Commit c6b777d

chore(deps): update rust crate gix to 0.71.0 [security] (#15391)

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| [gix](https://redirect.github.com/GitoxideLabs/gitoxide) | workspace.dependencies | minor | `0.70.0` -> `0.71.0` |

### GitHub Vulnerability Alerts

#### [CVE-2025-31130](https://redirect.github.com/GitoxideLabs/gitoxide/security/advisories/GHSA-2frx-2596-x5r6)

### Summary

gitoxide uses SHA-1 hash implementations without any collision detection, leaving it vulnerable to hash collision attacks.

### Details

gitoxide uses the `sha1_smol` or `sha1` crate, both of which implement standard SHA-1 without any mitigations for collision attacks. This means that two distinct Git objects with colliding SHA-1 hashes would break the Git object model and integrity checks when used with gitoxide.

The SHA-1 function is considered cryptographically insecure. However, in the wake of the SHAttered attacks, this issue was mitigated in Git 2.13.0 in 2017 by using the [sha1collisiondetection](https://redirect.github.com/crmarcstevens/sha1collisiondetection) algorithm by default and producing an error when known SHA-1 collisions are detected.

Git is in the process of migrating to using SHA-256 for object hashes, but this has not been rolled out widely yet and gitoxide does not support SHA-256 object hashes.

### PoC

The following program demonstrates the problem, using the two [SHAttered PDFs](https://shattered.io/):

```rust
use sha1_checked::{CollisionResult, Digest};

fn sha1_oid_of_file(filename: &str) -> gix::ObjectId {
    let mut hasher = gix::features::hash::hasher(gix::hash::Kind::Sha1);
    hasher.update(&std::fs::read(filename).unwrap());
    gix::ObjectId::Sha1(hasher.digest())
}

fn sha1dc_oid_of_file(filename: &str) -> Result<gix::ObjectId, String> {
    // Matches Git’s behaviour.
    let mut hasher = sha1_checked::Builder::default().safe_hash(false).build();
    hasher.update(&std::fs::read(filename).unwrap());
    match hasher.try_finalize() {
        CollisionResult::Ok(digest) => Ok(gix::ObjectId::Sha1(digest.into())),
        CollisionResult::Mitigated(_) => unreachable!(),
        CollisionResult::Collision(digest) => Err(format!(
            "Collision attack: {}",
            gix::ObjectId::Sha1(digest.into()).to_hex()
        )),
    }
}

fn main() {
    dbg!(sha1_oid_of_file("shattered-1.pdf"));
    dbg!(sha1_oid_of_file("shattered-2.pdf"));
    dbg!(sha1dc_oid_of_file("shattered-1.pdf"));
    dbg!(sha1dc_oid_of_file("shattered-2.pdf"));
}
```

The output is as follows:

```
[src/main.rs:24:5] sha1_oid_of_file("shattered-1.pdf") = Sha1(38762cf7f55934b34d179ae6a4c80cadccbb7f0a)
[src/main.rs:25:5] sha1_oid_of_file("shattered-2.pdf") = Sha1(38762cf7f55934b34d179ae6a4c80cadccbb7f0a)
[src/main.rs:26:5] sha1dc_oid_of_file("shattered-1.pdf") = Err(
    "Collision attack: 38762cf7f55934b34d179ae6a4c80cadccbb7f0a",
)
[src/main.rs:27:5] sha1dc_oid_of_file("shattered-2.pdf") = Err(
    "Collision attack: 38762cf7f55934b34d179ae6a4c80cadccbb7f0a",
)
```

The latter behaviour matches Git.

Since the SHAttered PDFs are not in a valid format for Git objects, a direct proof‐of‐concept using higher‐level APIs cannot be immediately demonstrated without significant computational resources.

### Impact

An attacker with the ability to mount a collision attack on SHA-1 like the [SHAttered](https://shattered.io/) or [SHA-1 is a Shambles](https://sha-mbles.github.io/) attacks could create two distinct Git objects with the same hash. This is becoming increasingly affordable for well‐resourced attackers, with the Shambles researchers in 2020 estimating $45k for a chosen‐prefix collision or $11k for a classical collision, and projecting less than $10k for a chosen‐prefix collision by 2025.

The result could be used to disguise malicious repository contents, or potentially exploit assumptions in the logic of programs using gitoxide to cause further vulnerabilities.

This vulnerability affects any user of gitoxide, including `gix-*` library crates, that reads or writes Git objects.

---

### Release Notes

<details>
<summary>GitoxideLabs/gitoxide (gix)</summary>

### [`v0.71.0`](https://redirect.github.com/GitoxideLabs/gitoxide/releases/tag/gix-v0.71.0): gix v0.71.0

[Compare Source](https://redirect.github.com/GitoxideLabs/gitoxide/compare/gix-v0.70.0...gix-v0.71.0)

##### Changed

- read config losslessly even without `debug_assertions`
  This should hopefully not be a breaking change, as the same code could produce the same behaviour if compiled with different flags, and the semantic meaning of the resulting configuration should be the same. But Hyrum’s law is always lurking…

##### Documentation

- specify ThreadSafeRepository is not Send/Sync without "parallel"

##### New Features

- add `Repository::checkout_options()`.
  It's a low-level set of options to drive (quite unsafe) checkouts. They are unsafe as they may be configured to overwrite, and are in no way similar to `git checkout`.
- add `Repository::head_tree_id_or_empty()` for convenience.
- add `Repository::workdir_path()` to easily obtain a `Path` for worktree items.
- add `Repository::workdir()` as replacement for `Repository::work_dir()`.
  Keep the latter as deprecated though.
- `filter::Pipeline::worktree_file_to_object()` now can add `Commit` type objects.
- add `filter::Pipeline::worktree_file_to_object()`.
  That way it's easier to correctly add whole files into the object database.
- make internal `repo` fields public for ease of use.
  That way, functions or methods taking such a type as argument have access to the underlying repository so it doesn't need to be passed as separate argument.
- add `blob::platform::Resource::intern_source_strip_newline_separators()`
  That way it will be easier to have typical Git-style patches diffs around files that don't end with a newline.
- add `Repository::big_file_threshold()` to easily learn what Git considers a big file.

##### Bug Fixes

- Don't panic when rev-parsing `^^^` and similar
- `filter::Pipeline::convert_to_git()` now also works on Windows under all circumstances.
- assure `Repository::commit_as()` also uses the committer for reflogs
  Previously it would retrieve the configured committer, or trigger an error if there was none despite the committer being provided to `commit_as()`.
  This also adds `Repository::edit_references_as(committer)` to allow passing a given committer.

##### Other

- <csr-id-866affde8ef17f201884b8a4b36cc4c7f449d6fe/> `Repository::commit()` now explains how to create a commit without ref updates.

##### Changed (BREAKING)

- drop obsolete SHA‐1 features
  The hashing API has moved to `gix_hash::hasher`, and we now use `sha1-checked` unconditionally.

##### Bug Fixes (BREAKING)

- make clear what `with_pruned()` is doing by renaming it to `with_boundary()`.
  This is how it acts, and it's not at all the same as `hide()` in `git2`.

##### Commit Statistics

- 57 commits contributed to the release.
- 17 commits were understood as [conventional](https://www.conventionalcommits.org).
- 2 unique issues were worked on: [#1829](https://redirect.github.com/GitoxideLabs/gitoxide/issues/1829), [#1914](https://redirect.github.com/GitoxideLabs/gitoxide/issues/1914)

##### Thanks Clippy

[Clippy](https://redirect.github.com/rust-lang/rust-clippy) helped 1 time to make code idiomatic.

##### Commit Details

<csr-read-only-do-not-edit/>

<details><summary>view details</summary>

- **[#1829](https://redirect.github.com/GitoxideLabs/gitoxide/issues/1829)**
  - Assure `Repository::commit_as()` also uses the committer for reflogs ([`9bec947`](https://redirect.github.com/GitoxideLabs/gitoxide/commit/9bec947))
- **[#1914](https://redirect.github.com/GitoxideLabs/gitoxide/issues/1914)**
  - Don't panic when rev-parsing `^^^` and similar ([`aa8daf8`](https://redirect.github.com/GitoxideLabs/gitoxide/commit/aa8daf8))
- **Uncategorized**
  - Release gix-sec v0.10.12, gix-config v0.44.0, gix-prompt v0.10.0, gix-url v0.30.0, gix-credentials v0.28.0, gix-discover v0.39.0, gix-dir v0.13.0, gix-mailmap v0.26.0, gix-revision v0.33.0, gix-merge v0.4.0, gix-negotiate v0.19.0, gix-pack v0.58.0, gix-odb v0.68.0, gix-refspec v0.29.0, gix-shallow v0.3.0, gix-packetline v0.18.4, gix-transport v0.46.0, gix-protocol v0.49.0, gix-status v0.18.0, gix-submodule v0.18.0, gix-worktree-state v0.18.0, gix v0.71.0, gix-fsck v0.10.0, gitoxide-core v0.46.0, gitoxide v0.42.0 ([`ada5a94`](https://redirect.github.com/GitoxideLabs/gitoxide/commit/ada5a94))
  - Release gix-date v0.9.4, gix-utils v0.2.0, gix-actor v0.34.0, gix-features v0.41.0, gix-hash v0.17.0, gix-hashtable v0.8.0, gix-path v0.10.15, gix-validate v0.9.4, gix-object v0.48.0, gix-glob v0.19.0, gix-quote v0.5.0, gix-attributes v0.25.0, gix-command v0.5.0, gix-packetline-blocking v0.18.3, gix-filter v0.18.0, gix-fs v0.14.0, gix-commitgraph v0.27.0, gix-revwalk v0.19.0, gix-traverse v0.45.0, gix-worktree-stream v0.20.0, gix-archive v0.20.0, gix-tempfile v17.0.0, gix-lock v17.0.0, gix-index v0.39.0, gix-config-value v0.14.12, gix-pathspec v0.10.0, gix-ignore v0.14.0, gix-worktree v0.40.0, gix-diff v0.51.0, gix-blame v0.1.0, gix-ref v0.51.0, gix-config v0.44.0, gix-prompt v0.10.0, gix-url v0.30.0, gix-credentials v0.28.0, gix-discover v0.39.0, gix-dir v0.13.0, gix-mailmap v0.26.0, gix-revision v0.33.0, gix-merge v0.4.0, gix-negotiate v0.19.0, gix-pack v0.58.0, gix-odb v0.68.0, gix-refspec v0.29.0, gix-shallow v0.3.0, gix-packetline v0.18.4, gix-transport v0.46.0, gix-protocol v0.49.0, gix-status v0.18.0, gix-submodule v0.18.0, gix-worktree-state v0.18.0, gix v0.71.0, gix-fsck v0.10.0, gitoxide-core v0.46.0, gitoxide v0.42.0, safety bump 48 crates ([`b41312b`](https://redirect.github.com/GitoxideLabs/gitoxide/commit/b41312b))
  - Update changelogs prior to release ([`38dff41`](https://redirect.github.com/GitoxideLabs/gitoxide/commit/38dff41))
  - Merge pull request [#1915](https://redirect.github.com/GitoxideLabs/gitoxide/issues/1915) from emilazy/push-qvyqmopsoltr ([`4660f7a`](https://redirect.github.com/GitoxideLabs/gitoxide/commit/4660f7a))
  - Migrate `gix_object::{try_ =>}compute_hash` users ([`3d7e379`](https://redirect.github.com/GitoxideLabs/gitoxide/commit/3d7e379))
  - Migrate hashing API users to fallible versions ([`fbf6cc8`](https://redirect.github.com/GitoxideLabs/gitoxide/commit/fbf6cc8))
  - Drop obsolete SHA‐1 features ([`fd12ef8`](https://redirect.github.com/GitoxideLabs/gitoxide/commit/fd12ef8))
  - Merge pull request [#1851](https://redirect.github.com/GitoxideLabs/gitoxide/issues/1851) from GitoxideLabs/fix-1850 ([`cd96b64`](https://redirect.github.com/GitoxideLabs/gitoxide/commit/cd96b64))
  - Adapt to changes in `gix-features` ([`5f8bff8`](https://redirect.github.com/GitoxideLabs/gitoxide/commit/5f8bff8))
  - Merge pull request [#1916](https://redirect.github.com/GitoxideLabs/gitoxide/issues/1916) from GitoxideLabs/fix-1914 ([`32b54b3`](https://redirect.github.com/GitoxideLabs/gitoxide/commit/32b54b3))
  - Merge pull request [#1909](https://redirect.github.com/GitoxideLabs/gitoxide/issues/1909) from cruessler/take-to-components-in-fs-stack ([`5cb5337`](https://redirect.github.com/GitoxideLabs/gitoxide/commit/5cb5337))
  - Use `gix_fs::stack::ToNormalPathComponents` everywhere. ([`1f98edb`](https://redirect.github.com/GitoxideLabs/gitoxide/commit/1f98edb))
  - Update MSRV to 1.75 for access to `impl` returns in traits. ([`569c186`](https://redirect.github.com/GitoxideLabs/gitoxide/commit/569c186))
  - Merge pull request [#1911](https://redirect.github.com/GitoxideLabs/gitoxide/issues/1911) from GitoxideLabs/improvements ([`bfa3253`](https://redirect.github.com/GitoxideLabs/gitoxide/commit/bfa3253))
  - `filter::Pipeline::convert_to_git()` now also works on Windows under all circumstances. ([`dcdb8ea`](https://redirect.github.com/GitoxideLabs/gitoxide/commit/dcdb8ea))
  - Merge pull request [#1907](https://redirect.github.com/GitoxideLabs/gitoxide/issues/1907) from EliahKagan/run-ci/raw ([`7b17da6`](https://redirect.github.com/GitoxideLabs/gitoxide/commit/7b17da6))
  - Drop trailing `,` just before `)` on same line in function calls ([`66a5ae1`](https://redirect.github.com/GitoxideLabs/gitoxide/commit/66a5ae1))
  - Use raw literals for more strings with backslashes ([`01bd76d`](https://redirect.github.com/GitoxideLabs/gitoxide/commit/01bd76d))
  - Merge pull request [#1898](https://redirect.github.com/GitoxideLabs/gitoxide/issues/1898) from GitoxideLabs/improvements ([`7255a5f`](https://redirect.github.com/GitoxideLabs/gitoxide/commit/7255a5f))
  - Improve documentation of a field that one can easily get wrong otherwise. ([`5a1b3d6`](https://redirect.github.com/GitoxideLabs/gitoxide/commit/5a1b3d6))
  - Merge pull request [#1873](https://redirect.github.com/GitoxideLabs/gitoxide/issues/1873) from NobodyXu/zlib-rs ([`316f113`](https://redirect.github.com/GitoxideLabs/gitoxide/commit/316f113))
  - Review adjustments for zlib-rs support. ([`5e618b6`](https://redirect.github.com/GitoxideLabs/gitoxide/commit/5e618b6))
  - Add new feature zlib-rs ([`8b1b55c`](https://redirect.github.com/GitoxideLabs/gitoxide/commit/8b1b55c))
  - Revert "Instrument make_remote_repos.sh to view `config` corruption" ([`9061fc4`](https://redirect.github.com/GitoxideLabs/gitoxide/commit/9061fc4))
  - Instrument make_remote_repos.sh to view `config` corruption ([`d290ad9`](https://redirect.github.com/GitoxideLabs/gitoxide/commit/d290ad9))
  - Merge pull request [#1884](https://redirect.github.com/GitoxideLabs/gitoxide/issues/1884) from GitoxideLabs/improvements ([`0bf1d5b`](https://redirect.github.com/GitoxideLabs/gitoxide/commit/0bf1d5b))
  - Merge pull request [#1876](https://redirect.github.com/GitoxideLabs/gitoxide/issues/1876) from joshtriplett/fix-tests-in-environments-with-env-variables-set ([`dc8bd63`](https://redirect.github.com/GitoxideLabs/gitoxide/commit/dc8bd63))
  - Fix tests when `GIT_AUTHOR_NAME` or `GIT_COMMITTER_NAME` are set ([`94dda22`](https://redirect.github.com/GitoxideLabs/gitoxide/commit/94dda22))
  - Add `Repository::checkout_options()`. ([`5054780`](https://redirect.github.com/GitoxideLabs/gitoxide/commit/5054780))
  - Add `Repository::head_tree_id_or_empty()` for convenience. ([`02878c9`](https://redirect.github.com/GitoxideLabs/gitoxide/commit/02878c9))
  - Add `Repository::workdir_path()` to easily obtain a `Path` for worktree items. ([`776f9be`](https://redirect.github.com/GitoxideLabs/gitoxide/commit/776f9be))
  - Add `Repository::workdir()` as replacement for `Repository::work_dir()`. ([`518fbbc`](https://redirect.github.com/GitoxideLabs/gitoxide/commit/518fbbc))
  - Merge pull request [#1882](https://redirect.github.com/GitoxideLabs/gitoxide/issues/1882) from emilazy/push-ylwwuwymlmwt ([`10e41ee`](https://redirect.github.com/GitoxideLabs/gitoxide/commit/10e41ee))
  - Fix cargo-deny using a prodash-update and ignore directive ([`cf7f34d`](https://redirect.github.com/GitoxideLabs/gitoxide/commit/cf7f34d))
  - Read config losslessly even without `debug_assertions` ([`9800e9c`](https://redirect.github.com/GitoxideLabs/gitoxide/commit/9800e9c))
  - Merge pull request [#1854](https://redirect.github.com/GitoxideLabs/gitoxide/issues/1854) from GitoxideLabs/montly-report ([`16a248b`](https://redirect.github.com/GitoxideLabs/gitoxide/commit/16a248b))
  - Thanks clippy ([`8e96ed3`](https://redirect.github.com/GitoxideLabs/gitoxide/commit/8e96ed3))
  - Merge pull request [#1837](https://redirect.github.com/GitoxideLabs/gitoxide/issues/1837) from GitoxideLabs/improvements ([`b4fe425`](https://redirect.github.com/GitoxideLabs/gitoxide/commit/b4fe425))
  - `Repository::commit()` now explains how to create a commit without ref updates. ([`866affd`](https://redirect.github.com/GitoxideLabs/gitoxide/commit/866affd))
  - Merge pull request [#1835](https://redirect.github.com/GitoxideLabs/gitoxide/issues/1835) from GitoxideLabs/fixes ([`503098d`](https://redirect.github.com/GitoxideLabs/gitoxide/commit/503098d))
  - Merge pull request [#1834](https://redirect.github.com/GitoxideLabs/gitoxide/issues/1834) from GitoxideLabs/improvements ([`5c327bb`](https://redirect.github.com/GitoxideLabs/gitoxide/commit/5c327bb))
  - `filter::Pipeline::worktree_file_to_object()` now can add `Commit` type objects. ([`27e62d7`](https://redirect.github.com/GitoxideLabs/gitoxide/commit/27e62d7))
  - Merge pull request [#1833](https://redirect.github.com/GitoxideLabs/gitoxide/issues/1833) from GitoxideLabs/improvements ([`c042813`](https://redirect.github.com/GitoxideLabs/gitoxide/commit/c042813))
  - Add `filter::Pipeline::worktree_file_to_object()`. ([`70ebd5f`](https://redirect.github.com/GitoxideLabs/gitoxide/commit/70ebd5f))
  - Make internal `repo` fields public for ease of use. ([`23d2bed`](https://redirect.github.com/GitoxideLabs/gitoxide/commit/23d2bed))
  - Merge pull request [#1821](https://redirect.github.com/GitoxideLabs/gitoxide/issues/1821) from GitoxideLabs/improvements ([`914bf28`](https://redirect.github.com/GitoxideLabs/gitoxide/commit/914bf28))
  - Add `blob::platform::Resource::intern_source_strip_newline_separators()` ([`37582b0`](https://redirect.github.com/GitoxideLabs/gitoxide/commit/37582b0))
  - Merge pull request [#1820](https://redirect.github.com/GitoxideLabs/gitoxide/issues/1820) from GitoxideLabs/improvements ([`daa6d4a`](https://redirect.github.com/GitoxideLabs/gitoxide/commit/daa6d4a))
  - Make clear what `with_pruned()` is doing by renaming it to `with_boundary()`. ([`b78e7dd`](https://redirect.github.com/GitoxideLabs/gitoxide/commit/b78e7dd))
  - Merge pull request [#1807](https://redirect.github.com/GitoxideLabs/gitoxide/issues/1807) from bryceberger/bryce/push-xqrmpyoxlosq ([`79cb655`](https://redirect.github.com/GitoxideLabs/gitoxide/commit/79cb655))
  - Refactor ([`d7ddbb7`](https://redirect.github.com/GitoxideLabs/gitoxide/commit/d7ddbb7))
  - Specify ThreadSafeRepository is not Send/Sync without "parallel" ([`687322b`](https://redirect.github.com/GitoxideLabs/gitoxide/commit/687322b))
  - Merge pull request [#1785](https://redirect.github.com/GitoxideLabs/gitoxide/issues/1785) from GitoxideLabs/improvements ([`1a69c40`](https://redirect.github.com/GitoxideLabs/gitoxide/commit/1a69c40))
  - Add `Repository::big_file_threshold()` to easily learn what Git considers a big file. ([`f3257f3`](https://redirect.github.com/GitoxideLabs/gitoxide/commit/f3257f3))
  - Merge pull request [#1778](https://redirect.github.com/GitoxideLabs/gitoxide/issues/1778) from GitoxideLabs/new-release ([`8df0db2`](https://redirect.github.com/GitoxideLabs/gitoxide/commit/8df0db2))

</details>
</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/rust-lang/cargo).
2 parents ef7d315 + 2253485 commit c6b777d
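The advisory above notes that the SHAttered PDFs are not valid Git objects, so the raw-file collision cannot be turned into a higher-level PoC directly. The reason is Git's object framing: an object id is the SHA-1 of a `<kind> <size>\0` header followed by the content, not of the content alone, and every reader is expected to recompute and compare that id. The Python below is an added example for this page, not code from gitoxide, Git or the Renovate PR; it implements that framing for blobs and trees and the reader-side integrity check with the standard library's `hashlib.sha1`, which, like the `sha1` and `sha1_smol` crates named in the advisory, has no collision detection, so it reproduces the pre-0.71 behaviour rather than the `sha1-checked` mitigation. Function names are my own; the expected ids are the well-known Git ids of the empty blob, the blob containing `hello\n`, and the empty tree.

```python
"""Git SHA-1 object-id framing and integrity verification (added example).

Uses only the standard library. hashlib.sha1 performs plain SHA-1 with no
collision detection, i.e. the behaviour CVE-2025-31130 describes for gix
before 0.71; Git (sha1collisiondetection) and gix >= 0.71 (sha1-checked)
would additionally fail on inputs that match a known collision pattern.
"""
import hashlib

OBJECT_KINDS = ("blob", "tree", "commit", "tag")


def raw_sha1(data: bytes) -> str:
    """SHA-1 of the bytes as-is (what the SHAttered collision targets)."""
    return hashlib.sha1(data).hexdigest()


def git_object_id(kind: str, content: bytes) -> str:
    """Git object id: sha1(b"<kind> <len>\\0" + content).

    The header is why a collision between two raw files does not by itself
    yield two colliding Git objects: the hashed message is different.
    """
    if kind not in OBJECT_KINDS:
        raise ValueError(f"unknown object kind: {kind!r}")
    header = f"{kind} {len(content)}\0".encode("ascii")
    return hashlib.sha1(header + content).hexdigest()


def blob_id(content: bytes) -> str:
    return git_object_id("blob", content)


def tree_id(entries) -> str:
    """Id of a tree built from (mode, name, hex_oid) entries.

    Git sorts entries by name, comparing directory names as if they ended
    in '/'; each entry is "<mode> <name>\\0" followed by the raw 20-byte id.
    """
    def sort_key(entry):
        mode, name, _ = entry
        return name + "/" if mode == "40000" else name

    body = b""
    for mode, name, oid in sorted(entries, key=sort_key):
        body += f"{mode} {name}\0".encode("utf-8") + bytes.fromhex(oid)
    return git_object_id("tree", body)


def verify_object(expected_id: str, kind: str, content: bytes) -> bool:
    """The check an object reader must perform: recompute and compare the id.

    Returns False on any mismatch. Note that with a plain SHA-1 this check
    cannot distinguish a genuine object from a colliding one; only a
    collision-detecting hash (sha1dc / sha1-checked) can report that case.
    """
    return git_object_id(kind, content) == expected_id.lower()


if __name__ == "__main__":
    # Constructed sample content; the ids are the well-known Git values.
    print("empty blob  ", blob_id(b""))          # e69de29b...
    print("raw sha1('')", raw_sha1(b""))         # da39a3ee... (differs: no header)
    print("hello blob  ", blob_id(b"hello\n"))   # ce013625...
    print("empty tree  ", tree_id([]))           # 4b825dc6...
    print("verify ok   ", verify_object("ce013625030ba8dba906f756967f9e9ca394464a", "blob", b"hello\n"))
    print("verify bad  ", verify_object("ce013625030ba8dba906f756967f9e9ca394464a", "blob", b"hello"))
```

Running it prints the ids that `git hash-object` would produce for the same inputs. The `raw_sha1` line shows concretely why the SHAttered files need a header-aware collision before they threaten the object model, and `verify_object` is the integrity check whose guarantee a collision would break.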

File tree

3 files changed

+125
-134
lines changed