
chore(deps): bump the cargo group across 1 directory with 5 updates #21

Open

dependabot[bot] wants to merge 1 commit into main from dependabot/cargo/cargo-bf341e809c

Conversation

dependabot[bot] (Contributor) commented on behalf of github, Jun 12, 2026

Bumps the cargo group with 5 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| pyo3 | 0.24.1 | 0.25.1 |
| bytes | 1.10.0 | 1.11.1 |
| openssl | 0.10.73 | 0.10.81 |
| rand | 0.8.5 | 0.8.6 |
| rustls-webpki | 0.103.7 | 0.103.13 |

Updates pyo3 from 0.24.1 to 0.25.1

Release notes

Sourced from pyo3's releases.

PyO3 0.25.1

This release adds testing for arm64 Windows, and fixes a bug with Python 3.14 support on 32-bit systems.

This release also adds a chrono-local feature to enable support for chrono::Local timezone (this was previously available in PyO3 0.24 but would convert the local timezone to a fixed offset, which did not round-trip well).

There are a few other fixes, mostly correcting FFI definitions and improving compiler errors when writing async code without the experimental-async feature enabled.

Thank you to the following contributors for the improvements:

@bschoenmaeckers @Cheukting @davidhewitt @decathorpe @dependabot[bot] @Icxolu @jessekrubin @musicinmybrain @ngoldbaum @timfel @tonybaloney @Tpt @yogevm15

PyO3 0.25.0

This version extends Python version support to include the new Python 3.14, currently in beta. Please note it is possible that there may yet be changes to 3.14 before stable release which may impact final compatibility.

New optional dependencies on bigdecimal, ordered_float, and time have been added to permit converting types from those crates to Python types (and vice versa).

The experimental-inspect feature now has the capability to autogenerate type stubs. These stubs are still extremely basic and lack much information. Tooling such as setuptools-rust and maturin will also need to be updated to make adoption of these easier. Please follow PyO3/pyo3#5137 to keep abreast of developments of this feature.

The #[pyclass] macro has gained new options #[pyclass(generic)] and #[pyclass(immutable_type)] to offer additional control over the runtime behaviour of the generated Python type object.

The AsPyPointer trait has been removed as PyO3's smart pointer types such as Py<T>, Bound<T> and Borrowed<T> covered this use case with a better API.

As part of the upgrade to support 3.14, there have also been many cleanups to pyo3-ffi. Many definitions which are private implementation details of CPython have been removed; projects downstream of CPython cannot rely on stability of these even across CPython patch releases.

There are also many other incremental improvements, bug fixes and smaller features.

Please consult the migration guide for help upgrading.

Thank you to everyone who contributed code, documentation, design ideas, bug reports, and feedback. The following contributors' commits are included in this release:

@0x676e67 @bschoenmaeckers @clin1234 @davidbrochart @davidhewitt @ddelange @decathorpe @dependabot[bot]

... (truncated)

Changelog

Sourced from pyo3's changelog.

[0.25.1] - 2025-06-12

Packaging

  • Add support for Windows on ARM64. #5145
  • Add chrono-local feature for optional conversions for chrono's Local timezone & DateTime<Local> instances. #5174

Added

  • Add FFI definition PyBytes_AS_STRING. #5121
  • Add support for module associated consts introspection. #5150

Changed

  • Enable "vectorcall" FFI definitions on GraalPy. #5121
  • Use Py_Is function on GraalPy #5121

Fixed

  • Report a better compile error for async declarations when not using experimental-async feature. #5156
  • Fix implementation of FromPyObject for uuid::Uuid on big-endian architectures. #5161
  • Fix segmentation faults on 32-bit x86 with Python 3.14. #5180

[0.25.0] - 2025-05-14

Packaging

  • Support Python 3.14.0b1. #4811
  • Bump supported GraalPy version to 24.2. #5116
  • Add optional bigdecimal dependency to add conversions for bigdecimal::BigDecimal. #5011
  • Add optional time dependency to add conversions for time types. #5057
  • Remove cfg-if dependency. #5110
  • Add optional ordered_float dependency to add conversions for ordered_float::NotNan and ordered_float::OrderedFloat. #5114

Added

  • Add initial type stub generation to the experimental-inspect feature. #3977
  • Add #[pyclass(generic)] option to support runtime generic typing. #4926
  • Implement OnceExt & MutexExt for parking_lot & lock_api. Use the new extension traits by enabling the arc_lock, lock_api, or parking_lot cargo features. #5044
  • Implement From/Into for Borrowed<T> -> Py<T>. #5054
  • Add PyTzInfo constructors. #5055
  • Add FFI definition PY_INVALID_STACK_EFFECT. #5064
  • Implement AsRef<Py<PyAny>> for Py<T>, Bound<T> and Borrowed<T>. #5071
  • Add FFI definition PyModule_Add and compat::PyModule_Add. #5085
  • Add FFI definitions Py_HashBuffer, Py_HashPointer, and PyObject_GenericHash. #5086
  • Support #[pymodule_export] on const items in declarative modules. #5096
  • Add #[pyclass(immutable_type)] option (on Python 3.14+ with abi3, or 3.10+ otherwise) for immutable type objects. #5101
  • Support #[pyo3(rename_all)] support on #[derive(IntoPyObject)]. #5112
  • Add PyRange wrapper. #5117

Changed

... (truncated)

Commits

Updates bytes from 1.10.0 to 1.11.1

Release notes

Sourced from bytes's releases.

Bytes v1.11.1

1.11.1 (February 3rd, 2026)

  • Fix integer overflow in BytesMut::reserve

Bytes v1.11.0

1.11.0 (November 14th, 2025)

  • Bump MSRV to 1.57 (#788)

Fixed

  • fix: BytesMut only reuse if src has remaining (#803)
  • Specialize BytesMut::put::<Bytes> (#793)
  • Reserve capacity in BytesMut::put (#794)
  • Change BytesMut::remaining_mut to use isize::MAX instead of usize::MAX (#795)

Internal changes

  • Guarantee address in slice() for empty slices. (#780)
  • Rename Vtable::to_* -> Vtable::into_* (#776)
  • Fix latest clippy warnings (#787)
  • Ignore BytesMut::freeze doctest on wasm (#790)
  • Move drop_fn of from_owner into vtable (#801)

Bytes v1.10.1

1.10.1 (March 5th, 2025)

Fixed

  • Fix memory leak when using to_vec with Bytes::from_owner (#773)

#773: tokio-rs/bytes#773

Commits

Updates openssl from 0.10.73 to 0.10.81

Release notes

Sourced from openssl's releases.

openssl-v0.10.81

Full Changelog: rust-openssl/rust-openssl@openssl-v0.10.80...openssl-v0.10.81

openssl-v0.10.80

Full Changelog: rust-openssl/rust-openssl@openssl-v0.10.79...openssl-v0.10.80

openssl-v0.10.79

Full Changelog: rust-openssl/rust-openssl@openssl-v0.10.78...openssl-v0.10.79

... (truncated)

Commits
  • db9c9e2 Release openssl 0.10.81 and openssl-sys 0.9.117 (#2655)
  • 3a7fb56 Bump actions/checkout from 6.0.2 to 6.0.3 (#2653)
  • d059c43 Fix verify_mode() panic on unmodeled verify mode bits (#2651)
  • 8b1519e Deprecate Asn1StringRef::as_utf8 in favor of a NUL-safe to_string (#2652)
  • d5713d6 add mldsa.h to the boringssl bindgen (#2650)
  • 9fac317 Merge pull request #2538 from ocdlroux/feat/crl-full
  • 4dae20b x509: adding minimal support for X509CrlBuilder
  • 47f7777 Add brainpoolP224r1 and brainpoolP224t1 NID constants (#2642)
  • 659da17 Bump aws-ls-sys to 0.41 (#2640)
  • 35be7ae Release openssl 0.10.80 and openssl-sys 0.9.116 (#2639)
  • Additional commits viewable in compare view

Updates rand from 0.8.5 to 0.8.6

Changelog

Sourced from rand's changelog.

[0.8.6] - 2026-04-14

This release back-ports a fix from v0.10. See also #1763.

Changes

  • Deprecate feature log (#1772)
  • Drop the experimental simd_support feature.

#1763: rust-random/rand#1763
#1772: rust-random/rand#1772

Commits
  • 5309f25 0.8.6 (#1772): update for recent nightly rustc and backport #1764
  • 1126d03 When testing rustc 1.36, use compatible dependencies.
  • 143b602 Add Cargo.lock.msrv.
  • 9be86f2 Fix cross build test.
  • 5e0d50d Drop simd_support.
  • 8ff02f0 Upgrade cache action.
  • 4ad0cc3 Don't test for unsupported target architecture.
  • 258e6d0 Address warning.
  • 9f0e676 Mark some internal traits as potentially unused.
  • 6f123c1 Workaround never constructed and never used warning.
  • Additional commits viewable in compare view

Updates rustls-webpki from 0.103.7 to 0.103.13

Release notes

Sourced from rustls-webpki's releases.

0.103.13

  • Fix reachable panic in parsing a CRL. This was reported to us as GHSA-82j2-j2ch-gfr8. Users who don't use CRLs are not affected.
  • For name constraints on URI names, we incorrectly processed excluded subtrees in a way which inverted the desired meaning. See rustls/webpki#471. This was a case missing in the fix for GHSA-965h-392x-2mh5.

Full Changelog: rustls/webpki@v/0.103.12...v/0.103.13

0.103.12

This release fixes two bugs in name constraint enforcement:

  • GHSA-965h-392x-2mh5: name constraints for URI names were ignored and therefore accepted. URI name constraints are now rejected unconditionally. Note this library does not provide an API for asserting URI names, and URI name constraints are otherwise not implemented.
  • GHSA-xgp8-3hg3-c2mh: permitted subtree name constraints for DNS names were accepted for certificates asserting a wildcard name. This was incorrect because, given a name constraint of accept.example.com, *.example.com could feasibly allow a name of reject.example.com which is outside the constraint. This is very similar to CVE-2025-61727.

Since name constraints are restrictions on otherwise properly-issued certificates, these bugs are reachable only after signature verification and require misissuance to exploit.

Full Changelog: rustls/webpki@v/0.103.11...v/0.103.12

0.103.11

In response to #464, we've slightly relaxed requirements for anchor_from_trust_cert() to ignore unknown extensions even if they're marked as critical. This only affects parsing a TrustAnchor from DER, for which most extensions are ignored anyway.

0.103.10

Correct selection of candidate CRLs by Distribution Point and Issuing Distribution Point. If a certificate had more than one distributionPoint, then only the first distributionPoint would be considered against each CRL's IssuingDistributionPoint distributionPoint, and then the certificate's subsequent distributionPoints would be ignored.

The impact was that correctly provided CRLs would not be consulted to check revocation. With UnknownStatusPolicy::Deny (the default) this would lead to incorrect but safe Error::UnknownRevocationStatus. With UnknownStatusPolicy::Allow this would lead to inappropriate acceptance of revoked certificates.

This vulnerability is thought to be of limited impact. This is because both the certificate and CRL are signed -- an attacker would need to compromise a trusted issuing authority to trigger this bug. An attacker with such capabilities could likely bypass revocation checking through other more impactful means (such as publishing a valid, empty CRL.)

More likely, this bug would be latent in normal use, and an attacker could leverage faulty revocation checking to continue using a revoked credential.

This vulnerability is identified by GHSA-pwjx-qhcg-rvj4. Thank you to @1seal for the report.

Full Changelog: rustls/webpki@v/0.103.9...v/0.103.10

... (truncated)

Commits
  • 2879b2c Prepare 0.103.13
  • 2c49773 Improve tests for padding of BitStringFlags
  • 4e3c0b3 Correct validation of BIT STRING constraints
  • 39c91d2 Actually fail closed for URI matching against excluded subtrees
  • 27131d4 Bump version to 0.103.12
  • 6ecb876 Clean up stuttery enum variant names
  • 318b3e6 Ignore wildcard labels when matching name constraints
  • 1219622 Rewrite constraint matching to avoid permissive catch-all branch
  • 57bc62c Bump version to 0.103.11
  • d0fa01e Allow parsing trust anchors with unknown critical extensions
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

You can disable automated security fix PRs for this repo from the Security Alerts page.
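The two name-constraint cases described in the rustls-webpki 0.103.12 and 0.103.13 notes above, as an added worked example; this is not webpki's code and not part of this PR. It implements RFC 5280 dNSName subtree matching conservatively: the wildcard label is dropped and the remaining labels must lie inside a permitted subtree (so `*.example.com` is refused under a constraint of `accept.example.com` while `*.accept.example.com` passes), excluded subtrees fail closed for wildcards, and any URI name or URI constraint is rejected rather than ignored. The wildcard and excluded-subtree rules are my reading of the release notes, not a transcription of webpki's fix; the `GeneralName` and `Verdict` types and all host names are constructed for illustration.

```rust
// Added example, not rustls-webpki's code: conservative RFC 5280 dNSName
// name-constraint matching covering the wildcard and excluded-subtree cases
// from the rustls-webpki 0.103.12 and 0.103.13 release notes.

#[derive(Debug, PartialEq, Eq)]
pub enum Verdict {
    Permitted,
    Excluded,
    NotPermitted,
    /// URI names and URI constraints are not implemented here; fail closed
    /// instead of ignoring them (the 0.103.12 bug).
    Unsupported,
}

#[derive(Debug, Clone, Copy)]
pub enum GeneralName<'a> {
    Dns(&'a str),
    Uri(&'a str),
}

/// `name` is inside the subtree rooted at `root` if it equals the root or is
/// built by adding labels on the left (RFC 5280, section 4.2.1.10).
fn in_subtree(name: &str, root: &str) -> bool {
    let (name, root) = (name.to_ascii_lowercase(), root.to_ascii_lowercase());
    name == root || name.ends_with(&format!(".{root}"))
}

/// For "*.parent" return Ok(Some("parent")); plain names give Ok(None);
/// any other use of '*' is malformed and rejected by the caller.
fn wildcard_parent(name: &str) -> Result<Option<&str>, ()> {
    match name.strip_prefix("*.") {
        Some(parent) if !parent.is_empty() && !parent.contains('*') => Ok(Some(parent)),
        Some(_) => Err(()),
        None if name.contains('*') => Err(()),
        None => Ok(None),
    }
}

/// Keep only dNSName constraints; any URI constraint makes the check unsupported.
fn dns_only<'a>(names: &[GeneralName<'a>]) -> Option<Vec<&'a str>> {
    names.iter().map(|n| match n { GeneralName::Dns(d) => Some(*d), GeneralName::Uri(_) => None }).collect()
}

fn dns_permitted(name: &str, wildcard: Option<&str>, permitted: &[&str]) -> bool {
    // Every name a wildcard can match lives directly under its parent, so the
    // parent itself must be inside a permitted subtree: "*.example.com" fails
    // against "accept.example.com", "*.accept.example.com" passes.
    let effective = wildcard.unwrap_or(name);
    permitted.is_empty() || permitted.iter().any(|root| in_subtree(effective, root))
}

fn dns_excluded(name: &str, wildcard: Option<&str>, excluded: &[&str]) -> bool {
    match wildcard {
        None => excluded.iter().any(|root| in_subtree(name, root)),
        // Fail closed: a wildcard is excluded if its parent is inside an
        // excluded subtree, or if an excluded subtree sits anywhere under the
        // parent, because the wildcard could expand into it.
        Some(parent) => excluded
            .iter()
            .any(|root| in_subtree(parent, root) || in_subtree(root, parent)),
    }
}

pub fn check_name(name: GeneralName, permitted: &[GeneralName], excluded: &[GeneralName]) -> Verdict {
    let dns = match name {
        GeneralName::Dns(d) => d,
        GeneralName::Uri(_) => return Verdict::Unsupported,
    };
    let (permitted, excluded) = match (dns_only(permitted), dns_only(excluded)) {
        (Some(p), Some(e)) => (p, e),
        _ => return Verdict::Unsupported,
    };
    let wildcard = match wildcard_parent(dns) {
        Ok(w) => w,
        Err(()) => return Verdict::NotPermitted,
    };
    // RFC 5280: excluded subtrees take precedence over permitted ones.
    if dns_excluded(dns, wildcard, &excluded) {
        Verdict::Excluded
    } else if dns_permitted(dns, wildcard, &permitted) {
        Verdict::Permitted
    } else {
        Verdict::NotPermitted
    }
}

fn main() {
    // Constructed inputs mirroring the 0.103.12 release note.
    let permitted = [GeneralName::Dns("accept.example.com")];
    for name in ["www.accept.example.com", "reject.example.com", "*.example.com", "*.accept.example.com"] {
        println!("{name:<24} -> {:?}", check_name(GeneralName::Dns(name), &permitted, &[]));
    }
}
```

As the 0.103.12 note says, these checks only run after the chain has already verified, so a misissued intermediate is the precondition for any of these paths being reachable; the example deliberately contains no signature logic.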

Bumps the cargo group with 5 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [pyo3](https://github.com/pyo3/pyo3) | `0.24.1` | `0.25.1` |
| [bytes](https://github.com/tokio-rs/bytes) | `1.10.0` | `1.11.1` |
| [openssl](https://github.com/rust-openssl/rust-openssl) | `0.10.73` | `0.10.81` |
| [rand](https://github.com/rust-random/rand) | `0.8.5` | `0.8.6` |
| [rustls-webpki](https://github.com/rustls/webpki) | `0.103.7` | `0.103.13` |



Updates `pyo3` from 0.24.1 to 0.25.1
- [Release notes](https://github.com/pyo3/pyo3/releases)
- [Changelog](https://github.com/PyO3/pyo3/blob/main/CHANGELOG.md)
- [Commits](PyO3/pyo3@v0.24.1...v0.25.1)

Updates `bytes` from 1.10.0 to 1.11.1
- [Release notes](https://github.com/tokio-rs/bytes/releases)
- [Changelog](https://github.com/tokio-rs/bytes/blob/master/CHANGELOG.md)
- [Commits](tokio-rs/bytes@v1.10.0...v1.11.1)

Updates `openssl` from 0.10.73 to 0.10.81
- [Release notes](https://github.com/rust-openssl/rust-openssl/releases)
- [Commits](rust-openssl/rust-openssl@openssl-v0.10.73...openssl-v0.10.81)

Updates `rand` from 0.8.5 to 0.8.6
- [Release notes](https://github.com/rust-random/rand/releases)
- [Changelog](https://github.com/rust-random/rand/blob/0.8.6/CHANGELOG.md)
- [Commits](rust-random/rand@0.8.5...0.8.6)

Updates `rustls-webpki` from 0.103.7 to 0.103.13
- [Release notes](https://github.com/rustls/webpki/releases)
- [Commits](rustls/webpki@v/0.103.7...v/0.103.13)

---
updated-dependencies:
- dependency-name: pyo3
  dependency-version: 0.25.1
  dependency-type: direct:production
  dependency-group: cargo
- dependency-name: bytes
  dependency-version: 1.11.1
  dependency-type: indirect
  dependency-group: cargo
- dependency-name: openssl
  dependency-version: 0.10.81
  dependency-type: indirect
  dependency-group: cargo
- dependency-name: rand
  dependency-version: 0.8.6
  dependency-type: indirect
  dependency-group: cargo
- dependency-name: rustls-webpki
  dependency-version: 0.103.13
  dependency-type: indirect
  dependency-group: cargo
...

Signed-off-by: dependabot[bot] <support@github.com>
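A model of the CRL candidate-selection bug from the rustls-webpki 0.103.10 notes above, added here as an example; it is not webpki's code and not part of this PR. `only_first_dp = true` reproduces the described behaviour (only the certificate's first distributionPoint is compared against each CRL's IssuingDistributionPoint) and `false` is the corrected loop over every distribution point, so the two `UnknownStatusPolicy` outcomes the note contrasts can be seen side by side. The `Cert` and `Crl` structs, the URIs and the serial numbers are constructed, and both certificate and CRL signatures are assumed to have been verified already.

```rust
// Added example, not rustls-webpki's code: candidate-CRL selection by
// distribution point. `only_first_dp = true` reproduces the behaviour in the
// 0.103.10 notes (only the certificate's first distributionPoint compared
// against each CRL's IssuingDistributionPoint); `false` is the corrected loop.
// Signature verification of both certificate and CRL is assumed done already.

#[derive(Debug, PartialEq, Eq)]
pub enum Status {
    Good,
    Revoked,
    UnknownRevocationStatus,
}

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum UnknownStatusPolicy {
    /// Default: no usable CRL is an error.
    Deny,
    /// No usable CRL is silently treated as "not revoked".
    Allow,
}

pub struct Cert<'a> {
    pub serial: u64,
    /// distributionPoint URIs from the CRLDistributionPoints extension (constructed).
    pub distribution_points: &'a [&'a str],
}

pub struct Crl<'a> {
    /// distributionPoint from the IssuingDistributionPoint extension, if any.
    pub issuing_distribution_point: Option<&'a str>,
    pub revoked_serials: &'a [u64],
}

/// A CRL is a candidate for `cert` if it has no IDP, or its IDP equals one of
/// the certificate's distribution points.
pub fn candidate_crls<'a, 'b>(cert: &Cert, crls: &'a [Crl<'b>], only_first_dp: bool) -> Vec<&'a Crl<'b>> {
    let all = cert.distribution_points;
    // The bug: truncate the certificate's DP list to its first entry.
    let dps: &[&str] = if only_first_dp { &all[..all.len().min(1)] } else { all };
    crls.iter()
        .filter(|crl| match crl.issuing_distribution_point {
            None => true,
            Some(idp) => dps.iter().any(|dp| *dp == idp),
        })
        .collect()
}

pub fn revocation_status(cert: &Cert, crls: &[Crl], policy: UnknownStatusPolicy, only_first_dp: bool) -> Status {
    let candidates = candidate_crls(cert, crls, only_first_dp);
    if candidates.is_empty() {
        // Nothing to consult: the policy decides whether that is an error.
        return match policy {
            UnknownStatusPolicy::Deny => Status::UnknownRevocationStatus,
            UnknownStatusPolicy::Allow => Status::Good,
        };
    }
    if candidates.iter().any(|crl| crl.revoked_serials.contains(&cert.serial)) {
        Status::Revoked
    } else {
        Status::Good
    }
}

fn main() {
    // Constructed scenario: the revoking CRL is only reachable via the second DP.
    let cert = Cert { serial: 42, distribution_points: &["http://crl.example/a.crl", "http://crl.example/b.crl"] };
    let crls = [Crl { issuing_distribution_point: Some("http://crl.example/b.crl"), revoked_serials: &[42] }];
    for (label, buggy) in [("first DP only", true), ("all DPs", false)] {
        for policy in [UnknownStatusPolicy::Deny, UnknownStatusPolicy::Allow] {
            println!("{label:<14} {policy:?}: {:?}", revocation_status(&cert, &crls, policy, buggy));
        }
    }
}
```

With the buggy selection and `Deny` the result is the safe but wrong `UnknownRevocationStatus`; with `Allow` the revoked certificate is accepted, which is the failure mode the note warns about. The corrected loop reports `Revoked` under either policy.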
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file rust Pull requests that update rust code labels Jun 12, 2026
vesper-review (Vesper, Bot) commented Jun 12, 2026

Reviewed commits

Commit Summary
2885094 chore(deps): bump the cargo group across 1 directory with 5 updates

An analysis of the dependency updates in Cargo.lock shows that the changes are generally beneficial, though one major update requires attention.

Analysis

  1. Security & Performance Updates (Safe/Routine)

    • openssl (0.10.73 → 0.10.81) and openssl-sys (0.9.109 → 0.9.117): These updates are highly recommended as they pull in upstream bug fixes, compatibility improvements, and potential security patches.
    • bytes (1.10.0 → 1.11.1) and rand (0.8.5 → 0.8.6): Standard minor/patch updates that are backward-compatible and safe to merge.
  2. Breaking Change Warning: pyo3 (0.24.1 → 0.25.1)

    • In Rust's SemVer convention, a minor version bump for pre-1.0 crates (e.g., 0.24 to 0.25) is considered a breaking change.
    • Upgrading pyo3 and its companion crates (pyo3-ffi, pyo3-macros, etc.) to 0.25 may require code modifications in your Rust-Python bindings (for example, changes to GIL-bound references or macro attributes).

Recommendation

Ensure that your CI/CD pipeline runs a full build and test suite (cargo test) to verify that the codebase compiles successfully with PyO3 0.25. If the tests pass, these dependency updates are safe to merge. No changes to the Cargo.lock file itself are required.
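The version-compatibility rule Cargo applies to caret requirements, which is what the review above relies on when it calls the `pyo3` bump breaking and the other four compatible, as an added example that is not part of this PR or of any crate it touches. The rule is Cargo's documented one (the leftmost non-zero version component may not change), so 0.24 to 0.25 is breaking while 1.10 to 1.11 and 0.103.7 to 0.103.13 are not. Pre-release and build-metadata suffixes are deliberately not parsed and come back as `None`, which is a simplification; the `PR_UPDATES` table is copied from the Dependabot summary above.

```rust
// Added example, not part of this PR or of the crates it updates: Cargo's
// caret compatibility rule, applied to the five bumps in the Dependabot table.
use std::cmp::Ordering;

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct Version {
    pub major: u64,
    pub minor: u64,
    pub patch: u64,
}

#[derive(Debug, PartialEq, Eq)]
pub enum Bump {
    NoChange,
    Downgrade,
    Compatible,
    Breaking,
}

/// Parse "MAJOR.MINOR.PATCH" (an optional leading 'v' is tolerated).
/// Pre-release or build-metadata suffixes are not handled and yield None.
pub fn parse(v: &str) -> Option<Version> {
    let mut parts = v.trim().trim_start_matches('v').split('.');
    let major = parts.next()?.parse().ok()?;
    let minor = parts.next()?.parse().ok()?;
    let patch = parts.next()?.parse().ok()?;
    if parts.next().is_some() {
        return None;
    }
    Some(Version { major, minor, patch })
}

/// The component Cargo treats as fixed for a caret requirement: the leftmost
/// non-zero one. 1.x.y pins major, 0.x.y pins minor, 0.0.z pins patch.
fn compat_key(v: Version) -> (u64, u64, u64) {
    if v.major > 0 {
        (v.major, 0, 0)
    } else if v.minor > 0 {
        (0, v.minor, 0)
    } else {
        (0, 0, v.patch)
    }
}

pub fn classify(from: Version, to: Version) -> Bump {
    let ordering = (to.major, to.minor, to.patch).cmp(&(from.major, from.minor, from.patch));
    match ordering {
        Ordering::Equal => Bump::NoChange,
        Ordering::Less => Bump::Downgrade,
        Ordering::Greater if compat_key(from) == compat_key(to) => Bump::Compatible,
        Ordering::Greater => Bump::Breaking,
    }
}

pub fn classify_str(from: &str, to: &str) -> Option<Bump> {
    Some(classify(parse(from)?, parse(to)?))
}

/// The five updates from the Dependabot table above.
pub const PR_UPDATES: [(&str, &str, &str); 5] = [
    ("pyo3", "0.24.1", "0.25.1"),
    ("bytes", "1.10.0", "1.11.1"),
    ("openssl", "0.10.73", "0.10.81"),
    ("rand", "0.8.5", "0.8.6"),
    ("rustls-webpki", "0.103.7", "0.103.13"),
];

/// Crates whose bump Cargo would not accept under the existing caret
/// requirement, i.e. the ones that need a compile-and-test pass.
pub fn breaking_updates() -> Vec<&'static str> {
    PR_UPDATES
        .iter()
        .filter(|(_, from, to)| classify_str(from, to) == Some(Bump::Breaking))
        .map(|(name, _, _)| *name)
        .collect()
}

fn main() {
    for (name, from, to) in PR_UPDATES {
        println!("{name:<14} {from:>8} -> {to:<8} {:?}", classify_str(from, to));
    }
}
```

`breaking_updates()` returns the crates whose new version would not be picked up by `cargo update` under the existing requirement, which is why a 0.x minor bump deserves a compile-and-test pass before merging while a patch-level bump normally does not.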
