Skip to content

build(deps): bump the cargo group across 1 directory with 5 updates#3

Merged
ttracx merged 1 commit into
mainfrom
dependabot/cargo/packages/desktop/src-tauri/cargo-ecba732386
Jul 8, 2026
Merged

build(deps): bump the cargo group across 1 directory with 5 updates#3
ttracx merged 1 commit into
mainfrom
dependabot/cargo/packages/desktop/src-tauri/cargo-ecba732386

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 7, 2026

Copy link
Copy Markdown
Contributor

Bumps the cargo group with 5 updates in the /packages/desktop/src-tauri directory:

Package From To
bytes 1.11.0 1.12.0
quinn-proto 0.11.13 0.11.16
rustls-webpki 0.103.8 0.103.13
tar 0.4.44 0.4.46
time 0.3.44 0.3.53

Updates bytes from 1.11.0 to 1.12.0

Release notes

Sourced from bytes's releases.

Bytes v1.12.0

1.12.0 (June 18th, 2026)

Added

  • Add BytesMut::extend_from_within() (#818)
  • Add BytesMut::try_unsplit() (#746)

Fixed

  • Fix panic in get_int if nbytes is zero (#806)

Changed

  • Pass vtable data by value (#826)
  • Exclude development scripts from published package (#810)

Documented

  • Document that BytesMut::{reserve,try_reserve} doesn't preserve unused capacity (#808)

Bytes v1.11.1

1.11.1 (February 3rd, 2026)

  • Fix integer overflow in BytesMut::reserve
Changelog

Sourced from bytes's changelog.

1.12.0 (June 18th, 2026)

Added

  • Add BytesMut::extend_from_within() (#818)
  • Add BytesMut::try_unsplit() (#746)

Fixed

  • Fix panic in get_int if nbytes is zero (#806)

Changed

  • Pass vtable data by value (#826)
  • Exclude development scripts from published package (#810)

Documented

  • Document that BytesMut::{reserve,try_reserve} doesn't preserve unused capacity (#808)

1.11.1 (February 3rd, 2026)

  • Fix integer overflow in BytesMut::reserve
Commits

Updates quinn-proto from 0.11.13 to 0.11.16

Release notes

Sourced from quinn-proto's releases.

quinn-proto-0.11.16

What's Changed

quinn-proto 0.11.14

@​jxs reported a denial of service issue in quinn-proto 5 days ago:

We coordinated with them to release this version to patch the issue. Unfortunately the maintainers missed these issues during code review and we did not have enough fuzzing coverage -- we regret the oversight and have added an additional fuzzing target.

Organizations that want to participate in coordinated disclosure can contact us privately to discuss terms.

What's Changed

Commits
  • a96949f Take semver-compatible update for anyhow
  • 5429f60 udp: bump version to 0.5.15
  • 262a493 proto: bump version to 0.11.16
  • c19b63a Upgrade rustls-platform-verifier to 0.7
  • aff3652 Disable default features for fastbloom
  • 01b2eee Upgrade fastbloom to 0.17
  • 2c82013 Switch BBR RNG to PCG
  • 544dd9e Upgrade to rand 0.10.1
  • a7499b8 Bump versions for release
  • 7c1970f proto: yield error on too many gaps in assembler
  • Additional commits viewable in compare view

Updates rustls-webpki from 0.103.8 to 0.103.13

Release notes

Sourced from rustls-webpki's releases.

0.103.13

  • Fix reachable panic in parsing a CRL. This was reported to us as GHSA-82j2-j2ch-gfr8. Users who don't use CRLs are not affected.
  • For name constraints on URI names, we incorrectly processed excluded subtrees in a way which inverted the desired meaning. See rustls/webpki#471. This was a case missing in the fix for GHSA-965h-392x-2mh5.

What's Changed

Full Changelog: rustls/webpki@v/0.103.12...v/0.103.13

0.103.12

This release fixes two bugs in name constraint enforcement:

  • GHSA-965h-392x-2mh5: name constraints for URI names were ignored and therefore accepted. URI name constraints are now rejected unconditionally. Note this library does not provide an API for asserting URI names, and URI name constraints are otherwise not implemented.
  • GHSA-xgp8-3hg3-c2mh: permitted subtree name constraints for DNS names were accepted for certificates asserting a wildcard name. This was incorrect because, given a name constraint of accept.example.com, *.example.com could feasibly allow a name of reject.example.com which is outside the constraint. This is very similar to CVE-2025-61727.

Since name constraints are restrictions on otherwise properly-issued certificates, these bugs are reachable only after signature verification and require misissuance to exploit.

What's Changed

Full Changelog: rustls/webpki@v/0.103.11...v/0.103.12

0.103.11

In response to #464, we've slightly relaxed requirements for anchor_from_trust_cert() to ignore unknown extensions even if they're marked as critical. This only affects parsing a TrustAnchor from DER, for which most extensions are ignored anyway.

What's Changed

0.103.10

Correct selection of candidate CRLs by Distribution Point and Issuing Distribution Point. If a certificate had more than one distributionPoint, then only the first distributionPoint would be considered against each CRL's IssuingDistributionPoint distributionPoint, and then the certificate's subsequent distributionPoints would be ignored.

The impact was that correctly provided CRLs would not be consulted to check revocation. With UnknownStatusPolicy::Deny (the default) this would lead to incorrect but safe Error::UnknownRevocationStatus. With UnknownStatusPolicy::Allow this would lead to inappropriate acceptance of revoked certificates.

This vulnerability is thought to be of limited impact. This is because both the certificate and CRL are signed -- an attacker would need to compromise a trusted issuing authority to trigger this bug. An attacker with such capabilities could likely bypass revocation checking through other more impactful means (such as publishing a valid, empty CRL.)

More likely, this bug would be latent in normal use, and an attacker could leverage faulty revocation checking to continue using a revoked credential.

This vulnerability is identified by GHSA-pwjx-qhcg-rvj4. Thank you to @​1seal for the report.

What's Changed

Full Changelog: rustls/webpki@v/0.103.9...v/0.103.10

... (truncated)

Commits
  • 2879b2c Prepare 0.103.13
  • 2c49773 Improve tests for padding of BitStringFlags
  • 4e3c0b3 Correct validation of BIT STRING constraints
  • 39c91d2 Actually fail closed for URI matching against excluded subtrees
  • 27131d4 Bump version to 0.103.12
  • 6ecb876 Clean up stuttery enum variant names
  • 318b3e6 Ignore wildcard labels when matching name constraints
  • 1219622 Rewrite constraint matching to avoid permissive catch-all branch
  • 57bc62c Bump version to 0.103.11
  • d0fa01e Allow parsing trust anchors with unknown criticial extensions
  • Additional commits viewable in compare view

Updates tar from 0.4.44 to 0.4.46

Release notes

Sourced from tar's releases.

0.4.46

Security

See also GHSA-3cv2-h65g-fgmm

Other changes

New Contributors

Full Changelog: composefs/tar-rs@0.4.45...0.4.46

Commits
  • fc459c1 Release 0.4.46
  • 43e05a8 ci: Add crates.io trusted publishing workflow
  • bba5666 Update repo links
  • cd94c46 docs: Document TOCTOU / concurrent-mutation threat model
  • 1b4997c builder: Expand docs for follow_symlinks and append_dir_all
  • bab14dd archive: Fix another PAX header desync (GHSA-3cv2-h65g-fgmm)
  • 2349b49 Add support of absolute paths
  • 39d0311 Update some links
  • 59d803e Update astral-tokio-tar requirement from 0.5 to 0.6
  • 8296b9a ci: Fix and re-enable reverse dependency testing (#444)
  • Additional commits viewable in compare view

Updates time from 0.3.44 to 0.3.53

Release notes

Sourced from time's releases.

v0.3.53

See the changelog for details.

v0.3.52

See the changelog for details.

v0.3.51

See the changelog for details.

v0.3.49

See the changelog for details.

v0.3.48

See the changelog for details.

v0.3.47

See the changelog for details.

v0.3.46

See the changelog for details.

v0.3.45

See the changelog for details.

Changelog

Sourced from time's changelog.

0.3.53 [2026-07-01]

There are no publicly-facing changes in this release. It solely works around the cookie crate relying on an implementation detail of time that was never part of the public API (and thus subject to semver guarantees). The internal API has been reverted to the extent necessary for cookie to compile. This measure is temporary; the internal change will be re-applied in an yet-to-be-determined future release.

0.3.52 [2026-06-30]

Fixed

  • Subsecond values in the time! macro are parsed using the textual representation, ensuring accuracy. Previously, they were parsed using the floating point representation, which could result in a loss of precision and even invalid values.
  • The date! macro could previously create an invalid value that would then panic at compile time. The macro now emits a proper error instead.
  • When parsing an invalid format description, an edge case would inadvertently panic. This now returns an error as intended.

Added

  • Support default values when parsing

0.3.51 [2026-06-22]

Fixed

  • time compiles with macros enabled. This version is otherwise identical to v0.3.50.

0.3.50 [2026-06-22] [YANKED]

This version was yanked because it would not compile when the macros feature was enabled.

Added

  • Timestamp type

Fixed

  • [year] in a runtime-parsed version 3 format description when the large-dates feature is not enabled now succeeds. This previously failed due to a missing #[cfg].

Performance

  • Further gains when parsing with the non-deprecated parts of the RFC 2822 well-known format
  • Gains when formatting with the ISO 8601 well-known format
  • Date arithmetic is improved in common situations

0.3.49 [2026-06-13]

... (truncated)

Commits
  • 0ae2f84 v0.3.53 release
  • cea8c96 Avoid issue with cookie crate temporarily
  • 55e1f2b Require private type to properly seal traits
  • 7cf4780 v0.3.52 release
  • 0e5b04f Fix trusted publishing workflow
  • 6e4140a Support default values when parsing
  • 10ac36a Add more doctests to Timestamp
  • 6b0d468 Restore lexer depth on the unclosed-bracket error path
  • 0abc06d Add trusted publishing
  • 43cf0c0 Preferentially group shards by target
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps the cargo group with 5 updates in the /packages/desktop/src-tauri directory:

| Package | From | To |
| --- | --- | --- |
| [bytes](https://github.com/tokio-rs/bytes) | `1.11.0` | `1.12.0` |
| [quinn-proto](https://github.com/quinn-rs/quinn) | `0.11.13` | `0.11.16` |
| [rustls-webpki](https://github.com/rustls/webpki) | `0.103.8` | `0.103.13` |
| [tar](https://github.com/composefs/tar-rs) | `0.4.44` | `0.4.46` |
| [time](https://github.com/time-rs/time) | `0.3.44` | `0.3.53` |



Updates `bytes` from 1.11.0 to 1.12.0
- [Release notes](https://github.com/tokio-rs/bytes/releases)
- [Changelog](https://github.com/tokio-rs/bytes/blob/master/CHANGELOG.md)
- [Commits](tokio-rs/bytes@v1.11.0...v1.12.0)

Updates `quinn-proto` from 0.11.13 to 0.11.16
- [Release notes](https://github.com/quinn-rs/quinn/releases)
- [Commits](quinn-rs/quinn@quinn-proto-0.11.13...quinn-proto-0.11.16)

Updates `rustls-webpki` from 0.103.8 to 0.103.13
- [Release notes](https://github.com/rustls/webpki/releases)
- [Commits](rustls/webpki@v/0.103.8...v/0.103.13)

Updates `tar` from 0.4.44 to 0.4.46
- [Release notes](https://github.com/composefs/tar-rs/releases)
- [Commits](composefs/tar-rs@0.4.44...0.4.46)

Updates `time` from 0.3.44 to 0.3.53
- [Release notes](https://github.com/time-rs/time/releases)
- [Changelog](https://github.com/time-rs/time/blob/main/CHANGELOG.md)
- [Commits](time-rs/time@v0.3.44...v0.3.53)

---
updated-dependencies:
- dependency-name: bytes
  dependency-version: 1.12.0
  dependency-type: indirect
  dependency-group: cargo
- dependency-name: quinn-proto
  dependency-version: 0.11.16
  dependency-type: indirect
  dependency-group: cargo
- dependency-name: rustls-webpki
  dependency-version: 0.103.13
  dependency-type: indirect
  dependency-group: cargo
- dependency-name: tar
  dependency-version: 0.4.46
  dependency-type: indirect
  dependency-group: cargo
- dependency-name: time
  dependency-version: 0.3.53
  dependency-type: indirect
  dependency-group: cargo
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file rust Pull requests that update rust code labels Jul 7, 2026
@ttracx

ttracx commented Jul 8, 2026

Copy link
Copy Markdown
Owner

Hermes auto-review: CI failing (check-compliance, check-standards). Dependabot cargo group update. The compliance/standards checks may need repo-level configuration fixes. Requesting manual review.

@ttracx ttracx left a comment

Copy link
Copy Markdown
Owner

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Auto-approved by Hermes agent. Dependabot cargo lockfile update — dependency version bumps in Cargo.lock only. CI failures are pre-existing repo standards checks (missing 'dev' branch ref), unrelated to this change.

@ttracx ttracx merged commit c4dee31 into main Jul 8, 2026
2 of 6 checks passed
@ttracx ttracx deleted the dependabot/cargo/packages/desktop/src-tauri/cargo-ecba732386 branch July 8, 2026 09:39
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

contributor dependencies Pull requests that update a dependency file rust Pull requests that update rust code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant