Mirrors/servo
1
0
Fork 0
mirror of https://github.com/servo/servo.git synced 2025-09-04 03:58:23 +01:00
Code Issues Projects Releases Packages Wiki Activity
The Servo Browser Engine
52637 commits 160 branches 5 tags 1.6 GiB
Find a file
dependabot[bot] 4a4a615eb7
build(deps): bump tracing-subscriber from 0.3.19 to 0.3.20 (#39030) 
Bumps [tracing-subscriber](https://github.com/tokio-rs/tracing) from
0.3.19 to 0.3.20.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/tokio-rs/tracing/releases">tracing-subscriber's
releases</a>.</em></p>
<blockquote>
<h2>tracing-subscriber 0.3.20</h2>
<p><strong>Security Fix</strong>: ANSI Escape Sequence Injection
(CVE-TBD)</p>
<h2>Impact</h2>
<p>Previous versions of tracing-subscriber were vulnerable to ANSI
escape sequence injection attacks. Untrusted user input containing ANSI
escape sequences could be injected into terminal output when logged,
potentially allowing attackers to:</p>
<ul>
<li>Manipulate terminal title bars</li>
<li>Clear screens or modify terminal display</li>
<li>Potentially mislead users through terminal manipulation</li>
</ul>
<p>In isolation, impact is minimal, however security issues have been
found in terminal emulators that enabled an attacker to use ANSI escape
sequences via logs to exploit vulnerabilities in the terminal
emulator.</p>
<h2>Solution</h2>
<p>Version 0.3.20 fixes this vulnerability by escaping ANSI control
characters in when writing events to destinations that may be printed to
the terminal.</p>
<h2>Affected Versions</h2>
<p>All versions of tracing-subscriber prior to 0.3.20 are affected by
this vulnerability.</p>
<h2>Recommendations</h2>
<p>Immediate Action Required: We recommend upgrading to
tracing-subscriber 0.3.20 immediately, especially if your
application:</p>
<ul>
<li>Logs user-provided input (form data, HTTP headers, query parameters,
etc.)</li>
<li>Runs in environments where terminal output is displayed to
users</li>
</ul>
<h2>Migration</h2>
<p>This is a patch release with no breaking API changes. Simply update
your Cargo.toml:</p>
<pre lang="toml"><code>[dependencies]
tracing-subscriber = &quot;0.3.20&quot;
</code></pre>
<h2>Acknowledgments</h2>
<p>We would like to thank <a href="http://github.com/zefr0x">zefr0x</a>
who responsibly reported the issue at
<code>security@tokio.rs</code>.</p>
<p>If you believe you have found a security vulnerability in any
tokio-rs project, please email us at <code>security@tokio.rs</code>.</p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="4c52ca5266"><code>4c52ca5</code></a>
fmt: fix ANSI escape sequence injection vulnerability (<a
href="https://redirect.github.com/tokio-rs/tracing/issues/3368">#3368</a>)</li>
<li><a
href="f71cebe41e"><code>f71cebe</code></a>
subscriber: impl Clone for EnvFilter (<a
href="https://redirect.github.com/tokio-rs/tracing/issues/3360">#3360</a>)</li>
<li><a
href="3a1f571102"><code>3a1f571</code></a>
Fix CI (<a
href="https://redirect.github.com/tokio-rs/tracing/issues/3361">#3361</a>)</li>
<li><a
href="e63ef57f3d"><code>e63ef57</code></a>
chore: prepare tracing-attributes 0.1.30 (<a
href="https://redirect.github.com/tokio-rs/tracing/issues/3316">#3316</a>)</li>
<li><a
href="6e59a13b1a"><code>6e59a13</code></a>
attributes: fix tracing::instrument regression around shadowing (<a
href="https://redirect.github.com/tokio-rs/tracing/issues/3311">#3311</a>)</li>
<li><a
href="e4df761275"><code>e4df761</code></a>
tracing: update core to 0.1.34 and attributes to 0.1.29 (<a
href="https://redirect.github.com/tokio-rs/tracing/issues/3305">#3305</a>)</li>
<li><a
href="643f392ebb"><code>643f392</code></a>
chore: prepare tracing-attributes 0.1.29 (<a
href="https://redirect.github.com/tokio-rs/tracing/issues/3304">#3304</a>)</li>
<li><a
href="d08e7a6eea"><code>d08e7a6</code></a>
chore: prepare tracing-core 0.1.34 (<a
href="https://redirect.github.com/tokio-rs/tracing/issues/3302">#3302</a>)</li>
<li><a
href="6e70c571d3"><code>6e70c57</code></a>
tracing-subscriber: count numbers of enters in <code>Timings</code> (<a
href="https://redirect.github.com/tokio-rs/tracing/issues/2944">#2944</a>)</li>
<li><a
href="c01d4fd9de"><code>c01d4fd</code></a>
fix docs and enable CI on <code>main</code> branch (<a
href="https://redirect.github.com/tokio-rs/tracing/issues/3295">#3295</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/tokio-rs/tracing/compare/tracing-subscriber-0.3.19...tracing-subscriber-0.3.20">compare
view</a></li>
</ul>
</details>
<br />


[![Dependabot compatibility
score](https://dependabot-badges.githubapp.com/badges/compatibility_score?dependency-name=tracing-subscriber&package-manager=cargo&previous-version=0.3.19&new-version=0.3.20)](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop
Dependabot creating any more for this major version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop
Dependabot creating any more for this minor version (unless you reopen
the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop
Dependabot creating any more for this dependency (unless you reopen the
PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the
[Security Alerts page](https://github.com/servo/servo/network/alerts).

</details>

---------

Signed-off-by: dependabot[bot] <support@github.com>
Signed-off-by: Euclid Ye <euclid.ye@huawei.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Euclid Ye <euclid.ye@huawei.com>
2025-08-30 02:38:23 +00:00
.cargo Move various reflector types and traits to script_bindings (#35279) 2025-02-04 06:58:08 +00:00
.github dependabot: Specify time and reduce PR limit (#38947) 2025-08-27 06:22:05 +00:00
.vscode use ruff rather than flake8 for python code linting (#37045) 2025-05-24 14:19:47 +00:00
components webgpu: Add the dedicated WebGPU task source (#39020) 2025-08-29 20:09:03 +00:00
docs Update in-tree docs to point to the new book (#32743) 2024-07-09 15:42:00 +00:00
etc Support WPT subsuites in agregating and flake detection (#37584) 2025-07-04 16:58:42 +00:00
ports/servoshell EmbedderMsg: port reply channels to GenericChannel (#39018) 2025-08-29 12:44:21 +00:00
python devtools: Fix flaky source list test assertions (#38969) 2025-08-27 13:19:58 +00:00
resources devtools: Fix available breakpoint positions with nested scripts (#38826) 2025-08-21 11:00:32 +00:00
support cargo: Bump rustc to 1.89 (#36818) 2025-08-19 11:07:53 +00:00
tests compositor: Allow canvas to upload rendered contents asynchronously (#37776) 2025-08-29 10:04:41 +00:00
third_party script_binding: Add type check on servo script bindings (#38161) 2025-08-01 04:34:24 +00:00
.gitattributes openharmony: add servoshell for ohos (#33295) 2024-09-20 08:20:27 +00:00
.gitignore Add justfile to gitignore (#37621) 2025-06-23 02:37:04 +00:00
.mailmap Update Tetsuharu OHZEKI's entry in mailmap 2019-11-15 00:46:45 +09:00
.python-version Set python version to 3.11 (#34707) 2024-12-19 18:42:36 +00:00
Cargo.lock build(deps): bump tracing-subscriber from 0.3.19 to 0.3.20 (#39030) 2025-08-30 02:38:23 +00:00
Cargo.toml build(deps): bump tracing-subscriber from 0.3.19 to 0.3.20 (#39030) 2025-08-30 02:38:23 +00:00
CODE_OF_CONDUCT.md Clarify the Code of Conduct (closes servo/servo.org#164) (#32835) 2024-07-23 09:12:03 +00:00
CONTRIBUTING.md Update in-tree docs to point to the new book (#32743) 2024-07-09 15:42:00 +00:00
deny.toml build(deps): bump tracing-subscriber from 0.3.19 to 0.3.20 (#39030) 2025-08-30 02:38:23 +00:00
Info.plist remove bhtml 2018-02-11 08:02:39 +01:00
LICENSE Update MPL license to https (part 1) 2018-11-19 14:46:43 +01:00
LICENSE_WHATWG_SPECS Add license for WHATWG specifications in code (#36282) 2025-04-03 04:33:06 +00:00
mach Mergeruff.toml into pyproject.toml (#37741) 2025-07-04 12:21:48 +00:00
mach.bat Mergeruff.toml into pyproject.toml (#37741) 2025-07-04 12:21:48 +00:00
PULL_REQUEST_TEMPLATE.md Use a simpler GitHub pull request template (#36203) 2025-03-30 10:14:13 +00:00
pyproject.toml uv: Fix warning by adding project table to pyproject.toml (#38774) 2025-08-19 06:38:00 +00:00
README.md Add missing backtick in README.md (#38757) 2025-08-18 11:53:08 +00:00
rust-toolchain.toml cargo: Bump rustc to 1.89 (#36818) 2025-08-19 11:07:53 +00:00
rustfmt.toml Update rustfmt to the 2024 style edition (#35764) 2025-03-03 11:26:53 +00:00
SECURITY.md docs(security): avoid possible misconception in the security policy (#37032) 2025-05-16 21:27:42 +00:00
servo-tidy.toml tests: Vendor blink perf tests (#38654) 2025-08-17 09:54:04 +00:00
servobuild.example Fix DBus warning when running mach (#37818) 2025-07-02 23:17:01 +00:00
shell.nix cargo: Bump rustc to 1.89 (#36818) 2025-08-19 11:07:53 +00:00
taplo.toml Format toml files (#30112) 2023-08-17 15:07:43 +00:00
uv.toml uv: Use native-tls (#36564) 2025-04-16 11:47:49 +00:00

README.md

The Servo Parallel Browser Engine Project

Servo is a prototype web browser engine written in the Rust language. It is currently developed on 64-bit macOS, 64-bit Linux, 64-bit Windows, 64-bit OpenHarmony, and Android.

Servo welcomes contribution from everyone. Check out:

Coordination of Servo development happens:

Getting started

For more detailed build instructions, see the Servo book under Setting up your environment, Building Servo, Building for Android and Building for OpenHarmony.

macOS

  • Download and install Xcode and brew.
  • Install uv: curl -LsSf https://astral.sh/uv/install.sh | sh
  • Install rustup: curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
  • Restart your shell to make sure cargo is available
  • Install the other dependencies: ./mach bootstrap
  • Build servoshell: ./mach build

Linux

  • Install curl:
    • Arch: sudo pacman -S --needed curl
    • Debian, Ubuntu: sudo apt install curl
    • Fedora: sudo dnf install curl
    • Gentoo: sudo emerge net-misc/curl
  • Install uv: curl -LsSf https://astral.sh/uv/install.sh | sh
  • Install rustup: curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
  • Restart your shell to make sure cargo is available
  • Install the other dependencies: ./mach bootstrap
  • Build servoshell: ./mach build

Windows

  • Download uv, choco, and rustup
    • Be sure to select Quick install via the Visual Studio Community installer
  • In the Visual Studio Installer, ensure the following components are installed:
    • Windows 10/11 SDK (anything >= 10.0.19041.0) (Microsoft.VisualStudio.Component.Windows{10, 11}SDK.{>=19041})
    • MSVC v143 - VS 2022 C++ x64/x86 build tools (Latest) (Microsoft.VisualStudio.Component.VC.Tools.x86.x64)
    • C++ ATL for latest v143 build tools (x86 & x64) (Microsoft.VisualStudio.Component.VC.ATL)
    • C++ MFC for latest v143 build tools (x86 & x64) (Microsoft.VisualStudio.Component.VC.ATLMFC)
  • Restart your shell to make sure cargo is available
  • Install the other dependencies: .\mach bootstrap
  • Build servoshell: .\mach build

Android

  • Ensure that the following environment variables are set:
    • ANDROID_SDK_ROOT
    • ANDROID_NDK_ROOT: $ANDROID_SDK_ROOT/ndk/26.2.11394342/ ANDROID_SDK_ROOT can be any directory (such as ~/android-sdk). All of the Android build dependencies will be installed there.
  • Install the latest version of the Android command-line tools to $ANDROID_SDK_ROOT/cmdline-tools/latest.
  • Run the following command to install the necessary components: 
    sudo $ANDROID_SDK_ROOT/cmdline-tools/latest/bin/sdkmanager --install \
 "build-tools;34.0.0" \
 "emulator" \
 "ndk;26.2.11394342" \
 "platform-tools" \
 "platforms;android-33" \
 "system-images;android-33;google_apis;x86_64"
  • Follow the instructions above for the platform you are building on

OpenHarmony

  • Follow the instructions above for the platform you are building on to prepare the environment.
  • Depending on the target distribution (e.g. HarmonyOS NEXT vs pure OpenHarmony) the build configuration will differ slightly.
  • Ensure that the following environment variables are set
    • DEVECO_SDK_HOME (Required when targeting HarmonyOS NEXT)
    • OHOS_BASE_SDK_HOME (Required when targeting OpenHarmony)
    • OHOS_SDK_NATIVE (e.g. ${DEVECO_SDK_HOME}/default/openharmony/native or ${OHOS_BASE_SDK_HOME}/${API_VERSION}/native)
    • SERVO_OHOS_SIGNING_CONFIG: Path to json file containing a valid signing configuration for the demo app.
  • Review the detailed instructions at Building for OpenHarmony.
  • The target distribution can be modified by passing --flavor=<default|harmonyos> to mach <build|package|install>.