notes

Sourced from cmake's releases.

v0.1.58

Fixed

  • Fix i686-windows system import (#276)
Changelog

Sourced from cmake's changelog.

0.1.58 - 2026-03-26

Fixed

  • Fix i686-windows system import (#276)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Note

Low Risk
Low risk dependency bump limited to the Rust build toolchain; primary impact is on CMake-driven builds, especially Windows i686 import handling.

Overview
Updates the Rust bindings build dependency cmake from 0.1.57 to 0.1.58 (including the corresponding Cargo.lock entry/checksum), pulling in upstream fixes for CMake build integration.

Reviewed by Cursor Bugbot for commit e3057b6. Bugbot is set up for automated code reviews on this repo. Configure here.

Bumps [cmake](https://github.com/rust-lang/cmake-rs) from 0.1.57 to 0.1.58.
- [Release notes](https://github.com/rust-lang/cmake-rs/releases)
- [Changelog](https://github.com/rust-lang/cmake-rs/blob/main/CHANGELOG.md)
- [Commits](rust-lang/cmake-rs@v0.1.57...v0.1.58)

---
updated-dependencies:
- dependency-name: cmake
  dependency-version: 0.1.58
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the labels Changed (Required label for PR that categorizes merge commit message as "Changed" for changelog), dependencies (Pull requests that update a dependency file) and rust (Pull requests that update Rust code) on Apr 7, 2026

github-actions Bot commented Apr 7, 2026

🤖 Cursor Dependency Analysis

Supply-Chain Malware Review

Verifying upstream changes between cmake 0.1.57 and 0.1.58 to support the malware review.

Verdict: benign

What changed upstream (0.1.57 → 0.1.58)

  • Runtime code: Only src/lib.rs: conditional #[link] for kernel32 so i686 Windows uses import_name_type = "undecorated"; other arches keep the previous attribute. That matches the published fix (compare).
  • Metadata: Version bump in Cargo.toml and CHANGELOG.md.
  • CI: .github/workflows/* only renames default branch references (master → main for checkout and publish). No new steps, secrets, or third-party actions.

Checklist vs evidence

  • Obfuscation / exfil / persistence / unexpected networking: None in the diff; no new build.rs tricks or encoded payloads.
  • Invisible Unicode: Scanner reports 0 unicode/confusable findings after allowlist.
  • Dependency integrity: cmake still depends only on cc; no new transitive crates in the lockfile snippet you have. Patch semver bump; crates.io checksum in Cargo.lock is consistent with a normal publish.
  • Workflow changes: Present but content is benign (branch alignment with main). The scanner’s workflow_path_touch is expected here and does not indicate compromise by itself.

Scanner vs manual read

  • maintainer_drift 0.1.57→0.1.58: Expected noise on any version bump; not evidence of account drift.
  • workflow_path_touch: Explained by the documented “Switch to main” maintenance change, not by malicious CI.

Actionable takeaway: Safe to merge from a supply-chain perspective; the functional risk surface is Windows i686 linking if you care about that target; Linux/macOS/other targets are unchanged aside from consuming the same crate version.

Compatibility Analysis

Verifying how the cmake crate is used and inspecting upstream changes for 0.1.57 → 0.1.58.

1) Where cmake (crate) is used

  • Declared as a build dependency in rust_bindings/Cargo.toml (cmake = "0.1.58").
  • Used only in rust_bindings/build.rs: use cmake::Config; then Config::new, .build_target, .define, .env, and .build() — standard cmake-rs build script flow.

Other “cmake” hits in the repo are the system CMake tool (cmake CLI), CMakeLists, Find modules, CI, etc., not the Rust crate.

2) Overlap with 0.1.58 changes

Upstream 0.1.57 → 0.1.58 only adjusts an internal Windows FFI helper (fix_build_dir): GetFullPathNameW / kernel32 linking is split so i686 (target_arch = "x86") uses import_name_type = "undecorated"; other arches keep the previous #[link(...)].

That does not change Config’s public API or the methods you call in build.rs. Your usage does not intersect with anything that was intentionally changed except indirectly if you build on 32-bit Windows MSVC, where behavior should improve (fix, not break).

3) Risks / unknowns

  • Low for typical targets (Linux/macOS/Windows x64): code path for non-x86 Windows is unchanged from 0.1.57 for that block.
  • Residual: any niche Windows i686 build is the only place touched; risk there is low and aligned with an upstream bugfix.
  • No semver concern: patch release; lockfile already pins the crate version.

4) Recommendation

Merge — patch bump with a narrow internal Windows/i686 fix; no API churn relevant to rust_bindings/build.rs.


Malware Scan Summary

  • Status: warn
  • Warn only mode: true
  • Changed upstream files scanned: 5
  • Resolution strategy: tag_range
  • Changed node/vendor paths: 0
  • Changed lockfiles: 0
  • Resolved upstream range: 434afe6a30aa10a28b9a0a05082a5d4fc749074a..63190697197b34e5e5cd3cabf17da4fcab348bef
  • Resolved refs: from=434afe6a30aa10a28b9a0a05082a5d4fc749074a to=63190697197b34e5e5cd3cabf17da4fcab348bef
  • Unicode findings (post-allowlist): 0
  • Confusable findings (post-allowlist): 0
  • IOC findings (post-allowlist): 0
  • Heuristic findings (post-allowlist): 3

Top findings

  • .github/workflows/main.yml:0 workflow_path_touch :: path-touch
  • .github/workflows/publish.yml:0 workflow_path_touch :: path-touch
  • cmake:0 maintainer_drift :: 0.1.57->0.1.58

@socket-security

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

| Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License |
|---|---|---|---|---|---|---|
| Updated | cargo/cmake@0.1.57 ⏵ 0.1.58 | 98 | 100 | 93 | 100 | 100 |


@hoffmang9 hoffmang9 merged commit a04c94d into main Apr 7, 2026
67 checks passed
@hoffmang9 hoffmang9 deleted the dependabot/cargo/cmake-0.1.58 branch April 7, 2026 20:11