Skip to content

build(deps): bump the cargo group across 1 directory with 8 updates#2

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/cargo/codex-rs/cargo-f494575a8c
Open

build(deps): bump the cargo group across 1 directory with 8 updates#2
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/cargo/codex-rs/cargo-f494575a8c

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github May 31, 2026

Copy link
Copy Markdown

Bumps the cargo group with 6 updates in the /codex-rs directory:

Package From To
gix 0.81.0 0.83.0
jsonwebtoken 9.3.1 10.3.0
rmcp 0.15.0 1.4.0
tar 0.4.45 0.4.46
actix-http 3.11.2 3.12.1
openssl 0.10.75 0.10.80

Updates gix from 0.81.0 to 0.83.0

Release notes

Sourced from gix's releases.

gix v0.83.0

Bug Fixes

  • Correctly use $COMMON_DIR/info/exclude to make excludes work in worktrees. It turns out there is no per-worktree excludes file either.

Chore (BREAKING)

  • Upgrade prodash and crosstermion to the latest version. This will fix the cargo deny issue as it brings in a newer lru crate.

Bug Fixes (BREAKING)

  • remove winnow and replace it with hand-implemented parsers everywhere. This will allow for simplified maintenance and editing (both human and machine) down the road, and enable additional performance optimisations.

    Parser compbinators to me ultimately were a failed experiment as I couldn't maintain them anyway, with it being too difficult for me to grasp and express everything in its very own kind of language, with a lot of different things to consider.

    Note that this also removes detailed errors from all parsers that previously used winnow, with the option to re-add those if there is demand.

Commit Statistics

  • 5 commits contributed to the release over the course of 2 calendar days.
  • 3 days passed between releases.
  • 1 commit was understood as conventional.
  • 0 issues like '(#ID)' were seen in commit messages

Commit Details

  • Uncategorized
    • Adapt to changes in gix-object (91bfab0)
    • Remove winnow and replace it with hand-implemented parsers everywhere. (91c854e)
    • Merge pull request #2540 from GitoxideLabs/reporting (4d5ba23)
    • Merge pull request #2529 from GitoxideLabs/reflog-newline-handling (2c3a08e)
    • Adapt to changes in gix-error (2e2a126)
Commits
  • 53f880c Release gix-error v0.2.3, gix-date v0.15.3, gix-actor v0.41.0, gix-path v0.12...
  • 09687eb fix CI - and probably prevent can't connect to localhost in journey tests
  • d5f9bf5 feat: add Category::is_remote_tracking_branch().
  • 87b2da8 address auto-review
  • 731248f feat!: add sha-256 support to gix-ref.
  • 91bfab0 Adapt to changes in gix-object
  • d4439cd fix!: Limit Commit and Tag parsing to a given gix_hash::Kind
  • 5127973 fix: Allow more pathological cases during parsing just like Git
  • 91c854e fix!: remove winnow and replace it with hand-implemented parsers everywhere.
  • b060eb2 fix!: remove winnow from the public gix-actor API for parsing (#2545)
  • Additional commits viewable in compare view

Updates jsonwebtoken from 9.3.1 to 10.3.0

Changelog

Sourced from jsonwebtoken's changelog.

10.3.0 (2026-01-27)

  • Export everything needed to define your own CryptoProvider
  • Fix type confusion with exp/nbf when not required

10.2.0 (2025-11-06)

  • Remove Clone bound from decode functions

10.1.0 (2025-10-18)

  • add dangerous::insecure_decode
  • Implement TryFrom &Jwk for DecodingKey

10.0.0 (2025-09-29)

  • BREAKING: now using traits for crypto backends, you have to choose between aws_lc_rs and rust_crypto
  • Add Clone bound to decode
  • Support decoding byte slices
  • Support JWS
Commits

Updates rmcp from 0.15.0 to 1.4.0

Release notes

Sourced from rmcp's releases.

rmcp-macros-v1.4.0

Added

  • (macros) auto-generate get_info and default router (#785)

rmcp-v1.4.0

Added

  • add Default and constructors to ServerSseMessage (#794)
  • add meta to elicitation results (#792)
  • (macros) auto-generate get_info and default router (#785)
  • (transport) add which_command for cross-platform executable resolution (#774)
  • (auth) add StoredCredentials::new() constructor (#778)

Fixed

  • (server) remove initialized notification gate to support Streamable HTTP (#788)
  • default session keep_alive to 5 minutes (#780)
  • (http) add host check (#764)
  • exclude local feature from docs.rs build (#782)

Other

  • update Rust toolchain to 1.92 (#797)
  • unify IntoCallToolResult Result impls (#787)

rmcp-macros-v1.3.0

Added

  • add local feature for !Send tool handler support (#740)

Other

  • fix all clippy warnings across workspace (#746)

rmcp-v1.3.0

Added

  • (transport) add Unix domain socket client for streamable HTTP (#749)
  • (auth) implement SEP-2207 OIDC-flavored refresh token guidance (#676)
  • add configuration for transparent session re-init (#760)
  • add local feature for !Send tool handler support (#740)

Fixed

  • prevent CallToolResult and GetTaskPayloadResult from shadowing CustomResult in untagged enums (#771)
  • drain in-flight responses on stdin EOF (#759)
  • remove default type param from StreamableHttpService (#758)
  • use cfg-gated Send+Sync supertraits to avoid semver break (#757)
  • (rmcp) surface JSON-RPC error bodies on HTTP 4xx responses (#748)

... (truncated)

Commits
  • 4628720 chore: release v1.4.0 (#779)
  • 65d2b29 fix(server): remove initialized notification gate to support Streamable HTTP ...
  • a7b5700 fix: pass GIT_TOKEN to release-plz CLI (#798)
  • 8a8c036 chore: update Rust toolchain to 1.92 (#797)
  • 34d0bc6 fix: upgrade rustc in actions (#796)
  • 45a4cc5 feat: add Default and constructors to ServerSseMessage (#794)
  • 5f43283 feat: add meta to elicitation results (#792)
  • be321a4 feat(macros): auto-generate get_info and default router (#785)
  • 5891b45 refactor: unify IntoCallToolResult Result impls (#787)
  • d98248a ci: add --locked to release-plz install (#786)
  • Additional commits viewable in compare view

Updates tar from 0.4.45 to 0.4.46

Release notes

Sourced from tar's releases.

0.4.46

Security

See also GHSA-3cv2-h65g-fgmm

Other changes

New Contributors

Full Changelog: composefs/tar-rs@0.4.45...0.4.46

Commits

Updates actix-http from 3.11.2 to 3.12.1

Release notes

Sourced from actix-http's releases.

actix-http: v3.12.1

Notice: This release contains a security fix. Users are encouraged to update to this version ASAP.

  • SECURITY: Reject HTTP/1 requests with ambiguous request framing from Content-Length and Transfer-Encoding headers to prevent request smuggling.
  • Encode the HTTP/1 Connection: Upgrade header in Camel-Case when camel-case header formatting is enabled.#3953
  • Fix HeaderMap iterators' len() and size_hint() implementations for multi-value headers.
  • Update rand dependency to 0.10.
  • Update sha1 dependency to 0.11.

#3953: actix/actix-web#3953

actix-http: v3.12.0

  • Minimum supported Rust version (MSRV) is now 1.88.
  • Increase default HTTP/2 flow control window sizes. #3638
  • Expose configuration methods to improve upload throughput. #3638
  • Fix truncated body ending without error when connection closed abnormally. #3067
  • Add config/method for TCP_NODELAY. #3918
  • Do not compress 206 Partial Content responses. #3191
  • Fix lingering sockets and client stalls when responding early to dropped chunked request payloads. #2972

#3638: actix/actix-web#3638 #3067: actix/actix-web#3067 #3918: actix/actix-web#3918 #3191: actix/actix-web#3191 #2972: actix/actix-web#2972

Commits

Updates gix-fs from 0.19.2 to 0.21.2

Release notes

Sourced from gix-fs's releases.

gix-fs v0.21.2

Commit Statistics

  • 5 commits contributed to the release over the course of 25 calendar days.
  • 25 days passed between releases.
  • 0 commits were understood as conventional.
  • 0 issues like '(#ID)' were seen in commit messages

Commit Details

  • Uncategorized
    • Merge pull request #2568 from GitoxideLabs/dependabot/cargo/cargo-56d6b174d8 (ab2fee1)
    • Update crates to Rust 2024 edition (2cb17b2)
    • Remove rust_2018_idioms lint declarations (e10d5f6)
    • Raise MSRV for hash dependency updates (3675a8d)
    • Merge pull request #2559 from GitoxideLabs/fix/symlink-prefix-reuse-worktree-escape-GHSA-f89h-2fjh-2r9q (3af9b4a)

gix-fs v0.21.1

A security fix for GHSA-f89h-2fjh-2r9q, which could allow attackers to trick gix clone into writing outside of the repository.

Commit Statistics

  • 3 commits contributed to the release over the course of 2 calendar days.
  • 2 days passed between releases.
  • 0 commits were understood as conventional.
  • 0 issues like '(#ID)' were seen in commit messages

Commit Details

  • Uncategorized
    • Update changelog of gix-fs prior to release (e26d378)
    • Revalidate cached stack leaves before directory reuse (93d0ff6)
    • Merge pull request #2546 from GitoxideLabs/fix-2545 (adb8328)

gix-fs v0.21.0

Commit Statistics

  • 1 commit contributed to the release over the course of 2 calendar days.
  • 3 days passed between releases.

... (truncated)

Changelog

Sourced from gix-fs's changelog.

Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

0.53.0 (2026-04-28)

0.52.1 (2026-04-24)

New Features

  • add gix free trust to easily check the assigned trust level of any given path This is particularly useful on Windows, which makes it easy to probe existing paths with ownership that might be complex to reproduce otherwise.

Commit Statistics

  • 6 commits contributed to the release over the course of 27 calendar days.
  • 32 days passed between releases.
  • 1 commit was understood as conventional.
  • 0 issues like '(#ID)' were seen in commit messages

Thanks Clippy

Clippy helped 1 time to make code idiomatic.

Commit Details

  • Uncategorized
    • Merge pull request #2510 from GitoxideLabs/folder-identity-on-windows (a96587c)
    • Add gix free trust to easily check the assigned trust level of any given path (ab2016f)
    • Merge pull request #2513 from GitoxideLabs/v2-diff (2a5db88)
    • Thanks clippy (e4f380e)
    • Merge pull request #2494 from GitoxideLabs/improvements (50fb46f)
    • Adapt to changes in gix-config. (344218a)

0.52.0 (2026-03-22)

0.51.0 (2026-02-22)

... (truncated)

Commits
  • 10c58bb Release gix-error v0.2.4, gix-date v0.15.4, gix-actor v0.41.1, gix-trace v0.1...
  • b6c41cb Montly report for May 2026
  • faecc23 Merge pull request #2607 from SarthakB11/fix/issue-1842
  • 8323858 fix: Derive $0 for sh -c from the shell's basename
  • d62e33c Add tests for $0 deriving from the actually-running shell
  • f6433ac Update downstream test assertions for sh $0 change
  • 6752a96 Pass sh (not --) as $0 to sh -c
  • 4377485 Merge pull request #2612 from GitoxideLabs/improvements
  • 123cdaf spawn_git_daemon now spawns the git daemon on a free port automatically
  • cad26e9 fix: disable automatic Git maintenance in gix-testtools, add `apply_git_confi...
  • Additional commits viewable in compare view

Updates gix-pack from 0.68.0 to 0.70.0

Release notes

Sourced from gix-pack's releases.

gix-pack v0.70.0

Commit Statistics

  • 2 commits contributed to the release over the course of 2 calendar days.
  • 3 days passed between releases.
  • 0 commits were understood as conventional.
  • 0 issues like '(#ID)' were seen in commit messages

Commit Details

  • Uncategorized
    • Adapt to changes in gix-object (91bfab0)
    • Merge pull request #2540 from GitoxideLabs/reporting (4d5ba23)
Commits
  • 53f880c Release gix-error v0.2.3, gix-date v0.15.3, gix-actor v0.41.0, gix-path v0.12...
  • 09687eb fix CI - and probably prevent can't connect to localhost in journey tests
  • d5f9bf5 feat: add Category::is_remote_tracking_branch().
  • 87b2da8 address auto-review
  • 731248f feat!: add sha-256 support to gix-ref.
  • 91bfab0 Adapt to changes in gix-object
  • d4439cd fix!: Limit Commit and Tag parsing to a given gix_hash::Kind
  • 5127973 fix: Allow more pathological cases during parsing just like Git
  • 91c854e fix!: remove winnow and replace it with hand-implemented parsers everywhere.
  • b060eb2 fix!: remove winnow from the public gix-actor API for parsing (#2545)
  • Additional commits viewable in compare view

Updates openssl from 0.10.75 to 0.10.80

Release notes

Sourced from openssl's releases.

openssl-v0.10.80

What's Changed

Full Changelog: rust-openssl/rust-openssl@openssl-v0.10.79...openssl-v0.10.80

openssl-v0.10.79

What's Changed

Full Changelog: rust-openssl/rust-openssl@openssl-v0.10.78...openssl-v0.10.79

openssl-v0.10.78

What's Changed

... (truncated)

Commits
  • 35be7ae Release openssl 0.10.80 and openssl-sys 0.9.116 (#2639)
  • 19eceb2 Fix output buffer overflow in cipher_update_inplace for AES key-wrap-with-pad...
  • b460eb3 Prefer Homebrew openssl@4 and stop looking for openssl@1.1 (#2633)
  • 649f2d9 Release openssl 0.10.79 and openssl-sys 0.9.115 (#2632)
  • 257f9b2 Fix output buffer overflow for AES key-wrap-with-padding ciphers (#2630)
  • d43e917 Reject non-UTF-8 OCSP responder URLs in X509Ref::ocsp_responders (#2631)
  • f46519c Add PkeyCtxRef::set_context_string for ML-DSA (#2629)
  • ad9ae31 Bind OSSL_PARAM_modified and use it for seed_into (#2628)
  • 4e25c9b Fix process abort when verify/PSK callbacks fire after SSL_CTX swap (#2624)
  • 3dd8f42 Add PKeyRef::seed_into for ML-DSA/ML-KEM seed extraction (#2626)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps the cargo group with 6 updates in the /codex-rs directory:

| Package | From | To |
| --- | --- | --- |
| [gix](https://github.com/GitoxideLabs/gitoxide) | `0.81.0` | `0.83.0` |
| [jsonwebtoken](https://github.com/Keats/jsonwebtoken) | `9.3.1` | `10.3.0` |
| [rmcp](https://github.com/modelcontextprotocol/rust-sdk) | `0.15.0` | `1.4.0` |
| [tar](https://github.com/composefs/tar-rs) | `0.4.45` | `0.4.46` |
| [actix-http](https://github.com/actix/actix-web) | `3.11.2` | `3.12.1` |
| [openssl](https://github.com/rust-openssl/rust-openssl) | `0.10.75` | `0.10.80` |



Updates `gix` from 0.81.0 to 0.83.0
- [Release notes](https://github.com/GitoxideLabs/gitoxide/releases)
- [Changelog](https://github.com/GitoxideLabs/gitoxide/blob/main/CHANGELOG.md)
- [Commits](GitoxideLabs/gitoxide@gix-v0.81.0...gix-v0.83.0)

Updates `jsonwebtoken` from 9.3.1 to 10.3.0
- [Changelog](https://github.com/Keats/jsonwebtoken/blob/master/CHANGELOG.md)
- [Commits](Keats/jsonwebtoken@v9.3.1...v10.3.0)

Updates `rmcp` from 0.15.0 to 1.4.0
- [Release notes](https://github.com/modelcontextprotocol/rust-sdk/releases)
- [Changelog](https://github.com/modelcontextprotocol/rust-sdk/blob/main/release-plz.toml)
- [Commits](modelcontextprotocol/rust-sdk@rmcp-v0.15.0...rmcp-v1.4.0)

Updates `tar` from 0.4.45 to 0.4.46
- [Release notes](https://github.com/composefs/tar-rs/releases)
- [Commits](composefs/tar-rs@0.4.45...0.4.46)

Updates `actix-http` from 3.11.2 to 3.12.1
- [Release notes](https://github.com/actix/actix-web/releases)
- [Changelog](https://github.com/actix/actix-web/blob/main/CHANGES.md)
- [Commits](actix/actix-web@http-v3.11.2...http-v3.12.1)

Updates `gix-fs` from 0.19.2 to 0.21.2
- [Release notes](https://github.com/GitoxideLabs/gitoxide/releases)
- [Changelog](https://github.com/GitoxideLabs/gitoxide/blob/main/CHANGELOG.md)
- [Commits](GitoxideLabs/gitoxide@gix-fs-v0.19.2...gix-fs-v0.21.2)

Updates `gix-pack` from 0.68.0 to 0.70.0
- [Release notes](https://github.com/GitoxideLabs/gitoxide/releases)
- [Changelog](https://github.com/GitoxideLabs/gitoxide/blob/main/CHANGELOG.md)
- [Commits](GitoxideLabs/gitoxide@gix-pack-v0.68.0...gix-pack-v0.70.0)

Updates `openssl` from 0.10.75 to 0.10.80
- [Release notes](https://github.com/rust-openssl/rust-openssl/releases)
- [Commits](rust-openssl/rust-openssl@openssl-v0.10.75...openssl-v0.10.80)

---
updated-dependencies:
- dependency-name: gix
  dependency-version: 0.83.0
  dependency-type: direct:production
  dependency-group: cargo
- dependency-name: jsonwebtoken
  dependency-version: 10.3.0
  dependency-type: direct:production
  dependency-group: cargo
- dependency-name: rmcp
  dependency-version: 1.4.0
  dependency-type: direct:production
  dependency-group: cargo
- dependency-name: tar
  dependency-version: 0.4.46
  dependency-type: direct:production
  dependency-group: cargo
- dependency-name: actix-http
  dependency-version: 3.12.1
  dependency-type: indirect
  dependency-group: cargo
- dependency-name: gix-fs
  dependency-version: 0.21.2
  dependency-type: indirect
  dependency-group: cargo
- dependency-name: gix-pack
  dependency-version: 0.70.0
  dependency-type: indirect
  dependency-group: cargo
- dependency-name: openssl
  dependency-version: 0.10.80
  dependency-type: indirect
  dependency-group: cargo
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file rust Pull requests that update rust code labels May 31, 2026
@nuntius-review

Copy link
Copy Markdown
Vesper

Reviewed commits

Commit Summary
ffc8932 build(deps): bump the cargo group across 1 directory with 8 updates

An analysis of the changes in codex-rs/Cargo.lock reveals a critical correctness issue due to a truncated diff, as well as some observations regarding dependency duplication.

1. Correctness: Truncated Lockfile (Critical)

The diff ends abruptly at the very end of codex-rs/Cargo.lock:

@@ -2774,7 +2781,7 @@ dependencies = [
  "http 1.4.0",
  "pretty_assertions",
  "prost 0.14.3",
- "reqwest",
+ "reqwest

The replacement line + "reqwest is incomplete (missing the version, closing quote, comma, and newline). If applied as-is, this will result in a malformed Cargo.lock file, causing Cargo commands to fail with parsing errors. Based on the other reqwest updates in this diff, this should be completed to "reqwest 0.12.28",.

2. Performance & Binary Size: Dependency Duplication

The updates introduce multiple co-existing versions of several foundational crates:

  • chacha20: Both 0.9.1 and 0.10.0 are now present.
  • cpufeatures: Both 0.2.17 and 0.3.0 are now present.
  • rand: Both 0.9.3 and 0.10.1 are now present.

While Cargo handles duplicate major/minor versions safely, having multiple versions of cryptographic and utility crates increases compilation times and final binary size. If you have control over the parent dependencies, consider aligning them to use the same versions of these crates.


Suggestions

diff --git a/codex-rs/Cargo.lock b/codex-rs/Cargo.lock
index b800d2112..7c2c5c945 100644
--- a/codex-rs/Cargo.lock
+++ b/codex-rs/Cargo.lock
@@ -2774,7 +2781,7 @@ dependencies = [
  "http 1.4.0",
  "pretty_assertions",
  "prost 0.14.3",
- "reqwest",
+ "reqwest 0.12.28",

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file rust Pull requests that update rust code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants