Clarify purpose and checks

Signed-off-by: Chris Hennick <4961925+Pr0methean@users.noreply.github.com>
Chris Hennick 2024-05-09 19:59:51 -07:00 committed by GitHub
parent a29d125ee7
commit 431b4cdf2b
Signed by: DevComp
GPG key ID: B5690EEEBB952194


@ -2,8 +2,8 @@
We welcome your pull request, but because this crate is downloaded about 1.7 million times per month (see https://crates.io/crates/zip),
and because ZIP file processing has caused security issues in the past (see
https://www.cvedetails.com/vulnerability-search.php?f=1&vendor=&product=zip&cweid=&cvssscoremin=&cvssscoremax=&publishdatestart=&publishdateend=&updatedatestart=&updatedateend=&cisaaddstart=&cisaaddend=&cisaduestart=&cisadueend=&page=1
for the gory details), we have some requirements that help ensure the crate remains secure and panic-free, and that a lot of PRs
don't meet.
for the gory details), we have some requirements that help ensure the crate remains trustworthy and panic-free, and we've seen
a lot of PRs that don't meet those requirements.
We don't filter out "ZIP bombs" because extreme compression ratios and shallow file copies have legitimate uses; but
we expect the tools we provide for checking that extraction is safe, such as the `ZipArchive::decompressed_size` method in
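
Review bot: In the reworded sentence, "remains trustworthy and panic-free" drops the word "secure" even though the clause before it justifies the requirements by pointing at past ZIP security issues and the CVE search link. Consider "remains secure, trustworthy and panic-free" so the stated goal still matches the stated reason. The unchanged line that follows describes `ZipArchive::decompressed_size` as a tool "for checking that extraction is safe", so keeping the security wording here also keeps the paragraph consistent.
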
@ -20,12 +20,16 @@ These are our requirements for PRs, in addition to the usual functionality and r
conflicts, but this is best-effort.
- Please make sure the repo your PR targets is `zip-rs/zip2` and not `zip-rs/zip-old`. The latter
repo is no longer maintained and will be archived once the pre-existing issues are closed.
- Your changes must build against the MSRV (see README.md) AND the latest stable Rust version AND the latest nightly Rust version,
with `--no-default-features` AND with `--all-features` AND with the default features.
- PRs must pass `cargo clippy --all-targets` and `cargo fmt --check --all`,
with `--no-default-features` AND with `--all-features` AND with the default features.
If you need to add a new `#[allow]` attribute, please place a comment on the same line or just above it, explaining what the
exception applies to and why it's needed.
- Your changes must build against the MSRV (see README.md) AND the latest stable Rust version AND the latest nightly Rust version.
- PRs must pass all the checks specified in `.github/workflows/ci.yaml`, which include:
- Unit tests, run with `--no-default-features` AND with `--all-features` AND with the default features, each run
against the MSRV (see README.md) AND the latest stable Rust version AND the latest nightly Rust version, on Windows, MacOS
AND Ubuntu (yes, that's a 3-dimensional matrix).
- `cargo clippy --all-targets` and `cargo doc --no-deps` must pass with `--no-default-features` AND with `--all-features`
AND with the default features.
- `cargo fmt --check --all` must pass.
- If the above checks force you to add a new `#[allow]` attribute, please place a comment on the same line or just above it,
explaining what the exception applies to and why it's needed.
- Commit messages and the PR title must conform to [Conventional Commits](https://www.conventionalcommits.org/en/v1.0.0/) and start
with one of the types specified by the [Angular convention](https://github.com/angular/angular/blob/22b96b9/CONTRIBUTING.md#type).
- All commits must be signed and display a "Verified" badge; see
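
Review bot: The `cargo clippy --all-targets` and `cargo doc --no-deps` item lists the three feature sets but, unlike the unit-test item above it, does not say which toolchain or OS CI uses for them. Clippy's lint set differs between Rust versions, so a contributor running it on a different toolchain can pass locally and fail in CI; please name the toolchain here or say explicitly that it is whatever `.github/workflows/ci.yaml` pins. Separately, the standalone item "Your changes must build against the MSRV ... AND the latest nightly Rust version" now overlaps the unit-test item and no longer mentions the feature combinations it used to carry; consider folding it into the CI list so each requirement is stated once. Minor: "MacOS" is usually written "macOS".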