Skip to content

chore(deps): bump the cargo group across 2 directories with 4 updates#118

Open
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/cargo/codex-rs/cargo-6f4289d8c4
Open

chore(deps): bump the cargo group across 2 directories with 4 updates#118
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/cargo/codex-rs/cargo-6f4289d8c4

Conversation

@dependabot
Copy link

@dependabot dependabot bot commented on behalf of github Mar 21, 2026

Bumps the cargo group with 4 updates in the /codex-rs directory: tar, aws-lc-sys, quinn-proto and rustls-webpki.
Bumps the cargo group with 1 update in the /tools/argument-comment-lint directory: tar.

Updates tar from 0.4.44 to 0.4.45

Commits
  • 096e3d1 Bump to 0.4.45 (#443)
  • 17b1fd8 archive: Prevent symlink-directory collision chmod attack (#442)
  • de1a587 archive: Unconditionally honor PAX size (#441)
  • 6071cbe ci: Consolidate workflows (#439)
  • ad1fde9 build-sys: Promote unused_code to an error
  • c8cb250 tests: Squash a warning
  • 638c495 ci: Add xtask infra + reverse dependency testing (#435)
  • 32a9bbb tests: Add RandomReader to exercise partial-read resilience (#436)
  • 9c5df0b Fix GNU long-name extension stream corruption on validation error (#434)
  • 88b1e3b Fix docs typo in header.rs (#431)
  • Additional commits viewable in compare view

Updates aws-lc-sys from 0.37.0 to 0.37.1

Commits

Updates quinn-proto from 0.11.13 to 0.11.14

Release notes

Sourced from quinn-proto's releases.

quinn-proto 0.11.14

@​jxs reported a denial of service issue in quinn-proto 5 days ago:

We coordinated with them to release this version to patch the issue. Unfortunately the maintainers missed these issues during code review and we did not have enough fuzzing coverage -- we regret the oversight and have added an additional fuzzing target.

Organizations that want to participate in coordinated disclosure can contact us privately to discuss terms.

What's Changed

Commits
  • 2c315aa proto: bump version to 0.11.14
  • 8ad47f4 Use newer rustls-pki-types PEM parser API
  • c81c028 ci: fix workflow syntax
  • 0050172 ci: pin wasm-bindgen-cli version
  • 8a6f82c Take semver-compatible dependency updates
  • e52db4a Apply suggestions from clippy 1.91
  • 6df7275 chore: Fix unnecessary_unwrap clippy
  • c8eefa0 proto: avoid unwrapping varint decoding during parameters parsing
  • 9723a97 fuzz: add fuzzing target for parsing transport parameters
  • eaf0ef3 Fix over-permissive proto dependency edge (#2385)
  • Additional commits viewable in compare view

Updates rustls-webpki from 0.103.9 to 0.103.10

Release notes

Sourced from rustls-webpki's releases.

0.103.10

Correct selection of candidate CRLs by Distribution Point and Issuing Distribution Point. If a certificate had more than one distributionPoint, then only the first distributionPoint would be considered against each CRL's IssuingDistributionPoint distributionPoint, and then the certificate's subsequent distributionPoints would be ignored.

The impact was that correct provided CRLs would not be consulted to check revocation. With UnknownStatusPolicy::Deny (the default) this would lead to incorrect but safe Error::UnknownRevocationStatus. With UnknownStatusPolicy::Allow this would lead to inappropriate acceptance of revoked certificates.

This vulnerability is thought to be of limited impact. This is because both the certificate and CRL are signed -- an attacker would need to compromise a trusted issuing authority to trigger this bug. An attacker with such capabilities could likely bypass revocation checking through other more impactful means (such as publishing a valid, empty CRL.)

More likely, this bug would be latent in normal use, and an attacker could leverage faulty revocation checking to continue using a revoked credential.

This vulnerability is identified by GHSA-pwjx-qhcg-rvj4. Thank you to @​1seal for the report.

What's Changed

Full Changelog: rustls/webpki@v/0.103.9...v/0.103.10

Commits
  • 348ce01 Prepare 0.103.10
  • dbde592 crl: fix authoritative_for() support for multiple URIs
  • 9c4838e avoid std::prelude imports
  • 009ef66 fix rust 1.94 ambiguous panic macro warnings
  • c41360d build(deps): bump taiki-e/cache-cargo-install-action from 2 to 3
  • e401d00 generate.py: reformat for black 2026.1.0
  • 06cedec Take semver-compatible deps
  • See full diff in compare view

Updates tar from 0.4.44 to 0.4.45

Commits
  • 096e3d1 Bump to 0.4.45 (#443)
  • 17b1fd8 archive: Prevent symlink-directory collision chmod attack (#442)
  • de1a587 archive: Unconditionally honor PAX size (#441)
  • 6071cbe ci: Consolidate workflows (#439)
  • ad1fde9 build-sys: Promote unused_code to an error
  • c8cb250 tests: Squash a warning
  • 638c495 ci: Add xtask infra + reverse dependency testing (#435)
  • 32a9bbb tests: Add RandomReader to exercise partial-read resilience (#436)
  • 9c5df0b Fix GNU long-name extension stream corruption on validation error (#434)
  • 88b1e3b Fix docs typo in header.rs (#431)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
chore(deps): bump the cargo group across 2 directories with 4 updates
75fb16f 
Bumps the cargo group with 4 updates in the /codex-rs directory: [tar](https://github.com/alexcrichton/tar-rs), [aws-lc-sys](https://github.com/aws/aws-lc-rs), [quinn-proto](https://github.com/quinn-rs/quinn) and [rustls-webpki](https://github.com/rustls/webpki).
Bumps the cargo group with 1 update in the /tools/argument-comment-lint directory: [tar](https://github.com/alexcrichton/tar-rs).


Updates `tar` from 0.4.44 to 0.4.45
- [Commits](alexcrichton/tar-rs@0.4.44...0.4.45)

Updates `aws-lc-sys` from 0.37.0 to 0.37.1
- [Release notes](https://github.com/aws/aws-lc-rs/releases)
- [Commits](aws/aws-lc-rs@aws-lc-sys/v0.37.0...aws-lc-sys/v0.37.1)

Updates `quinn-proto` from 0.11.13 to 0.11.14
- [Release notes](https://github.com/quinn-rs/quinn/releases)
- [Commits](quinn-rs/quinn@quinn-proto-0.11.13...quinn-proto-0.11.14)

Updates `rustls-webpki` from 0.103.9 to 0.103.10
- [Release notes](https://github.com/rustls/webpki/releases)
- [Commits](rustls/webpki@v/0.103.9...v/0.103.10)

Updates `tar` from 0.4.44 to 0.4.45
- [Commits](alexcrichton/tar-rs@0.4.44...0.4.45)

---
updated-dependencies:
- dependency-name: tar
  dependency-version: 0.4.45
  dependency-type: direct:production
  dependency-group: cargo
- dependency-name: aws-lc-sys
  dependency-version: 0.37.1
  dependency-type: indirect
  dependency-group: cargo
- dependency-name: quinn-proto
  dependency-version: 0.11.14
  dependency-type: indirect
  dependency-group: cargo
- dependency-name: rustls-webpki
  dependency-version: 0.103.10
  dependency-type: indirect
  dependency-group: cargo
- dependency-name: tar
  dependency-version: 0.4.45
  dependency-type: indirect
  dependency-group: cargo
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file rust Pull requests that update rust code labels Mar 21, 2026
@dependabot dependabot bot requested a review from zapabob as a code owner March 21, 2026 08:59
@dependabot dependabot bot added dependencies Pull requests that update a dependency file rust Pull requests that update rust code labels Mar 21, 2026
@vercel
Copy link

vercel bot commented Mar 21, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
codex Error Error Mar 21, 2026 9:00am

@dependabot dependabot bot mentioned this pull request Mar 21, 2026
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@zapabob zapabob Awaiting requested review from zapabob zapabob is a code owner

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file rust Pull requests that update rust code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants