Bump tar from 0.4.44 to 0.4.45 in /src-tauri in the cargo group across 1 directory#1173
Bump tar from 0.4.44 to 0.4.45 in /src-tauri in the cargo group across 1 directory#1173dependabot[bot] wants to merge 1 commit intomainfrom
Conversation
dependabot
Bot
added
Dependencies
dependabot
Bot
added
Dependencies
✅ Deploy Preview for public-surrealist ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
![claude[bot]](https://avatars.githubusercontent.com/in/1236702?s=60&v=4){kind=small}
There was a problem hiding this comment.
LGTM — straightforward Dependabot patch bump of tar (0.4.44 → 0.4.45) with security fixes, only touching Cargo.lock.
Extended reasoning...
Overview
This PR is an automated Dependabot security update that bumps the tar crate from 0.4.44 to 0.4.45 in src-tauri/Cargo.lock. The only file changed is the lockfile. The diff also includes transitive dependency resolution changes (some windows-sys versions shifted), which is normal lockfile behavior.
Security risks
The update itself is a security improvement — the upstream tar 0.4.45 release includes a fix for a symlink-directory collision chmod attack and other bug fixes. There are no new dependencies introduced; this is a patch-level bump of an existing dependency. No credentials or tokens are affected.
Level of scrutiny
This is a minimal-risk change: a lockfile-only patch bump from a well-known Rust crate, generated by Dependabot. The change is fully mechanical and deterministic. No source code, configuration, or application logic is modified.
Other factors
No bugs were found by the automated bug hunting system. No prior reviews or comments from humans exist on this PR (only the Netlify bot deploy preview). The tar crate is a widely-used, well-maintained package, and this is a patch version bump within the same minor version.
Bumps the cargo group with 1 update in the /src-tauri directory: [tar](https://github.com/alexcrichton/tar-rs). Updates `tar` from 0.4.44 to 0.4.45 - [Commits](alexcrichton/tar-rs@0.4.44...0.4.45) --- updated-dependencies: - dependency-name: tar dependency-version: 0.4.45 dependency-type: indirect dependency-group: cargo ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
Bot
force-pushed
the
dependabot/cargo/src-tauri/cargo-82c2e2ce39
branch
from
2e00bf4 to
4e6fbc2
Compare
Bumps the cargo group with 1 update in the /src-tauri directory: tar.
Updates
tarfrom 0.4.44 to 0.4.45Commits
096e3d1Bump to 0.4.45 (#443)17b1fd8archive: Prevent symlink-directory collision chmod attack (#442)de1a587archive: Unconditionally honor PAX size (#441)6071cbeci: Consolidate workflows (#439)ad1fde9build-sys: Promote unused_code to an errorc8cb250tests: Squash a warning638c495ci: Add xtask infra + reverse dependency testing (#435)32a9bbbtests: Add RandomReader to exercise partial-read resilience (#436)9c5df0bFix GNU long-name extension stream corruption on validation error (#434)88b1e3bFix docs typo in header.rs (#431)