build(deps): bump the cargo group across 1 directory with 3 updates by dependabot[bot] · Pull Request #26 · saagpatel/AssistSupport

dependabot · 2026-04-14T02:22:11Z

Bumps the cargo group with 3 updates in the /src-tauri directory: rand, lz4_flex and rustls-webpki.

Updates rand from 0.8.5 to 0.9.2

Changelog

[0.9.2] - 2025-07-20

Deprecated

Deprecate rand::rngs::mock module and StepRng generator (#1634)

Additions

Enable WeightedIndex<usize> (de)serialization (#1646)

[0.9.1] - 2025-04-17

Security and unsafe

Revise "not a crypto library" policy again (#1565)

Remove zerocopy dependency from rand (#1579)

Fixes

Fix feature simd_support for recent nightly rust (#1586)

Changes

Allow fn rand::seq::index::sample_weighted and fn IndexedRandom::choose_multiple_weighted to return fewer than amount results (#1623), reverting an undocumented change (#1382) to the previous release.

Additions

Add rand::distr::Alphabetic distribution. (#1587)

Re-export rand_core (#1604)

#1565: rust-random/rand#1565 #1579: rust-random/rand#1579 #1586: rust-random/rand#1586 #1587: rust-random/rand#1587 #1604: rust-random/rand#1604 #1623: rust-random/rand#1623 #1634: rust-random/rand#1634 #1646: rust-random/rand#1646

[0.9.0] - 2025-01-27

Security and unsafe

Policy: "rand is not a crypto library" (#1514)

Remove fork-protection from ReseedingRng and ThreadRng. Instead, it is recommended to call ThreadRng::reseed on fork. (#1379)

Use zerocopy to replace some unsafe code (#1349, #1393, #1446, #1502)

Dependencies

Bump the MSRV to 1.63.0 (#1207, #1246, #1269, #1341, #1416, #1536); note that 1.60.0 may work for dependents when using --ignore-rust-version

Update to rand_core v0.9.0 (#1558)

Features

Support std feature without getrandom or rand_chacha (#1354)

Enable feature small_rng by default (#1455)

Remove implicit feature rand_chacha; use std_rng instead. (#1473)

Rename feature serde1 to serde (#1477)

Rename feature getrandom to os_rng (#1537)

... (truncated)

Commits

d3dd415 Prepare rand_core 0.9.2 (#1605)
99fabd2 Prepare rand_core 0.9.2
c7fe1c4 rand: re-export rand_core (#1604)
db2b1e0 rand: re-export rand_core
ee1d96f rand_core: implement reborrow for UnwrapMut (#1595)
e0eb2ee rand_core: implement reborrow for UnwrapMut
975f602 fixup clippy 1.85 warnings
775b05b Relax Sized requirements for blanket impls (#1593)
ec6d5c0 Prepare rand_core v0.9.1 (#1591)
6a06056 rand_core: introduce an UnwrapMut wrapper (#1589)
Additional commits viewable in compare view

Updates lz4_flex from 0.11.5 to 0.11.6

Changelog

Sourced from lz4_flex's changelog.

0.11.6 (2026-03-14)

Security Fix

Fix handling of invalid match offsets during decompression #84cdafb (thanks @Marcono1234)
Invalid match offsets (offset == 0) during decompression were not properly
handled, which could lead to invalid memory reads on untrusted input.
Users on 0.11.x should upgrade to 0.11.6.

Commits

6460047 bump version to 0.11.6
84cdafb fix handling of invalid match offsets during decompression
See full diff in compare view

Updates rustls-webpki from 0.103.9 to 0.103.11

Release notes

Sourced from rustls-webpki's releases.

0.103.11

In response to #464, we've slightly relaxed requirements for anchor_from_trust_cert() to ignore unknown extensions even if they're marked as critical. This only affects parsing a TrustAnchor from DER, for which most extensions are ignored anyway.

What's Changed

Backport parsing trust anchors with unknown critical extensions to 0.103 by @djc in rustls/webpki#466

0.103.10

Correct selection of candidate CRLs by Distribution Point and Issuing Distribution Point. If a certificate had more than one distributionPoint, then only the first distributionPoint would be considered against each CRL's IssuingDistributionPoint distributionPoint, and then the certificate's subsequent distributionPoints would be ignored.

The impact was that correctly provided CRLs would not be consulted to check revocation. With UnknownStatusPolicy::Deny (the default) this would lead to incorrect but safe Error::UnknownRevocationStatus. With UnknownStatusPolicy::Allow this would lead to inappropriate acceptance of revoked certificates.

This vulnerability is thought to be of limited impact. This is because both the certificate and CRL are signed -- an attacker would need to compromise a trusted issuing authority to trigger this bug. An attacker with such capabilities could likely bypass revocation checking through other more impactful means (such as publishing a valid, empty CRL.)

More likely, this bug would be latent in normal use, and an attacker could leverage faulty revocation checking to continue using a revoked credential.

This vulnerability is identified by GHSA-pwjx-qhcg-rvj4. Thank you to @1seal for the report.

What's Changed

Freshen up rel-0.103 by @ctz in rustls/webpki#455

Prepare 0.103.10 by @ctz in rustls/webpki#458

Full Changelog: rustls/webpki@v/0.103.9...v/0.103.10

Commits

57bc62c Bump version to 0.103.11
d0fa01e Allow parsing trust anchors with unknown criticial extensions
348ce01 Prepare 0.103.10
dbde592 crl: fix authoritative_for() support for multiple URIs
9c4838e avoid std::prelude imports
009ef66 fix rust 1.94 ambiguous panic macro warnings
c41360d build(deps): bump taiki-e/cache-cargo-install-action from 2 to 3
e401d00 generate.py: reformat for black 2026.1.0
06cedec Take semver-compatible deps
See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
@dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
@dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
@dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
@dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps the cargo group with 3 updates in the /src-tauri directory: [rand](https://github.com/rust-random/rand), [lz4_flex](https://github.com/pseitz/lz4_flex) and [rustls-webpki](https://github.com/rustls/webpki). Updates `rand` from 0.8.5 to 0.9.2 - [Release notes](https://github.com/rust-random/rand/releases) - [Changelog](https://github.com/rust-random/rand/blob/master/CHANGELOG.md) - [Commits](rust-random/rand@0.8.5...rand_core-0.9.2) Updates `lz4_flex` from 0.11.5 to 0.11.6 - [Release notes](https://github.com/pseitz/lz4_flex/releases) - [Changelog](https://github.com/PSeitz/lz4_flex/blob/main/CHANGELOG.md) - [Commits](PSeitz/lz4_flex@0.11.5...0.11.6) Updates `rustls-webpki` from 0.103.9 to 0.103.11 - [Release notes](https://github.com/rustls/webpki/releases) - [Commits](rustls/webpki@v/0.103.9...v/0.103.11) --- updated-dependencies: - dependency-name: rand dependency-version: 0.9.2 dependency-type: direct:production dependency-group: cargo - dependency-name: lz4_flex dependency-version: 0.11.6 dependency-type: indirect dependency-group: cargo - dependency-name: rustls-webpki dependency-version: 0.103.11 dependency-type: indirect dependency-group: cargo ... Signed-off-by: dependabot[bot] <support@github.com>

saagpatel · 2026-04-21T11:15:05Z

Rand 0.8.5 → 0.9.2 is blocked on upstream ecosystem compatibility, not branch governance alone.

Attempted this bump on codex/chore/deps-rand-0-9 (now deleted) with:

Cargo.toml: rand = "0.8" → rand = "0.9"
security.rs:1210,1237: rand::thread_rng() → rand::rng()
cargo update -p rand@0.8.5

Result: 3 compile errors in the production crypto path at security.rs:142, 972, 1026:

error[E0599]: the method `fill_bytes` exists for struct `aes_gcm::aead::OsRng`,
              but its trait bounds were not satisfied

Root cause: aes_gcm 0.10 re-exports OsRng from an older rand_core version (0.6.x). Our use rand::RngCore; previously resolved to a compatible trait via rand 0.8's re-export. Rand 0.9 ships rand_core 0.9, which is a new major — so the RngCore trait in scope no longer matches the one aes_gcm::aead::OsRng implements.

Clean fix would require either:

aes_gcm to update to a rand 0.9-compatible rand_core (upstream work, tracking RustCrypto/AEADs), or
Dual-importing rand_core traits for the two concerns (ugly), or
Replacing OsRng.fill_bytes() calls with direct getrandom::fill() (bypasses rand entirely; bigger refactor)

Two of the three bumps in this cargo group (lz4_flex 0.11.6 + rustls-webpki 0.103.13) have been split off into #40. Closing this Dependabot PR once #40 lands; rand itself stays on 0.8 pending aes_gcm's upstream release.

dependabot · 2026-04-21T11:17:24Z

This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.

To ignore these dependencies, configure ignore rules in dependabot.yml

dependabot Bot added dependencies Pull requests that update a dependency file rust Pull requests that update rust code labels Apr 14, 2026

dependabot Bot mentioned this pull request Apr 14, 2026

build(deps): bump the cargo group across 1 directory with 2 updates #13

Closed

This was referenced Apr 21, 2026

chore(deps): bump requests to 2.33.1 in search-api (replaces #11, #23) #31

Merged

chore(deps): bump lz4_flex and rustls-webpki (partial #26) #40

Merged

saagpatel closed this in #40 Apr 21, 2026

dependabot Bot deleted the dependabot/cargo/src-tauri/cargo-b59feef659 branch April 21, 2026 11:17

saagpatel mentioned this pull request Apr 21, 2026

build(deps): bump rand from 0.8.5 to 0.9.2 in /src-tauri in the cargo group across 1 directory #47

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

build(deps): bump the cargo group across 1 directory with 3 updates#26

build(deps): bump the cargo group across 1 directory with 3 updates#26
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/cargo/src-tauri/cargo-b59feef659

dependabot Bot commented on behalf of github Apr 14, 2026

Uh oh!

saagpatel commented Apr 21, 2026

Uh oh!

dependabot Bot commented on behalf of github Apr 21, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Conversation

dependabot Bot commented on behalf of github Apr 14, 2026

[0.9.2] - 2025-07-20

Deprecated

Additions

[0.9.1] - 2025-04-17

Security and unsafe

Fixes

Changes

Additions

[0.9.0] - 2025-01-27

Security and unsafe

Dependencies

Features

0.11.6 (2026-03-14)

Security Fix

0.103.11

What's Changed

0.103.10

What's Changed

Uh oh!

saagpatel commented Apr 21, 2026

Uh oh!

dependabot Bot commented on behalf of github Apr 21, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant