Update dependencies to address Dependabot CVE reports

[jerrysxie]

Summary

Update bootloader-tool dependencies to address CVE reports flagged by Dependabot.

Dependency Changes

Dependency	Before	After	Type
rsa	0.9.8	0.9.10	direct
time	0.3.44	0.3.47	transitive (lock file)
probe-rs	0.29.1	0.31.0	direct
object	0.37.3	0.38	direct
espflash	3.3.0	4.3.0	transitive
xmas-elf	0.9.1	removed	transitive

Dependabot Alerts & CVE Details

1. time — CVE-2026-25727 / RUSTSEC-2026-0009: Denial of Service via Stack Exhaustion

• Severity: MEDIUM (CVSS 6.8)
• Advisory: RUSTSEC-2026-0009 / GHSA-r6v5-fh4h-64xc
• Affected versions: >=0.3.6, <0.3.47
• Patched in: >=0.3.47
• Impact: When user-provided input is parsed with the RFC 2822 format, a denial of service attack via stack exhaustion is possible. The attack relies on formally deprecated and rarely-used features that are part of the RFC 2822 format used in a malicious manner.
• Fix: Updated time from 0.3.44 → 0.3.47, which adds a recursion depth limit.

2. rsa — CVE-2023-49092 / RUSTSEC-2023-0071: Marvin Attack (timing sidechannel)

• Severity: MEDIUM (CVSS 5.9)
• Advisory: RUSTSEC-2023-0071 / GHSA-4grx-2x9w-596c
• Affected versions: <=0.9.6
• Impact: Due to a non-constant-time implementation, information about the private key is leaked through timing information observable over the network. An attacker may be able to use that information to recover the key.
• Note: The upstream rsa crate has no fully patched version yet — this advisory remains open. The update from 0.9.8 → 0.9.10 picks up the latest available improvements. This is a CLI tool, not a network service, so exposure is minimal.

3. xmas-elf — Dependabot flagged for update to 0.10

• xmas-elf 0.9.1 was a transitive dependency via espflash 3.x (pulled in by probe-rs 0.29.1).
• It could not be updated to 0.10 under the old version constraint.
• Resolution: Updated probe-rs from 0.29.1 → 0.31.0, which depends on espflash ^4. espflash 4.x dropped xmas-elf entirely (replaced by the object crate), removing it from the dependency tree altogether.

Testing

• cargo check passes successfully with all updated dependencies.

[Copilot]

Pull request overview

Updates bootloader-tool’s Rust dependency set to address Dependabot-reported CVEs and remove a flagged transitive dependency (xmas-elf) by moving to newer probe-rs/espflash versions.

Changes:

• Bump direct dependencies: probe-rs to 0.31.0, object to 0.38, and rsa to 0.9.10.
• Refresh Cargo.lock to pull in patched time (0.3.47) and updated transitive dependencies, including espflash 4.3.0.
• Remove xmas-elf from the resolved dependency tree via the updated espflash dependency graph.

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.

File	Description
bootloader-tool/Cargo.toml	Updates direct dependency versions to newer, security-aligned releases.
bootloader-tool/Cargo.lock	Locks updated transitive dependency graph (notably time patch and xmas-elf removal).

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[kurtjd]

Approved pending fix of warning.

[Copilot]

Pull request overview

Copilot reviewed 4 out of 5 changed files in this pull request and generated 5 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[jerrysxie]

@gjpmsft @JamesHuard Please give this a review and let me know if there is any concern.