Two of the dependencies (openssl and whoami) were discovered to have vulnerabilities which were fixed in minor or patch releases. This crate has been updated to insist that the minor/patch release number of these dependencies is high enough to ensure use of a patched version.
There is no reason to think that the vulnerabilities in these dependencies could have been exercised through this crate. In addition, builds of clients done after the dependencies were patched would have already picked up the non-vulnerable versions. So this change is simply to ensure that future builds cannot use the vulnerable versions.
There are no code changes in this release.
v3.6.0: Add new combination keystore
This release contains a new credential store for Linux: a combination of keyutils (for use by headless processes) and secret service (for persistence of credentials beyond reboot). Thanks very much to @soywod for the contribution!
v3.5.0: Add debug logging of internal operations
Add debug logging of internal operations (thanks to @soywod).
Revert iOS security-framework dependency to v2 (see #225).
v3.4.0: allow simultaneous use of secret-service and keyutils
As pointed out in #214, it is possible to use both the secret-service and the keyutils credential stores at the same time, so this should be an allowed combination of specified features. This release allows that combination, selecting the secret-service as the default keystore but also loading the keyutils keystore.
This release fixes a compile regression from 0.22.4 where `#[pymethods]` with name `__clear__` and `clear` would generate code with a naming conflict. Thanks @awolverp for the report and @Icxolu for the fix!
PyO3 0.22.4
This release is a security fix for PyO3 0.22.0 through 0.22.3.
The `PyWeakrefMethods` trait functions for reading borrowed values from Python weak references have been identified as unsound, because they did not account for the possibility that the last strong reference could be cleared at any time, leaving the borrowed value dangling and at risk of use-after-free.
PyO3 0.22.4 protects against this issue by making these methods permanently leak strong references. The methods are also marked deprecated and will be removed in PyO3 0.23. Users should switch to using the `PyWeakrefMethods` functions which return owned references (the deprecation messages indicate the appropriate upgrade paths).
These functions were added in PyO3 0.22.0; all versions from 0.22.0 through 0.22.3 have been yanked.
Aside from the security fix, PyO3 0.22.4 contains a number of other bugfixes, including:
- A fix for cases where `__traverse__` functions of base types were not called when using `#[pyclass(extends = ...)]`
- A fix for a regression in 0.22.3 where PyO3 generated code would trigger compile failures with crates using `#![forbid(unsafe_code)]`
Thank you to the following contributors for the improvements:
This is a new patch release of regex that fixes compilation on nightly
Rust when the unstable pattern crate feature is enabled. Users on nightly
Rust without this feature enabled are unaffected.
Bug fixes:
- [BUG #1231](rust-lang/regex#1231): Fix the `Pattern` trait implementation as a result of nightly API breakage.
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore major version` will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
- `@dependabot ignore minor version` will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
- `@dependabot ignore ` will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
- `@dependabot unignore ` will remove all of the ignore conditions of the specified dependency
- `@dependabot unignore ` will remove the ignore condition of the specified dependency and ignore conditions
Bumps the deps group with 13 updates:
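
| Package | From | To |
| --- | --- | --- |
| tokio | 1.40.0 | 1.41.0 |
| clap | 4.5.19 | 4.5.20 |
| keyring | 3.3.0 | 3.6.1 |
| openssl | 0.10.66 | 0.10.68 |
| pyo3 | 0.22.3 | 0.22.5 |
| serde | 1.0.210 | 1.0.214 |
| serde_json | 1.0.128 | 1.0.132 |
| regex | 1.11.0 | 1.11.1 |
| scraper | 0.20.0 | 0.21.0 |
| anyhow | 1.0.89 | 1.0.92 |
| clap_complete | 4.5.29 | 4.5.36 |
| thiserror | 1.0.64 | 1.0.66 |
| reqwest | 0.12.8 | 0.12.9 |
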
Updates `tokio` from 1.40.0 to 1.41.0

Release notes
Sourced from tokio's releases.
... (truncated)

Commits
- `01e04da` chore: prepare Tokio v1.41.0 (#6917)
- `92ccade` runtime: fix stability feature flags for docs (#6909)
- `fbfeb9a` metrics: rename `*_poll_count_*` to `*_poll_time_*` (#6924)
- `da745ff` metrics: add H2 Histogram option to improve histogram granularity (#6897)
- `ce1c74f` metrics: fix deadlock in injection_queue_depth_multi_thread test (#6916)
- `28c9a14` metrics: rename `injection_queue_depth` to `global_queue_depth` (#6918)
- `32e0b43` ci: freeze FreeBSD and wasm-unknown-unknown on rustc 1.81 (#6911)
- `1656d8e` sync: add `mpsc::Receiver::blocking_recv_many` (#6867)
- `c9e998e` ci: print the correct sort order of the dictionary on failure (#6905)
- `512e9de` rt: add LocalRuntime (#6808)

Updates `clap` from 4.5.19 to 4.5.20

Changelog
Sourced from clap's changelog.

Commits
- `5034cab` chore: Release
- `b5b690c` docs: Update changelog
- `abba196` Merge pull request #5688 from epage/rename
- `6ddd5d4` fix(complete)!: Rename ArgValueCompleter to ArgValueCandidates
- `71c5e27` fix(complete)!: Rename CustomCompleter to ValueCandidates

Updates `keyring` from 3.3.0 to 3.6.1

Release notes
Sourced from keyring's releases.

Changelog
Sourced from keyring's changelog.

Commits
- `779dfe0` Merge pull request #230 from brotskydotcom/master
- `2e646c8` Bump version and update dependencies.
- `eb54c80` Merge pull request #229 from brotskydotcom/master
- `f18c311` Bump version and update changelog.
- `2e2e915` Merge pull request #222 from soywod/secret-service-with-keyutils
- `f59afd5` Updated docs for new keystore.
- `658174e` Fix new clippy warning.
- `16236b8` Merge remote-tracking branch 'upstream/master' into secret-service-with-keyutils
- `6df3d93` init doc + unit tests
- `9a4184c` Merge pull request #226 from brotskydotcom/release-3.5

Updates `openssl` from 0.10.66 to 0.10.68

Release notes
Sourced from openssl's releases.

Commits
- `be8dcfd` Merge pull request #2318 from alex/msrv-fix
- `065cc77` fixes #2317 -- restore compatibility with our MSRV and release openssl 0.9.68
- `7b3ec80` Merge pull request #2316 from alex/bump-for-release
- `b510e8c` Release openssl v0.10.67 and openssl-sys v0.9.104
- `ee3b024` Merge pull request #2315 from botovq/libressl-4.0.0
- `c4dabc2` CI: Update LibreSSL CI
- `f9027b7` LibreSSL 4.0.0 is released & stable
- `1b51ba5` Merge pull request #2313 from sfackler/sfackler-patch-1
- `de8a97c` Bump to 3.4.0-beta1
- `3930464` Merge pull request #2312 from sfackler/alex-patch-1

Updates `pyo3` from 0.22.3 to 0.22.5

Release notes
Sourced from pyo3's releases.

Changelog
Sourced from pyo3's changelog.

Commits
- `4c88e9a` release: 0.22.5
- `8f6464e` fix `__clear__` slot naming collision with `clear` method (#4619)
- `dff9723` release: 0.22.4
- `3330bf2` fix garbage collection in inheritance cases (#4563)
- `8b23397` ci: pypy 3.7 macos on x64 still
- `ce63713` ci: run benchmarks on ubuntu 22.04 (#4609)
- `b1173f5` ci: fix more ubuntu-24.04 failures (#4610)
- `7371028` ci: move more jobs to macOS arm (#4600)
- `8e3dc45` avoid calling `PyType_GetSlot` on static types before Python 3.10 (#4599)
- `969300d` leak references for safety in `PyWeakRefMethods::upgrade_borrowed` (#4590)

Updates `serde` from 1.0.210 to 1.0.214

Release notes
Sourced from serde's releases.

Commits
- `4180621` Release 1.0.214
- `210373b` Merge pull request #2568 from Mingun/into_deserializer-for-deserializers
- `9cda015` Implement IntoDeserializer for all Deserializers in serde::de::value module
- `58a8d22` Release 1.0.213
- `ef0ed22` Merge pull request #2847 from dtolnay/newtypewith
- `79925ac` Ignore dead_code warning in regression test
- `b60e409` Hygiene for macro-generated newtype struct deserialization with 'with' attr
- `fdc36e5` Add regression test for issue 2846
- `49e11ce` Ignore trivially_copy_pass_by_ref pedantic clippy lint in test
- `7ae1b5f` Release 1.0.212

Updates `serde_json` from 1.0.128 to 1.0.132

Release notes
Sourced from serde_json's releases.

Commits
- `86d933c` Release 1.0.132
- `f45b422` Merge pull request #1206 from dtolnay/hasnext
- `f2082d2` Clearer order of comparisons
- `0f54a1a` Handle early return sooner on eof in seq or map
- `2a4cb44` Rearrange 'match peek'
- `4cb90ce` Merge pull request #1205 from dtolnay/hasnext
- `b71ccd2` Reduce duplicative instantiation of logic in SeqAccess and MapAccess
- `a810ba9` Release 1.0.131
- `0d084c5` Touch up PR 1135
- `b4954a9` Merge pull request #1135 from swlynch99/map-deserializer

Updates `regex` from 1.11.0 to 1.11.1

Changelog
Sourced from regex's changelog.

Commits
- `9870c06` 1.11.1
- `80df54e` changelog: 1.11.1
- `991ba88` unstable: fix `Pattern` trait implementation

Updates `scraper` from 0.20.0 to 0.21.0

Release notes
Sourced from scraper's releases.

Commits
- `93afdd9` Version 0.21.0
- `9843bc8` Merge pull request #213 from rust-scraper/fix-issue221
- `2ede12e` Merge pull request #214 from rust-scraper/bump-selectors
- `fddd90e` Bump html5ever to its current stable version and adjust our usage accordingly
- `7d422d8` Bump selectors and cssparser to their current stable versions and adjust our ...
- `53ac848` Handle missing Token::Delim variant when rendering errors
- `e0d4ea7` Bump indexmap from 2.5.0 to 2.6.0
- `c3735b2` Merge pull request #205 from rust-scraper/dependabot/cargo/ego-tree-0.9.0
- `faca0a9` Merge pull request #204 from rust-scraper/dependabot/cargo/indexmap-2.5.0
- `b945d5a` Bump ego-tree from 0.8.0 to 0.9.0

Updates `anyhow` from 1.0.89 to 1.0.92

Release notes
Sourced from anyhow's releases.

Commits
- `fd03a8e` Release 1.0.92
- `a16252b` Merge pull request #390 from dtolnay/rawaddr
- `fcf2ef8` Compile &raw test on Rust 1.82+ only
- `1e7e9fe` Parse raw address expression syntax
- `7d1a8f9` Add test of raw addr expression syntax
- `6c52daa` Release 1.0.91
- `4986853` Merge pull request #388 from dtolnay/outdir
- `f130b76` Clean up dep-info files from OUT_DIR
- `a0b868a` Release 1.0.90
- `0f74169` Improve rendering of inline code in macros documentation

Updates `clap_complete` from 4.5.29 to 4.5.36

Commits
- `7a6475e` chore: Release
- `0266c41` docs: Update changelog
- `6ec0b43` Merge pull request #5791 from okapia/zsh-default-fallback
- `e40168c` fix(zsh): Use _default as zsh completion fallback
- `55a18f5` chore: Release
- `3b05635` fix(complete): Ensure new enough clap is used
- `5d2cdac` chore: Release
- `f1c10eb` docs: Update changelog
- `a4d1a7f` chore(ci): Take a break from template updates
- `e95ed39` Merge pull request #5775 from vivienm/master

Updates `thiserror` from 1.0.64 to 1.0.66

Release notes
Sourced from thiserror's releases.

Commits
- `d1a8254` Release 1.0.66
- `e2e9da3` Merge pull request #328 from dtolnay/peekend
- `3d79a90` Use peek2(End) instead of fork/advance_to
- `a9a6c98` Merge pull request #329 from dtolnay/up
- `51a5e4c` Raise minimum compiler for test suite to rust 1.70
- `8fb92ff` Resolve uninlined_format_args pedantic clippy lint in build script
- `0e2bef9` Raise required compiler to rust 1.61
- `bb30f2e` Merge pull request #327 from dtolnay/literal
- `5d3edf9` Improve error on malformed format attribute
- `003a89f` Merge pull request #326 from dtolnay/sealed

Updates `reqwest` from 0.12.8 to 0.12.9

Release notes
Sourced from reqwest's releases.

Changelog
Sourced from reqwest's changelog.

Commits
- `797df2b` v0.12.9
- `64aa7d1` add webpki roots option for rustls no provider setup (#2447)
- `598f857` Add content length to async_impl::multipart file streams (#2459)
- `d99e90d` fix: re-enable verbose connection read logs (#2454)
- `aba01ff` feat: Add support for Certificate Revocation Lists (#2433)
- `3ad6e02` refactor: remove internal proxy sys cache (#2442)
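
A lockfile check for the PyO3 range that the release notes above describe as affected and yanked (0.22.0 through 0.22.3), as an added example that is not part of the Dependabot PR or of any project it quotes. The line-based `Cargo.lock` parsing, the function names and `SAMPLE_LOCK` are assumptions made for illustration.

```rust
// Constructed Cargo.lock fragment; real lockfiles carry more keys per package.
const SAMPLE_LOCK: &str = r#"
version = 3
[[package]]
name = "pyo3"
version = "0.22.3"

[[package]]
name = "regex"
version = "1.11.1"
"#;

/// Parse "major.minor.patch", ignoring any pre-release or build suffix.
fn parse_version(s: &str) -> Option<(u64, u64, u64)> {
    let core = s.split(|c: char| c == '-' || c == '+').next()?;
    let mut it = core.split('.').map(|p| p.parse::<u64>().ok());
    Some((it.next()??, it.next()??, it.next()??))
}

/// Collect (name, version) from each [[package]] table of a lockfile.
fn lock_packages(lock: &str) -> Vec<(String, String)> {
    let mut out = Vec::new();
    let (mut name, mut version): (Option<String>, Option<String>) = (None, None);
    for line in lock.lines().map(str::trim).chain(std::iter::once("[[package]]")) {
        if line.starts_with('[') {
            if let (Some(n), Some(v)) = (name.take(), version.take()) {
                out.push((n, v));
            }
        } else if let Some(v) = line.strip_prefix("name = ") {
            name = Some(v.trim_matches('"').to_string());
        } else if let Some(v) = line.strip_prefix("version = ") {
            version = Some(v.trim_matches('"').to_string());
        }
    }
    out
}

/// Entries pinning PyO3 0.22.0 through 0.22.3, the range the notes call affected.
fn affected_entries(lock: &str) -> Vec<String> {
    let bad = |v: (u64, u64, u64)| v >= (0, 22, 0) && v <= (0, 22, 3);
    lock_packages(lock).into_iter()
        .filter(|(n, v)| n == "pyo3" && parse_version(v).map_or(false, bad))
        .map(|(n, v)| format!("{n} {v}"))
        .collect()
}

fn main() {
    println!("{:?}", affected_entries(SAMPLE_LOCK));
}
```

Run against the pre-bump lockfile this reports the `pyo3 0.22.3` entry; after the bump to 0.22.5 the result is empty.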