git.ipfire.org Git - thirdparty/libarchive.git/log

build: use standard HAVE_ pattern for ZSTD compression check (#2111)

Follow-on to #1649: this just changes the name of the preprocessor macro
to use the standard pattern HAVE_<function name>

In particular: newer ZSTD implementations have a growing variety of
compression functions; the standard pattern will make it easier to
select among those someday.

contrib/untar.c: cleanup (#2112)

This reworks PR #1613 (commit a902fcd4), addressing the same issues as that
earlier PR, but in a simpler and more portable fashion.

Co-authored-by: Martin Matuška <martin@matuska.org>

Revert "zip: update AppleDouble support for directories (#2100)"

This reverts commit 390d83012fdba8c8db7fc9915338805882b0597a.
PR reopened back for review.

zip: update AppleDouble support for directories (#2100)

rar5: don't continue if the last block produced no data (#2105)

There appear to be RAR5 archives out in the wild that have blocks at the
end of files that don't produce any data. The code in libarchive has an
infinite loop that won't break until it processes a block that produces
data, which will end up reading past the end of the file if the last
block in the file produces no data.

ci: use liblzma 1.5.5 in MSVC build until fix from upstream (#2105)

Signed-off-by: Duncan Horn

cmake: look for libxml2 only if HAVE_ICONV is set (#2105)

Signed-off-by: Duncan Horn

read 64bit instead of 32bit integer in fallback code in archive_read_support_format_zip.c (#2104)

Ancillary issue discovered while auditing some old PRs.

A 64-bit size value was being read as a 32-bit value.

tar: make error reporting more robust and use correct errno (#2101)

As discussed in #1609.

bump zstd version: 1.5.5 -> 1.5.6 (#2099)

https://github.com/facebook/zstd/releases/tag/v1.5.6

https://github.com/facebook/zstd/issues/3999

Remove the write_all_states() return type (#1995)

The return value is never used, so let's change it to void.

Overhaul Zip end-of-data marker parsing (#2042)

This significantly changes how end-of-data markers are parsed.

In particular, the spec allows the end-of-data marker to have either
32-bit or 64-bit size values, and there is basically no indication which
is being used. (The spec mentions "Zip64 mode" in many places, but there
is no definitive way for a Zip reader to know whether the writer is
using this mode or not. My mis-reading of another part of the spec
caused me to believe that the Zip64 Extra Data field was such a marker,
but I've been patiently corrected. ;-)

So a Zip reader just has to guess: Try every possible end-of-data marker
format and accept it if any of the four possible forms is correct. In
libarchive's case, this required some non-trivial additional refactoring
to ensure that the CRC32, compressed size, and uncompressed size
statistics are always updated _before_ we need to look for an
end-of-data marker.

This generally follows the strategy outlined by Mark Adler for his
`sunzip` streaming unzip implementation.

While testing this, I played with pmqs/zipdetails which pointed out a
discrepancy in how libarchive writes the `UT` extra field. I folded a
fix for that in here as well.

Resolves #1834

TODO: It would be nice to augment the test suite with some static files
created by Java's implementation to verify that we can read those when
they hold entries of +/- 4GiB. The existing
`test_write_format_zip_large` uses an ad hoc RLE encoding trick to
exercise writing and reading back multi-gigabyte entries. I wonder if
that could be generalized to support deflate-compressed Zip data stored
in test files?

Fix syntax error of DONT_FAIL_ON_CRC_ERROR in archive_read_support_fo… (#2066)

Following code snippet in
`libarchive/archive_read_support_format_7zip.c` causing a build fail
while enable the `DONT_FAIL_ON_CRC_ERROR`

```
/* Check the EncodedHeader CRC.*/
if (r == 0 && zip->header_crc32 != next_header_crc) {
archive_set_error(&a->archive, -1,
#ifndef DONT_FAIL_ON_CRC_ERROR
"Damaged 7-Zip archive");
r = -1;
#endif
```

I fix it like this:

```
/* Check the EncodedHeader CRC.*/
if (r == 0 && zip->header_crc32 != next_header_crc) {
#ifndef DONT_FAIL_ON_CRC_ERROR
archive_set_error(&a->archive, -1,
"Damaged 7-Zip archive");
r = -1;
#endif
```

Co-authored-by: Huka <huka@DEVCORE.local>

CMake: Add missing include directories for archive_static (#2078)

When one tries to link with archive_static when cross compiling,
compiler cannot find header files.
This PR adds TARGET_INCLUDE_DIRECTORIES for archive_static target,
similar as it is done for shared target.

Similar issues:
https://github.com/libarchive/libarchive/issues/1328

https://discourse.cmake.org/t/cannot-find-library-header-files-when-cross-compiling/5926

Co-authored-by: asolawa <asolawa@cern.ch>

build(deps): bump the all-actions group with 4 updates (#2094)

Bumps the all-actions group with 4 updates:
[actions/checkout](https://github.com/actions/checkout),
[actions/upload-artifact](https://github.com/actions/upload-artifact),
[github/codeql-action](https://github.com/github/codeql-action) and
[ossf/scorecard-action](https://github.com/ossf/scorecard-action).

