Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package zvm for openSUSE:Factory checked in at 2026-05-25 21:57:42 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/zvm (Old) and /work/SRC/openSUSE:Factory/.zvm.new.2084 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "zvm" Mon May 25 21:57:42 2026 rev:12 rq:1355091 version:0.8.22 Changes: -------- --- /work/SRC/openSUSE:Factory/zvm/zvm.changes 2026-04-25 21:35:44.241784250 +0200 +++ /work/SRC/openSUSE:Factory/.zvm.new.2084/zvm.changes 2026-05-25 22:00:33.778244688 +0200 @@ -1,0 +2,8 @@ +Mon May 25 12:15:16 UTC 2026 - Lucas Mulling <[email protected]> + +- Update to 0.8.22: + * fix false path escape error +- Includes changes from 0.8.21: + * remove dependancy on system tar for xz and tar decompression + +------------------------------------------------------------------- Old: ---- zvm-0.8.20.tar.gz New: ---- zvm-0.8.22.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ zvm.spec ++++++ --- /var/tmp/diff_new_pack.UBtRR5/_old 2026-05-25 22:00:34.442272013 +0200 +++ /var/tmp/diff_new_pack.UBtRR5/_new 2026-05-25 22:00:34.442272013 +0200 @@ -17,7 +17,7 @@ Name: zvm -Version: 0.8.20 +Version: 0.8.22 Release: 0 Summary: Easily install/upgrade between different versions of Zig License: MIT @@ -25,7 +25,6 @@ Source: https://github.com/tristanisham/zvm/archive/refs/tags/v%{version}.tar.gz#/%{name}-%{version}.tar.gz Source1: vendor.tar.xz BuildRequires: golang(API) >= 1.22 -Requires: tar %description Zig Version Manager (zvm) is a tool for managing your Zig installs. With std ++++++ vendor.tar.xz ++++++ ++++ 13425 lines of diff (skipped) ++++++ zvm-0.8.20.tar.gz -> zvm-0.8.22.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/zvm-0.8.20/.github/workflows/daily_canary.yml new/zvm-0.8.22/.github/workflows/daily_canary.yml --- old/zvm-0.8.20/.github/workflows/daily_canary.yml 2026-04-22 22:18:09.000000000 +0200 +++ new/zvm-0.8.22/.github/workflows/daily_canary.yml 2026-05-24 15:55:19.000000000 +0200 
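Review bot: `BuildRequires: golang(API) >= 1.22` is left unchanged in the second zvm.spec hunk, but the new cli/install.go in this same update calls `os.OpenRoot`, `root.MkdirAll` and `root.Symlink`. `os.Root` was added in Go 1.24 and its `MkdirAll` and `Symlink` methods in Go 1.25, so a build against an older toolchain that satisfies the current floor would fail to compile. I would raise the floor to match, e.g. `BuildRequires: golang(API) >= 1.25`, or to whatever the `go` directive in the new go.mod states (that line is not visible here).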
@@ -21,7 +21,7 @@ - name: Set up Go uses: actions/setup-go@v3 with: - go-version: 1.25.5 + go-version: 1.26 - name: Build ZVM run: go build -o zvm main.go diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/zvm-0.8.20/.github/workflows/go.yml new/zvm-0.8.22/.github/workflows/go.yml --- old/zvm-0.8.20/.github/workflows/go.yml 2026-04-22 22:18:09.000000000 +0200 +++ new/zvm-0.8.22/.github/workflows/go.yml 2026-05-24 15:55:19.000000000 +0200 @@ -21,9 +21,10 @@ go-version: "1.26" - name: golangci-lint - uses: golangci/golangci-lint-action@v6 + uses: golangci/golangci-lint-action@v9 with: - version: latest + version: v2.12 + args: --disable=errcheck build: runs-on: ubuntu-latest diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/zvm-0.8.20/cli/install.go new/zvm-0.8.22/cli/install.go --- old/zvm-0.8.20/cli/install.go 2026-04-22 22:18:09.000000000 +0200 +++ new/zvm-0.8.22/cli/install.go 2026-05-24 15:55:19.000000000 +0200 @@ -5,6 +5,7 @@ package cli import ( + "archive/tar" "archive/zip" "crypto/sha256" "crypto/tls" @@ -23,10 +24,12 @@ "runtime" "slices" "strings" + "time" "github.com/jedisct1/go-minisign" "github.com/schollz/progressbar/v3" "github.com/tristanisham/zvm/cli/meta" + "github.com/ulikunitz/xz" "github.com/charmbracelet/log" @@ -198,12 +201,13 @@ if err := ExtractBundle(tempFile.Name(), z.baseDir); err != nil { log.Fatal(err) } + + // TODO investigate why the CI thinks this is an error. var tarName string resultUrl, err := url.Parse(tarPath) if err != nil { log.Error(err) - tarName = version } // Maybe think of a better algorithm 
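Review bot: `args: --disable=errcheck` in the go.yml hunk turns off unchecked-error reporting for the whole module, and the same update adds calls in cli/install.go whose results are dropped (`root.MkdirAll(path, f.Mode())` in the zip path, the success-path `outFile.Close()` in untarXZ). In extraction code an ignored error means a partial install is reported as success. I would keep errcheck enabled and mark only the deliberately best-effort call sites with a `//nolint:errcheck` comment that says why.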
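Review bot: When `url.Parse(tarPath)` fails in the `@@ -198,12 +201,13 @@` hunk, the error branch now only logs and execution carries on with `resultUrl` possibly nil. The lines that derive `tarName` sit between this hunk and the next and are not visible, but if they read a field of `resultUrl` this path would panic instead of reaching the new `tarName == ""` fallback. Guarding the URL-based derivation with the `err == nil` case would make the fallback reachable on a parse failure. The comment `// TODO investigate why the CI thinks this is an error.` would be more useful if it named the linter and its message; the enclosing function starts and ends outside the hunk.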
@@ -212,6 +216,10 @@ tarName = strings.TrimSuffix(tarName, ".tar.xz") tarName = strings.TrimSuffix(tarName, ".zip") + if tarName == "" { + tarName = version + } + if err := os.Rename(filepath.Join(z.baseDir, tarName), filepath.Join(z.baseDir, version)); err != nil { if _, err := os.Stat(filepath.Join(z.baseDir, version)); err == nil { // Room here to make the backup file. 
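Review bot: `tarName` reaches `filepath.Join(z.baseDir, tarName)` in the `os.Rename` call without a check that it is a single directory name. It is derived from the download URL (the derivation is only partly inside this hunk), so a value that still contains a separator or `..` after the `TrimSuffix` calls would make the rename source resolve outside `z.baseDir`. A guard just before the rename keeps it confined, for example `if tarName != filepath.Base(tarName) || !filepath.IsLocal(tarName) { log.Fatalf("unexpected archive directory name %q", tarName) }`, adapted to how the surrounding function reports errors, which is not visible here.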
@@ -739,14 +747,84 @@ return fmt.Errorf("unknown format %v", extension) } -// untarXZ extracts a .tar.xz file to the specified output directory using the 'tar' command. +// untarXZ extracts a .tar.xz file to the specified output directory. func untarXZ(in, out string) error { - tar := exec.Command("tar", "-xf", in, "-C", out) - tar.Stdout = os.Stdout - tar.Stderr = os.Stderr - if err := tar.Run(); err != nil { - log.Debug("Error untarring bundle") - return err + var timer time.Time + if meta.Debug { + timer = time.Now() + } + + file, err := os.Open(in) + if err != nil { + return fmt.Errorf("failed to open archive %w", err) + } + defer file.Close() + + xzReader, err := xz.NewReader(file) + if err != nil { + return fmt.Errorf("failed to initalize xz reader %w", err) + } + + tarReader := tar.NewReader(xzReader) + + if err := os.MkdirAll(out, 0755); err != nil { + return fmt.Errorf("failed to create output directory: %w", err) + } + + root, err := os.OpenRoot(out) + if err != nil { + return fmt.Errorf("failed to open root: %w", err) + } + defer root.Close() + + for { + header, err := tarReader.Next() + if err == io.EOF { + break + } + if err != nil { + return fmt.Errorf("failed to read tar header %w", err) + } + + target := filepath.Clean(header.Name) + + switch header.Typeflag { + case tar.TypeDir: + if err := root.MkdirAll(target, header.FileInfo().Mode()&(^fs.ModeDir)); err != nil { + return fmt.Errorf("failed to create directory: %w", err) + } + + case tar.TypeReg: + // Should the mode just be 0755? 
+ if err := root.MkdirAll(filepath.Dir(target), 0755); err != nil { + return fmt.Errorf("failed to create parent directory: %w", err) + } + + outFile, err := root.OpenFile(target, os.O_CREATE|os.O_RDWR|os.O_TRUNC, header.FileInfo().Mode()) + if err != nil { + return fmt.Errorf("failed to create file: %w", err) + } + + // Copy contents streaming from the tar reader + if _, err := io.Copy(outFile, tarReader); err != nil { + outFile.Close() + return fmt.Errorf("failed to write file content: %w", err) + } + outFile.Close() + + case tar.TypeSymlink: + if err := root.MkdirAll(filepath.Dir(target), 0755); err != nil { + return fmt.Errorf("failed to create parent directory: %w", err) + } + + if err := root.Symlink(header.Linkname, target); err != nil { + return fmt.Errorf("failed to create symlink: %w", err) + } + } + } + + if meta.Debug { + log.Debugf("untarXZ took %s", time.Since(timer)) } return nil } @@ -782,17 +860,19 @@ }() path := filepath.Join(destination, f.Name) - if !strings.HasPrefix(path, filepath.Clean(destination)+string(os.PathSeparator)) { - return fmt.Errorf("illegal file path: %s", path) + // TODO look into how to make this more efficient and to trim excess calls. + root, err := os.OpenRoot(path) + if err != nil { + return fmt.Errorf("failed to open root %w", err) } if f.FileInfo().IsDir() { - os.MkdirAll(path, f.Mode()) + root.MkdirAll(path, f.Mode()) } else { - os.MkdirAll(filepath.Dir(path), f.Mode()) - f, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, f.Mode()) + root.MkdirAll(filepath.Dir(path), f.Mode()) + f, err := root.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, f.Mode()) if err != nil { - return err + return fmt.Errorf("failed to open file %w", err) } defer func() { 
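Review bot: In untarXZ the modes given to `root.MkdirAll` and `root.OpenFile` come straight from `header.FileInfo().Mode()`, which can carry setuid, setgid and sticky bits taken from the archive. The `os.Root` create methods document that they return an error for perm bits outside 0o777, so such an entry would abort the install, and archive-supplied special bits should not be honoured in any case. Masking covers both: `header.FileInfo().Mode().Perm()`, which also makes the `&(^fs.ModeDir)` unnecessary. In the `tar.TypeReg` branch the success-path `outFile.Close()` drops its error, so a failed write-back is reported as a good extraction; `if err := outFile.Close(); err != nil { return fmt.Errorf("failed to close file: %w", err) }` fixes that. The switch has no `default:` case, so hard links and other entry types are skipped silently, and a `log.Debugf` there would make an incomplete install diagnosable.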
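Review bot: In the zip hunk (`@@ -782,17 +860,19 @@`) the root is opened on the entry's own joined path, `os.OpenRoot(path)`, rather than on `destination`, so nothing confines an entry to the extraction directory any more. The `strings.HasPrefix` guard is removed, and `filepath.Join(destination, f.Name)` has already resolved any `..` in the entry name before `OpenRoot` sees it. `OpenRoot` also needs an existing directory, so file entries whose path does not exist yet look likely to fail, and the `*os.Root` is never closed, which leaks one descriptor per entry. Both `root.MkdirAll` results are discarded as well. Opening a single root on `destination` before the per-entry closure (the enclosing function starts outside this hunk) and passing root-relative names restores the containment, as sketched below.

```go
// … unchanged: rc open and its deferred close …
// root is opened once on destination, before the per-entry loop,
// with a deferred root.Close(); each entry then uses a root-relative name.
name := filepath.Clean(f.Name)

if f.FileInfo().IsDir() {
	if err := root.MkdirAll(name, f.Mode().Perm()); err != nil {
		return fmt.Errorf("failed to create directory: %w", err)
	}
} else {
	if err := root.MkdirAll(filepath.Dir(name), 0755); err != nil {
		return fmt.Errorf("failed to create parent directory: %w", err)
	}
	f, err := root.OpenFile(name, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, f.Mode().Perm())
	if err != nil {
		return fmt.Errorf("failed to open file %w", err)
	}
	// … unchanged: deferred close of f and io.Copy …
```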
@@ -803,7 +883,7 @@ _, err = io.Copy(f, rc) if err != nil { - return err + return fmt.Errorf("failed to copy zip archive %w", err) } } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/zvm-0.8.20/cli/meta/version.go new/zvm-0.8.22/cli/meta/version.go --- old/zvm-0.8.20/cli/meta/version.go 2026-04-22 22:18:09.000000000 +0200 +++ new/zvm-0.8.22/cli/meta/version.go 2026-05-24 15:55:19.000000000 +0200 @@ -5,14 +5,23 @@ import ( "fmt" + "os" "runtime" ) const ( - VERSION = "v0.8.20" + VERSION = "v0.8.22" // VERSION = "v0.0.0" // For testing zvm upgrade ) var VerCopy = fmt.Sprintf("%s %s/%s", VERSION, runtime.GOOS, runtime.GOARCH) + +var Debug bool + +func init() { + if _, ok := os.LookupEnv("ZVM_DEBUG"); ok { + Debug = true + } +} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/zvm-0.8.20/go.mod new/zvm-0.8.22/go.mod --- old/zvm-0.8.20/go.mod 2026-04-22 22:18:09.000000000 +0200 +++ new/zvm-0.8.22/go.mod 2026-05-24 15:55:19.000000000 +0200 
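Review bot: The exported `Debug` variable added in cli/meta/version.go has no doc comment, and because `init` uses `os.LookupEnv` it becomes true for any value, so `ZVM_DEBUG=0` or an empty `ZVM_DEBUG=` still enables debug logging. I would add `// Debug reports whether ZVM_DEBUG is present in the environment, regardless of its value.` above the declaration. If an explicit off switch is wanted, the value could be parsed with `strconv.ParseBool`, which needs `strconv` added to the import block.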
@@ -9,32 +9,33 @@ github.com/nyaosorg/go-windows-junction v0.2.0 github.com/schollz/progressbar/v3 v3.19.0 github.com/tristanisham/clr v0.0.0-20221004001624-00ee60046d85 - golang.org/x/mod v0.34.0 - golang.org/x/sys v0.42.0 + github.com/ulikunitz/xz v0.5.15 + golang.org/x/mod v0.36.0 + golang.org/x/sys v0.45.0 ) require ( github.com/Microsoft/go-winio v0.6.2 // indirect github.com/charmbracelet/colorprofile v0.4.3 // indirect - github.com/charmbracelet/x/ansi v0.11.6 // indirect + github.com/charmbracelet/x/ansi v0.11.7 // indirect github.com/charmbracelet/x/cellbuf v0.0.15 // indirect github.com/charmbracelet/x/term v0.2.2 // indirect github.com/clipperhouse/displaywidth v0.11.0 // indirect github.com/clipperhouse/uax29/v2 v2.7.0 // indirect github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e // indirect - golang.org/x/crypto v0.49.0 // indirect + golang.org/x/crypto v0.52.0 // indirect ) require ( github.com/aymanbagabas/go-osc52/v2 v2.0.1 // indirect github.com/go-logfmt/logfmt v0.6.1 // indirect github.com/lucasb-eyer/go-colorful v1.4.0 // indirect - github.com/mattn/go-isatty v0.0.20 // indirect - github.com/mattn/go-runewidth v0.0.21 // indirect + github.com/mattn/go-isatty v0.0.22 // indirect + github.com/mattn/go-runewidth v0.0.23 // indirect github.com/mitchellh/colorstring v0.0.0-20190213212951-d06e56a500db // indirect github.com/muesli/termenv v0.16.0 // indirect github.com/rivo/uniseg v0.4.7 // indirect - github.com/urfave/cli/v3 v3.8.0 - golang.org/x/exp v0.0.0-20260312153236-7ab1446f8b90 // indirect - golang.org/x/term v0.41.0 // indirect + github.com/urfave/cli/v3 v3.9.0 + golang.org/x/exp v0.0.0-20260508232706-74f9aab9d74a // indirect + golang.org/x/term v0.43.0 // indirect ) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/zvm-0.8.20/go.sum new/zvm-0.8.22/go.sum --- old/zvm-0.8.20/go.sum 2026-04-22 22:18:09.000000000 +0200 +++ new/zvm-0.8.22/go.sum 2026-05-24 15:55:19.000000000 +0200 
@@ -8,8 +8,8 @@ github.com/charmbracelet/lipgloss v1.1.0/go.mod h1:/6Q8FR2o+kj8rz4Dq0zQc3vYf7X+B0binUUBwA0aL30= github.com/charmbracelet/log v1.0.0 h1:HVVVMmfOorfj3BA9i8X8UL69Hoz9lI0PYwXfJvOdRc4= github.com/charmbracelet/log v1.0.0/go.mod h1:uYgY3SmLpwJWxmlrPwXvzVYujxis1vAKRV/0VQB7yWA= -github.com/charmbracelet/x/ansi v0.11.6 h1:GhV21SiDz/45W9AnV2R61xZMRri5NlLnl6CVF7ihZW8= -github.com/charmbracelet/x/ansi v0.11.6/go.mod h1:2JNYLgQUsyqaiLovhU2Rv/pb8r6ydXKS3NIttu3VGZQ= +github.com/charmbracelet/x/ansi v0.11.7 h1:kzv1kJvjg2S3r9KHo8hDdHFQLEqn4RBCb39dAYC84jI= +github.com/charmbracelet/x/ansi v0.11.7/go.mod h1:9qGpnAVYz+8ACONkZBUWPtL7lulP9No6p1epAihUZwQ= github.com/charmbracelet/x/cellbuf v0.0.15 h1:ur3pZy0o6z/R7EylET877CBxaiE1Sp1GMxoFPAIztPI= github.com/charmbracelet/x/cellbuf v0.0.15/go.mod h1:J1YVbR7MUuEGIFPCaaZ96KDl5NoS0DAWkskup+mOY+Q= github.com/charmbracelet/x/term v0.2.2 h1:xVRT/S2ZcKdhhOuSP4t5cLi5o+JxklsoEObBSgfgZRk= 
@@ -30,10 +30,10 @@ github.com/jedisct1/go-minisign v0.0.0-20241212093149-d2f9f49435c7/go.mod h1:BMxO138bOokdgt4UaxZiEfypcSHX0t6SIFimVP1oRfk= github.com/lucasb-eyer/go-colorful v1.4.0 h1:UtrWVfLdarDgc44HcS7pYloGHJUjHV/4FwW4TvVgFr4= github.com/lucasb-eyer/go-colorful v1.4.0/go.mod h1:R4dSotOR9KMtayYi1e77YzuveK+i7ruzyGqttikkLy0= -github.com/mattn/go-isatty v0.0.20 h1:xfD0iDuEKnDkl03q4limB+vH+GxLEtL/jb4xVJSWWEY= -github.com/mattn/go-isatty v0.0.20/go.mod h1:W+V8PltTTMOvKvAeJH7IuucS94S2C6jfK/D7dTCTo3Y= -github.com/mattn/go-runewidth v0.0.21 h1:jJKAZiQH+2mIinzCJIaIG9Be1+0NR+5sz/lYEEjdM8w= -github.com/mattn/go-runewidth v0.0.21/go.mod h1:XBkDxAl56ILZc9knddidhrOlY5R/pDhgLpndooCuJAs= +github.com/mattn/go-isatty v0.0.22 h1:j8l17JJ9i6VGPUFUYoTUKPSgKe/83EYU2zBC7YNKMw4= +github.com/mattn/go-isatty v0.0.22/go.mod h1:ZXfXG4SQHsB/w3ZeOYbR0PrPwLy+n6xiMrJlRFqopa4= +github.com/mattn/go-runewidth v0.0.23 h1:7ykA0T0jkPpzSvMS5i9uoNn2Xy3R383f9HDx3RybWcw= +github.com/mattn/go-runewidth v0.0.23/go.mod h1:XBkDxAl56ILZc9knddidhrOlY5R/pDhgLpndooCuJAs= github.com/mitchellh/colorstring v0.0.0-20190213212951-d06e56a500db h1:62I3jR2EmQ4l5rM/4FEfDWcRD+abF5XlKShorW5LRoQ= github.com/mitchellh/colorstring v0.0.0-20190213212951-d06e56a500db/go.mod h1:l0dey0ia/Uv7NcFFVbCLtqEBQbrT4OCwCSKTEv6enCw= github.com/muesli/termenv v0.16.0 h1:S5AlUN9dENB57rsbnkPyfdGuWIlkmzJjbFf0Tf5FWUc= 
@@ -50,20 +50,21 @@ github.com/stretchr/testify v1.11.1/go.mod h1:wZwfW3scLgRK+23gO65QZefKpKQRnfz6sD981Nm4B6U= github.com/tristanisham/clr v0.0.0-20221004001624-00ee60046d85 h1:zD4b2hs7jZ2sJtgtNdpMZyo4D4/Ifct8SMxvPNNkHzs= github.com/tristanisham/clr v0.0.0-20221004001624-00ee60046d85/go.mod h1:cKn2HV8Beq81OHjb2gja2ZiU4HAEQ6LSuxyaIT5Mg7o= -github.com/urfave/cli/v3 v3.8.0 h1:XqKPrm0q4P0q5JpoclYoCAv0/MIvH/jZ2umzuf8pNTI= -github.com/urfave/cli/v3 v3.8.0/go.mod h1:ysVLtOEmg2tOy6PknnYVhDoouyC/6N42TMeoMzskhso= +github.com/ulikunitz/xz v0.5.15 h1:9DNdB5s+SgV3bQ2ApL10xRc35ck0DuIX/isZvIk+ubY= +github.com/ulikunitz/xz v0.5.15/go.mod h1:nbz6k7qbPmH4IRqmfOplQw/tblSgqTqBwxkY0oWt/14= +github.com/urfave/cli/v3 v3.9.0 h1:AV9lIiPv3ukYnxunaCUsHnEozptYmDN2F0+yWqLMn/c= +github.com/urfave/cli/v3 v3.9.0/go.mod h1:ysVLtOEmg2tOy6PknnYVhDoouyC/6N42TMeoMzskhso= github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e h1:JVG44RsyaB9T2KIHavMF/ppJZNG9ZpyihvCd0w101no= github.com/xo/terminfo v0.0.0-20220910002029-abceb7e1c41e/go.mod h1:RbqR21r5mrJuqunuUZ/Dhy/avygyECGrLceyNeo4LiM= -golang.org/x/crypto v0.49.0 h1:+Ng2ULVvLHnJ/ZFEq4KdcDd/cfjrrjjNSXNzxg0Y4U4= -golang.org/x/crypto v0.49.0/go.mod h1:ErX4dUh2UM+CFYiXZRTcMpEcN8b/1gxEuv3nODoYtCA= -golang.org/x/exp v0.0.0-20260312153236-7ab1446f8b90 h1:jiDhWWeC7jfWqR9c/uplMOqJ0sbNlNWv0UkzE0vX1MA= -golang.org/x/exp v0.0.0-20260312153236-7ab1446f8b90/go.mod h1:xE1HEv6b+1SCZ5/uscMRjUBKtIxworgEcEi+/n9NQDQ= -golang.org/x/mod v0.34.0 h1:xIHgNUUnW6sYkcM5Jleh05DvLOtwc6RitGHbDk4akRI= -golang.org/x/mod v0.34.0/go.mod h1:ykgH52iCZe79kzLLMhyCUzhMci+nQj+0XkbXpNYtVjY= -golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= -golang.org/x/sys v0.42.0 h1:omrd2nAlyT5ESRdCLYdm3+fMfNFE/+Rf4bDIQImRJeo= -golang.org/x/sys v0.42.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw= -golang.org/x/term v0.41.0 h1:QCgPso/Q3RTJx2Th4bDLqML4W6iJiaXFq2/ftQF13YU= -golang.org/x/term v0.41.0/go.mod h1:3pfBgksrReYfZ5lvYM0kSO0LIkAl4Yl2bXOkKP7Ec2A= 
+golang.org/x/crypto v0.52.0 h1:RMs7fP2rXdep0CftQlK8Uf+kibLm7qkCcradZWYz988= +golang.org/x/crypto v0.52.0/go.mod h1:1QgfPxDqh0T2M/elOJtp9RvuR95kVjir0e6/BvEmGbc= +golang.org/x/exp v0.0.0-20260508232706-74f9aab9d74a h1:+3jdDGGB8NGb1Zktc737jlt3/A5f6UlwSzmvqUuufxw= +golang.org/x/exp v0.0.0-20260508232706-74f9aab9d74a/go.mod h1:d2fgXJLVs4dYDHUk5lwMIfzRzSrWCfGZb0ZqeLa/Vcw= +golang.org/x/mod v0.36.0 h1:JJjpVx6myfUsUdAzZuOSTTmRE0PfZeNWzzvKrP7amb4= +golang.org/x/mod v0.36.0/go.mod h1:moc6ELqsWcOw5Ef3xVprK5ul/MvtVvkIXLziUOICjUQ= +golang.org/x/sys v0.45.0 h1:dO4czNzziLiiXplLQgBCEpCvXQ3dnkn0SdaZSYdQ+FY= +golang.org/x/sys v0.45.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw= +golang.org/x/term v0.43.0 h1:S4RLU2sB31O/NCl+zFN9Aru9A/Cq2aqKpTZJ6B+DwT4= +golang.org/x/term v0.43.0/go.mod h1:lrhlHNdQJHO+1qVYiHfFKVuVioJIheAc3fBSMFYEIsk= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/zvm-0.8.20/main.go new/zvm-0.8.22/main.go --- old/zvm-0.8.20/main.go 2026-04-22 22:18:09.000000000 +0200 +++ new/zvm-0.8.22/main.go 2026-05-24 15:55:19.000000000 +0200 @@ -26,12 +26,12 @@ ) var zvmApp = &opts.Command{ - Name: "zvm", - Usage: "Zig Version Manager", - Description: "zvm lets you easily install, upgrade, and switch between different versions of Zig.", - Version: meta.VerCopy, - Copyright: fmt.Sprintf("Copyright © %d Tristan Isham", time.Now().Year()), - Suggest: true, + Name: "zvm", + Usage: "Zig Version Manager", + Description: "zvm lets you easily install, upgrade, and switch between different versions of Zig.", + Version: meta.VerCopy, + Copyright: fmt.Sprintf("Copyright © %d Tristan Isham", time.Now().Year()), + Suggest: true, EnableShellCompletion: true, ConfigureShellCompletionCommand: func(cmd *opts.Command) { cmd.Hidden = false 
@@ -389,7 +389,7 @@ } func main() { - if _, ok := os.LookupEnv("ZVM_DEBUG"); ok { + if meta.Debug { log.SetLevel(log.DebugLevel) }
