Skip to content

chore: repin kura to v2.0.0 + update tests for compile_operation/2#6

Merged
Taure merged 1 commit into
mainfrom
chore/v2-kura-pin
May 10, 2026
Merged

chore: repin kura to v2.0.0 + update tests for compile_operation/2#6
Taure merged 1 commit into
mainfrom
chore/v2-kura-pin

Conversation

@Taure
Copy link
Copy Markdown
Owner

@Taure Taure commented May 10, 2026

Summary

  • Repin kura to v2.0.0 (v2.4.0 tag was deleted as part of the 2.x consolidation; nothing on Hex)
  • Update smoke tests for the v2.0 API: kura_migrator:compile_operation now takes RepoMod as the first arg

Notes

Audited string/binary handling here too - kura_pool_sqlite:to_filename/1 already accepts both forms, so no normalization fix is needed (unlike kura_postgres v0.4.2 which had binary_to_list calls that crashed on string configs).

Test plan

  • rebar3 fmt --check
  • rebar3 xref
  • rebar3 dialyzer
  • ~/bin/elp eqwalize-all
  • rebar3 eunit 39/39

@Taure
chore: repin kura to v2.0.0 + update tests for compile_operation/2
c8c4761 
The v2.4.0 tag was deleted as part of the kura 2.x consolidation
(nothing was on Hex). v2.0.0 is the new stable line.

Also fixes the smoke tests: kura_migrator:compile_operation took on
a RepoMod first arg in v2.0 to support per-repo dialect resolution.
Tests now thread a fake repo + configure the dialect via {repos, ...}.

String/binary handling in kura_pool_sqlite:to_filename/1 was already
correct - no normalization fix needed (unlike kura_postgres v0.4.2).
@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 10, 2026

🟠 Code Coverage — 58.9%

103 of 175 lines covered.

🟡 ELP Lint — 1 warning

2 diagnostics found. See job logs for details.

ℹ️ 11 OTP CVEs auto-ignored (already fixed in running version)

These CVEs are patched in the installed OTP version but NVD data
has not been updated to reflect this. They are excluded from the
scan via an auto-generated .trivyignore.

CVE Details
CVE-2026-23943 Fixed in 28.4.1, running 28.4.1 — Pre-auth SSH DoS via unbounded zlib inflate
CVE-2026-23942 Fixed in 28.4.1, running 28.4.1 — SFTP root escape via component-agnostic prefix check in ssh_sftpd
CVE-2026-23941 Fixed in 28.4.1, running 28.4.1 — Request smuggling via first-wins Content-Length parsing in inets httpd
CVE-2026-21620 Fixed in 28.3.2, running 28.4.1 — TFTP Path Traversal
CVE-2016-1000107 Fixed in 28.0.4, running 28.4.1 — Httpd CGI Scripts Environment Variable Pollution AKA "httpoxy"
CVE-2025-58050 Fixed in 28.0.3, running 28.4.1 — Buffer Read Overflow on Regular Expressions with (*scs:) and (*ACCEPT)
CVE-2025-48038 Fixed in 28.0.3, running 28.4.1 — SSH Unverified File Handles can Cause Excessive Use of System Resources
CVE-2025-48039 Fixed in 28.0.3, running 28.4.1 — SSH Unverified Paths can Cause Excessive Use of System Resources
CVE-2025-48040 Fixed in 28.0.3, running 28.4.1 — SSH Malicious Key Exchange Messages may Lead to Excessive Resource Consumption
CVE-2025-48041 Fixed in 28.0.3, running 28.4.1 — SSH_FXP_OPENDIR may Lead to Exhaustion of File Handles
CVE-2025-4748 Fixed in 28.0.1, running 28.4.1 — Absolute Path in Zip Module

@Taure Taure merged commit d3f5cc1 into main May 10, 2026
16 checks passed
@Taure Taure deleted the chore/v2-kura-pin branch May 10, 2026 18:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@Taure