build(deps): bump uutests from 0.8.0 to 0.9.0

[dependabot]

Bumps uutests from 0.8.0 to 0.9.0.

Release notes

Sourced from uutests's releases.

0.9.0

Rust Coreutils 0.9.0 Release:

We are excited to announce the release of Rust Coreutils 0.9.0 - a release focused on safety and security. This cycle was shaped by a third-party security audit, driving extensive TOCTOU hardening and a sustained, project-wide effort to shrink the amount of unsafe code by removing it outright and migrating low-level syscalls from nix/libc to rustix. On top of that, we landed major zero-copy I/O performance work (splice/tee/pipe), broadened WebAssembly, Cygwin and Windows support, and continued contributing tests and bug reports upstream to GNU coreutils.

---

GNU Test Suite Compatibility:

Result	0.8.0	0.9.0	Change 0.8.0 to 0.9.0	% Total 0.8.0	% Total 0.9.0	% Change 0.8.0 to 0.9.0
Pass	630	625	-5	94.74%	90.58%	-4.16%
Skip	14	8	-6	2.11%	1.16%	-0.95%
Fail	21	56	+35	3.16%	8.12%	+4.96%
Error	0	1	+1	0%	0.14%	+0.14%
Total	665	690	+25 (new tests)

Note: The rise in failing tests is due to the upstream GNU test suite being extended, not to regressions on our side. We updated our GNU reference from 9.10 to 9.11 (PR #11922), which added 25 new tests (665 → 690). Many of these newly-introduced tests are not yet passing, which accounts for the jump from 21 to 56 failures; no previously-passing functionality regressed, and work is ongoing to address the new tests.

---

---

Highlights:

• Security Hardening (Zellic audit)

  • A third-party security audit by Zellic reviewed the codebase; the findings - widely reported as 44 CVEs (see also the Ubuntu update and the corrode write-up Bugs Rust won't catch) - were concentrated in TOCTOU races and filesystem edge cases that Rust's type system does not prevent
  • It's worth noting that many of these CVEs are not memory-safety issues but differences in behavior from GNU coreutils that the audit identified; aligning our semantics with GNU resolves them
  • This release closes many of them: a new TOCTOU-resistant uucore::safe_copy module; TOCTOU fixes in cp, mv, and chmod recursive traversal; rm dot/dotdot path-parsing protection; nohup.out now created with mode 0600; and chroot now resolves all ids before chrooting

• Reducing unsafe & migrating to rustix

  • A sustained, project-wide push to shrink the unsafe surface: dozens of unsafe removals across utilities, tests, fuzz targets and uucore (get_groups, make_fifo, build.rs, and more)
  • Migration from nix/libc to rustix across id, tr, timeout, sort, wc, tail, cp, who, factor, and core process/IO paths

• Performance

  • splice()/tee()/pipe() fast paths landed across cat, wc, head, tail, yes, cp, tee, and unexpand (e.g. unexpand +7.5%, faster cp from a pipe on Linux, tee via raw syscalls, yes using the tee syscall)
  • Consolidated in a reworked uucore::pipes / buf_copy

• GNU Compatibility & Upstream Collaboration

  • Reference bumped to GNU 9.11, which extended the suite with 25 new tests (the reason the failure count went up - see the note above; it is not a regression)
  • We continue to contribute tests and bug reports upstream to GNU coreutils, and our compatibility work keeps surfacing edge cases on both sides
  • New fixes across numfmt, date, tr, cksum, factor, head, stat, and sort

• numfmt Overhaul

  • Precision handling, rejection of scientific notation, LC_NUMERIC decimal separator, zero-padding for negative numbers, IEC precision cap, large %f values, --to=auto exit code, and multi-byte --suffix width accounting

• ls Improvements

  • ls -lF symlink target indicators, link-count column no longer inflated per-ACL-file, version-sorting and recursive-mode fixes, independent permissions-column width

... (truncated)

Commits

• 840c36d shred: fix --remove=unlink with relative paths
• 395d703 stat: fix %N quoting of filenames containing control characters (#12330)
• b22013a ls: ls -lF symlink target indicators (#11554)
• 179b977 ln: add WASI support via symlink_path (#11713)
• 565f118 sort: add a test reproducing failure during sort --merge
• 2c37153 mktemp: ensure that "-q XX" shows error msg
• 9d3bafc mktemp: fix hidden file creation with dot prefix
• 76c63ee install: update comments and tests
• 21fda8c fix(install): follow symlink components in destination path with -D
• db7b8a6 stdbuf: build on Windows (depending on cygwin dll)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)