build(deps): bump the cargo group across 1 directory with 8 updates#2
build(deps): bump the cargo group across 1 directory with 8 updates#2dependabot[bot] wants to merge 1 commit into
Conversation
Bumps the cargo group with 6 updates in the /codex-rs directory: | Package | From | To | | --- | --- | --- | | [gix](https://github.com/GitoxideLabs/gitoxide) | `0.81.0` | `0.83.0` | | [jsonwebtoken](https://github.com/Keats/jsonwebtoken) | `9.3.1` | `10.3.0` | | [rmcp](https://github.com/modelcontextprotocol/rust-sdk) | `0.15.0` | `1.4.0` | | [tar](https://github.com/composefs/tar-rs) | `0.4.45` | `0.4.46` | | [actix-http](https://github.com/actix/actix-web) | `3.11.2` | `3.12.1` | | [openssl](https://github.com/rust-openssl/rust-openssl) | `0.10.75` | `0.10.80` | Updates `gix` from 0.81.0 to 0.83.0 - [Release notes](https://github.com/GitoxideLabs/gitoxide/releases) - [Changelog](https://github.com/GitoxideLabs/gitoxide/blob/main/CHANGELOG.md) - [Commits](GitoxideLabs/gitoxide@gix-v0.81.0...gix-v0.83.0) Updates `jsonwebtoken` from 9.3.1 to 10.3.0 - [Changelog](https://github.com/Keats/jsonwebtoken/blob/master/CHANGELOG.md) - [Commits](Keats/jsonwebtoken@v9.3.1...v10.3.0) Updates `rmcp` from 0.15.0 to 1.4.0 - [Release notes](https://github.com/modelcontextprotocol/rust-sdk/releases) - [Changelog](https://github.com/modelcontextprotocol/rust-sdk/blob/main/release-plz.toml) - [Commits](modelcontextprotocol/rust-sdk@rmcp-v0.15.0...rmcp-v1.4.0) Updates `tar` from 0.4.45 to 0.4.46 - [Release notes](https://github.com/composefs/tar-rs/releases) - [Commits](composefs/tar-rs@0.4.45...0.4.46) Updates `actix-http` from 3.11.2 to 3.12.1 - [Release notes](https://github.com/actix/actix-web/releases) - [Changelog](https://github.com/actix/actix-web/blob/main/CHANGES.md) - [Commits](actix/actix-web@http-v3.11.2...http-v3.12.1) Updates `gix-fs` from 0.19.2 to 0.21.2 - [Release notes](https://github.com/GitoxideLabs/gitoxide/releases) - [Changelog](https://github.com/GitoxideLabs/gitoxide/blob/main/CHANGELOG.md) - [Commits](GitoxideLabs/gitoxide@gix-fs-v0.19.2...gix-fs-v0.21.2) Updates `gix-pack` from 0.68.0 to 0.70.0 - [Release notes](https://github.com/GitoxideLabs/gitoxide/releases) - [Changelog](https://github.com/GitoxideLabs/gitoxide/blob/main/CHANGELOG.md) - [Commits](GitoxideLabs/gitoxide@gix-pack-v0.68.0...gix-pack-v0.70.0) Updates `openssl` from 0.10.75 to 0.10.80 - [Release notes](https://github.com/rust-openssl/rust-openssl/releases) - [Commits](rust-openssl/rust-openssl@openssl-v0.10.75...openssl-v0.10.80) --- updated-dependencies: - dependency-name: gix dependency-version: 0.83.0 dependency-type: direct:production dependency-group: cargo - dependency-name: jsonwebtoken dependency-version: 10.3.0 dependency-type: direct:production dependency-group: cargo - dependency-name: rmcp dependency-version: 1.4.0 dependency-type: direct:production dependency-group: cargo - dependency-name: tar dependency-version: 0.4.46 dependency-type: direct:production dependency-group: cargo - dependency-name: actix-http dependency-version: 3.12.1 dependency-type: indirect dependency-group: cargo - dependency-name: gix-fs dependency-version: 0.21.2 dependency-type: indirect dependency-group: cargo - dependency-name: gix-pack dependency-version: 0.70.0 dependency-type: indirect dependency-group: cargo - dependency-name: openssl dependency-version: 0.10.80 dependency-type: indirect dependency-group: cargo ... Signed-off-by: dependabot[bot] <support@github.com>
VesperReviewed commits
An analysis of the changes in 1. Correctness: Truncated Lockfile (Critical)The diff ends abruptly at the very end of @@ -2774,7 +2781,7 @@ dependencies = [
"http 1.4.0",
"pretty_assertions",
"prost 0.14.3",
- "reqwest",
+ "reqwestThe replacement line 2. Performance & Binary Size: Dependency DuplicationThe updates introduce multiple co-existing versions of several foundational crates:
While Cargo handles duplicate major/minor versions safely, having multiple versions of cryptographic and utility crates increases compilation times and final binary size. If you have control over the parent dependencies, consider aligning them to use the same versions of these crates. Suggestionsdiff --git a/codex-rs/Cargo.lock b/codex-rs/Cargo.lock
index b800d2112..7c2c5c945 100644
--- a/codex-rs/Cargo.lock
+++ b/codex-rs/Cargo.lock
@@ -2774,7 +2781,7 @@ dependencies = [
"http 1.4.0",
"pretty_assertions",
"prost 0.14.3",
- "reqwest",
+ "reqwest 0.12.28", |
Bumps the cargo group with 6 updates in the /codex-rs directory:
0.81.00.83.09.3.110.3.00.15.01.4.00.4.450.4.463.11.23.12.10.10.750.10.80Updates
gixfrom 0.81.0 to 0.83.0Release notes
Sourced from gix's releases.
Commits
53f880cRelease gix-error v0.2.3, gix-date v0.15.3, gix-actor v0.41.0, gix-path v0.12...09687ebfix CI - and probably preventcan't connect to localhostin journey testsd5f9bf5feat: addCategory::is_remote_tracking_branch().87b2da8address auto-review731248ffeat!: addsha-256support togix-ref.91bfab0Adapt to changes ingix-objectd4439cdfix!: Limit Commit and Tag parsing to a givengix_hash::Kind5127973fix: Allow more pathological cases during parsing just like Git91c854efix!: removewinnowand replace it with hand-implemented parsers everywhere.b060eb2fix!: removewinnowfrom the publicgix-actorAPI for parsing (#2545)Updates
jsonwebtokenfrom 9.3.1 to 10.3.0Changelog
Sourced from jsonwebtoken's changelog.
Commits
abbc307Fix type confusione99740dfix: bump minimal version requirements (#481)50d15e0Use try_sign to avoid panics (#479)245858fBump some dep122c2edBump action number in CI72e0c7fExpose cryptography backends via CryptoProvider (#452)53a3fc2Do not fail for clippy3226cfcPrepare for releasedfe58f9Remove unnecessary Clone bounds from decode functions (#458)9b3e19cFix function names in README (#457)Updates
rmcpfrom 0.15.0 to 1.4.0Release notes
Sourced from rmcp's releases.
... (truncated)
Commits
4628720chore: release v1.4.0 (#779)65d2b29fix(server): remove initialized notification gate to support Streamable HTTP ...a7b5700fix: pass GIT_TOKEN to release-plz CLI (#798)8a8c036chore: update Rust toolchain to 1.92 (#797)34d0bc6fix: upgrade rustc in actions (#796)45a4cc5feat: add Default and constructors to ServerSseMessage (#794)5f43283feat: add meta to elicitation results (#792)be321a4feat(macros): auto-generate get_info and default router (#785)5891b45refactor: unify IntoCallToolResult Result impls (#787)d98248aci: add --locked to release-plz install (#786)Updates
tarfrom 0.4.45 to 0.4.46Release notes
Sourced from tar's releases.
Commits
fc459c1Release 0.4.4643e05a8ci: Add crates.io trusted publishing workflowbba5666Update repo linkscd94c46docs: Document TOCTOU / concurrent-mutation threat model1b4997cbuilder: Expand docs for follow_symlinks and append_dir_allbab14ddarchive: Fix another PAX header desync (GHSA-3cv2-h65g-fgmm)2349b49Add support of absolute paths39d0311Update some links59d803eUpdate astral-tokio-tar requirement from 0.5 to 0.68296b9aci: Fix and re-enable reverse dependency testing (#444)Updates
actix-httpfrom 3.11.2 to 3.12.1Release notes
Sourced from actix-http's releases.
