Skip to content

Bump the cargo group across 1 directory with 12 updates#5

Open
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/cargo/rust/cargo-a56d7c2689
Open

Bump the cargo group across 1 directory with 12 updates#5
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/cargo/rust/cargo-a56d7c2689

Conversation

@dependabot
Copy link

@dependabot dependabot bot commented on behalf of github Feb 20, 2026

Bumps the cargo group with 11 updates in the /rust directory:

Package From To
diesel 2.1.4 2.1.6
tracing-subscriber 0.3.17 0.3.20
tokio 1.38.1 1.38.2
bytes 1.5.0 1.11.1
keccak 0.1.4 0.1.6
openssl 0.10.62 0.10.75
rustix 0.37.23 0.37.28
rustls-webpki 0.100.1 0.100.3
time 0.3.36 0.3.44
webpki 0.22.0 0.22.4
whoami 1.4.1 1.6.1

Updates diesel from 2.1.4 to 2.1.6

Changelog

Sourced from diesel's changelog.

[2.1.6] 2024-04-19

  • Fix using BoxableExpression with having clauses
  • Fix using numeric expressions with aliased fields
  • Minor documentation fixes

[2.1.5] 2024-03-15

  • Fix impl SqlOrd postgres > postgres_backend feature flag.
  • Allow Queryable to be used with multiple table names.
  • Fix an inconsistent unit test
  • Fix a clippy lint
  • Fix ./bin/test feature flag calls.
  • Update libsqlite3-sys to allow version 0.28 as well
Commits
  • 26c6be4 Preapare a diesel 2.1.6 patch release
  • 2dc6cc1 Merge pull request #3956 from Tanguille/docs/clarify-as-expression-to-sql
  • ca66173 Merge pull request #3980 from kornelski/dev-cycle
  • 45915ac Merge pull request #3971 from Ten0/fix_missing_skip_insertion_attribute_in_un...
  • 26b8803 Merge pull request #3979 from formlogic-kirk/alias_op_impls
  • 6a9bfdf Fix the having clause tests + add a test for normal select queries
  • 0799a44 Add ValidGrouping to boxed having expression
  • 5d6637f Try explicitly implementing FromClause<F> for HavingDsl<Predicate>
  • b4776a3 Add test
  • c96c870 Merge pull request #3959 from 1Dragoon/backports/2.1.4
  • Additional commits viewable in compare view

Updates tracing-subscriber from 0.3.17 to 0.3.20

Release notes

Sourced from tracing-subscriber's releases.

tracing-subscriber 0.3.20

Security Fix: ANSI Escape Sequence Injection (CVE-TBD)

Impact

Previous versions of tracing-subscriber were vulnerable to ANSI escape sequence injection attacks. Untrusted user input containing ANSI escape sequences could be injected into terminal output when logged, potentially allowing attackers to:

  • Manipulate terminal title bars
  • Clear screens or modify terminal display
  • Potentially mislead users through terminal manipulation

In isolation, impact is minimal, however security issues have been found in terminal emulators that enabled an attacker to use ANSI escape sequences via logs to exploit vulnerabilities in the terminal emulator.

Solution

Version 0.3.20 fixes this vulnerability by escaping ANSI control characters in when writing events to destinations that may be printed to the terminal.

Affected Versions

All versions of tracing-subscriber prior to 0.3.20 are affected by this vulnerability.

Recommendations

Immediate Action Required: We recommend upgrading to tracing-subscriber 0.3.20 immediately, especially if your application:

  • Logs user-provided input (form data, HTTP headers, query parameters, etc.)
  • Runs in environments where terminal output is displayed to users

Migration

This is a patch release with no breaking API changes. Simply update your Cargo.toml:

[dependencies]
tracing-subscriber = "0.3.20"

Acknowledgments

We would like to thank zefr0x who responsibly reported the issue at security@tokio.rs.

If you believe you have found a security vulnerability in any tokio-rs project, please email us at security@tokio.rs.

tracing-subscriber 0.3.19

[ [crates.io][crate-0.3.19] ] | [ [docs.rs][docs-0.3.19] ]

This release updates the tracing dependency to [v0.1.41][tracing-0.1.41] and the tracing-serde dependency to [v0.2.0][tracing-serde-0.2.0].

Added

... (truncated)

Commits

Updates tokio from 1.38.1 to 1.38.2

Release notes

Sourced from tokio's releases.

Tokio v1.38.2

This release fixes a soundness issue in the broadcast channel. The channel accepts values that are Send but !Sync. Previously, the channel called clone() on these values without synchronizing. This release fixes the channel by synchronizing calls to .clone() (Thanks Austin Bonander for finding and reporting the issue).

Fixed

  • sync: synchronize clone() call in broadcast channel (#7232)

#7232: tokio-rs/tokio#7232

Commits

Updates bytes from 1.5.0 to 1.11.1

Release notes

Sourced from bytes's releases.

Bytes v1.11.1

1.11.1 (February 3rd, 2026)

  • Fix integer overflow in BytesMut::reserve

Bytes v1.11.0

1.11.0 (November 14th, 2025)

  • Bump MSRV to 1.57 (#788)

Fixed

  • fix: BytesMut only reuse if src has remaining (#803)
  • Specialize BytesMut::put::<Bytes> (#793)
  • Reserve capacity in BytesMut::put (#794)
  • Change BytesMut::remaining_mut to use isize::MAX instead of usize::MAX (#795)

Internal changes

  • Guarantee address in slice() for empty slices. (#780)
  • Rename Vtable::to_* -> Vtable::into_* (#776)
  • Fix latest clippy warnings (#787)
  • Ignore BytesMut::freeze doctest on wasm (#790)
  • Move drop_fn of from_owner into vtable (#801)

Bytes v1.10.1

1.10.1 (March 5th, 2025)

Fixed

  • Fix memory leak when using to_vec with Bytes::from_owner (#773)

#773: tokio-rs/bytes#773

Bytes v1.10.0

1.10.0 (February 3rd, 2025)

Added

  • Add feature to support platforms without atomic CAS (#467)
  • try_get_* methods for Buf trait (#753)
  • Implement Buf::chunks_vectored for Take (#617)
  • Implement Buf::chunks_vectored for VecDeque<u8> (#708)

Fixed

  • Remove incorrect guarantee for chunks_vectored (#754)
  • Ensure that tests pass under panic=abort (#749)

... (truncated)

Changelog

Sourced from bytes's changelog.

1.11.1 (February 3rd, 2026)

  • Fix integer overflow in BytesMut::reserve

1.11.0 (November 14th, 2025)

  • Bump MSRV to 1.57 (#788)

Fixed

  • fix: BytesMut only reuse if src has remaining (#803)
  • Specialize BytesMut::put::<Bytes> (#793)
  • Reserve capacity in BytesMut::put (#794)
  • Change BytesMut::remaining_mut to use isize::MAX instead of usize::MAX (#795)

Internal changes

  • Guarantee address in slice() for empty slices. (#780)
  • Rename Vtable::to_* -> Vtable::into_* (#776)
  • Fix latest clippy warnings (#787)
  • Ignore BytesMut::freeze doctest on wasm (#790)
  • Move drop_fn of from_owner into vtable (#801)

1.10.1 (March 5th, 2025)

Fixed

  • Fix memory leak when using to_vec with Bytes::from_owner (#773)

1.10.0 (February 3rd, 2025)

Added

  • Add feature to support platforms without atomic CAS (#467)
  • try_get_* methods for Buf trait (#753)
  • Implement Buf::chunks_vectored for Take (#617)
  • Implement Buf::chunks_vectored for VecDeque<u8> (#708)

Fixed

  • Remove incorrect guarantee for chunks_vectored (#754)
  • Ensure that tests pass under panic=abort (#749)

1.9.0 (November 27, 2024)

Added

  • Add Bytes::from_owner to enable externally-allocated memory (#742)

Documented

... (truncated)

Commits

Updates keccak from 0.1.4 to 0.1.6

Commits

Updates mio from 0.8.10 to 1.1.1

Changelog

Sourced from mio's changelog.

1.1.1

  • Handle ERROR_MORE_DATA when scheduling reads for Window named pipes (tokio-rs/mio#1921).
  • Fix compilation error on NetBSD due to changes in types in the libc crate (tokio-rs/mio#1923).

1.1.0

MSRV was increased to 1.71 to support windows-sys v0.61.

