Pin the zip crate to 0.6 (#3645)

## Summary Restore API-compatibility with pre-1.1.0 versions of the `zip` crate, and pin the dependency to the 0.6 series, due to concerns discussed in https://github.com/astral-sh/uv/issues/3642. ## Test Plan ``` cargo run -p uv-dev -- fetch-python cargo test ```
2025-07-07 13:25:00 +00:00 · 2024-05-18 13:31:53 -04:00 · 2024-05-18 13:31:53 -04:00 · 53c2551fac
commit 53c2551fac
parent 18b095ce28
4 changed files with 13 additions and 41 deletions
--- a/.github/renovate.json5
+++ b/.github/renovate.json5
@ -18,6 +18,13 @@
    enabled: true,
  },
  packageRules: [
+    {
+      // Disable updates of `zip-rs`; intentionally pinned for now due to ownership change
+      // See: https://github.com/astral-sh/uv/issues/3642
+      matchPackagePatterns: ["zip"],
+      matchManagers: ["cargo"],
+      enabled: false,
+    },
    {
      // Group upload/download artifact updates, the versions are dependent
      groupName: "Artifact GitHub Actions dependencies",
--- a/Cargo.lock
+++ b/Cargo.lock
@ -128,15 +128,6 @@ version = "1.0.83"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "25bdb32cbbdce2b519a9cd7df3a678443100e265d5e25ca763b7572a5104f5f3"

-[[package]]
-name = "arbitrary"
-version = "1.3.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "7d5a26814d8dcb93b0e5a0ff3c6d80a8843bafb21b39e8e18a6f05471870e110"
-dependencies = [
- "derive_arbitrary",
-]
-
 [[package]]
 name = "arc-swap"
 version = "1.7.1"
@ -1045,17 +1036,6 @@ dependencies = [
 "syn 1.0.109",
 ]

-[[package]]
-name = "derive_arbitrary"
-version = "1.3.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "67e77553c4162a157adbf834ebae5b415acbecbeafc7a74b0e886657506a7611"
-dependencies = [
- "proc-macro2",
- "quote",
- "syn 2.0.64",
-]
-
 [[package]]
 name = "diff"
 version = "0.1.13"
@ -1100,17 +1080,6 @@ dependencies = [
 "windows-sys 0.48.0",
 ]

-[[package]]
-name = "displaydoc"
-version = "0.2.4"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "487585f4d0c6655fe74905e2504d8ad6908e4db67f744eb140876906c2f3175d"
-dependencies = [
- "proc-macro2",
- "quote",
- "syn 2.0.64",
-]
-
 [[package]]
 name = "distribution-filename"
 version = "0.0.1"
@ -5708,17 +5677,14 @@ checksum = "525b4ec142c6b68a2d10f01f7bbf6755599ca3f81ea53b8431b7dd348f5fdb2d"

 [[package]]
 name = "zip"
-version = "1.3.0"
+version = "0.6.6"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f1f4a27345eb6f7aa7bd015ba7eb4175fa4e1b462a29874b779e0bbcf96c6ac7"
+checksum = "760394e246e4c28189f19d488c058bf16f564016aefac5d32bb1f3b51d5e9261"
 dependencies = [
- "arbitrary",
+ "byteorder",
 "crc32fast",
 "crossbeam-utils",
- "displaydoc",
 "flate2",
- "indexmap",
- "thiserror",
 ]

 [[package]]
--- a/Cargo.toml
+++ b/Cargo.toml
@ -145,7 +145,7 @@ wiremock = { version = "0.6.0" }
 walkdir = { version = "2.5.0" }
 which = { version = "6.0.0" }
 winapi = { version = "0.3.9", features = ["fileapi", "handleapi", "ioapiset", "winbase", "winioctl", "winnt"] }
-zip = { version = "1.1.0", default-features = false, features = ["deflate"] }
+zip = { version = "0.6.6", default-features = false, features = ["deflate"] }

 [workspace.metadata.cargo-shear]
 ignored = ["flate2"]
--- a/crates/install-wheel-rs/src/wheel.rs
+++ b/crates/install-wheel-rs/src/wheel.rs
@ -11,7 +11,7 @@ use rustc_hash::FxHashMap;
 use sha2::{Digest, Sha256};
 use tracing::{instrument, warn};
 use walkdir::WalkDir;
-use zip::write::SimpleFileOptions;
+use zip::write::FileOptions;
 use zip::ZipWriter;

 use pypi_types::DirectUrl;
@ -190,8 +190,7 @@ pub(crate) fn windows_script_launcher(
        // We're using the zip writer, but with stored compression
        // https://github.com/njsmith/posy/blob/04927e657ca97a5e35bb2252d168125de9a3a025/src/trampolines/mod.rs#L75-L82
        // https://github.com/pypa/distlib/blob/8ed03aab48add854f377ce392efffb79bb4d6091/PC/launcher.c#L259-L271
-        let stored =
-            SimpleFileOptions::default().compression_method(zip::CompressionMethod::Stored);
+        let stored = FileOptions::default().compression_method(zip::CompressionMethod::Stored);
        let mut archive = ZipWriter::new(Cursor::new(&mut payload));
        let error_msg = "Writing to Vec<u8> should never fail";
        archive.start_file("__main__.py", stored).expect(error_msg);