Updates `actions/checkout` from 4.1.0 to 4.1.2
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/actions/checkout/releases">actions/checkout's
releases</a>.</em></p>
<blockquote>
<h2>v4.1.2</h2>
<p>We are investigating the following issue with this release and have
rolled-back the <code>v4</code> tag to point to <code>v4.1.1</code></p>
<ul>
<li><code>sparse-checkout</code> is not available on git versions prior
to 2.27.0 (see <a
href="https://redirect.github.com/actions/checkout/issues/1651">actions/checkout#1651</a>)</li>
</ul>
<h2>What's Changed</h2>
<ul>
<li>Fix: Disable sparse checkout whenever <code>sparse-checkout</code>
option is not present <a
href="https://github.com/dscho"><code>@dscho</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/1598">actions/checkout#1598</a></li>
<li>Bump tough-cookie from 4.0.0 to 4.1.3 by <a
href="https://github.com/dependabot"><code>@dependabot</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/1406">actions/checkout#1406</a></li>
<li>Bump <code>@babel/traverse</code> from 7.20.5 to 7.24.0 by <a
href="https://github.com/dependabot"><code>@dependabot</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/1642">actions/checkout#1642</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/jww3"><code>@jww3</code></a> made their
first contribution in <a
href="https://redirect.github.com/actions/checkout/pull/1616">actions/checkout#1616</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/actions/checkout/compare/v4.1.1...v4.1.2">https://github.com/actions/checkout/compare/v4.1.1...v4.1.2</a></p>
<h2>v4.1.1</h2>
<h2>What's Changed</h2>
<ul>
<li>Update CODEOWNERS to Launch team by <a
href="https://github.com/joshmgross"><code>@joshmgross</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/1510">actions/checkout#1510</a></li>
<li>Correct link to GitHub Docs by <a
href="https://github.com/peterbe"><code>@peterbe</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/1511">actions/checkout#1511</a></li>
<li>Link to release page from what's new section by <a
href="https://github.com/cory-miller"><code>@cory-miller</code></a> in
<a
href="https://redirect.github.com/actions/checkout/pull/1514">actions/checkout#1514</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a
href="https://github.com/joshmgross"><code>@joshmgross</code></a> made
their first contribution in <a
href="https://redirect.github.com/actions/checkout/pull/1510">actions/checkout#1510</a></li>
<li><a href="https://github.com/peterbe"><code>@peterbe</code></a> made
their first contribution in <a
href="https://redirect.github.com/actions/checkout/pull/1511">actions/checkout#1511</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/actions/checkout/compare/v4.1.0...v4.1.1">https://github.com/actions/checkout/compare/v4.1.0...v4.1.1</a></p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/actions/checkout/blob/main/CHANGELOG.md">actions/checkout's
changelog</a>.</em></p>
<blockquote>
<h1>Changelog</h1>
<h2>v4.1.2</h2>
<ul>
<li>Fix: Disable sparse checkout whenever <code>sparse-checkout</code>
option is not present <a
href="https://github.com/dscho"><code>@dscho</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/1598">actions/checkout#1598</a></li>
</ul>
<h2>v4.1.1</h2>
<ul>
<li>Correct link to GitHub Docs by <a
href="https://github.com/peterbe"><code>@peterbe</code></a> in <a
href="https://redirect.github.com/actions/checkout/pull/1511">actions/checkout#1511</a></li>
<li>Link to release page from what's new section by <a
href="https://github.com/cory-miller"><code>@cory-miller</code></a> in
<a
href="https://redirect.github.com/actions/checkout/pull/1514">actions/checkout#1514</a></li>
</ul>
<h2>v4.1.0</h2>
<ul>
<li><a href="https://redirect.github.com/actions/checkout/pull/1396">Add
support for partial checkout filters</a></li>
</ul>
<h2>v4.0.0</h2>
<ul>
<li><a
href="https://redirect.github.com/actions/checkout/pull/1067">Support
fetching without the --progress option</a></li>
<li><a
href="https://redirect.github.com/actions/checkout/pull/1436">Update to
node20</a></li>
</ul>
<h2>v3.6.0</h2>
<ul>
<li><a
href="https://redirect.github.com/actions/checkout/pull/1377">Fix: Mark
test scripts with Bash'isms to be run via Bash</a></li>
<li><a href="https://redirect.github.com/actions/checkout/pull/579">Add
option to fetch tags even if fetch-depth > 0</a></li>
</ul>
<h2>v3.5.3</h2>
<ul>
<li><a
href="https://redirect.github.com/actions/checkout/pull/1196">Fix:
Checkout fail in self-hosted runners when faulty submodule are
checked-in</a></li>
<li><a href="https://redirect.github.com/actions/checkout/pull/1287">Fix
typos found by codespell</a></li>
<li><a href="https://redirect.github.com/actions/checkout/pull/1369">Add
support for sparse checkouts</a></li>
</ul>
<h2>v3.5.2</h2>
<ul>
<li><a href="https://redirect.github.com/actions/checkout/pull/1289">Fix
api endpoint for GHES</a></li>
</ul>
<h2>v3.5.1</h2>
<ul>
<li><a href="https://redirect.github.com/actions/checkout/pull/1246">Fix
slow checkout on Windows</a></li>
</ul>
<h2>v3.5.0</h2>
<ul>
<li><a href="https://redirect.github.com/actions/checkout/pull/1237">Add
new public key for known_hosts</a></li>
</ul>
<h2>v3.4.0</h2>
<ul>
<li><a
href="https://redirect.github.com/actions/checkout/pull/1209">Upgrade
codeql actions to v2</a></li>
<li><a
href="https://redirect.github.com/actions/checkout/pull/1210">Upgrade
dependencies</a></li>
<li><a
href="https://redirect.github.com/actions/checkout/pull/1225">Upgrade
<code>@actions/io</code></a></li>
</ul>
<h2>v3.3.0</h2>
<ul>
<li><a
href="https://redirect.github.com/actions/checkout/pull/1045">Implement
branch list using callbacks from exec function</a></li>
<li><a href="https://redirect.github.com/actions/checkout/pull/1050">Add
in explicit reference to private checkout options</a></li>
<li>[Fix comment typos (that got added in <a
href="https://redirect.github.com/actions/checkout/issues/770">#770</a>)](<a
href="https://redirect.github.com/actions/checkout/pull/1057">actions/checkout#1057</a>)</li>
</ul>
<h2>v3.2.0</h2>
<ul>
<li><a href="https://redirect.github.com/actions/checkout/pull/942">Add
GitHub Action to perform release</a></li>
<li><a href="https://redirect.github.com/actions/checkout/pull/967">Fix
status badge</a></li>
<li><a
href="https://redirect.github.com/actions/checkout/pull/1002">Replace
datadog/squid with ubuntu/squid Docker image</a></li>
<li><a href="https://redirect.github.com/actions/checkout/pull/964">Wrap
pipeline commands for submoduleForeach in quotes</a></li>
<li><a
href="https://redirect.github.com/actions/checkout/pull/1029">Update
<code>@actions/io</code> to 1.1.2</a></li>
</ul>

