Upgrade xapian to 1.4.31 and add sha256 check to avoid supply chain attack

2026-03-31 07:49:39 +00:00 · 2026-03-29 13:13:57 +02:00
parent fcce34fde5
commit 05d2fcf4d0
3 changed files with 30 additions and 6 deletions
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -92,7 +92,12 @@ docs = [
 default-groups = ["dev", "tests", "docs"]

 [tool.xapian]
-version = "1.4.29"
+version = "1.4.31"
+# Those hashes are here to protect against supply chains attacks
+# They are obtained by downloawing xapian-core and xapian-bindings from xapian.org
+# and running `sha256sum` on the downloaded compressed files
+core-sha256 = "fecf609ea2efdc8a64be369715aac733336a11f7480a6545244964ae6bc80811"
+bindings-sha256 = "a38cc7ba4188cc0bd27dc7369f03906772047087a1c54f1b93355d5e9103c304"

 [tool.ruff]
 output-format = "concise" # makes ruff error logs easier to read