Skip to content

chore(deps): weekly safe cargo updates · 3 packages#35

Open
mendral-app[bot] wants to merge 2 commits into
mainfrom
mendral/deps/weekly-safe-cargo-20260713
Open

chore(deps): weekly safe cargo updates · 3 packages#35
mendral-app[bot] wants to merge 2 commits into
mainfrom
mendral/deps/weekly-safe-cargo-20260713

Conversation

@mendral-app

@mendral-app mendral-app Bot commented Jul 13, 2026

Copy link
Copy Markdown

Packages bumped

Crate Old New Published
ammonia 4.1.2 4.1.3 2026-06-30
rustls 0.23.37 0.23.41 2026-06-22
mockall 0.14.0 0.15.0 2026-06-28
Per-package detail

ammonia 4.1.2 → 4.1.3

  • Security fix: Patches mXSS vulnerability in MathML annotation-xml encoding strip (GHSA-9jh8-v38h-cvhr). Specially crafted MathML content could bypass sanitization causing namespace switches after cleanup.
  • Upgraded internal html5ever to 0.37+.
  • Impact: ammonia is used in src/sanitize/ for HTML sanitization of PR content. This security fix is directly relevant — applying it protects against crafted payloads in PR bodies.

rustls 0.23.37 → 0.23.41

  • 0.23.38: Backport allowing ALPN validation skip on client side.
  • 0.23.39: Nightly read_buf adaptation (non-default feature).
  • 0.23.40: ECH padding fixes; ServerConfig::require_ems default now follows CryptoProvider's FIPS status.
  • 0.23.41: Further read_buf API adaptation.
  • Impact: We use rustls with ring feature only, default TLS for reqwest/octocrab. No behavioral change for our usage — we don't use ECH or custom require_ems settings.

mockall 0.14.0 → 0.15.0

  • Added compatibility with #[auto_impl] macro.
  • No breaking changes; MSRV unchanged at 1.77.0.
  • Impact: Dev-only dependency. Existing mock definitions compile without changes.

Files modified

  • Cargo.toml
  • Cargo.lock
Skipped this ecosystem
Crate Current Latest eligible Reason
askama_escape 0.15.4 0.16.0 Open PR #24
axum 0.8.8 0.8.9 Open PR #31
chrono 0.4.44 0.4.45 Open PR #31
hmac 0.12.1 0.13.0 Open PR #33
http 1.4.0 1.4.2 Open PR #29
jsonwebtoken 10.3.0 10.4.0 Open PR #29
octocrab 0.49.5 0.53.1 Open PR #28
rand 0.10.0 0.10.2 Open PR #31 (at 0.10.1)
reqwest 0.13.2 0.13.4 Open PR #31
serde_json 1.0.149 1.0.150 Open PR #29
sha2 0.10.9 0.11.0 Open PR #33
tokio 1.49.0 1.52.3 Open PR #29
tracing-subscriber 0.3.22 0.3.23 Open PR #29
uuid 1.21.0 1.23.4 Open PR #29 (at 1.23.3)
async-trait 0.1.89 0.1.89 Already latest
hex 0.4.3 0.4.3 Already latest
http-body-util 0.1.3 0.1.3 Already latest
serde 1.0.228 1.0.228 Already latest
thiserror 2.0.18 2.0.18 Already latest
tower 0.5.3 0.5.3 Already latest
tracing 0.1.44 0.1.44 Already latest

Note

Created by Mendral. Tag @mendral-app with feedback or questions.

mendral-app Bot added 2 commits July 13, 2026 02:31
Bump ammonia (4.1.2 → 4.1.3), rustls (0.23.37 → 0.23.41),
mockall (0.14.0 → 0.15.0).
Required by new org policy enforcing SHA-pinned actions.
@cloudflare-workers-and-pages

cloudflare-workers-and-pages Bot commented Jul 13, 2026

Copy link
Copy Markdown

Deploying pratrol with  Cloudflare Pages  Cloudflare Pages

Latest commit: 56fe9e9
Status: ✅  Deploy successful!
Preview URL: https://cdcfa0dc.pratrol.pages.dev
Branch Preview URL: https://mendral-deps-weekly-safe-car-yfmr.pratrol.pages.dev

View logs

@mendral-app mendral-app Bot marked this pull request as ready for review July 13, 2026 09:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants