Update gix-* crates — heartwood

Fixes CVE-2026-0810.

The gix crates require updating due to the security vulnerability above. They require updating together in lock-step so both radicle-fetch and radicle-oid are affected.

radicle-oid handles the non-exhaustive nature of ObjectId.

radicle-fetch updates to the new API types, however, this comes with some updates to the ls_refs protocol.

A regression is documented in gitoxide issue 2429. The regression highlighted that it is the duty of the caller to also filter the outcome of ls-refs, and ref-prefix is simply an optimisation.

The ls-refs code is refactored to better represent and handle this operation.

 [[package]]
 name = "arc-swap"
 version = "1.7.1"
 version = "1.8.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "69f7f8c3906b62b754cd5326047894316021dcfe5a194c8ea52bdd94934a3457"
 checksum = "f9f3647c145568cec02c42054e07bdf9a5a698e15b466fb2341bfc393cd24aa5"
 dependencies = [
  "rustversion",
 ]
 [[package]]
 name = "ascii"

  "document-features",
  "mio 1.0.4",
  "parking_lot",
  "rustix 1.0.7",
  "rustix 1.1.3",
  "signal-hook",
  "signal-hook-mio",
  "winapi",

 checksum = "7ced92e76e966ca2fd84c8f7aa01a4aea65b0eb6648d72f7c8f3e2764a67fece"
 dependencies = [
  "crc32fast",
  "libz-rs-sys",
  "miniz_oxide",
 ]

 [[package]]
 name = "gix-actor"
 version = "0.35.4"
 version = "0.38.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "2d36dcf9efe32b51b12dfa33cedff8414926124e760a32f9e7a6b5580d280967"
 checksum = "b50ce5433eaa46187349e59089eea71b0397caa71991b2fa3e124120426d7d15"
 dependencies = [
  "bstr",
  "gix-date",
  "gix-date 0.13.0",
  "gix-utils",
  "itoa",
  "thiserror 2.0.17",
  "thiserror 2.0.18",
  "winnow",
 ]
 [[package]]
 name = "gix-actor"
 version = "0.39.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "0c44f13049925e8dc3955c20ecec5391cedfb041e0952416b583ecc57bc68325"
 dependencies = [
  "bstr",
  "gix-date 0.14.0",
  "gix-error 0.1.0",
  "winnow",
 ]
 [[package]]
 name = "gix-chunk"
 version = "0.4.11"
 version = "0.5.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "63e516efaac951ed21115b11d5514b120c26ccb493d0c0b9ea6cc10edf4fdf44"
 dependencies = [
  "gix-error 0.0.0",
 ]
 [[package]]
 name = "gix-chunk"
 version = "0.6.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "0b1f1d8764958699dc764e3f727cef280ff4d1bd92c107bbf8acd85b30c1bd6f"
 checksum = "d14ee09ab454481a91fe969ca5afbd41c8a9b05680197b6554ebb69bdcf7d571"
 dependencies = [
  "thiserror 2.0.17",
  "gix-error 0.1.0",
 ]
 [[package]]
 name = "gix-command"
 version = "0.6.2"
 version = "0.7.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "6b31b65ca48a352ae86312b27a514a0c661935f96b481ac8b4371f65815eb196"
 checksum = "2962172c6f78731e2b7773bf762f7b8d1746a342a4c0a8914a612206e1295953"
 dependencies = [
  "bstr",
  "gix-path",

  "gix-quote",
  "gix-sec",
  "gix-url",
  "thiserror 2.0.17",
  "thiserror 2.0.18",
 ]
 [[package]]
 name = "gix-traverse"
 version = "0.47.0"
 version = "0.52.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c7cdc82509d792ba0ad815f86f6b469c7afe10f94362e96c4494525a6601bdd5"
 checksum = "37f8b53b4c56b01c43a4491c4edfe2ce66c654eb86232205172ceb1650d21c55"
 dependencies = [
  "bitflags 2.9.1",
  "gix-commitgraph",
  "gix-date",
  "gix-commitgraph 0.32.0",
  "gix-date 0.13.0",
  "gix-hash",
  "gix-hashtable",
  "gix-object",
  "gix-revwalk",
  "gix-object 0.55.0",
  "gix-revwalk 0.26.0",
  "smallvec",
  "thiserror 2.0.17",
  "thiserror 2.0.18",
 ]
 [[package]]
 name = "gix-url"
 version = "0.32.0"
 version = "0.35.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1b76a9d266254ad287ffd44467cd88e7868799b08f4d52e02d942b93e514d16f"
 checksum = "507752d41afcdf5961ab494eb062c3bf21f68b2ee67e45568e9028cccdd00c34"
 dependencies = [
  "bstr",
  "gix-features",
  "gix-path",
  "percent-encoding",
  "thiserror 2.0.17",
  "url",
  "thiserror 2.0.18",
 ]
 [[package]]
 name = "gix-utils"
 version = "0.3.0"
 version = "0.3.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "5351af2b172caf41a3728eb4455326d84e0d70fe26fc4de74ab0bd37df4191c5"
 checksum = "befcdbdfb1238d2854591f760a48711bed85e72d80a10e8f2f93f656746ef7c5"
 dependencies = [
  "fastrand",
  "unicode-normalization",

 [[package]]
 name = "hashbrown"
 version = "0.15.5"
 version = "0.16.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "9229cfe53dfd69f0609a49f65461bd93001ea1ef889cd5529dd176593f5338a1"
 checksum = "841d1cc9bed7f9236f321df977030373f4a4163ae1a7dbfe1a51a2c1a51d9100"
 [[package]]
 name = "heapless"

 ]
 [[package]]
 name = "home"
 version = "0.5.9"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "e3d1354bf6b7235cb4a0576c2619fd4ed18183f689b12b006a0ee7329eeff9a5"
 dependencies = [
  "windows-sys 0.52.0",
 ]
 [[package]]
 name = "human-panic"
 version = "2.0.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"

 [[package]]
 name = "itoa"
 version = "1.0.11"
 version = "1.0.17"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "49f1f14873335454500d59611f1cf4a4b0f786f9ac11f4312a78e4cf2566695b"
 checksum = "92ecc6618181def0457392ccd0ee51198e065e016d1d527a7ac1b6dc7c1f09d2"
 [[package]]
 name = "jiff"
 version = "0.2.15"
 version = "0.2.20"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "be1f93b8b1eb69c77f24bbb0afdf66f54b632ee39af40ca21c4365a1d7347e49"
 checksum = "c867c356cc096b33f4981825ab281ecba3db0acefe60329f044c1789d94c6543"
 dependencies = [
  "jiff-static",
  "jiff-tzdb-platform",
  "log",
  "portable-atomic",
  "portable-atomic-util",
  "serde",
  "windows-sys 0.59.0",
  "serde_core",
  "windows-sys 0.60.2",
 ]
 [[package]]
 name = "jiff-static"
 version = "0.2.15"
 version = "0.2.20"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "03343451ff899767262ec32146f6d559dd759fdadf42ff0e227c7c48f72594b4"
 checksum = "f7946b4325269738f270bb55b3c19ab5c5040525f83fd625259422a9d25d9be5"
 dependencies = [
  "proc-macro2",
  "quote",

 [[package]]
 name = "libc"
 version = "0.2.174"
 version = "0.2.182"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1171693293099992e19cddea4e8b849964e9846f4acee11b3948bcc337be8776"
 checksum = "6800badb6cb2082ffd7b6a67e6125bb39f18782f793520caee8cb8846be06112"
 [[package]]
 name = "libgit2-sys"

 checksum = "4ec2a862134d2a7d32d7983ddcdd1c4923530833c9f2ea1a44fc5fa473989058"
 [[package]]
 name = "libz-rs-sys"
 version = "0.5.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "840db8cf39d9ec4dd794376f38acc40d0fc65eec2a8f484f7fd375b84602becd"
 dependencies = [
  "zlib-rs",
 ]
 [[package]]
 name = "libz-sys"
 version = "1.1.16"
 source = "registry+https://github.com/rust-lang/crates.io-index"

 [[package]]
 name = "linux-raw-sys"
 version = "0.9.4"
 version = "0.11.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "cd945864f07fe9f5371a27ad7b52a172b4b499999f1d97574c9fa68373937e12"
 checksum = "df1d3c3b53da64cf5760482273a98e575c651a67eec7f77df96b5b642de8f039"
 [[package]]
 name = "litemap"

 [[package]]
 name = "prodash"
 version = "30.0.1"
 version = "31.0.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "5a6efc566849d3d9d737c5cb06cc50e48950ebe3d3f9d70631490fff3a07b139"
 checksum = "962200e2d7d551451297d9fdce85138374019ada198e30ea9ede38034e27604c"
 dependencies = [
  "parking_lot",
 ]

  "siphasher 1.0.1",
  "sqlite",
  "tempfile",
  "thiserror 2.0.17",
  "thiserror 2.0.18",
  "uds_windows",
  "unicode-normalization",
 ]

  "serde_json",
  "shlex",
  "tempfile",
  "thiserror 2.0.17",
  "thiserror 2.0.18",
  "timeago",
  "tree-sitter",
  "tree-sitter-bash",

  "gix-odb",
  "gix-pack",
  "gix-protocol",
  "gix-refspec",
  "gix-transport",
  "log",
  "nonempty",
  "radicle",
  "radicle-git-ref-format",
  "radicle-oid",
  "thiserror 2.0.17",
  "thiserror 2.0.18",
 ]
 [[package]]

 name = "radicle-ssh"
 version = "0.10.0"
 dependencies = [
  "thiserror 2.0.17",
  "thiserror 2.0.18",
  "winpipe",
  "zeroize",
 ]

 [[package]]
 name = "rustix"
 version = "1.0.7"
 version = "1.1.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c71e83d6afe7ff64890ec6b71d6a69bb8a610ab78ce364b3352876bb4c801266"
 checksum = "146c9e247ccc180c1f61615433868c99f3de3ae256a30a43b49f67c2d9171f34"
 dependencies = [
  "bitflags 2.9.1",
  "errno",
  "libc",
  "linux-raw-sys 0.9.4",
  "windows-sys 0.59.0",
  "linux-raw-sys 0.11.0",
  "windows-sys 0.60.2",
 ]
 [[package]]

 [[package]]
 name = "thiserror"
 version = "2.0.17"
 version = "2.0.18"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "f63587ca0f12b72a0600bcba1d40081f830876000bb46dd2337a3051618f4fc8"
 checksum = "4288b5bcbc7920c07a1149a35cf9590a2aa808e0bc1eafaade0b80947865fbc4"
 dependencies = [
  "thiserror-impl 2.0.17",
  "thiserror-impl 2.0.18",
 ]
 [[package]]

 ]
 [[package]]
 name = "windows-sys"
 version = "0.61.2"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "ae137229bcbd6cdf0f7b80a31df61766145077ddf49416a728b02cb3921ff3fc"
 dependencies = [
  "windows-link 0.2.1",
 ]
 [[package]]
 name = "windows-targets"
 version = "0.48.5"
 source = "registry+https://github.com/rust-lang/crates.io-index"

 [[package]]
 name = "winnow"
 version = "0.7.13"
 version = "0.7.14"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "21a0236b59786fed61e2a80582dd500fe61f18b5dca67a4a067d0bc9039339cf"
 checksum = "5a5364e9d77fcdeeaa6062ced926ee3381faa2ee02d3eb83a5c27a8825540829"
 dependencies = [
  "memchr",
 ]

 dunce = "1.0.5"
 fastrand = { version = "2.0.0", default-features = false }
 git2 = { version = "0.19.0", default-features = false, features = ["vendored-libgit2"] }
 gix-hash = { version = "0.19.0", default-features = false }
 gix-hash = { version = "0.22.1", default-features = false, features = ["sha1"] }
 human-panic = "2.0.6"
 itertools = "0.14"
 lexopt = "0.3.0"

 [dependencies]
 bstr = { workspace = true }
 either = "1.9.0"
 gix-features = { version = "0.43.1", features = ["progress"] }
 gix-features = { version = "0.46", features = ["progress"] }
 gix-hash = { workspace = true }
 gix-odb = "0.70.0"
 gix-pack = "0.60.0"
 gix-protocol = { version = "0.51.0", features = ["blocking-client"] }
 gix-transport = { version = "0.48.0", features = ["blocking-client"] }
 gix-odb = "0.75.0"
 gix-pack = "0.65.0"
 gix-protocol = { version = "0.57.0", features = ["blocking-client"] }
 gix-refspec = "0.37"
 gix-transport = { version = "0.54.0", features = ["blocking-client"] }
 log = { workspace = true, features = ["std"] }
 nonempty = { workspace = true }
 radicle = { workspace = true }

 use std::io;
 use std::time::Instant;
 use gix_protocol::handshake;
 use gix_protocol::{handshake, Handshake};
 pub use gix_protocol::{transport::bstr::ByteSlice, RemoteProgress};
 pub use handle::Handle;

     result
 }
 fn perform_handshake<R, S>(handle: &mut Handle<R, S>) -> Result<handshake::Outcome, Error>
 fn perform_handshake<R, S>(handle: &mut Handle<R, S>) -> Result<Handshake, Error>
 where
     S: transport::ConnectionStream,
 {

 use std::collections::{BTreeMap, BTreeSet, HashSet};
 use bstr::BString;
 use bstr::{BStr, BString};
 use either::Either;
 use gix_protocol::handshake::Ref;
 use nonempty::NonEmpty;

     }
 }
 /// A `ref-prefix` used in the `ls-refs` step of the fetch protocol.
 ///
 /// Since the Radicle protocol only wants to filter by very specific references,
 /// this type captures the possible reference prefixes.
 #[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord)]
 pub(crate) enum RefPrefix {
     /// Represents `refs/rad/id`.
     RadId,
     /// Represents `"refs/namespaces/<namespace>/refs/rad/id"`.
     NamespacedRadId { namespace: PublicKey },
     /// Represents `"refs/namespaces/<namespace>/refs/rad/sigrefs"`.
     NamespacedRadSigrefs { namespace: PublicKey },
     /// Represents `"refs/namespaces"`
     AllNamespaces,
 }
 impl RefPrefix {
     /// Convert the [`RefPrefix`] into its equivalent [`BString`].
     ///
     /// See the [`RefPrefix`] variants for their [`BString`] values.
     pub fn into_bstring(self) -> BString {
         match self {
             RefPrefix::RadId => refs::REFS_RAD_ID.as_bstr().into(),
             RefPrefix::NamespacedRadId { namespace } => {
                 radicle::git::refs::storage::id(&namespace).as_bstr().into()
             }
             RefPrefix::NamespacedRadSigrefs { namespace } => {
                 radicle::git::refs::storage::sigrefs(&namespace)
                     .as_bstr()
                     .into()
             }
             RefPrefix::AllNamespaces => "refs/namespaces".into(),
         }
     }
     /// Convert the [`RefPrefix`] into its equivalent [`RefSpec`].
     ///
     /// See the [`RefPrefix`] variants for their [`BString`] values.
     ///
     /// # Panics
     ///
     /// This will panic if the reference as a [`BString`] value no longer parses
     /// in the upstream [`gix_refspec`] crate.
     ///
     /// [`RefSpec`]: gix_refspec::RefSpec
     pub fn as_refspec(&self) -> gix_refspec::RefSpec {
         use gix_refspec::parse::Operation;
         let parse = |spec: &BStr| -> gix_refspec::RefSpec {
             gix_refspec::parse(spec, Operation::Fetch)
                 .expect("RefPrefix should be valid refspec")
                 .to_owned()
         };
         match self {
             RefPrefix::RadId => parse(refs::REFS_RAD_ID.as_bstr()),
             RefPrefix::NamespacedRadId { namespace } => {
                 parse(radicle::git::refs::storage::id(namespace).as_bstr())
             }
             RefPrefix::NamespacedRadSigrefs { namespace } => {
                 parse(radicle::git::refs::storage::sigrefs(namespace).as_bstr())
             }
             RefPrefix::AllNamespaces => parse(BStr::new("refs/namespaces")),
         }
     }
 }
 /// A [`ProtocolStage`] describes a single roundtrip with the Radicle
 /// node that is serving the data.
 ///

 ///      refdb (in-memory and production).
 pub(crate) trait ProtocolStage {
     /// If and how to perform `ls-refs`.
     fn ls_refs(&self) -> Option<NonEmpty<BString>>;
     fn ls_refs(&self) -> Option<NonEmpty<RefPrefix>>;
     /// Filter a remote-advertised [`Ref`].
     ///

 }
 impl ProtocolStage for CanonicalId {
     fn ls_refs(&self) -> Option<NonEmpty<BString>> {
         Some(NonEmpty::new(refs::REFS_RAD_ID.as_bstr().into()))
     fn ls_refs(&self) -> Option<NonEmpty<RefPrefix>> {
         Some(NonEmpty::new(RefPrefix::RadId))
     }
     fn ref_filter(&self, r: Ref) -> Option<ReceivedRef> {

 }
 impl ProtocolStage for SpecialRefs {
     fn ls_refs(&self) -> Option<NonEmpty<BString>> {
     fn ls_refs(&self) -> Option<NonEmpty<RefPrefix>> {
         match &self.followed {
             policy::Allowed::All => Some(NonEmpty::new("refs/namespaces".into())),
             policy::Allowed::All => Some(NonEmpty::new(RefPrefix::AllNamespaces)),
             policy::Allowed::Followed { remotes } => NonEmpty::collect(
                 remotes
                     .iter()
                     .chain(self.delegates.iter())
                     .flat_map(|remote| {
                         [
                             BString::from(radicle::git::refs::storage::id(remote).to_string()),
                             BString::from(radicle::git::refs::storage::sigrefs(remote).to_string()),
                             RefPrefix::NamespacedRadSigrefs { namespace: *remote },
                             RefPrefix::NamespacedRadId { namespace: *remote },
                         ]
                     }),
             ),

 }
 impl ProtocolStage for SigrefsAt {
     fn ls_refs(&self) -> Option<NonEmpty<BString>> {
     fn ls_refs(&self) -> Option<NonEmpty<RefPrefix>> {
         // N.b. the `Oid`s are known but the `rad/sigrefs` are still
         // asked for to mark them for updating the fetch state.
         NonEmpty::collect(self.refs_at.iter().map(|refs_at| {
             BString::from(radicle::git::refs::storage::sigrefs(&refs_at.remote).to_string())
         }))
         NonEmpty::collect(
             self.refs_at
                 .iter()
                 .map(|refs_at| RefPrefix::NamespacedRadSigrefs {
                     namespace: refs_at.remote,
                 }),
         )
     }
     // We only asked for `rad/sigrefs` so we should only get

 impl ProtocolStage for DataRefs {
     // We don't need to ask for refs since we have all reference names
     // and `Oid`s in `rad/sigrefs`.
     fn ls_refs(&self) -> Option<NonEmpty<BString>> {
     fn ls_refs(&self) -> Option<NonEmpty<RefPrefix>> {
         None
     }

     Ok(())
 }
 #[cfg(test)]
 mod test {
     use super::RefPrefix;
     /// Ensure that the call to [`RefPrefix::as_refspec`] does not panic
     #[test]
     fn valid_refspecs() {
         let namespace = "z6Mkt67GdsW7715MEfRuP4pSZxJRJh6kj6Y48WRqVv4N1tRk"
             .parse()
             .unwrap();
         let prefixes = [
             RefPrefix::AllNamespaces,
             RefPrefix::RadId,
             RefPrefix::NamespacedRadId { namespace },
             RefPrefix::NamespacedRadSigrefs { namespace },
         ];
         for prefix in prefixes {
             prefix.as_refspec();
         }
     }
 }

 use std::collections::{BTreeMap, BTreeSet};
 use std::time::Instant;
 use gix_protocol::handshake;
 use gix_protocol::Handshake;
 use radicle::crypto::PublicKey;
 use radicle::git::{fmt::Qualified, Oid};
 use radicle::identity::{Did, Doc, DocError};

     pub(super) fn run_stage<R, S, F>(
         &mut self,
         handle: &mut Handle<R, S>,
         handshake: &handshake::Outcome,
         handshake: &Handshake,
         step: &F,
     ) -> Result<BTreeSet<PublicKey>, error::Step>
     where

         let refs = match step.ls_refs() {
             Some(refs) => handle
                 .transport
                 .ls_refs(refs.into(), handshake)?
                 .ls_refs(refs, handshake)?
                 .into_iter()
                 .filter_map(|r| step.ref_filter(r))
                 .collect::<Vec<_>>(),
             None => vec![],
         };
         log::trace!("Received refs {refs:?}");
         log::trace!("Received refs {refs:#?}");
         step.pre_validate(&refs)?;
         let wants_haves = step.wants_haves(handle.repository(), &refs)?;