Bump the cargo group across 2 directories with 5 updates #2317

Closed
dependabot[bot] wants to merge 1 commit into master from dependabot/cargo/cargo-5efc64c9fe
@dependabot dependabot bot commented on behalf of github Mar 25, 2026

Bumps the cargo group with 3 updates in the / directory: quinn-proto, rustls-webpki and tar.
Bumps the cargo group with 3 updates in the /contracts/feature-tests/gas-tests directory: bytes, keccak and tar.

Updates quinn-proto from 0.11.13 to 0.11.14

Release notes

Sourced from quinn-proto's releases.

quinn-proto 0.11.14

@​jxs reported a denial of service issue in quinn-proto 5 days ago:

We coordinated with them to release this version to patch the issue. Unfortunately the maintainers missed these issues during code review and we did not have enough fuzzing coverage -- we regret the oversight and have added an additional fuzzing target.

Organizations that want to participate in coordinated disclosure can contact us privately to discuss terms.

What's Changed

Commits
  • 2c315aa proto: bump version to 0.11.14
  • 8ad47f4 Use newer rustls-pki-types PEM parser API
  • c81c028 ci: fix workflow syntax
  • 0050172 ci: pin wasm-bindgen-cli version
  • 8a6f82c Take semver-compatible dependency updates
  • e52db4a Apply suggestions from clippy 1.91
  • 6df7275 chore: Fix unnecessary_unwrap clippy
  • c8eefa0 proto: avoid unwrapping varint decoding during parameters parsing
  • 9723a97 fuzz: add fuzzing target for parsing transport parameters
  • eaf0ef3 Fix over-permissive proto dependency edge (#2385)
  • Additional commits viewable in compare view

Updates rustls-webpki from 0.103.9 to 0.103.10

Release notes

Sourced from rustls-webpki's releases.

0.103.10

Correct selection of candidate CRLs by Distribution Point and Issuing Distribution Point. If a certificate had more than one distributionPoint, then only the first distributionPoint would be considered against each CRL's IssuingDistributionPoint distributionPoint, and then the certificate's subsequent distributionPoints would be ignored.

The impact was that correctly provided CRLs would not be consulted to check revocation. With UnknownStatusPolicy::Deny (the default) this would lead to incorrect but safe Error::UnknownRevocationStatus. With UnknownStatusPolicy::Allow this would lead to inappropriate acceptance of revoked certificates.

This vulnerability is thought to be of limited impact. This is because both the certificate and CRL are signed -- an attacker would need to compromise a trusted issuing authority to trigger this bug. An attacker with such capabilities could likely bypass revocation checking through other more impactful means (such as publishing a valid, empty CRL.)

More likely, this bug would be latent in normal use, and an attacker could leverage faulty revocation checking to continue using a revoked credential.

This vulnerability is identified by GHSA-pwjx-qhcg-rvj4. Thank you to @​1seal for the report.

What's Changed

Full Changelog: rustls/webpki@v/0.103.9...v/0.103.10

Commits
  • 348ce01 Prepare 0.103.10
  • dbde592 crl: fix authoritative_for() support for multiple URIs
  • 9c4838e avoid std::prelude imports
  • 009ef66 fix rust 1.94 ambiguous panic macro warnings
  • c41360d build(deps): bump taiki-e/cache-cargo-install-action from 2 to 3
  • e401d00 generate.py: reformat for black 2026.1.0
  • 06cedec Take semver-compatible deps
  • See full diff in compare view

Updates tar from 0.4.44 to 0.4.45

Commits
  • 096e3d1 Bump to 0.4.45 (#443)
  • 17b1fd8 archive: Prevent symlink-directory collision chmod attack (#442)
  • de1a587 archive: Unconditionally honor PAX size (#441)
  • 6071cbe ci: Consolidate workflows (#439)
  • ad1fde9 build-sys: Promote unused_code to an error
  • c8cb250 tests: Squash a warning
  • 638c495 ci: Add xtask infra + reverse dependency testing (#435)
  • 32a9bbb tests: Add RandomReader to exercise partial-read resilience (#436)
  • 9c5df0b Fix GNU long-name extension stream corruption on validation error (#434)
  • 88b1e3b Fix docs typo in header.rs (#431)
  • Additional commits viewable in compare view

Updates bytes from 1.11.0 to 1.11.1

Release notes

Sourced from bytes's releases.

Bytes v1.11.1

1.11.1 (February 3rd, 2026)

  • Fix integer overflow in BytesMut::reserve

Changelog

Sourced from bytes's changelog.

1.11.1 (February 3rd, 2026)

  • Fix integer overflow in BytesMut::reserve

Commits

Updates keccak from 0.1.5 to 0.1.6

Commits

@dependabot dependabot bot added the dependencies (Pull requests that update a dependency file) and rust (Pull requests that update rust code) labels Mar 25, 2026
@dependabot dependabot bot force-pushed the dependabot/cargo/cargo-5efc64c9fe branch 2 times, most recently from 7d3970b to c10759d Compare March 25, 2026 08:37
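
The CRL-selection bug described in the rustls-webpki 0.103.10 release notes above, shown as an added example that is not part of this PR or of rustls-webpki's code: a simplified model in which every certificate distribution point and every CRL issuing distribution point is a single URI string. The type and function names (`Cert`, `Crl`, `check_revocation`, `authoritative_first_only`, `authoritative_any`) and the sample URIs are assumptions made for illustration.

```rust
// Simplified model of the CRL-selection bug from the rustls-webpki 0.103.10
// notes. All types and names are illustrative assumptions, not webpki's API.
#[derive(Debug, PartialEq, Clone, Copy)]
enum UnknownStatusPolicy { Allow, Deny }
#[derive(Debug, PartialEq)]
enum Outcome { Accepted, Revoked, UnknownRevocationStatus }

struct Cert<'a> { serial: u32, distribution_points: Vec<&'a str> }
struct Crl<'a> { issuing_distribution_point: &'a str, revoked_serials: Vec<u32> }

// Pre-fix behaviour: only the certificate's first distributionPoint is compared.
fn authoritative_first_only(crl: &Crl, cert: &Cert) -> bool {
    cert.distribution_points.first() == Some(&crl.issuing_distribution_point)
}

// Post-fix behaviour: any of the certificate's distributionPoints may match.
fn authoritative_any(crl: &Crl, cert: &Cert) -> bool {
    cert.distribution_points.contains(&crl.issuing_distribution_point)
}

// Pick the first CRL the matcher calls authoritative; with none, the policy decides.
fn check_revocation(
    cert: &Cert, crls: &[Crl], policy: UnknownStatusPolicy,
    authoritative: fn(&Crl, &Cert) -> bool,
) -> Outcome {
    match crls.iter().find(|crl| authoritative(crl, cert)) {
        Some(crl) if crl.revoked_serials.contains(&cert.serial) => Outcome::Revoked,
        Some(_) => Outcome::Accepted,
        None if policy == UnknownStatusPolicy::Deny => Outcome::UnknownRevocationStatus,
        None => Outcome::Accepted,
    }
}

// Constructed sample: a revoked certificate listing two distribution points,
// where the only supplied CRL is issued for the second one.
fn sample() -> (Cert<'static>, Vec<Crl<'static>>) {
    let dps = vec!["http://crl.example/a", "http://crl.example/b"];
    let crl = Crl { issuing_distribution_point: "http://crl.example/b", revoked_serials: vec![7] };
    (Cert { serial: 7, distribution_points: dps }, vec![crl])
}

fn main() {
    let (cert, crls) = sample();
    for policy in [UnknownStatusPolicy::Deny, UnknownStatusPolicy::Allow] {
        let before = check_revocation(&cert, &crls, policy, authoritative_first_only);
        let after = check_revocation(&cert, &crls, policy, authoritative_any);
        println!("{policy:?}: before fix = {before:?}, after fix = {after:?}");
    }
}
```

With the first-only matcher the revoked certificate yields `UnknownRevocationStatus` under `Deny` and is accepted under `Allow`; with the corrected matcher it is reported as revoked under both policies.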
Bumps the cargo group with 3 updates in the / directory: [quinn-proto](https://github.com/quinn-rs/quinn), [rustls-webpki](https://github.com/rustls/webpki) and [tar](https://github.com/alexcrichton/tar-rs).
Bumps the cargo group with 3 updates in the /contracts/feature-tests/gas-tests directory: [bytes](https://github.com/tokio-rs/bytes), [keccak](https://github.com/RustCrypto/sponges) and [tar](https://github.com/alexcrichton/tar-rs).


Updates `quinn-proto` from 0.11.13 to 0.11.14
- [Release notes](https://github.com/quinn-rs/quinn/releases)
- [Commits](quinn-rs/quinn@quinn-proto-0.11.13...quinn-proto-0.11.14)

Updates `rustls-webpki` from 0.103.9 to 0.103.10
- [Release notes](https://github.com/rustls/webpki/releases)
- [Commits](rustls/webpki@v/0.103.9...v/0.103.10)

Updates `tar` from 0.4.44 to 0.4.45
- [Commits](alexcrichton/tar-rs@0.4.44...0.4.45)

Updates `bytes` from 1.11.0 to 1.11.1
- [Release notes](https://github.com/tokio-rs/bytes/releases)
- [Changelog](https://github.com/tokio-rs/bytes/blob/master/CHANGELOG.md)
- [Commits](tokio-rs/bytes@v1.11.0...v1.11.1)

Updates `keccak` from 0.1.5 to 0.1.6
- [Commits](RustCrypto/sponges@keccak-v0.1.5...keccak-v0.1.6)

Updates `tar` from 0.4.44 to 0.4.45
- [Commits](alexcrichton/tar-rs@0.4.44...0.4.45)

---
updated-dependencies:
- dependency-name: quinn-proto
  dependency-version: 0.11.14
  dependency-type: indirect
  dependency-group: cargo
- dependency-name: rustls-webpki
  dependency-version: 0.103.10
  dependency-type: indirect
  dependency-group: cargo
- dependency-name: tar
  dependency-version: 0.4.45
  dependency-type: indirect
  dependency-group: cargo
- dependency-name: bytes
  dependency-version: 1.11.1
  dependency-type: indirect
  dependency-group: cargo
- dependency-name: keccak
  dependency-version: 0.1.6
  dependency-type: indirect
  dependency-group: cargo
- dependency-name: tar
  dependency-version: 0.4.45
  dependency-type: indirect
  dependency-group: cargo
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot force-pushed the dependabot/cargo/cargo-5efc64c9fe branch from c10759d to 290ff09 Compare April 7, 2026 10:47
github-actions bot commented Apr 7, 2026

Contract comparison - from f9bc3a2 to 290ff09

| Path | size | has-allocator | has-format |
| --- | --- | --- | --- |
| large-storage.wasm | 1656 | false | None |
| send-tx-repeat.wasm | 1292 | false | None |
| queue-repeat.wasm | 5536 | false | None |
| linked-list-repeat.wasm | 6838 | false | without message |
| map-repeat.wasm | 7363 | false | without message |
| set-repeat.wasm | 6511 | false | None |
| vec-repeat.wasm | 4872 | false | None |
| single-value-repeat.wasm | 4253 | false | None |
| str-repeat-mb-builder-cached.wasm | 1109 | false | without message |
| str-repeat.wasm | 2733 | false | without message |
| str-repeat-mb-builder-basic.wasm | 757 | false | None |
| multiversx-wegld-swap-sc.wasm | 4265 | false | None |
| multiversx-price-aggregator-sc.wasm | 17904 | false | without message |
| crypto-zombies.wasm | 9282 | false | without message |
| empty.wasm | 244 | false | None |
| digital-cash.wasm | 9736 | false | None |
| token-release.wasm | 6978 | false | without message |
| bonding-curve-contract.wasm | 14067 | false | None |
| crowdfunding.wasm | 3574 | false | None |
| crypto-bubbles.wasm | 2561 | false | None |
| nft-minter.wasm | 9726 | false | without message |
| proxy-pause.wasm | 4165 | false | None |
| nft-storage-prepay.wasm | 2609 | false | None |
| multisig.wasm | 13617 | false | without message |
| multisig-full.wasm | 15128 | false | without message |
| multisig-view.wasm | 5590 | false | None |
| adder.wasm | 699 | false | None |
| esdt-transfer-with-fee.wasm | 7505 | false | without message |
| nft-subscription.wasm | 8725 | false | without message |
| kitty-genetic-alg.wasm | 3494 | false | without message |
| kitty-ownership.wasm | 12965 | false | without message |
| kitty-auction.wasm | 9389 | false | without message |
| fractional-nfts.wasm | 8302 | false | without message |
| order-book-factory.wasm | 3401 | false | None |
| order-book-pair.wasm | 14099 | false | None |
| ping-pong-egld.wasm | 6397 | false | None |
| seed-nft-minter.wasm | 14189 | false | without message |
| rewards-distribution.wasm | 9445 | false | without message |
| factorial.wasm | 579 | false | None |
| check-pause.wasm | 1260 | false | None |
| lottery.wasm | 12666 | false | without message |
| erc20.wasm | 1887 | false | None |
| erc1155.wasm | 12016 | false | without message |
| crowdfunding-erc20.wasm | 4909 | false | without message |
| erc1155-marketplace.wasm | 10602 | false | without message |
| erc721.wasm | 2232 | false | None |
| erc1155-user-mock.wasm | 1229 | false | None |
| lottery-erc20.wasm | 12886 | false | without message |
| use-module.wasm | 32477 | false | without message |
| use-module-view.wasm | 736 | false | None |
| std-contract.wasm | 3469 | true | without message |
| abi-tester.wasm | 8607 | true | without message |
| abi-tester-ev.wasm | 760 | false | None |
| rust-testing-framework-tester.wasm | 8552 | false | None |
| rust-snippets-generator-test.wasm | 4708 | false | None |
| exchange-features.wasm | 1514 | false | None |
| formatted-message-features.wasm | 3613 | false | without message |
| big-float-features.wasm | 6373 | false | without message |
| multi-contract-example-feature.wasm | 680 | false | None |
| multi-contract-features.wasm | 681 | false | None |
| multi-contract-alt-impl.wasm | 353 | false | None |
| multi-contract-features-view.wasm | 1113 | false | None |
| esdt-system-sc-mock.wasm | 4556 | false | None |
| child.wasm | 3982 | false | without message |
| parent.wasm | 1999 | false | None |
| vault-upgrade.wasm | 708 | false | None |
| vault.wasm | 8950 | false | None |
| mesh-node.wasm | 16046 | false | without message |
| recursive-caller.wasm | 5163 | false | without message |
| transfer-role-features.wasm | 8605 | false | without message |
| forwarder-blind.wasm | 14134 | false | without message |
| forwarder-raw-init-sync-call.wasm | 2958 | false | None |
| forwarder-raw-init-async-call.wasm | 2374 | false | None |
| forwarder-raw.wasm | 13081 | false | None |
| forwarder-legacy.wasm | 33620 | false | without message |
| first-contract.wasm | 3450 | false | None |
| second-contract.wasm | 1158 | false | None |
| proxy-test-second.wasm | 2332 | false | without message |
| forwarder.wasm | 49004 | false | without message |
| local-esdt-and-nft.wasm | 12568 | false | without message |
| proxy-test-first.wasm | 5707 | false | without message |
| builtin-func-features.wasm | 3828 | false | None |
| scenario-tester.wasm | 1374 | false | None |
| forbidden-opcodes.wasm | 842 | false | None |
| alloc-mem-fail.wasm | 17812 | true | without message |
| alloc-features.wasm | 23260 | false | without message |
| alloc-mem-leaking.wasm | 23417 | false | without message |
| payable-features.wasm | 6046 | false | None |
| basic-features-small-int-bug.wasm | 824 | false | None |
| basic-features-storage-bytes.wasm | 541 | false | None |
| basic-features.wasm | 85947 | false | without message |
| panic-message-features.wasm | 13030 | false | with message |
| panic-message-std.wasm | 16073 | false | with message |

⚠️ Could not download the report for the base branch. Displaying only the report for the current branch. ⚠️

dependabot bot commented on behalf of github Apr 14, 2026

Superseded by #2346.

@dependabot dependabot bot closed this Apr 14, 2026
@dependabot dependabot bot deleted the dependabot/cargo/cargo-5efc64c9fe branch April 14, 2026 03:33