Bump the cargo group across 4 directories with 6 updates #2346

Open
dependabot[bot] wants to merge 1 commit into master from dependabot/cargo/cargo-bc481c7091

dependabot[bot] commented on behalf of github on Apr 14, 2026

Bumps the cargo group with 4 updates in the / directory: rand, quinn-proto, rustls-webpki and tar.
Bumps the cargo group with 4 updates in the /contracts/feature-tests/gas-tests directory: rand, bytes, keccak and tar.
Bumps the cargo group with 1 update in the /tools/git-scraper directory: rand.
Bumps the cargo group with 1 update in the /tools/rust-debugger/format-tests directory: rand.

Updates rand from 0.10.0 to 0.10.1

Changelog

Sourced from rand's changelog.

[0.10.1] — 2026-02-11

This release includes a fix for a soundness bug; see #1763.

Changes

  • Document panic behavior of make_rng and add #[track_caller] (#1761)
  • Deprecate feature log (#1763)

#1761: rust-random/rand#1761 #1763: rust-random/rand#1763

Commits

Updates quinn-proto from 0.11.13 to 0.11.14

Release notes

Sourced from quinn-proto's releases.

quinn-proto 0.11.14

@​jxs reported a denial of service issue in quinn-proto 5 days ago:

We coordinated with them to release this version to patch the issue. Unfortunately the maintainers missed these issues during code review and we did not have enough fuzzing coverage -- we regret the oversight and have added an additional fuzzing target.

Organizations that want to participate in coordinated disclosure can contact us privately to discuss terms.

What's Changed

Commits
  • 2c315aa proto: bump version to 0.11.14
  • 8ad47f4 Use newer rustls-pki-types PEM parser API
  • c81c028 ci: fix workflow syntax
  • 0050172 ci: pin wasm-bindgen-cli version
  • 8a6f82c Take semver-compatible dependency updates
  • e52db4a Apply suggestions from clippy 1.91
  • 6df7275 chore: Fix unnecessary_unwrap clippy
  • c8eefa0 proto: avoid unwrapping varint decoding during parameters parsing
  • 9723a97 fuzz: add fuzzing target for parsing transport parameters
  • eaf0ef3 Fix over-permissive proto dependency edge (#2385)
  • Additional commits viewable in compare view

Updates rustls-webpki from 0.103.9 to 0.103.11

Release notes

Sourced from rustls-webpki's releases.

0.103.11

In response to #464, we've slightly relaxed requirements for anchor_from_trust_cert() to ignore unknown extensions even if they're marked as critical. This only affects parsing a TrustAnchor from DER, for which most extensions are ignored anyway.

What's Changed

0.103.10

Correct selection of candidate CRLs by Distribution Point and Issuing Distribution Point. If a certificate had more than one distributionPoint, then only the first distributionPoint would be considered against each CRL's IssuingDistributionPoint distributionPoint, and then the certificate's subsequent distributionPoints would be ignored.

The impact was that correctly provided CRLs would not be consulted to check revocation. With UnknownStatusPolicy::Deny (the default) this would lead to incorrect but safe Error::UnknownRevocationStatus. With UnknownStatusPolicy::Allow this would lead to inappropriate acceptance of revoked certificates.

This vulnerability is thought to be of limited impact. This is because both the certificate and CRL are signed -- an attacker would need to compromise a trusted issuing authority to trigger this bug. An attacker with such capabilities could likely bypass revocation checking through other more impactful means (such as publishing a valid, empty CRL.)

More likely, this bug would be latent in normal use, and an attacker could leverage faulty revocation checking to continue using a revoked credential.

This vulnerability is identified by GHSA-pwjx-qhcg-rvj4. Thank you to @​1seal for the report.

What's Changed

Full Changelog: rustls/webpki@v/0.103.9...v/0.103.10

Commits
  • 57bc62c Bump version to 0.103.11
  • d0fa01e Allow parsing trust anchors with unknown criticial extensions
  • 348ce01 Prepare 0.103.10
  • dbde592 crl: fix authoritative_for() support for multiple URIs
  • 9c4838e avoid std::prelude imports
  • 009ef66 fix rust 1.94 ambiguous panic macro warnings
  • c41360d build(deps): bump taiki-e/cache-cargo-install-action from 2 to 3
  • e401d00 generate.py: reformat for black 2026.1.0
  • 06cedec Take semver-compatible deps
  • See full diff in compare view

Updates tar from 0.4.44 to 0.4.45

Commits
  • 096e3d1 Bump to 0.4.45 (#443)
  • 17b1fd8 archive: Prevent symlink-directory collision chmod attack (#442)
  • de1a587 archive: Unconditionally honor PAX size (#441)
  • 6071cbe ci: Consolidate workflows (#439)
  • ad1fde9 build-sys: Promote unused_code to an error
  • c8cb250 tests: Squash a warning
  • 638c495 ci: Add xtask infra + reverse dependency testing (#435)
  • 32a9bbb tests: Add RandomReader to exercise partial-read resilience (#436)
  • 9c5df0b Fix GNU long-name extension stream corruption on validation error (#434)
  • 88b1e3b Fix docs typo in header.rs (#431)
  • Additional commits viewable in compare view

Updates rand from 0.10.0 to 0.10.1

Changelog

Sourced from rand's changelog.

[0.10.1] — 2026-02-11

This release includes a fix for a soundness bug; see #1763.

Changes

  • Document panic behavior of make_rng and add #[track_caller] (#1761)
  • Deprecate feature log (#1763)

#1761: rust-random/rand#1761 #1763: rust-random/rand#1763

Commits

Updates bytes from 1.11.0 to 1.11.1

Release notes

Sourced from bytes's releases.

Bytes v1.11.1

1.11.1 (February 3rd, 2026)

  • Fix integer overflow in BytesMut::reserve

Changelog

Sourced from bytes's changelog.

1.11.1 (February 3rd, 2026)

  • Fix integer overflow in BytesMut::reserve

Commits

Updates keccak from 0.1.5 to 0.1.6

Commits

Updates tar from 0.4.44 to 0.4.45

Commits
  • 096e3d1 Bump to 0.4.45 (#443)
  • 17b1fd8 archive: Prevent symlink-directory collision chmod attack (#442)
  • de1a587 archive: Unconditionally honor PAX size (#441)
  • 6071cbe ci: Consolidate workflows (#439)
  • ad1fde9 build-sys: Promote unused_code to an error
  • c8cb250 tests: Squash a warning
  • 638c495 ci: Add xtask infra + reverse dependency testing (#435)
  • 32a9bbb tests: Add RandomReader to exercise partial-read resilience (#436)
  • 9c5df0b Fix GNU long-name extension stream corruption on validation error (#434)
  • 88b1e3b Fix docs typo in header.rs (#431)
  • Additional commits viewable in compare view

Updates rand from 0.9.2 to 0.9.4

Changelog

Sourced from rand's changelog.

[0.10.1] — 2026-02-11

This release includes a fix for a soundness bug; see #1763.

Changes

  • Document panic behavior of make_rng and add #[track_caller] (#1761)
  • Deprecate feature log (#1763)

#1761: rust-random/rand#1761 #1763: rust-random/rand#1763

Commits

Updates rand from 0.9.2 to 0.10.1

Changelog

Sourced from rand's changelog.

[0.10.1] — 2026-02-11

This release includes a fix for a soundness bug; see #1763.

Changes

  • Document panic behavior of make_rng and add #[track_caller] (#1761)
  • Deprecate feature log (#1763)

#1761: rust-random/rand#1761 #1763: rust-random/rand#1763

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.
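
The rustls-webpki 0.103.10 note quoted in the comment above says that only a certificate's first distributionPoint was compared against each CRL's IssuingDistributionPoint, and that the result depends on `UnknownStatusPolicy`. The Rust sketch below is an added illustration, not code from this PR, Dependabot or rustls-webpki: it models that selection rule before and after the fix. All types, function names and the `crl.example` URIs are constructed for the example; only the policy variant names and `UnknownRevocationStatus` are taken from the note.

```rust
// Simplified model of CRL candidate selection; hypothetical types, not webpki's API.
#[derive(Clone, Copy, PartialEq, Debug)]
enum UnknownStatusPolicy { Deny, Allow }

#[derive(PartialEq, Debug)]
enum Outcome { Good, Revoked, UnknownRevocationStatus }

struct Crl<'a> {
    idp_uris: &'a [&'a str], // names in the CRL's IssuingDistributionPoint
    revoked_serials: &'a [u32],
}

struct Cert<'a> {
    serial: u32,
    distribution_points: &'a [&'a [&'a str]], // one URI list per distributionPoint
}

// Behaviour the release note describes for the bug: only the first DP is compared.
fn authoritative_first_only(crl: &Crl, cert: &Cert) -> bool {
    cert.distribution_points
        .first()
        .map_or(false, |dp| dp.iter().any(|u| crl.idp_uris.contains(u)))
}

// Corrected behaviour: a match on any of the certificate's DPs selects the CRL.
fn authoritative_any(crl: &Crl, cert: &Cert) -> bool {
    cert.distribution_points
        .iter()
        .any(|dp| dp.iter().any(|u| crl.idp_uris.contains(u)))
}

fn check(cert: &Cert, crls: &[Crl], policy: UnknownStatusPolicy,
         authoritative: fn(&Crl, &Cert) -> bool) -> Outcome {
    match crls.iter().find(|&c| authoritative(c, cert)) {
        Some(crl) if crl.revoked_serials.contains(&cert.serial) => Outcome::Revoked,
        Some(_) => Outcome::Good,
        None if policy == UnknownStatusPolicy::Deny => Outcome::UnknownRevocationStatus,
        None => Outcome::Good, // Allow: an unknown status is accepted
    }
}

// Constructed sample: revoked serial 7, and only the second DP names the CRL.
// Returns (outcome with first-DP-only matching, outcome with any-DP matching).
fn demo(policy: UnknownStatusPolicy) -> (Outcome, Outcome) {
    let crls = [Crl { idp_uris: &["http://crl.example/b.crl"], revoked_serials: &[7] }];
    let cert = Cert {
        serial: 7,
        distribution_points: &[&["http://crl.example/a.crl"], &["http://crl.example/b.crl"]],
    };
    (check(&cert, &crls, policy, authoritative_first_only),
     check(&cert, &crls, policy, authoritative_any))
}

fn main() {
    for p in [UnknownStatusPolicy::Deny, UnknownStatusPolicy::Allow] {
        println!("{:?}: {:?}", p, demo(p));
    }
}
```

With first-DP-only matching the CRL is never consulted, so `Deny` fails closed and `Allow` accepts the revoked certificate; with any-DP matching both policies report it as revoked.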

Bumps the cargo group with 4 updates in the / directory: [rand](https://github.com/rust-random/rand), [quinn-proto](https://github.com/quinn-rs/quinn), [rustls-webpki](https://github.com/rustls/webpki) and [tar](https://github.com/alexcrichton/tar-rs).
Bumps the cargo group with 4 updates in the /contracts/feature-tests/gas-tests directory: [rand](https://github.com/rust-random/rand), [bytes](https://github.com/tokio-rs/bytes), [keccak](https://github.com/RustCrypto/sponges) and [tar](https://github.com/alexcrichton/tar-rs).
Bumps the cargo group with 1 update in the /tools/git-scraper directory: [rand](https://github.com/rust-random/rand).
Bumps the cargo group with 1 update in the /tools/rust-debugger/format-tests directory: [rand](https://github.com/rust-random/rand).


Updates `rand` from 0.10.0 to 0.10.1
- [Release notes](https://github.com/rust-random/rand/releases)
- [Changelog](https://github.com/rust-random/rand/blob/master/CHANGELOG.md)
- [Commits](rust-random/rand@0.10.0...0.10.1)

Updates `quinn-proto` from 0.11.13 to 0.11.14
- [Release notes](https://github.com/quinn-rs/quinn/releases)
- [Commits](quinn-rs/quinn@quinn-proto-0.11.13...quinn-proto-0.11.14)

Updates `rustls-webpki` from 0.103.9 to 0.103.11
- [Release notes](https://github.com/rustls/webpki/releases)
- [Commits](rustls/webpki@v/0.103.9...v/0.103.11)

Updates `tar` from 0.4.44 to 0.4.45
- [Commits](alexcrichton/tar-rs@0.4.44...0.4.45)

Updates `rand` from 0.10.0 to 0.10.1
- [Release notes](https://github.com/rust-random/rand/releases)
- [Changelog](https://github.com/rust-random/rand/blob/master/CHANGELOG.md)
- [Commits](rust-random/rand@0.10.0...0.10.1)

Updates `bytes` from 1.11.0 to 1.11.1
- [Release notes](https://github.com/tokio-rs/bytes/releases)
- [Changelog](https://github.com/tokio-rs/bytes/blob/master/CHANGELOG.md)
- [Commits](tokio-rs/bytes@v1.11.0...v1.11.1)

Updates `keccak` from 0.1.5 to 0.1.6
- [Commits](RustCrypto/sponges@keccak-v0.1.5...keccak-v0.1.6)

Updates `tar` from 0.4.44 to 0.4.45
- [Commits](alexcrichton/tar-rs@0.4.44...0.4.45)

Updates `rand` from 0.9.2 to 0.9.4
- [Release notes](https://github.com/rust-random/rand/releases)
- [Changelog](https://github.com/rust-random/rand/blob/master/CHANGELOG.md)
- [Commits](rust-random/rand@0.10.0...0.10.1)

Updates `rand` from 0.9.2 to 0.10.1
- [Release notes](https://github.com/rust-random/rand/releases)
- [Changelog](https://github.com/rust-random/rand/blob/master/CHANGELOG.md)
- [Commits](rust-random/rand@0.10.0...0.10.1)

---
updated-dependencies:
- dependency-name: rand
  dependency-version: 0.10.1
  dependency-type: direct:production
  dependency-group: cargo
- dependency-name: quinn-proto
  dependency-version: 0.11.14
  dependency-type: indirect
  dependency-group: cargo
- dependency-name: rustls-webpki
  dependency-version: 0.103.11
  dependency-type: indirect
  dependency-group: cargo
- dependency-name: tar
  dependency-version: 0.4.45
  dependency-type: indirect
  dependency-group: cargo
- dependency-name: rand
  dependency-version: 0.10.1
  dependency-type: indirect
  dependency-group: cargo
- dependency-name: bytes
  dependency-version: 1.11.1
  dependency-type: indirect
  dependency-group: cargo
- dependency-name: keccak
  dependency-version: 0.1.6
  dependency-type: indirect
  dependency-group: cargo
- dependency-name: tar
  dependency-version: 0.4.45
  dependency-type: indirect
  dependency-group: cargo
- dependency-name: rand
  dependency-version: 0.9.4
  dependency-type: indirect
  dependency-group: cargo
- dependency-name: rand
  dependency-version: 0.10.1
  dependency-type: indirect
  dependency-group: cargo
...

Signed-off-by: dependabot[bot] <support@github.com>

dependabot[bot] added the dependencies (Pull requests that update a dependency file) and rust (Pull requests that update rust code) labels on Apr 14, 2026

@github-actions

Contract comparison - from f9bc3a2 to d626a30

| Path | size | has-allocator | has-format |
| --- | --- | --- | --- |
| esdt-transfer-with-fee.wasm | 7505 | false | without message |
| factorial.wasm | 579 | false | None |
| crypto-bubbles.wasm | 2561 | false | None |
| order-book-factory.wasm | 3401 | false | None |
| order-book-pair.wasm | 14099 | false | None |
| adder.wasm | 699 | false | None |
| fractional-nfts.wasm | 8302 | false | without message |
| lottery.wasm | 12666 | false | without message |
| multisig-full.wasm | 15128 | false | without message |
| multisig-view.wasm | 5590 | false | None |
| multisig.wasm | 13617 | false | without message |
| crypto-zombies.wasm | 9282 | false | without message |
| digital-cash.wasm | 9736 | false | None |
| nft-minter.wasm | 9726 | false | without message |
| nft-storage-prepay.wasm | 2609 | false | None |
| kitty-ownership.wasm | 12965 | false | without message |
| kitty-auction.wasm | 9389 | false | without message |
| kitty-genetic-alg.wasm | 3494 | false | without message |
| proxy-pause.wasm | 4165 | false | None |
| nft-subscription.wasm | 8725 | false | without message |
| ping-pong-egld.wasm | 6397 | false | None |
| crowdfunding.wasm | 3574 | false | None |
| empty.wasm | 244 | false | None |
| bonding-curve-contract.wasm | 14067 | false | None |
| token-release.wasm | 6978 | false | without message |
| rewards-distribution.wasm | 9445 | false | without message |
| seed-nft-minter.wasm | 14189 | false | without message |
| check-pause.wasm | 1260 | false | None |
| multiversx-price-aggregator-sc.wasm | 17904 | false | without message |
| multiversx-wegld-swap-sc.wasm | 4265 | false | None |
| std-contract.wasm | 3469 | true | without message |
| vault.wasm | 8950 | false | None |
| vault-upgrade.wasm | 708 | false | None |
| recursive-caller.wasm | 5163 | false | without message |
| forwarder-blind.wasm | 14134 | false | without message |
| transfer-role-features.wasm | 8605 | false | without message |
| proxy-test-second.wasm | 2332 | false | without message |
| second-contract.wasm | 1158 | false | None |
| first-contract.wasm | 3450 | false | None |
| parent.wasm | 1999 | false | None |
| child.wasm | 3982 | false | without message |
| forwarder-legacy.wasm | 33620 | false | without message |
| local-esdt-and-nft.wasm | 12568 | false | without message |
| proxy-test-first.wasm | 5707 | false | without message |
| mesh-node.wasm | 16046 | false | without message |
| forwarder-raw.wasm | 13081 | false | None |
| forwarder-raw-init-async-call.wasm | 2374 | false | None |
| forwarder-raw-init-sync-call.wasm | 2958 | false | None |
| forwarder.wasm | 49004 | false | without message |
| builtin-func-features.wasm | 3828 | false | None |
| panic-message-std.wasm | 16073 | false | with message |
| panic-message-features.wasm | 13030 | false | with message |
| abi-tester.wasm | 8607 | true | without message |
| abi-tester-ev.wasm | 760 | false | None |
| scenario-tester.wasm | 1374 | false | None |
| forbidden-opcodes.wasm | 842 | false | None |
| rust-testing-framework-tester.wasm | 8552 | false | None |
| rust-snippets-generator-test.wasm | 4708 | false | None |
| alloc-features.wasm | 23260 | false | without message |
| alloc-mem-fail.wasm | 17812 | true | without message |
| alloc-mem-leaking.wasm | 23417 | false | without message |
| esdt-system-sc-mock.wasm | 4556 | false | None |
| use-module.wasm | 32477 | false | without message |
| use-module-view.wasm | 736 | false | None |
| payable-features.wasm | 6046 | false | None |
| exchange-features.wasm | 1514 | false | None |
| big-float-features.wasm | 6373 | false | without message |
| basic-features.wasm | 85947 | false | without message |
| basic-features-small-int-bug.wasm | 824 | false | None |
| basic-features-storage-bytes.wasm | 541 | false | None |
| erc1155.wasm | 12016 | false | without message |
| erc1155-marketplace.wasm | 10602 | false | without message |
| erc20.wasm | 1887 | false | None |
| erc721.wasm | 2232 | false | None |
| erc1155-user-mock.wasm | 1229 | false | None |
| crowdfunding-erc20.wasm | 4909 | false | without message |
| lottery-erc20.wasm | 12886 | false | without message |
| formatted-message-features.wasm | 3613 | false | without message |
| multi-contract-features.wasm | 681 | false | None |
| multi-contract-features-view.wasm | 1113 | false | None |
| multi-contract-alt-impl.wasm | 353 | false | None |
| multi-contract-example-feature.wasm | 680 | false | None |
| send-tx-repeat.wasm | 1292 | false | None |
| vec-repeat.wasm | 4872 | false | None |
| linked-list-repeat.wasm | 6838 | false | without message |
| set-repeat.wasm | 6511 | false | None |
| map-repeat.wasm | 7363 | false | without message |
| queue-repeat.wasm | 5536 | false | None |
| single-value-repeat.wasm | 4253 | false | None |
| str-repeat-mb-builder-basic.wasm | 757 | false | None |
| str-repeat.wasm | 2733 | false | without message |
| str-repeat-mb-builder-cached.wasm | 1109 | false | without message |
| large-storage.wasm | 1656 | false | None |
