Skip to content

bump diesel from 2.3.7 to 2.3.10#10842

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/cargo/diesel-2.3.10
Open

bump diesel from 2.3.7 to 2.3.10#10842
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/cargo/diesel-2.3.10

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 16, 2026

Copy link
Copy Markdown
Contributor

Bumps diesel from 2.3.7 to 2.3.10.

Changelog

Sourced from diesel's changelog.

[2.3.10] 2026-06-05

  • Fixed a wrong value of a internal MYSQL flag
  • Fixed several possible panics in the PostgreSQL deserialization code for malformed packages in the
  • Fixed an issue that caused unexpected results while calling custom aggregated SQL functions twice in the SQLite backend
  • Fixed a potential use after free bug in the SQLite backend while deserializing a database from a byte buffer
  • Fixed potential invalid schema generation if column or table names "inject" rust code
  • Fixed potential SQL injections during schema introspection via diesel print-schema
  • Fixed a regression that resulted in rejecting valid combinations of ORDER BY and GROUP BY clauses

[2.3.9] 2026-04-30

  • Removed a dbg! statement from the Mysql backend that caused unwanted output
  • Fix a regression in #[derive(AsChangeset)] introduced in 2.3.8 where structs with a type or const generic parameter referenced in a field type failed to compile with error[E0425]: cannot find type 'T' in this scope. The diagnostic helper functions added to improve AsChangeset error messages now forward all generic parameters of the input struct, not only lifetimes.

[2.3.8] 2026-04-24

  • Added support for libsqlite3-sys 0.37.0
  • Raise a compile-time error when mixing aggregate and non-aggregate expressions in an ORDER BY clause without a GROUP BY clause
  • Calling .count() or .select(aggregate_expr) on a query that already has a non-aggregate .order_by() clause now raises a compile-time error instead of generating invalid SQL that would be rejected by the database at runtime (fixes #3815)
  • Added documentation for migration transaction behaviour at the crate root
  • Improved compile time error messages for #[derive(AsChangeset)]
  • Allow to use generic types in infix_operator!()
  • Fixes for several instances of unsound, unspecified or otherwise dangerous behaviour:
    • Unsound string construction in SqliteValue::read_text/FromSql<Text, Sqlite> for String
    • Invalid alignment for over aligned data in SqliteConnection::register_function for aggregate functions
    • Potential memory leaks in SqliteConnection::register_function
    • Access to padding bytes while serializing Date/time types in the Mysql backend
    • SQL Option Injection in PostgreSQL COPY FROM/TO
    • Unspecified pointer cast in Debug/Display implementation of batch INSERT statements for SQLite
    • Invalid call order of SQLite API functions in SqliteValue::read_text/FromSql<Text, Sqlite> for String/SqliteValue::read_blob()/FromSql<Binary, Sqlite> for Vec<u8>
    • Potential unsound pointer access for FromSql<Binary, _> for Vec<u8> and FromSql<Text, _> for String for third party backends (requires changes to the third party backend as well)
Commits
  • 7b4f888 Merge pull request #5067 from weiznich/prepare_2.3.10
  • bdc40a1 Prepare a 2.3.10 release
  • ad149aa Merge pull request #5059 from ayarotsky/fix-order-and-group
  • 5a5b6a8 Merge pull request #5064 from weiznich/bump/rust_1.96
  • a535124 Merge pull request #5056 from weiznich/even_fix_more_issues
  • 207391c Merge pull request #5054 from weiznich/fix_more_issues
  • 60b9d3a Merge pull request #5051 from weiznich/new_sponsor
  • 2e7eb35 Also bump derives version
  • b3a16a3 Merge pull request #5046 from apastrana6/ap/fix-derive-as-changeset
  • 9f0a6c1 Prepare a 2.3.9 release
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file rust Pull requests that update rust code labels Jul 16, 2026
Bumps [diesel](https://github.com/diesel-rs/diesel) from 2.3.7 to 2.3.10.
- [Release notes](https://github.com/diesel-rs/diesel/releases)
- [Changelog](https://github.com/diesel-rs/diesel/blob/main/CHANGELOG.md)
- [Commits](diesel-rs/diesel@v2.3.7...v2.3.10)

---
updated-dependencies:
- dependency-name: diesel
  dependency-version: 2.3.10
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot changed the title Bump diesel from 2.3.7 to 2.3.10 bump diesel from 2.3.7 to 2.3.10 Jul 16, 2026
@dependabot
dependabot Bot force-pushed the dependabot/cargo/diesel-2.3.10 branch from bdcbf8a to cfb5b3a Compare July 16, 2026 22:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file rust Pull requests that update rust code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants