mirror of https://github.com/google/comprehensive-rust.git synced 2026-04-25 23:11:02 +02:00

T

dependabot[bot] 4b60b9d9cf build(deps-dev): bump the npm_and_yarn group across 1 directory with 2 updates (#3160 )

Bumps the npm_and_yarn group with 2 updates in the /tests directory:
[basic-ftp](https://github.com/patrickjuchli/basic-ftp) and
[lodash](https://github.com/lodash/lodash).

Updates `basic-ftp` from 5.2.1 to 5.2.2
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/patrickjuchli/basic-ftp/releases">basic-ftp's
releases</a>.</em></p>
<blockquote>
<h2>5.2.2</h2>
<ul>
<li>Fixed: Improve control character rejection, fixes <a
href="https://github.com/patrickjuchli/basic-ftp/security/advisories/GHSA-6v7q-wjvx-w8wg">https://github.com/patrickjuchli/basic-ftp/security/advisories/GHSA-6v7q-wjvx-w8wg</a>.</li>
</ul>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a
href="https://github.com/patrickjuchli/basic-ftp/blob/master/CHANGELOG.md">basic-ftp's
changelog</a>.</em></p>
<blockquote>
<h2>5.2.2</h2>
<ul>
<li>Fixed: Improve control character rejection, fixes <a
href="https://github.com/patrickjuchli/basic-ftp/security/advisories/GHSA-6v7q-wjvx-w8wg">https://github.com/patrickjuchli/basic-ftp/security/advisories/GHSA-6v7q-wjvx-w8wg</a>.</li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/patrickjuchli/basic-ftp/commit/e9d09d6815b300b73e1297cdcf91786a979ef212"><code>e9d09d6</code></a>
Bump version</li>
<li><a
href="https://github.com/patrickjuchli/basic-ftp/commit/20327d35126e57e5fdbaae79a4b65222fbadc53c"><code>20327d3</code></a>
Move prevention of control character injection to more central
place</li>
<li>See full diff in <a
href="https://github.com/patrickjuchli/basic-ftp/compare/v5.2.1...v5.2.2">compare
view</a></li>
</ul>
</details>
<br />

Updates `lodash` from 4.17.23 to 4.18.1
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a
href="https://github.com/lodash/lodash/releases">lodash's
releases</a>.</em></p>
<blockquote>
<h2>4.18.1</h2>
<h2>Bugs</h2>
<p>Fixes a <code>ReferenceError</code> issue in <code>lodash</code>
<code>lodash-es</code> <code>lodash-amd</code> and
<code>lodash.template</code> when using the <code>template</code> and
<code>fromPairs</code> functions from the modular builds. See <a
href="https://redirect.github.com/lodash/lodash/issues/6167#issuecomment-4165269769">lodash/lodash#6167</a></p>
<p>These defects were related to how lodash distributions are built from
the main branch using <a
href="https://github.com/lodash-archive/lodash-cli">https://github.com/lodash-archive/lodash-cli</a>.
When internal dependencies change inside lodash functions, equivalent
updates need to be made to a mapping in the lodash-cli. (hey, it was
ahead of its time once upon a time!). We know this, but we missed it in
the last release. It's the kind of thing that passes in CI, but fails bc
the build is not the same thing you tested.</p>
<p>There is no diff on main for this, but you can see the diffs for each
of the npm packages on their respective branches:</p>
<ul>
<li><code>lodash</code>: <a
href="https://github.com/lodash/lodash/compare/4.18.0-npm...4.18.1-npm">https://github.com/lodash/lodash/compare/4.18.0-npm...4.18.1-npm</a></li>
<li><code>lodash-es</code>: <a
href="https://github.com/lodash/lodash/compare/4.18.0-es...4.18.1-es">https://github.com/lodash/lodash/compare/4.18.0-es...4.18.1-es</a></li>
<li><code>lodash-amd</code>: <a
href="https://github.com/lodash/lodash/compare/4.18.0-amd...4.18.1-amd">https://github.com/lodash/lodash/compare/4.18.0-amd...4.18.1-amd</a></li>
<li><code>lodash.template</code><a
href="https://github.com/lodash/lodash/compare/4.18.0-npm-packages...4.18.1-npm-packages">https://github.com/lodash/lodash/compare/4.18.0-npm-packages...4.18.1-npm-packages</a></li>
</ul>
<h2>4.18.0</h2>
<h2>v4.18.0</h2>
<p><strong>Full Changelog</strong>: <a
href="https://github.com/lodash/lodash/compare/4.17.23...4.18.0">https://github.com/lodash/lodash/compare/4.17.23...4.18.0</a></p>
<h3>Security</h3>
<p><strong><code>_.unset</code> / <code>_.omit</code></strong>: Fixed
prototype pollution via <code>constructor</code>/<code>prototype</code>
path traversal (<a
href="https://github.com/lodash/lodash/security/advisories/GHSA-f23m-r3pf-42rh">GHSA-f23m-r3pf-42rh</a>,
<a
href="https://github.com/lodash/lodash/commit/fe8d32eda854377349a4f922ab7655c8e5df9a0b">fe8d32e</a>).
Previously, array-wrapped path segments and primitive roots could bypass
the existing guards, allowing deletion of properties from built-in
prototypes. Now <code>constructor</code> and <code>prototype</code> are
blocked unconditionally as non-terminal path keys, matching
<code>baseSet</code>. Calls that previously returned <code>true</code>
and deleted the property now return <code>false</code> and leave the
target untouched.</p>
<p><strong><code>_.template</code></strong>: Fixed code injection via
<code>imports</code> keys (<a
href="https://github.com/lodash/lodash/security/advisories/GHSA-r5fr-rjxr-66jc">GHSA-r5fr-rjxr-66jc</a>,
CVE-2026-4800, <a
href="https://github.com/lodash/lodash/commit/879aaa93132d78c2f8d20c60279da9f8b21576d6">879aaa9</a>).
Fixes an incomplete patch for CVE-2021-23337. The <code>variable</code>
option was validated against <code>reForbiddenIdentifierChars</code> but
<code>importsKeys</code> was left unguarded, allowing code injection via
the same <code>Function()</code> constructor sink. <code>imports</code>
keys containing forbidden identifier characters now throw
<code>&quot;Invalid imports option passed into
_.template&quot;</code>.</p>
<h3>Docs</h3>
<ul>
<li>Add security notice for <code>_.template</code> in threat model and
API docs (<a
href="https://redirect.github.com/lodash/lodash/pull/6099">#6099</a>)</li>
<li>Document <code>lower &gt; upper</code> behavior in
<code>_.random</code> (<a
href="https://redirect.github.com/lodash/lodash/pull/6115">#6115</a>)</li>
<li>Fix quotes in <code>_.compact</code> jsdoc (<a
href="https://redirect.github.com/lodash/lodash/pull/6090">#6090</a>)</li>
</ul>
<h3><code>lodash.*</code> modular packages</h3>
<p><a
href="https://redirect.github.com/lodash/lodash/pull/6157">Diff</a></p>
<p>We have also regenerated and published a select number of the
<code>lodash.*</code> modular packages.</p>
<p>These modular packages had fallen out of sync significantly from the
minor/patch updates to lodash. Specifically, we have brought the
following packages up to parity w/ the latest lodash release because
they have had CVEs on them in the past:</p>
<ul>
<li><a
href="https://www.npmjs.com/package/lodash.orderby">lodash.orderby</a></li>
<li><a
href="https://www.npmjs.com/package/lodash.tonumber">lodash.tonumber</a></li>
<li><a
href="https://www.npmjs.com/package/lodash.trim">lodash.trim</a></li>
<li><a
href="https://www.npmjs.com/package/lodash.trimend">lodash.trimend</a></li>
<li><a
href="https://www.npmjs.com/package/lodash.sortedindexby">lodash.sortedindexby</a></li>
<li><a
href="https://www.npmjs.com/package/lodash.zipobjectdeep">lodash.zipobjectdeep</a></li>
<li><a
href="https://www.npmjs.com/package/lodash.unset">lodash.unset</a></li>
<li><a
href="https://www.npmjs.com/package/lodash.omit">lodash.omit</a></li>
<li><a
href="https://www.npmjs.com/package/lodash.template">lodash.template</a></li>
</ul>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a
href="https://github.com/lodash/lodash/commit/cb0b9b9212521c08e3eafe7c8cb0af1b42b6649e"><code>cb0b9b9</code></a>
release(patch): bump main to 4.18.1 (<a
href="https://redirect.github.com/lodash/lodash/issues/6177">#6177</a>)</li>
<li><a
href="https://github.com/lodash/lodash/commit/75535f57883b7225adb96de1cfc1cd4169cfcb51"><code>75535f5</code></a>
chore: prune stale advisory refs (<a
href="https://redirect.github.com/lodash/lodash/issues/6170">#6170</a>)</li>
<li><a
href="https://github.com/lodash/lodash/commit/62e91bc6a39c98d85b9ada8c44d40593deaf82a4"><code>62e91bc</code></a>
docs: remove n_ Node.js &lt; 6 REPL note from README (<a
href="https://redirect.github.com/lodash/lodash/issues/6165">#6165</a>)</li>
<li><a
href="https://github.com/lodash/lodash/commit/59be2de61f8aa9461c7856533b51d31b7d8babc4"><code>59be2de</code></a>
release(minor): bump to 4.18.0 (<a
href="https://redirect.github.com/lodash/lodash/issues/6161">#6161</a>)</li>
<li><a
href="https://github.com/lodash/lodash/commit/af634573030f979194871da7c68f79420992f53d"><code>af63457</code></a>
fix: broken tests for _.template 879aaa9</li>
<li><a
href="https://github.com/lodash/lodash/commit/1073a7693e1727e0cf3641e5f71f75ddcf8de7c0"><code>1073a76</code></a>
fix: linting issues</li>
<li><a
href="https://github.com/lodash/lodash/commit/879aaa93132d78c2f8d20c60279da9f8b21576d6"><code>879aaa9</code></a>
fix: validate imports keys in _.template</li>
<li><a
href="https://github.com/lodash/lodash/commit/fe8d32eda854377349a4f922ab7655c8e5df9a0b"><code>fe8d32e</code></a>
fix: block prototype pollution in baseUnset via constructor/prototype
traversal</li>
<li><a
href="https://github.com/lodash/lodash/commit/18ba0a32f42fd02117f096b032f89c984173462d"><code>18ba0a3</code></a>
refactor(fromPairs): use baseAssignValue for consistent assignment (<a
href="https://redirect.github.com/lodash/lodash/issues/6153">#6153</a>)</li>
<li><a
href="https://github.com/lodash/lodash/commit/b8190803d48d60b8c80ad45d39125f32fa618cb2"><code>b819080</code></a>
ci: add dist sync validation workflow (<a
href="https://redirect.github.com/lodash/lodash/issues/6137">#6137</a>)</li>
<li>Additional commits viewable in <a
href="https://github.com/lodash/lodash/compare/4.17.23...4.18.1">compare
view</a></li>
</ul>
</details>
<br />


Dependabot will resolve any conflicts with this PR as long as you don't
alter it yourself. You can also trigger a rebase manually by commenting
`@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits
that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all
of the ignore conditions of the specified dependency
- `@dependabot ignore <dependency name> major version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's major version (unless you unignore this specific
dependency's major version or upgrade to it yourself)
- `@dependabot ignore <dependency name> minor version` will close this
group update PR and stop Dependabot creating any more for the specific
dependency's minor version (unless you unignore this specific
dependency's minor version or upgrade to it yourself)
- `@dependabot ignore <dependency name>` will close this group update PR
and stop Dependabot creating any more for the specific dependency
(unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore <dependency name>` will remove all of the ignore
conditions of the specified dependency
- `@dependabot unignore <dependency name> <ignore condition>` will
remove the ignore condition of the specified dependency and ignore
conditions
You can disable automated security fix PRs for this repo from the
[Security Alerts
page](https://github.com/google/comprehensive-rust/network/alerts).

</details>

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

2026-04-12 20:28:18 +02:00

.cargo

Add note clarifying xtask not a package to be installed. (#2847 )

2025-08-12 22:08:56 -04:00

.github

build(deps): bump actions/deploy-pages from 4 to 5 (#3149 )

2026-04-01 11:34:24 +01:00

mdbook-course

cargo: bump the minor group with 3 updates (#3150 )

2026-04-01 11:34:37 +01:00

mdbook-exerciser

cargo: bump the patch group across 1 directory with 3 updates (#3151 )

2026-04-01 11:20:31 +00:00

docs: start Bengali (bn) translation (#3127 )

2026-04-12 09:30:00 +00:00

src

Idiomatic: Reorder common traits slides (#3158 )

2026-04-12 13:47:37 +02:00

tests

build(deps-dev): bump the npm_and_yarn group across 1 directory with 2 updates (#3160 )

2026-04-12 20:28:18 +02:00

theme

build: add SPDX-License-Identifier to Apache 2.0 licensed files (#3095 )

2026-02-16 12:33:41 +01:00

third_party

borrowing: replace Health Statistics with more exciting exercise (#3078 )

2026-02-03 07:13:56 +00:00

xtask

cargo: bump the minor group with 3 updates (#3150 )

2026-04-01 11:34:37 +01:00

.gitignore

Evaluate slide size and block if they grow above a certain treshold (with exemption mechanism) (#2693 )

2025-03-18 12:50:46 +01:00

book.toml

Rework lifetimes section (#2964 )

2025-10-31 19:37:53 +00:00

Cargo.lock

cargo: bump buddy_system_allocator from 0.12.0 to 0.13.0 (#3152 )

2026-04-01 11:22:50 +00:00

Cargo.toml

Evaluate slide size and block if they grow above a certain treshold (with exemption mechanism) (#2693 )

2025-03-18 12:50:46 +01:00

CONTRIBUTING.md

build(deps): bump crate-ci/typos from 1.35.7 to 1.37.0 (#2939 )

2025-10-06 10:12:00 +00:00

dprint.json

ci: use pinned nightly rustfmt to make unstable features take effect (#2896 )

2025-09-10 13:36:47 +02:00

GEMINI.md

borrowing: replace Health Statistics with more exciting exercise (#3078 )

2026-02-03 07:13:56 +00:00

LICENSE

…

LICENSE-CC-BY

Relicense documentation and content to CC BY 4.0 (#3092 )

2026-02-13 15:08:59 -08:00

README.md

docs: clarify license coverage in README.md (#3096 )

2026-02-17 15:36:09 +01:00

rustfmt.toml

change imports_granularity value to 'Module' (#2947 )

2025-10-14 07:48:26 +02:00

STYLE.md

docs: add licensing instructions to STYLE.md (#3098 )

2026-02-17 16:07:02 +01:00

TRANSLATIONS.md

Document translation workflow (#2579 )

2025-04-23 08:24:30 +00:00

README.md

Comprehensive Rust 🦀

This repository has the source code for Comprehensive Rust 🦀, a multi-day Rust course developed by the Android team. The course covers all aspects of Rust, from basic syntax to generics and error handling. It also includes deep dives on Android, Chromium, bare-metal, and concurrency.

Read the course at https://google.github.io/comprehensive-rust/.

Course Format and Target Audience

The course is used internally at Google to teach Rust to experienced software engineers, typically with a background in C++ or Java.

The course is taught in a classroom setting, and we hope it will be useful for others who want to teach Rust to their team. The course is less ideal for self-study, since you would miss out on classroom discussions. You would not see the questions and answers, nor the compiler errors we trigger when going through the code samples. We hope to improve the self-study experience via speaker notes and by publishing videos.

Press

Articles and blog posts from around the web which cover Comprehensive Rust:

2023-09-08: Teaching Rust in 5 days. Comprehensive Rust was used as a base for a 5-day university class on Rust.
2023-09-21: Scaling Rust Adoption Through Training. We published a blog post with details on the development of the course.
2023-10-02: In Search of Rust Developers, Companies Turn to In-House Training. About how Microsoft, Google, and others are training people in Rust.
2024-10-18: Rust Training at Scale | Rust Global @ RustConf 2024. What Google learned from teaching Comprehensive Rust for more than two years.

Setup

The course is built using a few tools:

First, install Rust by following the instructions on https://rustup.rs/. Then clone this repository:

git clone https://github.com/google/comprehensive-rust/
cd comprehensive-rust

Then run the following command to install the correct versions of all tools mentioned above:

cargo xtask install-tools

This uses cargo install to install the tools, so you will find them in your ~/.cargo/bin/ directory afterwards.

Commands

Here are some of the commonly used commands you can run in the project. Run cargo xtask to view all available commands.

Command	Description
`cargo xtask install-tools`	Install all the tools the project depends on.
`cargo xtask serve`	Start a web server with the course. You'll find the content on http://localhost:3000. To serve any of the translated versions of the course, add the language flag (--language or -l) followed by xx, where xx is the ISO 639 language code (e.g. cargo xtask serve -l da for the Danish translation).
`cargo xtask rust-tests`	Test the included Rust snippets.
`cargo xtask web-tests`	Run the web driver tests in the tests directory.
`cargo xtask build`	Create a static version of the course in the `book/` directory. Note that you have to separately build and zip exercises and add them to book/html. To build any of the translated versions of the course, add the language flag (--language or -l) followed by xx, where xx is the ISO 639 language code (e.g. cargo xtask build -l da for the Danish translation). TRANSLATIONS.md contains further instructions.

Note

On Windows, you need to enable symlinks (git config --global core.symlinks true) and Developer Mode.

Contributing

We welcome contributions. Please see CONTRIBUTING.md for details.

License

This project is licensed under a mix of the Apache License 2.0 and the Creative Commons Attribution 4.0 International License.

Source Code: All source code files and code examples embedded in the documentation are licensed under the Apache License, Version 2.0.
Documentation & Content: All non-source code assets—specifically Markdown (.md) files, documentation, and images—are licensed under the Creative Commons Attribution 4.0 International License.

Contact

For questions or comments, please contact Martin Geisler or start a discussion on GitHub. We would love to hear from you.

Languages

Rust 61.9%

JavaScript 12.3%

TypeScript 9.1%

Handlebars 6.2%

Assembly 3.1%

Other 7.4%