</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/actions/checkout/commit/9bb56186c3b09b4f86b1c65136769dd318469633"><code>9bb5618</code></a>
Prep for release of v4.1.2 (<a
href="https://redirect.github.com/actions/checkout/issues/1649">#1649</a>)</li>
<li><a
href="https://github.com/actions/checkout/commit/8eb1f6a495037164bea451156472f35fdd6bafc0"><code>8eb1f6a</code></a>
Bump <code>@babel/traverse</code> from 7.20.5 to 7.24.0 (<a
href="https://redirect.github.com/actions/checkout/issues/1642">#1642</a>)</li>
<li><a
href="https://github.com/actions/checkout/commit/556e4c3cb0b8b54b734286d5439adadcb0a8cb92"><code>556e4c3</code></a>
Bump tough-cookie from 4.0.0 to 4.1.3 (<a
href="https://redirect.github.com/actions/checkout/issues/1406">#1406</a>)</li>
<li><a
href="https://github.com/actions/checkout/commit/b32f140b0c872d58512e0a66172253c302617b90"><code>b32f140</code></a>
Warn on attempts to publish <code>test-ubuntu-git</code> from non-main
branch. (<a
href="https://redirect.github.com/actions/checkout/issues/1623">#1623</a>)</li>
<li><a
href="https://github.com/actions/checkout/commit/2650dbd060003e3b5ae211e4358852f336b682a7"><code>2650dbd</code></a>
Give <code>test-ubuntu-git</code> its own <code>README</code> (<a
href="https://redirect.github.com/actions/checkout/issues/1620">#1620</a>)</li>
<li><a
href="https://github.com/actions/checkout/commit/aadec899646c8e0f34c52d9219c2faac36626b55"><code>aadec89</code></a>
Explicitly disable sparse checkout unless asked for (<a
href="https://redirect.github.com/actions/checkout/issues/1598">#1598</a>)</li>
<li><a
href="https://github.com/actions/checkout/commit/df0bcddf6d6823307c716b56a7ef9c3b25078874"><code>df0bcdd</code></a>
Refine workflow for generating <code>test-ubuntu-git</code> (<a
href="https://redirect.github.com/actions/checkout/issues/1617">#1617</a>)</li>
<li><a
href="https://github.com/actions/checkout/commit/473055ba18d6d2da209cd46110aadb9275e3194e"><code>473055b</code></a>
Create <code>test-ubuntu-git</code> Docker Container for Proxy Tests (<a
href="https://redirect.github.com/actions/checkout/issues/1616">#1616</a>)</li>
<li><a
href="https://github.com/actions/checkout/commit/b4ffde65f46336ab88eb53be808477a3936bae11"><code>b4ffde6</code></a>
Link to release page from what's new section (<a
href="https://redirect.github.com/actions/checkout/issues/1514">#1514</a>)</li>
<li><a
href="https://github.com/actions/checkout/commit/8530928916aaef40f59e6f221989ccb31f5759e7"><code>8530928</code></a>
Correct link to GitHub Docs (<a
href="https://redirect.github.com/actions/checkout/issues/1511">#1511</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/actions/checkout/compare/8ade135a41bc03ea155e62e844d188df1ea18608...9bb56186c3b09b4f86b1c65136769dd318469633">compare
view</a></li>
</ul>
</details>
<br />

Updates `actions/upload-artifact` from 3.1.3 to 4.3.1
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/actions/upload-artifact/releases">actions/upload-artifact's
releases</a>.</em></p>
<blockquote>
<h2>v4.3.1</h2>
<ul>
<li>Bump <code>@actions/artifacts</code> to latest version to include
<a href="https://redirect.github.com/actions/toolkit/pull/1648">updated
GHES host check</a></li>
</ul>
<h2>v4.3.0</h2>
<h2>What's Changed</h2>
<ul>
<li>Reorganize upload code in prep for merge logic & add more tests
by <a href="https://github.com/robherley"><code>@robherley</code></a>
in <a
href="https://redirect.github.com/actions/upload-artifact/pull/504">actions/upload-artifact#504</a></li>
<li>Add sub-action to merge artifacts by <a
href="https://github.com/robherley"><code>@robherley</code></a> in <a
href="https://redirect.github.com/actions/upload-artifact/pull/505">actions/upload-artifact#505</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/actions/upload-artifact/compare/v4...v4.3.0">https://github.com/actions/upload-artifact/compare/v4...v4.3.0</a></p>
<h2>v4.2.0</h2>
<h2>What's Changed</h2>
<ul>
<li>Ability to overwrite an Artifact by <a
href="https://github.com/robherley"><code>@robherley</code></a> in <a
href="https://redirect.github.com/actions/upload-artifact/pull/501">actions/upload-artifact#501</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/actions/upload-artifact/compare/v4...v4.2.0">https://github.com/actions/upload-artifact/compare/v4...v4.2.0</a></p>
<h2>v4.1.0</h2>
<h2>What's Changed</h2>
<ul>
<li>Add migrations docs by <a
href="https://github.com/robherley"><code>@robherley</code></a> in <a
href="https://redirect.github.com/actions/upload-artifact/pull/482">actions/upload-artifact#482</a></li>
<li>Update README.md by <a
href="https://github.com/samuelwine"><code>@samuelwine</code></a> in <a
href="https://redirect.github.com/actions/upload-artifact/pull/492">actions/upload-artifact#492</a></li>
<li>Support artifact-url output by <a
href="https://github.com/konradpabjan"><code>@konradpabjan</code></a>
in <a
href="https://redirect.github.com/actions/upload-artifact/pull/496">actions/upload-artifact#496</a></li>
<li>Update readme to reflect new 500 artifact per job limit by <a
href="https://github.com/robherley"><code>@robherley</code></a> in <a
href="https://redirect.github.com/actions/upload-artifact/pull/497">actions/upload-artifact#497</a></li>
</ul>
<h2>New Contributors</h2>
<ul>
<li><a
href="https://github.com/samuelwine"><code>@samuelwine</code></a> made
their first contribution in <a
href="https://redirect.github.com/actions/upload-artifact/pull/492">actions/upload-artifact#492</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/actions/upload-artifact/compare/v4...v4.1.0">https://github.com/actions/upload-artifact/compare/v4...v4.1.0</a></p>
<h2>v4.0.0</h2>
<h2>What's Changed</h2>
<p>The release of upload-artifact@v4 and download-artifact@v4 are major
changes to the backend architecture of Artifacts. They have numerous
performance and behavioral improvements.</p>
<p>ℹ️ However, this is a major update that includes breaking changes.
Artifacts created with versions v3 and below are not compatible with the
v4 actions. Uploads and downloads <em>must</em> use the same major
actions versions. There are also key differences from previous versions
that may require updates to your workflows.</p>
<p>For more information, please see:</p>
<ol>
<li>The <a
href="https://github.blog/changelog/2023-12-14-github-actions-artifacts-v4-is-now-generally-available/">changelog</a>
post.</li>
<li>The <a
href="https://github.com/actions/upload-artifact/blob/main/README.md">README</a>.</li>
<li>The <a
href="https://github.com/actions/upload-artifact/blob/main/docs/MIGRATION.md">migration
documentation</a>.</li>
<li>As well as the underlying npm package, <a
href="https://github.com/actions/toolkit/tree/main/packages/artifact"><code>@actions/artifact</code></a>
documentation.</li>
</ol>
<h2>New Contributors</h2>
<ul>
<li><a href="https://github.com/vmjoseph"><code>@vmjoseph</code></a>
made their first contribution in <a
href="https://redirect.github.com/actions/upload-artifact/pull/464">actions/upload-artifact#464</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/actions/upload-artifact/compare/v3...v4.0.0">https://github.com/actions/upload-artifact/compare/v3...v4.0.0</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/actions/upload-artifact/commit/5d5d22a31266ced268874388b861e4b58bb5c2f3"><code>5d5d22a</code></a>
Merge pull request <a
href="https://redirect.github.com/actions/upload-artifact/issues/515">#515</a>
from actions/eggyhead/update-artifact-v2.1.1</li>
<li><a
href="https://github.com/actions/upload-artifact/commit/f1e993d9663a03508e7fc0370c744c4b963f0044"><code>f1e993d</code></a>
update artifact license</li>
<li><a
href="https://github.com/actions/upload-artifact/commit/4881bfd3f27855c63733d8cfff17721cc0ad611f"><code>4881bfd</code></a>
updating dist:</li>
<li><a
href="https://github.com/actions/upload-artifact/commit/a30777e2653648a0a7bbd3efb5c96ef9131b96cc"><code>a30777e</code></a>
<a href="https://github.com/eggyhead"><code>@eggyhead</code></a></li>
<li><a
href="https://github.com/actions/upload-artifact/commit/3a8048248f2f288c271830f8ecf2a1c5d8eb0e9a"><code>3a80482</code></a>
Merge pull request <a
href="https://redirect.github.com/actions/upload-artifact/issues/511">#511</a>
from actions/robherley/migration-docs-typo</li>
<li><a
href="https://github.com/actions/upload-artifact/commit/9d63e3f2f81d9dc4e13d83fc330408f8a94b79d1"><code>9d63e3f</code></a>
Merge branch 'main' into robherley/migration-docs-typo</li>
<li><a
href="https://github.com/actions/upload-artifact/commit/dfa1ab292d2fdd78d056187f11c568c16ab53de9"><code>dfa1ab2</code></a>
fix typo with v3 artifact downloads in migration guide</li>
<li><a
href="https://github.com/actions/upload-artifact/commit/d00351bf698398c17253d21cf8f90e57a344e14b"><code>d00351b</code></a>
Merge pull request <a
href="https://redirect.github.com/actions/upload-artifact/issues/509">#509</a>
from markmssd/patch-1</li>
<li><a
href="https://github.com/actions/upload-artifact/commit/707f5a7b71e0fb01c5df1e16e9679a3292606ef2"><code>707f5a7</code></a>
Update limitation of <code>10</code> artifacts upload to
<code>500</code></li>
<li><a
href="https://github.com/actions/upload-artifact/commit/26f96dfa697d77e81fd5907df203aa23a56210a8"><code>26f96df</code></a>
Merge pull request <a
href="https://redirect.github.com/actions/upload-artifact/issues/505">#505</a>
from actions/robherley/merge-artifacts</li>
<li>Additional commits viewable in <a
href="https://github.com/actions/upload-artifact/compare/a8a3f3ad30e3422c9c7b888a15615d19a852ae32...5d5d22a31266ced268874388b861e4b58bb5c2f3">compare
view</a></li>
</ul>
</details>
<br />

Updates `github/codeql-action` from 2.22.1 to 3.24.8
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/github/codeql-action/blob/main/CHANGELOG.md">github/codeql-action's
changelog</a>.</em></p>
<blockquote>
<h1>CodeQL Action Changelog</h1>
<p>See the <a
href="https://github.com/github/codeql-action/releases">releases
page</a> for the relevant changes to the CodeQL CLI and language
packs.</p>
<p>Note that the only difference between <code>v2</code> and
<code>v3</code> of the CodeQL Action is the node version they support,
with <code>v3</code> running on node 20 while we continue to release
<code>v2</code> to support running on node 16. For example
<code>3.22.11</code> was the first <code>v3</code> release and is
functionally identical to <code>2.22.11</code>. This approach ensures an
easy way to track exactly which features are included in different
versions, indicated by the minor and patch version numbers.</p>
<h2>[UNRELEASED]</h2>
<p>No user facing changes.</p>
<h2>3.24.8 - 18 Mar 2024</h2>
<ul>
<li>Improve the ease of debugging extraction issues by increasing the
verbosity of the extractor logs when running in debug mode. <a
href="https://redirect.github.com/github/codeql-action/pull/2195">#2195</a></li>
</ul>
<h2>3.24.7 - 12 Mar 2024</h2>
<ul>
<li>Update default CodeQL bundle version to 2.16.4. <a
href="https://redirect.github.com/github/codeql-action/pull/2185">#2185</a></li>
</ul>
<h2>3.24.6 - 29 Feb 2024</h2>
<p>No user facing changes.</p>
<h2>3.24.5 - 23 Feb 2024</h2>
<ul>
<li>Update default CodeQL bundle version to 2.16.3. <a
href="https://redirect.github.com/github/codeql-action/pull/2156">#2156</a></li>
</ul>
<h2>3.24.4 - 21 Feb 2024</h2>
<ul>
<li>Fix an issue where an existing, but empty,
<code>/sys/fs/cgroup/cpuset.cpus</code> file always resulted in a
single-threaded run. <a
href="https://redirect.github.com/github/codeql-action/pull/2151">#2151</a></li>
</ul>
<h2>3.24.3 - 15 Feb 2024</h2>
<ul>
<li>Fix an issue where the CodeQL Action would fail to load a
configuration specified by the <code>config</code> input to the
<code>init</code> Action. <a
href="https://redirect.github.com/github/codeql-action/pull/2147">#2147</a></li>
</ul>
<h2>3.24.2 - 15 Feb 2024</h2>
<ul>
<li>Enable improved multi-threaded performance on larger runners for
GitHub Enterprise Server users. This feature is already available to
GitHub.com users. <a
href="https://redirect.github.com/github/codeql-action/pull/2141">#2141</a></li>
</ul>
<h2>3.24.1 - 13 Feb 2024</h2>
<ul>
<li>Update default CodeQL bundle version to 2.16.2. <a
href="https://redirect.github.com/github/codeql-action/pull/2124">#2124</a></li>
<li>The CodeQL action no longer fails if it can't write to the telemetry
api endpoint. <a
href="https://redirect.github.com/github/codeql-action/pull/2121">#2121</a></li>
</ul>
<h2>3.24.0 - 02 Feb 2024</h2>
<ul>
<li>CodeQL Python analysis will no longer install dependencies on GitHub
Enterprise Server, as is already the case for GitHub.com. See <a
href="https://github.com/github/codeql-action/blob/main/#3230---08-jan-2024">release
notes for 3.23.0</a> for more details. <a
href="https://redirect.github.com/github/codeql-action/pull/2106">#2106</a></li>
</ul>
<h2>3.23.2 - 26 Jan 2024</h2>
<ul>
<li>On Linux, the maximum possible value for the <code>--threads</code>
option now respects the CPU count as specified in <code>cgroup</code>
files to more accurately reflect the number of available cores when
running in containers. <a
href="https://redirect.github.com/github/codeql-action/pull/2083">#2083</a></li>
</ul>

</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/github/codeql-action/commit/05963f47d870e2cb19a537396c1f668a348c7d8f"><code>05963f4</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/2200">#2200</a>
from github/update-v3.24.8-1ecc2779e</li>
<li><a
href="https://github.com/github/codeql-action/commit/2b9b521560767d809d8ee77b5025b01153ffe766"><code>2b9b521</code></a>
Update changelog for v3.24.8</li>
<li><a
href="https://github.com/github/codeql-action/commit/1ecc2779e9e8a1005dab2bfab0c908371cd4a830"><code>1ecc277</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/2198">#2198</a>
from github/henrymercer/improve-tracking-autobuild-e...</li>
<li><a
href="https://github.com/github/codeql-action/commit/e28ae3a84c136adc8b7e8c73705c6aa4b1cd7b60"><code>e28ae3a</code></a>
Add config error for Swift build failures</li>
<li><a
href="https://github.com/github/codeql-action/commit/bddfc7c6d5f02cfb909b01104ebb039eab86ed0e"><code>bddfc7c</code></a>
Add config error for Gradle build failures</li>
<li><a
href="https://github.com/github/codeql-action/commit/3edd1bf725dc2142b5eecac26e3cc7ddab176aa2"><code>3edd1bf</code></a>
Truncate autobuild errors to 10 lines</li>
<li><a
href="https://github.com/github/codeql-action/commit/88a0b7abb3b047d4c1ef5f2762ce215fb098dc06"><code>88a0b7a</code></a>
Mark Maven build failures as configuration errors</li>
<li><a
href="https://github.com/github/codeql-action/commit/88b28eb70de0ce90819beb741e488921e89177e1"><code>88b28eb</code></a>
Surface autobuild errors from stderr stream</li>
<li><a
href="https://github.com/github/codeql-action/commit/f055b5e672ed1ea4fd98a276788e4bcb5a64ad17"><code>f055b5e</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/2197">#2197</a>
from github/henrymercer/log-job-status</li>
<li><a
href="https://github.com/github/codeql-action/commit/0d680ab61c4b566d5870b32c2b4b1e65910864be"><code>0d680ab</code></a>
Merge pull request <a
href="https://redirect.github.com/github/codeql-action/issues/2196">#2196</a>
from github/henrymercer/update-packs-input-description</li>
<li>Additional commits viewable in <a
href="https://github.com/github/codeql-action/compare/fdcae64e1484d349b3366718cdfef3d404390e85...05963f47d870e2cb19a537396c1f668a348c7d8f">compare
view</a></li>
</ul>
</details>
<br />

Updates `ossf/scorecard-action` from 2.3.0 to 2.3.1
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/ossf/scorecard-action/releases">ossf/scorecard-action's
releases</a>.</em></p>
<blockquote>
<h2>v2.3.1</h2>
<h2>What's Changed</h2>
<ul>
<li>:seedling: Bump github.com/ossf/scorecard/v4 from v4.13.0 to v4.13.1
by <a
href="https://github.com/spencerschrock"><code>@spencerschrock</code></a>
in <a
href="https://redirect.github.com/ossf/scorecard-action/pull/1282">ossf/scorecard-action#1282</a>
<ul>
<li>Adds additional Fuzzing detection and fixes a SAST bug related to
detecting CodeQL. For a full changelist of what this includes, see the
<a
href="https://github.com/ossf/scorecard/releases/tag/v4.13.1">v4.13.1</a>
release notes</li>
</ul>
</li>
</ul>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/ossf/scorecard-action/compare/v2.3.0...v2.3.1">https://github.com/ossf/scorecard-action/compare/v2.3.0...v2.3.1</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/ossf/scorecard-action/commit/0864cf19026789058feabb7e87baa5f140aac736"><code>0864cf1</code></a>
:seedling: Bump docker tag to for v2.3.1 release (<a
href="https://redirect.github.com/ossf/scorecard-action/issues/1284">#1284</a>)</li>
<li><a
href="https://github.com/ossf/scorecard-action/commit/72df3bff668d052aaec251accaffec0b280410fb"><code>72df3bf</code></a>
:seedling: Bump github.com/ossf/scorecard/v4 from v4.13.0 to v4.13.1 (<a
href="https://redirect.github.com/ossf/scorecard-action/issues/1282">#1282</a>)</li>
<li><a
href="https://github.com/ossf/scorecard-action/commit/0ea411f94ac145b6fd793458b7f75ebbe7ae0a8f"><code>0ea411f</code></a>
:seedling: Bump the docker-images group with 1 update (<a
href="https://redirect.github.com/ossf/scorecard-action/issues/1281">#1281</a>)</li>
<li><a
href="https://github.com/ossf/scorecard-action/commit/dbfd042453ccc43ade96943685dbece2dd86bbae"><code>dbfd042</code></a>
:seedling: Bump the github-actions group with 1 update (<a
href="https://redirect.github.com/ossf/scorecard-action/issues/1280">#1280</a>)</li>
<li><a
href="https://github.com/ossf/scorecard-action/commit/2fa1e2fa153141e2950c7e1299ed05e2081ead0c"><code>2fa1e2f</code></a>
:seedling: Bump golang.org/x/net from 0.16.0 to 0.17.0 (<a
href="https://redirect.github.com/ossf/scorecard-action/issues/1278">#1278</a>)</li>
<li><a
href="https://github.com/ossf/scorecard-action/commit/652ddd06c802ac1ba4021a9f02978dc5150b223e"><code>652ddd0</code></a>
:seedling: Bump github.com/google/go-cmp from 0.5.9 to 0.6.0 (<a
href="https://redirect.github.com/ossf/scorecard-action/issues/1277">#1277</a>)</li>
<li><a
href="https://github.com/ossf/scorecard-action/commit/28d0c92b8bb9dd266a8cf4dde7bae71c06a0c62f"><code>28d0c92</code></a>
:seedling: Group Dependabot updates for GitHub Actions and Dockerfiles
(<a
href="https://redirect.github.com/ossf/scorecard-action/issues/1276">#1276</a>)</li>
<li><a
href="https://github.com/ossf/scorecard-action/commit/cb50491a46a858cb57669a16a720b7a00e1f9d29"><code>cb50491</code></a>
:seedling: Bump distroless/base from <code>a35b652</code> to
<code>b31a6e0</code> (<a
href="https://redirect.github.com/ossf/scorecard-action/issues/1275">#1275</a>)</li>
<li><a
href="https://github.com/ossf/scorecard-action/commit/87157ac77d7ec18a631049bc92fdac7ee63a471a"><code>87157ac</code></a>
:seedling: Bump github/codeql-action from 2.21.9 to 2.22.1 (<a
href="https://redirect.github.com/ossf/scorecard-action/issues/1274">#1274</a>)</li>
<li><a
href="https://github.com/ossf/scorecard-action/commit/7c1648b23e27a96acf7c3842fd1921d16bd8d4d2"><code>7c1648b</code></a>
:seedling: Bump step-security/harden-runner from 2.5.1 to 2.6.0 (<a
href="https://redirect.github.com/ossf/scorecard-action/issues/1273">#1273</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/ossf/scorecard-action/compare/483ef80eb98fb506c348f7d62e28055e49fe2398...0864cf19026789058feabb7e87baa5f140aac736">compare
view</a></li>
</ul>
</details>
<br />

Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after
your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating
it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

cmake: Set CMP0075 to NEW (#2067)

The new behavior of this policy makes check_include_file() and friends
use the CMAKE_REQUIRED_LIBRARIES variable before checking for headers.
This is used to check for cryptography algorithms provided by OpenSSL.

Signed-off-by: Collin Funk <collin.funk1@gmail.com>

Fix tests on Windows (#2091)

For the most part, a good number of
failing tests are failing because they make the assumption that archive
contents are read as utf-8 by default, which is not true for Windows,
which assumes OEM code page by default.

Set umask before testing `--exclude-vcs`. (#2082)

Improved control over frame size in zstd filter. (#2081)

Instead of just `min-frame-size` and `max-frame-size`, we now have four
separate options:

* `min-frame-in` delays the creation of a new frame on flush until the
uncompressed size of the current frame passes a certain threshold.

* `min-frame-out` delays the creation of a new frame on flush until the
compressed size of the current frame passes a certain threshold.

* `max-frame-in` forces the creation of a new frame as soon as possible
after the uncompressed size of the current frame reaches a certain
limit.

* `max-frame-out` forces the creation of a new frame as soon as possible
after the compressed size of the current frame reaches a certain limit.

We now also support `k`, `kB`, `M`, `MB`, `G` and `GB` suffixes for all
four options.

The old options are retained as aliases for the corresponding new
options.

tar: Warn when multiple --option values are specified (#2073)

The accepted way to specify multiple options is to list them all as one
comma-separated parameter. bsdtar would silently ignore all but the last
value, which can be very confusing. Print a warning in this scenario.

Update 'archive_mstring_update_utf8' to attempt UTF8->WCS conversion on Windows if MBS conversion fails (#1978)

Currently, functions like `archive_entry_pathname_w` etc. fail on
Windows for .rar files that contain entries with Unicode filenames that
cannot be represented by the active codepage. This is because
`archive_mstring_update_utf8` first attempts to perform a UTF8->MBS
conversion before doing an MBS->WCS conversion. The first conversion (to
MBS) fails, which short-circuits to return failure. Later when we try
and read the string, `archive_mstring_get_wcs` will fail because it
_also_ tries to do a UTF8->MBS followed by an MBS->WCS conversion. The
conversion to MBS will of course fail again.

One possible workaround is to call `setlocale` with something like
`"en_US.utf8"`, however this is not feasible for some consumers.

This change fixes this issue by adding a "fallback" in
'archive_mstring_update_utf8' which will attempt to do a UTF8->WCS
conversion on Windows if the MBS conversion failed. This is not too
dissimilar from the implementation of `archive_mstring_copy_mbs_len_l`
which most - if not all - other archive formats seem to take, which will
by default call `archive_wstring_append_from_mbs_in_codepage` if the
passed in `archive_string_conv` object is non-null

Fixes #1971

Fix archive_write_set_format_option for 7zip format (#2093)

A couple of small fixes to the documentation of the
`archive_write_set_format_option` for the 7zip format. See commits for
details.

Fix DONT_FAIL_ON_CRC_ERROR ifndef logic (#2079)

An `if` without curly braces guards the following statement.

When `#ifndef` removes that statement, the `if` now guards whatever
statement comes next.

I have not yet tested the changes.

Introduced in https://github.com/libarchive/libarchive/pull/1790.
CC people from original PR: @jvoisin @mmatuska

add support for CMAKE_BUILD_TYPE None (#2074)

closes https://github.com/libarchive/libarchive/issues/2060

tar: Add support for --group and --owner (#2054)

Closes: https://github.com/libarchive/libarchive/issues/278

Fix FILETIME truncation on `archive_write_finish_entry()` on Windows (#2050)

On Windows, `archive_write_finish_entry()` does not restore time
correctly.
It truncates the last digit of original FILETIME which is stored in the
archive.
This commit fixes this behavior.
See libarchive#2049 for detailed explanation on this issue.

CI: drop FreeBSD 12.4, as it is EOL (#2047)

Enable CTEST_OUTPUT_ON_FAILURE (#2044)

This provides more information when tests fail in CI.

document supported formats for `--mac-metadata` - see #2041 (#2046)

Doc fix to clarify that `--mac-metadata` is only supported for certain
formats. Hopefully just a short-term fix until support is added for
other formats. (See discussion on #2041)

Gardening: Fix the `begin` lines in many of the uuencoded test data (#2043)

The libarchive test harness always extracts these to the truncated
source filename, ignoring the name in the `begin` line. However, for
ease of experimentation, people will want to manually extract these with
`uudecode`, so the `begin` lines should have the correct filename.

CI: Add FreeBSD 14.0 (#2034)

Add a couple of missing HAVE_PCRE2POSIX_H ifdefs (#2033)

Followup to #2031.

Add trailing letter b to bsdtar substitute pattern (#2012)

The letter b stands for "from (b)eginning" and specifies that a
substitute expression should be matched from the beginning of the
string, regardless if and where a previous substitute expression
matched.

Example:
Transform filename from B-A to A-B and remove all underscores.

Attempt without option b:

    bsdtar -cft -s '/$.*$-$.*$/\2-\1/gp' -s "/_//g" ab_c-d_ef
    ab_c-d_ef >> d_ef-ab_c

With option b:

    bsdtar -cft -s '/$.*$-$.*$/\2-\1/gp' -s "/_//gb" ab_c-d_ef
    ab_c-d_ef >> def-abc

CI: install mingw and set correct path

Add support for PCRE2 (#2031)

The original PCRE is now end-of-life, and no longer actively maintained.

Implements #2013.

Fix encoding detection on platforms with nl_langinfo() (#2030)

libarchive relies on its host program to call setlocale() on platforms
with nl_langinfo() present in order to correctly detect the user
selected locale. This ensures that bsdunzip does so.

Minor __LA_NORETURN inspired fixes (#2028)

Earlier MR https://github.com/libarchive/libarchive/pull/2000 forgot to
annotate some functions as __LA_NORETURN. While fixing that I've noticed
that the bsdcat.h header could use some fixes so I've snuck those in.

Kind of make sense to group in one PR, but can split people prefer so.

/cc @AtariDreams fyi

---------

Signed-off-by: Emil Velikov <emil.l.velikov@gmail.com>

Replace __LA_DEAD with __LA_NORETURN (#2000)

Also add the MSC_VER version of the macro.

Perform "dead stripping" on macos (#1997)

Since Xcode 1.5, macos ld has a -dead_strip flag which is roughly
equivalent to --gc-sections in GNU style linkers, let's use it.

Reference:
https://opensource.apple.com/source/cctools/cctools-622.5.1/RelNotes/CompilerTools.html

Results from running the following command, before and after this
change, formatted for easy comparison (the actual values will vary with
toolchain and library versions used):
```
size bsdtar bsdcpio bsdunzip bsdcat .libs/libarchive.13.dylib

__TEXT __DATA __OBJC others     dec        hex

655360 16384  0      4295196672 4295868416 1000dc000 bsdtar # before
638976 16384  0      4295180288 4295835648 1000d4000 bsdtar # after

638976 32768  0      4295196672 4295868416 1000dc000 bsdcpio # before
606208 32768  0      4295163904 4295802880 1000cc000 bsdcpio # after

147456 16384  0      4295065600 4295229440 100040000 bsdunzip # before
114688 16384  0      4295032832 4295163904 100030000 bsdunzip # after

131072 16384  0      4295065600 4295213056 10003c000 bsdcat # before
49152 16384  0      4295016448 4295081984 10001c000 bsdcat # after

638976 16384  0          229376     884736     d8000 .libs/libarchive.13.dylib # before
622592 16384  0          229376     868352     d4000 .libs/libarchive.13.dylib # after
```

Including getopt.h if HAVE_GETOPT_OPTRESET is defined (#2007)

On platforms that uses optreset we must also include getopt.h to have it
defined

xz: fix incorrect eof at the end of an lzip member. (#2027)

xz filter returns incorrect eof if the end of an lzip member is at the
end of the read buffer (`state->stream.next_in`).
At next call of `xz_filter_read()`, following lzip members are never
read since `state->eof` is still flagged.
Fixes #2026.

unzip: Increment option count after swallowing -- (#2022)

* Option count is used later for the position of the file in the
arguments and otherwise it uses -- as the file.

---------

Signed-off-by: Alfred Wingate <parona@protonmail.com>

Prefer OPENSSL_cleanse to memset in OpenSSL code path (#2020)

`memset` can be optimized away. `OPENSSL_cleanse` is implemented in a
way that usually survives optimizations.

win32: ensure that the MSVC build doesn't terminate when MinGW fails (#2018)

For `matrix`-strategy builds, GitHub actions will terminate all related
matrix legs when one of them fails.

Disabling `fail-fast` knocks this behavior off.

Add a new Windows-only public API, archive_read_open_filenames_w (#2016)

There is a discrepancy between the w and non-w filename APIs, wherein a
consumer of libarchive can open a multi-volume set with names in the
current locale (on Windows) but not with UTF-16 names.

This patch addresses that issue.

archive_read_open_filename_w delegates its work to
archive_read_open_filenames_w.

Fixes #1728

Tested passing on Windows. In the meantime, I will also test on Linux.
I am hoping that the build agents can help me determine FreeBSD and
macOS coverage.

VCSid removal (#2017)

The libarchive source tree is littered with `__FBSDID("$FreeBSD.*")` and
'$FreeBSD$' tags left over from extracting it from FreeBSD's Subversion
repo. They never made sense for a git repo as git doesn't expand them
and FreeBSD has now removed `$FreeBSD$` from most local source files so
these stand out.

In addition to `__FBSDID` I've removed `__RCSID` which was used once for
a `$NetBSD$` expansion. There might be more of a case to be made for
preserving this one as a diff-reduction measure, but it seems mostly
pointless.

This builds and tests pass except for
libarchive_test_read_disk_directory_traversals which failed on master as
well.

Use calloc arguments that correspond with the variable's true purpose (#1993)

First argument is number of times to allocate a region of the second
size, which is the size of the element being allocated.

build(deps): bump the all-actions group with 3 updates (#1989)

actions/checkout from 4.0.0 to 4.1.0r
github/codeql-action from 2.21.7 to 2.22.1
ossf/scorecard-action from 2.2.0 to 2.3.0

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

fix detection of lzma_stream_encoder_mt with Werror (#1965)

the function is marked as warn-unused-result, so by default in a Debug
build with cmake, when Werror is set, this fails to detect. do the same
for autotools.

build(deps): bump the all-actions group with 1 update (#1975)

github/codeql-action v2.21.5 -> v2.21.7

Preserve the natural order in ISO9660 archives for linked files (#1974)

When an ISO9660 archive contains hard links or sym links, the order of
the files in the output of 'bsdtar -tf filename' is not the natural
order.

With an extension to the key (while still supporting ISO files up to 2^48
bytes) the sorting order is guaranteed for ISO files that contain linked
files for up to 2^16 files in total.

Co-authored-by: Martin Matuska <martin@matuska.de>

Add Scorecard GHA (#1973)

Fixes #1972

This adds the Scorecard GitHub Action to monitor the project's
supply-chain security posture.

Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>

build(deps): bump the all-actions group with 1 update (#1967)

Signed-off-by: dependabot[bot] <support@github.com>

tests: fix zstd long option test for 32-bit architectures

Fixes #1968

CI: update Windows zlib build dependency to 1.3

Hash-pin GitHub Actions, keep them updated with dependabot (#1960)

Fixes #1959.

This PR hash-pins GitHub Actions used in workflows and sets up
dependabot to keep the Actions up-to-date.

I've configured dependabot to group all Actions together. So if it ever
discovers that multiple Actions have new versions, it'll only send a
single PR to bump them all together.

---------

Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>

Add --long write option for zstd (#1962)

Fixes #1795

Set read-only workflow tokens (#1958)

Fixes #1957.

This PR ensures all workflows run with minimal permissions, instead of
with `write-all` permissions. This will protect the project from
supply-chain attacks.

The change to codeql.yml is for consistency and future-proofing. Should
another job eventually be added to the workflow, it will run with just
`contents: read`.

Signed-off-by: Pedro Kaj Kjellerup Nacht <pnacht@google.com>

Fix MSVC warnings on x64 (#1956)

On Windows x64, `long` & `ulong` are 4 bytes instead of 8 bytes like
everywhere else

Co-authored-by: Jarred Sumner

Add threads write option for zstd to man pages (#1952)

The threads option of zstd is supported by libarchive, but it is missing
in the man pages.
Fixes #1951

7zip reader: improve error message when encountering the ARM64 codec in an unexpected place (#1950)

This is a small followup to #1918.

uudecode filter: free name if already allocated before allocating

uudecode filter: add missing check for failed malloc

uudecode filter: fix memory allocation and name length calculation

uudecode filter: fix file name length calculation

uudecode filter: in raw mode decode file name and file mode

Fixes #1941

contrib/archivetest: add raw archive support and print file modes

7zip reader: translate windows permissions to unix permissions (#1943)

7z archives created on windows 7zip can lack unix permission info. In
this case, we need to translate the windows permissions into reasonable
unix equivalents.

pax writer: fix multiple security vulnerabilities

Security vulnerabilities:
1. Heap overflow in url_encode() in archive_write_set_format_pax.c
2. NULL dereference in archive_write_pax_header_xattrs()
3. Another NULL dereference in archive_write_pax_header_xattrs()
4. NULL dereference in archive_write_pax_header_xattr()

The vulnerabilities can be triggered when writing pax archives
with extended attributes (SCHILY or LIBARCHIVE) by feeding attribute
names longer than INT_MAX or attribute names that fail to be encoded
properly.

Reported-by: Bahaa Naamneh of Crosspoint Labs

CI: update Windows build dependencies

Update zlib to 1.2.13, xz to 1.4.4 and zstd to 1.5.5

unzip: correctly handle arguments following an -x after zipfile

build: add missing HAVE_STRUCT_STATFS to build/cmake/config.h.in

Fixes #1937

unzip: correctly define bsdunzip_optind

unzip: use libarchive-style getopt() implementation

unzip: support --version argument

cat: fix references and variable names in cmdline.c

contrib/unter: use vendor-dependent number format for size_t (#1613)

Use BUF_SIZE constant instead of explicit number

tar: respect --strip-components and -s patterns in cru modes on read (#1731)

cpio: multiple fixes in list_item_verbose()

Do not call strftime() with NULL timeptr
Adjust uids and gids buffers as cpio_i64toa() may return up to 22 bytes

Fixes #1934
Fixes #1935

unzip: fix include order in la_getline.c

Check if clang has __builtin_bswap16 (#1932)

Some older versions of clang do not in fact have this builtin.

Co-authored-by: Toby Peterson <toby@macports.org>

build: update config_freebsd.h

unzip: add NetBSD implementation of getline() if not supported

Fixes #1933

unzip: remove optreset from bsdunzip_platform.h

Correct assignment to r when checking for result of reading archive data (#1929)

It is impossible for if (r == ARCHIVE_FATAL) to be true otherwise.

unzip: Pull in upstream updates (#1926)

Fixes #1873

Fix various VS2019 compiler warnings (#1927)

This PR fixes a bunch of warnings while building with VS2019.
Some lz4 warning fixes are included, too.

return ((int)r); is not part of if statement due to missing brackets (#1930)

This is problematic because we need to return if an error occurs, and
because we are letting a continue to be evaluated even though it is
closed.

Replace `svfs.f_namelen` with `svfs.f_namemax` (#1924)

The equivalent for `f_namelen` in struct statvfs is `f_namemax`.

Signed-off-by: Wong Hoi Sing Edison <hswong3i@pantarei-design.com>

Makefile: add mkdirs for all */test/list.h targets (#1923)

Add missing mkdir calls to `cat/test/list.h` and `unzip/test/list.h`
invocations, making them consistent with the other rules. Otherwise,
the build fails when configured with `--disable-dependency-tracking`,
as configure does not create the directories automatically then.

unzip: fix build without utimensat() or futimens()

Fixes #1919

unzip: use libeal port of sys/queue.h if not available

Fixes #1920

unzip: use lchmod() and optreset only if available (fix Android build)

Fixes #1921