build(deps): bump stellar/stellar-cli from 25.1.0 to 25.2.0 in the actions-minor group

[dependabot]

Bumps the actions-minor group with 1 update: stellar/stellar-cli.

Updates stellar/stellar-cli from 25.1.0 to 25.2.0

Release notes

Sourced from stellar/stellar-cli's releases.

25.2.0

🚀 New Features

• Auto-build on deploy: stellar contract deploy and stellar contract upload now automatically build your contracts when no WASM is provided — no manual build step required. (#2378)
• Self-describing events: stellar events and contract invoke now display human-readable event descriptions from the contract spec. (#2380)
• Fee bump for large transactions: Transactions that exceed the base fee threshold are automatically wrapped in a fee bump transaction. (#2382)
• Pipe secrets from stdin: Key secrets can now be passed via pipe, making it easier to integrate with secret managers in scripts and CI. (#2403)
• stellar network root-account: New command to retrieve the root account for a given network. (#2402)
• Network ID in stellar network info: The network ID is now included in the output of stellar network info. (#2413)
• Auto-convert string arguments in contract invoke: String-typed arguments are now automatically coerced, reducing friction when calling contracts from the CLI. (#2410)
• --locked passthrough on contract build: The --locked flag is now forwarded when building contracts, ensuring reproducible builds. (#2383)
• --hd-path propagation: The --hd-path flag now correctly propagates to auth signers and alias resolution. (#2437)
• Spec shaking (build side): The build pipeline now supports spec shaking, reducing generated output size. (#2353)

🔒 Security

• Sensitive env vars concealed by default: stellar env now hides sensitive values (secret keys, RPC headers, signing keys) by default, showing # KEY=<concealed> instead of the raw value. (#2440, #2408)
• Path traversal prevention: Network and contract alias names are now validated to block path traversal attacks. (#2443)
• Restrictive file permissions: Config directories and key files are now created with tighter permissions on Unix systems. (#2415)
• RPC headers hidden from output: RPC headers (which may contain auth tokens) are no longer shown in stellar network ls --long or debug trace output. (#2441, #2442)
• Control character sanitization: Control characters in contract spec display output are now sanitized. (#2433)
• Keccak vulnerability patched: Updated keccak to address CWE-758. (#2422)

🐛 Bug Fixes

• Fixed BytesN parsing when using valid hex values. (#2385)
• Fixed snapshot create unconditionally adding entries when match result was unused. (#2404)
• Fixed --asset in trustline commands to accept valid asset codes of any length. (#2405)
• Fixed an error when fetching ledger entries for trustlines using the native asset. (#2406)

🔧 Developer Experience

• Warnings are now shown when a contract spec references types that are missing. (#2426)
• Improved dependency checking in the install script. (#2399)
• --no-default-features is now honored when using cargo install. (#2416)

📦 TypeScript Bindings

• Updated bindings to the latest JS SDK version. (#2373)

---

Full Changelog: stellar/stellar-cli@v25.1.0...v25.2.0

New Contributors: @​teddav made their first contribution in #2373 — welcome! 🎉

Commits

• 2848488 Bump version to 25.2.0 (#2444)
• 6b2e3ea Display env vars with concealed value by default. (#2440)
• aac2016 Hide rpc headers when debug tracing the network. (#2442)
• 485e197 Update dependencies. (#2439)
• 78fdf1d Fix path traversal in network and alias names. (#2443)
• bfee6e7 Hide rpc headers when list networks with stellar network ls --long. (#2441)
• 508fca8 Propagate --hd-path to auth signers and alias resolution. (#2437)
• 00f808f Implement the build side of spec shaking (#2353)
• 049bfd3 Run tests only on unix. (#2430)
• 73e5a19 Skip WASM verification for non-example contracts (#2436)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions