Bump gix-path from 0.10.10 to 0.10.11

[dependabot]

Bumps gix-path from 0.10.10 to 0.10.11.

Release notes

Sourced from gix-path's releases.

gix-path v0.10.11

Bug Fixes

• Don't require usable temp dir to get installation config When running git config -l ... to find the configuration file path associated with the git installation itself, the current working directory for the subprocess was set to the current directory prior to #1523, and to /tmp or a /tmp-like directory since #1523 (which improved performance and security).

  This builds on #1523, as well as on subsequent changes to run git in a way that its behavior depends less on its CWD, by making an even more robust choice of CWD for the subprocess, so that the CWD is less likely to be deeply nested or on network storage; more likely to exist; and, on Unix-like systems, less likely to contain a .git entry (though a git with security updates should refuse to take any configuration from such a repository unless it is owned by the user).

  Due to a combination of other measures that harden against malicious or unusual contents (especially setting GIT_DIR), the most significant benefit of this change is to fix the problem that a nonexistent temp dir would prevent the command from succeeding.

  The main way that could happen is if TMPDIR on Unix-like systems, or TMP or TEMP on Windows, is set to an incorrect value. Because these variables are sometimes reasonable to customize for specific purposes, it is plausible for them to be set to incorrect values by accident.

  Except on Windows, this always uses / as the CWD for the subprocess.

  On Windows, we use the Windows directory (usually C:\Windows) rather than the root of the system drive (usually C:\), because:

  • We are currently obtaining this information from environment variables, and it is possible for our own parent process to pass down an overly sanitized environment.

  Although this can be so sanitized we cannot find the Windows directory, this is less likely to occur than being unable to find the root of the system drive.

  This due to moderately broad awareness that the SystemRoot environment variable (which, somewhat confusingly, holds the path of the Windows directory, not the root of the system drive) should be preserved even when clearing most other variables.

  Some libraries will even automatically preserve SystemRoot when

... (truncated)

Commits

• 012a754 Release gix-trace v0.1.10, gix-path v0.10.11
• c759819 prepare changelogs prior to release.
• d69c617 Merge pull request #1566 from Byron/merge
• b91d909 thanks clippy
• dfbc732 feat!: optionally store objects new objects in memory only.
• ca5294a feat: add InMemoryPassThrough implementation.
• b279957 feat: add tree-editing capabilities to Tree and Repository.
• 7c48556 feat: TreeRef::to_owned() and Tree::into_owned() for a convenient way to ...
• 39d8e03 Use a standard HashMap instead of one based on SHA1
• b5dc45f Add benchmarks for the tree editor and the tree-editor cursor
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.