threatcode · pull · Jun 12, 2026 · Jun 12, 2026 · Jun 12, 2026 · Jun 12, 2026
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -23,8 +23,6 @@ members = [
     "macros",
     "parser",
     "proto",
-    "proto-json",
-    "proto-yaml",
     "py",
     "ls",
 ]
@@ -53,7 +51,6 @@ der-parser = "10.0.0"
 digest = "0.10.7"
 dsa = "0.6.3"
 ecdsa = "0.16.9"
-enable-ansi-support = "0.3.1"
 env_logger = "0.11.10"
 figment = "0.10.19"
 globwalk = "0.9.1"
@@ -114,8 +111,6 @@ yara-x-fmt = { path = "fmt", version = "1.17.0" }
 yara-x-macros = { path = "macros", version = "1.17.0" }
 yara-x-parser = { path = "parser", version = "1.17.0" }
 yara-x-proto = { path = "proto", version = "1.17.0"}
-yara-x-proto-yaml = { path = "proto-yaml", version = "1.17.0" }
-yara-x-proto-json = { path = "proto-json", version = "1.17.0" }
 zip = { version = "8.2.0", default-features = false }
 simd-adler32 = "0.3.9"
 simd_cesu8 = "1.1.1"

diff --git a/cli/Cargo.toml b/cli/Cargo.toml
@@ -57,7 +57,6 @@ figment = { workspace = true, features = ["toml"] }
 globwalk = { workspace = true }
 home = { workspace = true }
 itertools = { workspace = true }
-enable-ansi-support = { workspace = true }
 env_logger = { workspace = true, optional = true, features = ["auto-color"] }
 log = { workspace = true, optional = true }
 protobuf = { workspace = true }
@@ -69,8 +68,7 @@ strum_macros = { workspace = true }
 yansi = { workspace = true }
 yara-x = { workspace = true, features = ["parallel-compilation"] }
 yara-x-parser = { workspace = true }
-yara-x-proto-yaml = { workspace = true }
-yara-x-proto-json = { workspace = true }
+yara-x-proto = { workspace = true }
 yara-x-fmt = { workspace = true }
 
 chardetng = "1.0.0"
@@ -85,4 +83,7 @@ wild = "2.2.1"
 [dev-dependencies]
 assert_cmd = "2.2.2"
 assert_fs = "1.1.4"
-predicates = { workspace = true }
+predicates = { workspace = true }
+
+[target.'cfg(windows)'.dependencies]
+enable-ansi-support = "0.3.1"
diff --git a/cli/src/commands/dump.rs b/cli/src/commands/dump.rs
@@ -8,8 +8,8 @@ use std::path::PathBuf;
 use strum_macros::Display;
 
 use yara_x::mods::*;
-use yara_x_proto_json::Serializer as JsonSerializer;
-use yara_x_proto_yaml::Serializer as YamlSerializer;
+use yara_x_proto::json::Serializer as JsonSerializer;
+use yara_x_proto::yaml::Serializer as YamlSerializer;
 
 use crate::help;
 

diff --git a/cli/src/main.rs b/cli/src/main.rs
@@ -29,8 +29,8 @@ const EXIT_ERROR: i32 = 1;
 const CONFIG_FILE: &str = ".yara-x.toml";
 
 fn main() -> anyhow::Result<()> {
-    // Enable support for ANSI escape codes in Windows. In other platforms
-    // this is a no-op.
+    // Enable support for ANSI escape codes in Windows.
+    #[cfg(target_os = "windows")]
     if let Err(err) = enable_ansi_support::enable_ansi_support() {
         println!("could not enable ANSI support: {err}")
     }

diff --git a/lib/Cargo.toml b/lib/Cargo.toml
@@ -350,7 +350,7 @@ goldenfile = { workspace = true }
 ihex = { workspace = true }
 pretty_assertions = { workspace = true }
 rayon = { workspace = true }
-yara-x-proto-yaml = { workspace = true }
+yara-x-proto = { workspace = true }
 zip = { workspace = true }
 
 [[bench]]

diff --git a/lib/src/compiler/mod.rs b/lib/src/compiler/mod.rs
@@ -1236,6 +1236,9 @@ impl Compiler<'_> {
 
         self.filesize_bounds
             .retain(|pattern_id, _| *pattern_id < snapshot.next_pattern_id);
+
+        self.header_constraints
+            .retain(|pattern_id, _| *pattern_id < snapshot.next_pattern_id);
     }
 
     /// Returns true if the bytes in the slice are all 0x00, 0x90, or 0xff.

diff --git a/lib/src/modules/tests.rs b/lib/src/modules/tests.rs
@@ -167,7 +167,7 @@ fn test_modules() {
         let output_file = mint.new_goldenfile(out_path).unwrap();
 
         // Render the module's output as YAML.
-        let mut yaml = yara_x_proto_yaml::Serializer::new(output_file);
+        let mut yaml = yara_x_proto::yaml::Serializer::new(output_file);
 
         yaml.serialize(output).unwrap();
     });

diff --git a/lib/src/tests/mod.rs b/lib/src/tests/mod.rs
@@ -3424,6 +3424,80 @@ fn filesize_bounds() {
     .expect_err("should fail");
 }
 
+#[test]
+fn header_constraints() {
+    let rules = crate::compile(
+        r#"
+        rule test_1 {
+          strings:
+            $a = /foo.*bar/
+          condition:
+            uint16(0) == 0x5a4d and $a
+        }
+        rule test_2 {
+          strings:
+            $a = /foo.*bar/
+          condition:
+            $a
+        }
+        "#,
+    )
+    .unwrap();
+
+    let mut scanner = crate::scanner::Scanner::new(&rules);
+
+    assert_eq!(
+        scanner
+            .scan(b"foobar")
+            .expect("scan should not fail")
+            .matching_rules()
+            .len(),
+        1 // test_2 matches, but test_1 do not.
+    );
+
+    let rules = crate::compile(
+        r#"
+        rule test {
+          strings:
+            $a = /foo.*bar/
+          condition:
+            $a and filesize == 6
+        }
+        "#,
+    )
+    .unwrap();
+
+    let mut scanner = crate::scanner::Scanner::new(&rules);
+
+    assert_eq!(
+        scanner
+            .scan(b"foobar")
+            .expect("scan should not fail")
+            .matching_rules()
+            .len(),
+        1
+    );
+
+    crate::compile(
+        r#"
+        rule test_1 {
+          strings:
+            $a = "foo"
+            $b = /a*/
+          condition:
+            uint16(0) == 0x5a4d and $a and $b
+        }
+        rule test_2 {
+          strings:
+            $c = "bar"
+          condition:
+            uint16(0) == 0x5a4d and $c
+        }
+        "#,
+    )
+    .expect_err("should fail");
+}
+
 #[test]
 fn for_of() {
     rule_true!(

diff --git a/proto-json/Cargo.toml b/proto-json/Cargo.toml
diff --git a/proto-json/build.rs b/proto-json/build.rs