chore(deps): bump the cargo group across 1 directory with 3 updates

[dependabot]

Bumps the cargo group with 3 updates in the / directory: russh, rand and rustls-webpki.

Updates russh from 0.60.0 to 0.60.1

Release notes

Sourced from russh's releases.

v0.60.1

Security fixes

GHSA-f5v4-2wr6-hqmg in 6c3c80a

This DoS vulnerability allowed an unauthenticated user to trigger an out-of-memory condition in a russh based server if keyboard-interactive authentication is allowed. A malicious authentication packet could trigger a multi-GB memory allocation likely leading to the process getting killed by the OOM killer.

Fixes

• a9057ed: fixed #687 - PKCS8 key encryption not working (#688) (Eugene) #688

Commits

• 5a6ca29 v0.60.1
• 6c3c80a Merge commit from fork
• a9057ed fixed #687 - PKCS8 key encryption not working (#688)
• See full diff in compare view

Updates rand from 0.8.5 to 0.8.6

Changelog

Sourced from rand's changelog.

[0.8.6] - 2026-04-14

This release back-ports a fix from v0.10. See also #1763.

Changes

• Deprecate feature log (#1772)

#1763: rust-random/rand#1763 #1772: rust-random/rand#1772

• Drop the experimental simd_support feature.

Commits

• 5309f25 0.8.6 (#1772): update for recent nightly rustc and backport #1764
• 1126d03 When testing rustc 1.36, use compatible dependencies.
• 143b602 Add Cargo.lock.msrv.
• 9be86f2 Fix cross build test.
• 5e0d50d Drop simd_support.
• 8ff02f0 Upgrade cache action.
• 4ad0cc3 Don't test for unsupported target architecture.
• 258e6d0 Address warning.
• 9f0e676 Mark some internal traits as potentially unused.
• 6f123c1 Workaround never constructed and never used warning.
• Additional commits viewable in compare view

Updates rustls-webpki from 0.103.10 to 0.103.13

Release notes

Sourced from rustls-webpki's releases.

0.103.13

• Fix reachable panic in parsing a CRL. This was reported to us as GHSA-82j2-j2ch-gfr8. Users who don't use CRLs are not affected.
• For name constraints on URI names, we incorrectly processed excluded subtrees in a way which inverted the desired meaning. See rustls/webpki#471. This was a case missing in the fix for GHSA-965h-392x-2mh5.

What's Changed

• Actually fail closed for URI matching against excluded subtrees by @​djc in rustls/webpki#473
• Prepare 0.103.13 by @​ctz in rustls/webpki#474

Full Changelog: rustls/webpki@v/0.103.12...v/0.103.13

0.103.12

This release fixes two bugs in name constraint enforcement:

• GHSA-965h-392x-2mh5: name constraints for URI names were ignored and therefore accepted. URI name constraints are now rejected unconditionally. Note this library does not provide an API for asserting URI names, and URI name constraints are otherwise not implemented.
• GHSA-xgp8-3hg3-c2mh: permitted subtree name constraints for DNS names were accepted for certificates asserting a wildcard name. This was incorrect because, given a name constraint of accept.example.com, *.example.com could feasibly allow a name of reject.example.com which is outside the constraint. This is very similar to CVE-2025-61727.

Since name constraints are restrictions on otherwise properly-issued certificates, these bugs are reachable only after signature verification and require misissuance to exploit.

What's Changed

• Prepare 0.103.12 by @​djc in rustls/webpki#470

Full Changelog: rustls/webpki@v/0.103.11...v/0.103.12

0.103.11

In response to #464, we've slightly relaxed requirements for anchor_from_trust_cert() to ignore unknown extensions even if they're marked as critical. This only affects parsing a TrustAnchor from DER, for which most extensions are ignored anyway.

What's Changed

• Backport parsing trust anchors with unknown critical extensions to 0.103 by @​djc in rustls/webpki#466

Commits

• 2879b2c Prepare 0.103.13
• 2c49773 Improve tests for padding of BitStringFlags
• 4e3c0b3 Correct validation of BIT STRING constraints
• 39c91d2 Actually fail closed for URI matching against excluded subtrees
• 27131d4 Bump version to 0.103.12
• 6ecb876 Clean up stuttery enum variant names
• 318b3e6 Ignore wildcard labels when matching name constraints
• 1219622 Rewrite constraint matching to avoid permissive catch-all branch
• 57bc62c Bump version to 0.103.11
• d0fa01e Allow parsing trust anchors with unknown criticial extensions
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[NikolayS]

REV review — PR #834

Three patch-level cargo bumps, all with upstream security advisory fixes. Lockfile-only change. Verified against the codebase to confirm no API contact with the deprecated/removed surfaces.

Findings

• INFO security: russh 0.60.0 → 0.60.1 carries a DoS advisory fix (GHSA-f5v4-2wr6-hqmg) for keyboard-interactive auth — but the vector is server-side. rpg uses russh exclusively as an SSH client (src/ssh_tunnel.rs); confirmed no russh::Server / Server::run usage in src/ (grep -rn "russh.*server\|Server::run" src/ returns nothing). DoS is not exploitable here. The accompanying PKCS8 key encryption fix (#688) is a clean bonus for users who load encrypted keys.
• INFO security: rustls-webpki 0.103.10 → 0.103.13 fixes a reachable panic in CRL parsing (GHSA-82j2-j2ch-gfr8) and a URI name-constraint correctness bug. rpg's TLS path goes through this crate transitively via tokio-rustls. Patch bump, no API change.
• INFO compat: rand 0.8.5 → 0.8.6 is a nightly-compat backport from v0.10. Deprecates the log feature and drops the experimental simd_support feature. Confirmed rpg does not use either — grep -rn "rand.*log\|simd_support" src/ Cargo.toml is empty. Pure transitive-dep bump.
• INFO scope: only Cargo.lock changes. No Cargo.toml edits. Dependabot grouped these correctly.
• INFO comparison with closed chore(deps): bump the cargo group across 1 directory with 2 updates #826: that earlier PR carried the rand + rustls-webpki bumps but kept failing CI mysteriously with logs purged. This recreate (after the H5/H6/chore: align project metadata, MSRV, and CI PG matrix (#824) #825 merges) plus dependabot's own rebase produced clean CI on every check. Nothing about the bumps is the issue — the earlier failure pattern was branch-state-dependent.

Verdict

PASS

---

End-to-end test evidence

Build

$ cd /tmp/rpg-834 && cargo build --all-targets --all-features
   Compiling rustls-webpki v0.103.13
   Compiling tokio-rustls v0.26.4
   Compiling hyper-rustls v0.27.7
   Compiling reqwest v0.12.28
    Finished `dev` profile [unoptimized + debuginfo] target(s) in 42.79s

Clippy

$ cargo clippy --all-targets --all-features -- -D warnings
    Checking internal-russh-forked-ssh-key v0.6.18+upstream-0.6.7
    Checking russh v0.60.1
    Finished `dev` profile [unoptimized + debuginfo] target(s) in 17.19s

Zero warnings under -D warnings. russh v0.60.1 (the bumped version) compiles clean.

Tests

$ cargo test --lib --bins
test result: ok. 2066 passed; 0 failed; 4 ignored; 0 measured; 0 filtered out; finished in 0.07s

(2066 = main's current count after H5/H6 landed: 2063 + 1 H5 test + 2 H6 tests.)

CI

26/26 checks green on 2eb9aab, including clippy on the matrix-expanded PG 14–18 integration tests, MSRV 1.88, and TLS connection tests (the rustls-webpki path).

Ready for merge.