Commits
0fb8945chore(http): prepare v3.12.1 (#4029)3c056bdMerge commit from forke6d0991chore(multipart,derive): prepare 0.8.0 (#4027)4434a49fix(multipart): count ignored fields towardsMultipartFormConfigli… (#4026)be62050fix(multipart): set cap for parser buffering (#4025)be4566dfix(multipart): do not parse with fixed index not to panic (#4024)6d2c2f4chore(http): upgradesha1to 0.11 (#4022)253cd4fchore: address new advisories (#4023)e766ca6chore: upgrade rand to 0.10.1 (#4021)d747959build(deps): bump EmbarkStudios/cargo-deny-action from 2.0.15 to 2.0.16 (#4018)Updates
gix-fsfrom 0.19.2 to 0.21.2Release notes
Sourced from gix-fs's releases.
... (truncated)
Changelog
Sourced from gix-fs's changelog.
... (truncated)
Commits
10c58bbRelease gix-error v0.2.4, gix-date v0.15.4, gix-actor v0.41.1, gix-trace v0.1...b6c41cbMontly report for May 2026faecc23Merge pull request #2607 from SarthakB11/fix/issue-18428323858fix: Derive$0forsh -cfrom the shell's basenamed62e33cAdd tests for$0deriving from the actually-running shellf6433acUpdate downstream test assertions for sh $0 change6752a96Pass sh (not --) as $0 to sh -c4377485Merge pull request #2612 from GitoxideLabs/improvements123cdafspawn_git_daemonnow spawns the git daemon on a free port automaticallycad26e9fix: disable automatic Git maintenance in gix-testtools, add `apply_git_confi...Updates
gix-packfrom 0.68.0 to 0.70.0Release notes
Sourced from gix-pack's releases.
Commits
53f880cRelease gix-error v0.2.3, gix-date v0.15.3, gix-actor v0.41.0, gix-path v0.12...09687ebfix CI - and probably preventcan't connect to localhostin journey testsd5f9bf5feat: addCategory::is_remote_tracking_branch().87b2da8address auto-review731248ffeat!: addsha-256support togix-ref.91bfab0Adapt to changes ingix-objectd4439cdfix!: Limit Commit and Tag parsing to a givengix_hash::Kind5127973fix: Allow more pathological cases during parsing just like Git91c854efix!: removewinnowand replace it with hand-implemented parsers everywhere.b060eb2fix!: removewinnowfrom the publicgix-actorAPI for parsing (#2545)Updates
opensslfrom 0.10.75 to 0.10.80Release notes
Sourced from openssl's releases.
... (truncated)
Commits
35be7aeRelease openssl 0.10.80 and openssl-sys 0.9.116 (#2639)19eceb2Fix output buffer overflow in cipher_update_inplace for AES key-wrap-with-pad...b460eb3Prefer Homebrew openssl@4 and stop looking for openssl@1.1 (#2633)649f2d9Release openssl 0.10.79 and openssl-sys 0.9.115 (#2632)257f9b2Fix output buffer overflow for AES key-wrap-with-padding ciphers (#2630)d43e917Reject non-UTF-8 OCSP responder URLs in X509Ref::ocsp_responders (#2631)f46519cAdd PkeyCtxRef::set_context_string for ML-DSA (#2629)ad9ae31Bind OSSL_PARAM_modified and use it for seed_into (#2628)4e25c9bFix process abort when verify/PSK callbacks fire after SSL_CTX swap (#2624)3dd8f42Add PKeyRef::seed_into for ML-DSA/ML-KEM seed extraction (#2626)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore <dependency name> major versionwill close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)@dependabot ignore <dependency name> minor versionwill close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)@dependabot ignore <dependency name>will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)@dependabot unignore <dependency name>will remove all of the ignore conditions of the specified dependency@dependabot unignore <dependency name> <ignore condition>will remove the ignore condition of the specified dependency and ignore conditionsYou can disable automated security fix PRs for this repo from the Security Alerts page.