
Bump the cargo group across 4 directories with 4 updates #903

Closed
dependabot[bot] wants to merge 1 commit into main from dependabot/cargo/cargo-5a0b961ed7

Conversation


@dependabot dependabot Bot commented on behalf of github Apr 23, 2026

Bumps the cargo group with 4 updates in the / directory: rand, openssl, quinn-proto and rustls-webpki.
Bumps the cargo group with 4 updates in the /helix-cli directory: rand, openssl, quinn-proto and rustls-webpki.
Bumps the cargo group with 3 updates in the /helix-container directory: rand, openssl and rustls-webpki.
Bumps the cargo group with 1 update in the /hql-tests directory: rustls-webpki.

Updates rand from 0.9.1 to 0.9.3

Changelog

Sourced from rand's changelog.

[0.9.3] — 2026-02-11

This release back-ports a fix from v0.10. See also #1763.

Changes

  • Deprecate feature log (#1764)
  • Replace usages of doc_auto_cfg (#1764)

#1763: rust-random/rand#1763

[0.9.2] — 2025-07-20

Deprecated

  • Deprecate rand::rngs::mock module and StepRng generator (#1634)

Additions

  • Enable WeightedIndex<usize> (de)serialization (#1646)
Commits

Updates openssl from 0.10.72 to 0.10.78

Release notes

Sourced from openssl's releases.

openssl-v0.10.78

What's Changed

Full Changelog: rust-openssl/rust-openssl@openssl-v0.10.77...openssl-v0.10.78

openssl-v0.10.77

What's Changed

New Contributors

Full Changelog: rust-openssl/rust-openssl@openssl-v0.10.76...openssl-v0.10.77

openssl-v0.10.76

What's Changed

... (truncated)

Commits
  • a6debf5 Release openssl v0.10.78 and openssl-sys v0.9.114 (#2609)
  • 09b425e Check derive output buffer length on OpenSSL 1.1.x (#2606)
  • 826c388 Error for short out in MdCtxRef::digest_final() (#2608)
  • 1d10902 Validate callback-returned lengths in PSK and cookie trampolines (#2607)
  • 5af6895 Reject oversized length returns from password callback trampoline (#2605)
  • 718d07f fix inverted bounds assertion in AES key unwrap (#2604)
  • 53cc69d Add support for LibreSSL 4.3.x (#2603)
  • 0b41e79 Fix dangling stack pointer in custom extension add callback (#2599)
  • cbdedf8 Avoid panic for overlong OIDs (#2598)
  • 1fc51ef openssl 4 support (#2591)
  • Additional commits viewable in compare view

Updates quinn-proto from 0.11.13 to 0.11.14

Release notes

Sourced from quinn-proto's releases.

quinn-proto 0.11.14

@jxs reported a denial of service issue in quinn-proto 5 days ago:

We coordinated with them to release this version to patch the issue. Unfortunately the maintainers missed these issues during code review and we did not have enough fuzzing coverage -- we regret the oversight and have added an additional fuzzing target.

Organizations that want to participate in coordinated disclosure can contact us privately to discuss terms.

What's Changed

Commits
  • 2c315aa proto: bump version to 0.11.14
  • 8ad47f4 Use newer rustls-pki-types PEM parser API
  • c81c028 ci: fix workflow syntax
  • 0050172 ci: pin wasm-bindgen-cli version
  • 8a6f82c Take semver-compatible dependency updates
  • e52db4a Apply suggestions from clippy 1.91
  • 6df7275 chore: Fix unnecessary_unwrap clippy
  • c8eefa0 proto: avoid unwrapping varint decoding during parameters parsing
  • 9723a97 fuzz: add fuzzing target for parsing transport parameters
  • eaf0ef3 Fix over-permissive proto dependency edge (#2385)
  • Additional commits viewable in compare view

Updates rustls-webpki from 0.103.1 to 0.103.3

Release notes

Sourced from rustls-webpki's releases.

0.103.3

Add support for RSA signature algorithms that don't include parameters. Per RFC 4055 section 5, implementations of the SHA-1/SHA-2 one-way hash functions "MUST accept the parameters being absent as well as present".

What's Changed

0.103.2

  • Maintain context for key usage mismatch errors in order to make them easier to interpret.
  • Accept certificates with an empty extension sequence.

What's Changed

Commits
  • 34a2392 Bump version to 0.103.3
  • 16abda1 Support RSA PKCS#1 signatures with absent parameters
  • 0ac75b1 cargo-check-external-types: update toolchain
  • 1e923bf ci: enable triggering CI workflow manually
  • f4a8783 ci: skip push triggers for most branches
  • 9cf30f6 Bump version to 0.103.2
  • baac0b0 Maintain context for key usage mismatch errors
  • 85d885d tests: remove test certs for client_auth tests
  • 7badc0e tests: move check_cert() down
  • 5b3dae1 tests: use rcgen for client_auth tests
  • Additional commits viewable in compare view

Updates rand from 0.8.5 to 0.8.6

Updates openssl from 0.10.75 to 0.10.78

Updates quinn-proto from 0.11.13 to 0.11.14

Updates rustls-webpki from 0.103.9 to 0.103.13

Updates rand from 0.9.2 to 0.9.3

Updates openssl from 0.10.75 to 0.10.78

Updates rustls-webpki from 0.103.9 to 0.103.13

Release notes

Sourced from rustls-webpki's releases.

0.103.3

Add support for RSA signature algorithms that don't include parameters. Per RFC 4055 section 5, implementations of the SHA-1/SHA-2 one-way hash functions "MUST accept the parameters being absent as well as present".

What's Changed

0.103.2

  • Maintain context for key usage mismatch errors in order to make them easier to interpret.
  • Accept certificates with an empty extension sequence.

What's Changed

  • Fix CI build failures, tidy cargo-deny config by @cpu in rustls/webpki#339
  • Update semver-compatible dependencies by

(Description has been truncated)

    Greptile Summary

    This dependabot PR bumps rand (→ 0.9.3), openssl (→ 0.10.78), quinn-proto (→ 0.11.14), and rustls-webpki (→ 0.103.3) across four workspace directories. Notably, quinn-proto 0.11.14 patches a reported denial-of-service advisory (GHSA-6xvm-j4wr-6v98).

    • helix-cli/Cargo.lock contains 16 new packages and a helix-cli version bump (2.2.7 → 2.3.4) that are outside the scope of these four dependency updates — this should be verified or split into a separate PR.

    Important Files Changed

      • Cargo.lock: Root lock file updated for rand 0.9.3, openssl 0.10.78, quinn-proto 0.11.14, rustls-webpki 0.103.3 — clean, expected changes only
      • helix-cli/Cargo.lock: Contains the stated security/patch bumps but also 16 new packages (helix-enterprise-ql, aws-lc-rs/sys, tui-banner, reqwest 0.13.2, etc.) and helix-cli 2.2.7→2.3.4 — scope exceeds stated dependency bumps
      • helix-container/Cargo.lock: Lock file updated for rand, openssl, rustls-webpki patches — matches stated scope
      • helix-container/Cargo.toml: rand bumped from 0.9.1 to 0.9.3 — correct and minimal change
      • helix-db/Cargo.toml: rand bumped from 0.9.0 to 0.9.3 in both [dependencies] and [dev-dependencies] — correct
      • hql-tests/Cargo.lock: rustls-webpki bumped from 0.103.1 to 0.103.3 — clean, expected change

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[Dependabot PR] --> B[4 Dependency Updates]
    B --> C[rand 0.9.1 to 0.9.3]
    B --> D[openssl 0.10.72 to 0.10.78]
    B --> E[quinn-proto 0.11.13 to 0.11.14]
    B --> F[rustls-webpki 0.103.1 to 0.103.3]

    E --> E1[Patches DoS advisory GHSA-6xvm-j4wr-6v98]
    D --> D1[Fixes dangling pointer and AES unwrap bounds]

    B --> G[4 Workspace Directories]
    G --> G1[root]
    G --> G2[helix-cli]
    G --> G3[helix-container]
    G --> G4[hql-tests]

    G2 --> W[Warning: Cargo.lock has 16 extra new packages and helix-cli version bump 2.2.7 to 2.3.4]

Reviews (1): Last reviewed commit: "Bump the cargo group across 4 directorie..."

Greptile also left 1 inline comment on this PR.
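The rustls-webpki 0.103.3 release note above cites RFC 4055 section 5, under which an RSA PKCS#1 signature AlgorithmIdentifier is valid with its parameters either encoded as an explicit NULL or omitted entirely. The matcher below, added here as an illustration and not rustls-webpki's own code, accepts exactly those two encodings for sha256WithRSAEncryption and rejects any other parameters or trailing bytes; the DER byte strings are constructed by hand.

```python
"""Match a DER AlgorithmIdentifier for sha256WithRSAEncryption the way
RFC 4055 section 5 requires: parameters may be NULL or absent, nothing else.

Illustrative code, not taken from rustls-webpki. The OID and the sample
encodings below are hand-constructed."""

# OID 1.2.840.113549.1.1.11 (sha256WithRSAEncryption), DER content octets
SHA256_WITH_RSA_OID = bytes.fromhex("2a864886f70d01010b")


def _read_tlv(buf: bytes, pos: int):
    """Read one short-form DER TLV at pos; return (tag, value, next_pos).
    Short-form lengths (< 128) are all an AlgorithmIdentifier needs."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    if length >= 0x80:
        raise ValueError("long-form length not expected in AlgorithmIdentifier")
    end = pos + 2 + length
    if end > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos + 2:end], end


def is_sha256_with_rsa(alg_id: bytes) -> bool:
    """True iff alg_id is SEQUENCE { OID sha256WithRSAEncryption, params }
    with params either absent or an explicit NULL (05 00).
    Any other parameters, or bytes after the SEQUENCE, are rejected."""
    tag, body, end = _read_tlv(alg_id, 0)
    if tag != 0x30 or end != len(alg_id):
        return False  # not a SEQUENCE, or trailing data after it
    tag, oid, pos = _read_tlv(body, 0)
    if tag != 0x06 or oid != SHA256_WITH_RSA_OID:
        return False
    if pos == len(body):
        return True  # parameters absent: permitted by RFC 4055 section 5
    tag, params, pos = _read_tlv(body, pos)
    return tag == 0x05 and params == b"" and pos == len(body)


# Constructed encodings: NULL parameters, absent parameters, bogus parameters
WITH_NULL = bytes.fromhex("300d06092a864886f70d01010b0500")
ABSENT = bytes.fromhex("300b06092a864886f70d01010b")
BOGUS = bytes.fromhex("300e06092a864886f70d01010b0401aa")  # OCTET STRING params
```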

Bumps the cargo group with 4 updates in the / directory: [rand](https://github.com/rust-random/rand), [openssl](https://github.com/rust-openssl/rust-openssl), [quinn-proto](https://github.com/quinn-rs/quinn) and [rustls-webpki](https://github.com/rustls/webpki).
Bumps the cargo group with 4 updates in the /helix-cli directory: [rand](https://github.com/rust-random/rand), [openssl](https://github.com/rust-openssl/rust-openssl), [quinn-proto](https://github.com/quinn-rs/quinn) and [rustls-webpki](https://github.com/rustls/webpki).
Bumps the cargo group with 3 updates in the /helix-container directory: [rand](https://github.com/rust-random/rand), [openssl](https://github.com/rust-openssl/rust-openssl) and [rustls-webpki](https://github.com/rustls/webpki).
Bumps the cargo group with 1 update in the /hql-tests directory: [rustls-webpki](https://github.com/rustls/webpki).


Updates `rand` from 0.9.1 to 0.9.3
- [Release notes](https://github.com/rust-random/rand/releases)
- [Changelog](https://github.com/rust-random/rand/blob/0.9.3/CHANGELOG.md)
- [Commits](rust-random/rand@rand_core-0.9.1...0.9.3)

Updates `openssl` from 0.10.72 to 0.10.78
- [Release notes](https://github.com/rust-openssl/rust-openssl/releases)
- [Commits](rust-openssl/rust-openssl@openssl-v0.10.72...openssl-v0.10.78)

Updates `quinn-proto` from 0.11.13 to 0.11.14
- [Release notes](https://github.com/quinn-rs/quinn/releases)
- [Commits](quinn-rs/quinn@quinn-proto-0.11.13...quinn-proto-0.11.14)

Updates `rustls-webpki` from 0.103.1 to 0.103.3
- [Release notes](https://github.com/rustls/webpki/releases)
- [Commits](rustls/webpki@v/0.103.1...v/0.103.3)

Updates `rand` from 0.8.5 to 0.8.6
- [Release notes](https://github.com/rust-random/rand/releases)
- [Changelog](https://github.com/rust-random/rand/blob/0.9.3/CHANGELOG.md)
- [Commits](rust-random/rand@rand_core-0.9.1...0.9.3)

Updates `openssl` from 0.10.75 to 0.10.78
- [Release notes](https://github.com/rust-openssl/rust-openssl/releases)
- [Commits](rust-openssl/rust-openssl@openssl-v0.10.72...openssl-v0.10.78)

Updates `quinn-proto` from 0.11.13 to 0.11.14
- [Release notes](https://github.com/quinn-rs/quinn/releases)
- [Commits](quinn-rs/quinn@quinn-proto-0.11.13...quinn-proto-0.11.14)

Updates `rustls-webpki` from 0.103.9 to 0.103.13
- [Release notes](https://github.com/rustls/webpki/releases)
- [Commits](rustls/webpki@v/0.103.1...v/0.103.3)

Updates `rand` from 0.9.2 to 0.9.3
- [Release notes](https://github.com/rust-random/rand/releases)
- [Changelog](https://github.com/rust-random/rand/blob/0.9.3/CHANGELOG.md)
- [Commits](rust-random/rand@rand_core-0.9.1...0.9.3)

Updates `openssl` from 0.10.75 to 0.10.78
- [Release notes](https://github.com/rust-openssl/rust-openssl/releases)
- [Commits](rust-openssl/rust-openssl@openssl-v0.10.72...openssl-v0.10.78)

Updates `rustls-webpki` from 0.103.9 to 0.103.13
- [Release notes](https://github.com/rustls/webpki/releases)
- [Commits](rustls/webpki@v/0.103.1...v/0.103.3)

Updates `rustls-webpki` from 0.103.7 to 0.103.13
- [Release notes](https://github.com/rustls/webpki/releases)
- [Commits](rustls/webpki@v/0.103.1...v/0.103.3)

---
updated-dependencies:
- dependency-name: rand
  dependency-version: 0.9.3
  dependency-type: direct:production
  dependency-group: cargo
- dependency-name: openssl
  dependency-version: 0.10.78
  dependency-type: indirect
  dependency-group: cargo
- dependency-name: quinn-proto
  dependency-version: 0.11.14
  dependency-type: indirect
  dependency-group: cargo
- dependency-name: rustls-webpki
  dependency-version: 0.103.3
  dependency-type: indirect
  dependency-group: cargo
- dependency-name: rand
  dependency-version: 0.8.6
  dependency-type: indirect
  dependency-group: cargo
- dependency-name: openssl
  dependency-version: 0.10.78
  dependency-type: indirect
  dependency-group: cargo
- dependency-name: quinn-proto
  dependency-version: 0.11.14
  dependency-type: indirect
  dependency-group: cargo
- dependency-name: rustls-webpki
  dependency-version: 0.103.13
  dependency-type: indirect
  dependency-group: cargo
- dependency-name: rand
  dependency-version: 0.9.3
  dependency-type: direct:production
  dependency-group: cargo
- dependency-name: openssl
  dependency-version: 0.10.78
  dependency-type: indirect
  dependency-group: cargo
- dependency-name: rustls-webpki
  dependency-version: 0.103.13
  dependency-type: indirect
  dependency-group: cargo
- dependency-name: rustls-webpki
  dependency-version: 0.103.13
  dependency-type: indirect
  dependency-group: cargo
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the dependencies (Pull requests that update a dependency file) and rust (Pull requests that update rust code) labels Apr 23, 2026
Comment thread helix-cli/Cargo.lock
@@ -1044,9 +1089,10 @@ dependencies = [


P1 Unexpected extra changes in helix-cli/Cargo.lock

This lock file contains 16 new packages and a version bump to helix-cli itself (2.2.7 → 2.3.4) that go well beyond the four stated dependency updates. New entries include helix-enterprise-ql, aws-lc-rs, aws-lc-sys, cmake, tui-banner, reqwest 0.13.2, rustls-platform-verifier, and others. These appear to be unrelated feature additions or a stale lock file that was regenerated in full. If this is intentional, it should be split into a separate PR; if not, the lock file should be regenerated only against the bumped packages.
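One way to mechanise the check behind that P1 finding, as an added example that is not part of the PR or the helix project: diff two Cargo.lock files and flag every crate whose version set changed but that is not among the crates the PR says it bumps. The lock-file excerpts and the STATED set are constructed to mirror the comment (a bump of helix-cli itself and an unrelated new crate riding along).

```python
"""Audit a dependency-bump PR: diff two Cargo.lock files and flag crates
that changed but are not among the crates the PR says it bumps.

Added example, not code from the PR or the helix project. The lock-file
excerpts and STATED set below are constructed to mirror the P1 finding."""
import re
from typing import Dict, Set

# Cargo.lock is TOML, but every [[package]] entry starts with its name and
# version lines, which is all a scope check needs (no TOML library required).
_PKG_RE = re.compile(r'^\[\[package\]\]\nname = "([^"]+)"\nversion = "([^"]+)"',
                     re.MULTILINE)


def parse_lock(text: str) -> Dict[str, Set[str]]:
    """Map crate name -> set of versions present. A crate can appear twice
    when semver-incompatible versions coexist (e.g. rand 0.8 and 0.9)."""
    out: Dict[str, Set[str]] = {}
    for name, version in _PKG_RE.findall(text):
        out.setdefault(name, set()).add(version)
    return out


def lock_diff(before: str, after: str) -> Dict[str, Dict[str, Set[str]]]:
    """Crates whose version set changed (added, removed or bumped)."""
    old, new = parse_lock(before), parse_lock(after)
    return {name: {"before": old.get(name, set()), "after": new.get(name, set())}
            for name in old.keys() | new.keys()
            if old.get(name, set()) != new.get(name, set())}


def out_of_scope(diff: Dict[str, Dict[str, Set[str]]], stated: Set[str]) -> Set[str]:
    """Changed crates the PR description never mentioned: these need review."""
    return {name for name in diff if name not in stated}


# Constructed helix-cli/Cargo.lock excerpts, before and after the bump.
BEFORE = """\
[[package]]
name = "helix-cli"
version = "2.2.7"

[[package]]
name = "openssl"
version = "0.10.72"

[[package]]
name = "rand"
version = "0.8.5"

[[package]]
name = "rand"
version = "0.9.1"
"""
AFTER = (BEFORE.replace('"2.2.7"', '"2.3.4"').replace('"0.10.72"', '"0.10.78"')
         .replace('"0.8.5"', '"0.8.6"').replace('"0.9.1"', '"0.9.3"')) + """\
[[package]]
name = "tui-banner"
version = "0.1.0"
"""
STATED = {"rand", "openssl", "quinn-proto", "rustls-webpki"}  # from the PR body
```

Running `out_of_scope(lock_diff(BEFORE, AFTER), STATED)` on these excerpts reports helix-cli and tui-banner, which is what the review comment flags.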

@dependabot @github
Contributor Author

dependabot Bot commented on behalf of github May 6, 2026

Superseded by #905.

@dependabot dependabot Bot closed this May 6, 2026
@dependabot dependabot Bot deleted the dependabot/cargo/cargo-5a0b961ed7 branch May 6, 2026 19:22