1.0.4

1.0.3

1.0.2

... (truncated)

Commits
  • 6125f9b Release v1.1.1
  • c1aa358 Add FreeBSD 14 and 15 to Cirrus CI (#1926)
  • 02f69ea Handle ERROR_MORE_DATA when scheduling read for Window named pipes
  • 625655d Fix NetBSD build error due to UData type mismatched (#1923)
  • 7ba0ccb Use taiki-e/install-action on CI
  • b0578c2 Enable tests docs under sanitizer again
  • f36136a Enable aarch64-unknown-openbsd CI target in CI
  • 83b1bff docs: minor improvement for docs
  • f063725 Disable aarch64-unknown-openbsd in CI (#1917)
  • 3661806 Enable all targets on the CI that work again (#1913)
  • Additional commits viewable in compare view

Updates openssl from 0.10.62 to 0.10.75

Release notes

Sourced from openssl's releases.

openssl-v0.10.75

What's Changed

New Contributors

Full Changelog: rust-openssl/rust-openssl@openssl-v0.10.74...openssl-v0.10.75

openssl-v0.10.74

What's Changed

... (truncated)

Commits
  • 09b90d0 Merge pull request #2518 from alex/bump-for-release
  • 26533f3 Release openssl v0.10.75 and openssl-sys v0.9.111
  • 395ecca Merge pull request #2517 from alex/claude/fix-ocsp-find-status-011CUqcGFNKeKJ...
  • cc26867 Fix unsound OCSP find_status handling of optional next_update field
  • 95aa8e8 Merge pull request #2513 from botovq/libressl-stable
  • e735a32 CI: bump LibreSSL 4.x branches to latest releases
  • 21ab91d Merge pull request #2510 from huwcbjones/huw/sys/evp-mac
  • d9161dc sys/evp: add EVP_MAC symbols
  • 3fd4bf2 Merge pull request #2508 from goffrie/oaep-label
  • 52022fd Implement set_rsa_oaep_label for AWS-LC/BoringSSL
  • Additional commits viewable in compare view

Updates rustix from 0.37.23 to 0.37.28

Commits

Updates rustls-webpki from 0.100.1 to 0.100.3

Release notes

Sourced from rustls-webpki's releases.

0.100.3

  • Path building complexity is now limited to a maximum budget of path finding operations, avoiding exponential processing time when encountering certificate chains containing many certificates with the same subject/issuer distinguished name but different subject public key information.
  • Name constraints evaluation is now limited to a maximum number of comparison operations, avoiding exponential processing time when encountering certificate chains containing many name constraints and subject alternate names.

What's Changed

The following PRs were backported to the rel-0.100 branch in rustls/webpki#172

Full Changelog: rustls/webpki@v/0.100.2...v/0.100.3

Thanks to all who have contributed, on behalf of the rustls team (@​ctz, @​cpu and @​djc)!

v/0.100.2

Release notes

  • certificate path building and verification is now capped at 100 signature validation operations to avoid the risk of CPU usage denial-of-service attack when validating crafted certificate chains producing quadratic runtime. This risk affected both clients, as well as servers that verified client certificates.

What's Changed

Full Changelog: rustls/webpki@v/0.100.1...v/0.100.2

Commits
  • 5649c6a Cargo: bump version 0.100.2 -> 0.100.3.
  • 86f4cb2 verify_cert: use enum for build chain error
  • 50a2930 verify_cert: correct handling of fatal errors
  • 0651f72 error: add is_fatal helper, use in verify_cert
  • 0598dd2 verify_cert: optional Budget arg for verify_chain helper
  • 277fb4b verify_cert: take references in verify_chain helper
  • 63f78e0 verify_cert: name constraint checking on verified chain
  • f55622a verify_cert: budget for name constraint comparisons
  • 141ddcb verify_cert: pull out verify_chain test helper
  • eb07f2f verify_cert: pull out make_end_entity test helper
  • Additional commits viewable in compare view

Updates time from 0.3.36 to 0.3.44

Release notes

Sourced from time's releases.

v0.3.44

See the changelog for details.

v0.3.43

See the changelog for details.

v0.3.42

See the changelog for details.

v0.3.41

See the changelog for details.

v0.3.40

See the changelog for details.

v0.3.39

See the changelog for details.

v0.3.38

See the changelog for details.

v0.3.37

See the changelog for details.

Changelog

Sourced from time's changelog.

0.3.44 [2025-09-19]

Fixed

  • Comparisons of PrimitiveDateTime, UtcDateTime, and OffsetDateTime with differing signs (i.e. one negative and one positive year) would return the inverse result of what was expected. This was introduced in v0.3.42 and has been fixed.
  • Type inference would fail due to feature unification when wasm-bindgen enabled serde_json. This has been fixed by explicitly specifying the type in the relevant locations.

0.3.43 [2025-09-02]

Added

  • Support for rand 0.9

Fixed

  • In the convert module, any use of per with types that were not the same (such as Nanosecond::per(Second)) would not compile due to a bug. This has been fixed.

0.3.42 [2025-08-31]

Added

  • Time::duration_until
  • Time::duration_since
  • per_t method for all types in time::convert. This is similar to the existing per method, but can return any of the primitive numeric types that can represent the result. This will cut down on as casts while ensuring correctness. Type inference isn't perfect, so you may need to provide a type annotation in some situations.
  • impl PartialOrd for Month and impl Ord for Month; this assumes the months are in the same year
  • SystemTimeExt trait, adding methods for checked arithmetic with time::Duration and obtaining the difference between two SystemTimes as a time::Duration
  • Permit using UtcDateTime with rand (this was inadvertently omitted previously)
  • impl core::error::Error for all error types (now available when the std feature is disabled)
  • MacOS can now obtain the local UTC offset in multi-threaded programs as the system APIs are thread-safe.
  • #[track_caller] has been added to all relevant methods.

Changed

  • The minimum supported Rust version is now 1.81.0.
  • The dependency on itoa has been removed, as the standard library now has similar functionality by default.
  • Formatting a component that involves a floating point number is now guaranteed to be deterministic, avoiding any subtle differences between platforms or compiler versions.

Fixed

... (truncated)

Commits

Updates webpki from 0.22.0 to 0.22.4

Commits

Updates whoami from 1.4.1 to 1.6.1

Release notes

Sourced from whoami's releases.

v1.6.0

Changelog

Added

  • Support for GNU/Hurd

Changed

  • Removed comment about hostname being limited to ASCII due to Unicode hostnames being supported on Windows
  • More descriptive error messages on the web target

Fixed

  • account() always returning username instead of user principal name on Windows
  • langs() now returns a list accurate to the POSIX locale spec
  • hostname() on Windows now returns PhysicalDnsHostname instead of NetBIOS
  • devicename(): Fixed reading escaped unix pretty names
  • Link error on Windows (in future Rust version)

What's Changed

New Contributors

Full Changelog: ardaku/whoami@v1.5.2...v1.6.0

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
Bump the cargo group across 1 directory with 12 updates
a637f3c 
Bumps the cargo group with 11 updates in the /rust directory:

| Package | From | To |
| --- | --- | --- |
| [diesel](https://github.com/diesel-rs/diesel) | `2.1.4` | `2.1.6` |
| [tracing-subscriber](https://github.com/tokio-rs/tracing) | `0.3.17` | `0.3.20` |
| [tokio](https://github.com/tokio-rs/tokio) | `1.38.1` | `1.38.2` |
| [bytes](https://github.com/tokio-rs/bytes) | `1.5.0` | `1.11.1` |
| [keccak](https://github.com/RustCrypto/sponges) | `0.1.4` | `0.1.6` |
| [openssl](https://github.com/rust-openssl/rust-openssl) | `0.10.62` | `0.10.75` |
| [rustix](https://github.com/bytecodealliance/rustix) | `0.37.23` | `0.37.28` |
| [rustls-webpki](https://github.com/rustls/webpki) | `0.100.1` | `0.100.3` |
| [time](https://github.com/time-rs/time) | `0.3.36` | `0.3.44` |
| [webpki](https://github.com/briansmith/webpki) | `0.22.0` | `0.22.4` |
| [whoami](https://github.com/ardaku/whoami) | `1.4.1` | `1.6.1` |



Updates `diesel` from 2.1.4 to 2.1.6
- [Release notes](https://github.com/diesel-rs/diesel/releases)
- [Changelog](https://github.com/diesel-rs/diesel/blob/main/CHANGELOG.md)
- [Commits](diesel-rs/diesel@v2.1.4...v2.1.6)

Updates `tracing-subscriber` from 0.3.17 to 0.3.20
- [Release notes](https://github.com/tokio-rs/tracing/releases)
- [Commits](tokio-rs/tracing@tracing-subscriber-0.3.17...tracing-subscriber-0.3.20)

Updates `tokio` from 1.38.1 to 1.38.2
- [Release notes](https://github.com/tokio-rs/tokio/releases)
- [Commits](tokio-rs/tokio@tokio-1.38.1...tokio-1.38.2)

Updates `bytes` from 1.5.0 to 1.11.1
- [Release notes](https://github.com/tokio-rs/bytes/releases)
- [Changelog](https://github.com/tokio-rs/bytes/blob/master/CHANGELOG.md)
- [Commits](tokio-rs/bytes@v1.5.0...v1.11.1)

Updates `keccak` from 0.1.4 to 0.1.6
- [Commits](RustCrypto/sponges@keccak/v0.1.4...keccak-v0.1.6)

Updates `mio` from 0.8.10 to 1.1.1
- [Release notes](https://github.com/tokio-rs/mio/releases)
- [Changelog](https://github.com/tokio-rs/mio/blob/master/CHANGELOG.md)
- [Commits](tokio-rs/mio@v0.8.10...v1.1.1)

Updates `openssl` from 0.10.62 to 0.10.75
- [Release notes](https://github.com/rust-openssl/rust-openssl/releases)
- [Commits](rust-openssl/rust-openssl@openssl-v0.10.62...openssl-v0.10.75)

Updates `rustix` from 0.37.23 to 0.37.28
- [Release notes](https://github.com/bytecodealliance/rustix/releases)
- [Changelog](https://github.com/bytecodealliance/rustix/blob/main/CHANGES.md)
- [Commits](bytecodealliance/rustix@v0.37.23...v0.37.28)

Updates `rustls-webpki` from 0.100.1 to 0.100.3
- [Release notes](https://github.com/rustls/webpki/releases)
- [Commits](rustls/webpki@v/0.100.1...v/0.100.3)

Updates `time` from 0.3.36 to 0.3.44
- [Release notes](https://github.com/time-rs/time/releases)
- [Changelog](https://github.com/time-rs/time/blob/main/CHANGELOG.md)
- [Commits](time-rs/time@v0.3.36...v0.3.44)

Updates `webpki` from 0.22.0 to 0.22.4
- [Commits](https://github.com/briansmith/webpki/commits)

Updates `whoami` from 1.4.1 to 1.6.1
- [Release notes](https://github.com/ardaku/whoami/releases)
- [Commits](https://github.com/ardaku/whoami/commits)

---
updated-dependencies:
- dependency-name: diesel
  dependency-version: 2.1.6
  dependency-type: direct:production
  dependency-group: cargo
- dependency-name: tracing-subscriber
  dependency-version: 0.3.20
  dependency-type: direct:production
  dependency-group: cargo
- dependency-name: tokio
  dependency-version: 1.38.2
  dependency-type: direct:production
  dependency-group: cargo
- dependency-name: bytes
  dependency-version: 1.11.1
  dependency-type: indirect
  dependency-group: cargo
- dependency-name: keccak
  dependency-version: 0.1.6
  dependency-type: indirect
  dependency-group: cargo
- dependency-name: mio
  dependency-version: 1.1.1
  dependency-type: indirect
  dependency-group: cargo
- dependency-name: openssl
  dependency-version: 0.10.75
  dependency-type: indirect
  dependency-group: cargo
- dependency-name: rustix
  dependency-version: 0.37.28
  dependency-type: indirect
  dependency-group: cargo
- dependency-name: rustls-webpki
  dependency-version: 0.100.3
  dependency-type: indirect
  dependency-group: cargo
- dependency-name: time
  dependency-version: 0.3.44
  dependency-type: indirect
  dependency-group: cargo
- dependency-name: webpki
  dependency-version: 0.22.4
  dependency-type: indirect
  dependency-group: cargo
- dependency-name: whoami
  dependency-version: 1.6.1
  dependency-type: indirect
  dependency-group: cargo
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file rust Pull requests that update rust code labels Feb 20, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file rust Pull requests that update rust code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants