Skip to content

chore(deps): bump the rust-patch group with 2 updates#4

Closed
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/cargo/rust-patch-78c7522277
Closed

chore(deps): bump the rust-patch group with 2 updates#4
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/cargo/rust-patch-78c7522277

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 13, 2026

Copy link
Copy Markdown

Bumps the rust-patch group with 2 updates: sanitization and trybuild.

Updates sanitization from 1.2.2 to 1.2.4

Release notes

Sourced from sanitization's releases.

Sanitization 1.2.4

Release 1.2.4

  • Switched the pinned/default toolchain to Rust 1.97.0 while retaining Rust 1.90.0 as the minimum supported version.
  • Verified the complete all-features workspace across every supported stable compiler from Rust 1.90.0 through Rust 1.97.0.
  • Refreshed compatible dependency locks, including zeroize 1.9.0, arrayvec 0.7.8, bytes 1.12.1, quote 1.0.46, and syn 2.0.118.
  • Pinned every GitHub Action to the immutable commit for its documented release, added Dependabot maintenance, and added a check that rejects mutable action references.
  • Updated fallible secret constructors for Rust 1.97 Clippy without changing their clear-on-error RAII behavior.
  • Surfaced guard-page setup cleanup failures consistently with locked mappings and documented that unmap errors take precedence when setup and cleanup both fail.
  • Bounded Linux AArch64 auxiliary-vector read retries before falling back to the conservative page granule.
  • Added SecretArrayVec::push_or_sanitize with a payload-free error for secure rejection while preserving conventional push behavior and its unchanged recoverable CapacityError<T> value.
  • Added unwind-safe eager clearing guards to ReadOnceSecret::consume and consume_mut, including when another shared owner keeps the wrapper alive.
  • Added BoundedSecretVec<MAX> for application-defined dynamic secret limits, including strict bounded serde handling for borrowed bytes, owned buffers, and sequences.
  • Added a 1 MiB default ceiling to ordinary SecretVec deserialization so existing serde call sites are no longer unbounded by default.
  • Pinned CI installation of cargo-audit to version 0.22.2.
  • Added reproducible deployment guidance for locked, frozen, vendored final application dependency graphs.
  • Updated all workspace crates and crates.io-facing version references for the 1.2.4 patch release.

Sanitization 1.2.3

Release 1.2.3

  • Fixed ct::CtOrdering::new so hidden Choice inputs are normalized without secret-dependent branches.
  • Added constant-time verification helpers for HMAC-SHA256, HMAC-SHA384, HMAC-SHA512, BLAKE3 digest, keyed BLAKE3 digest, and fixed 64-byte BLAKE3 XOF outputs in sanitization-crypto-interop.
  • Clamped serde sequence preallocation for SecretVec so untrusted size_hint values cannot trigger attacker-sized initial allocations.
  • Hardened native SecretPool by storing the construction-validated slot stride and removing a destructor-path overflow expect.
  • Surfaced native mapping unmap failures during setup-error cleanup instead of silently discarding them.
  • Added dependency-advisory auditing to CI and opportunistic local checks.

... (truncated)

Changelog

Sourced from sanitization's changelog.

1.2.4

  • Switched the pinned/default toolchain to Rust 1.97.0 while retaining Rust 1.90.0 as the minimum supported version and checking every supported stable compiler from 1.90.0 through 1.97.0.
  • Refreshed compatible dependency locks, including zeroize 1.9.0, arrayvec 0.7.8, bytes 1.12.1, quote 1.0.46, and syn 2.0.118.
  • Pinned every GitHub Action to the immutable commit for its documented release, added Dependabot maintenance, and added a check that rejects mutable action references.
  • Updated fallible secret constructors for Rust 1.97 Clippy without changing their clear-on-error RAII behavior.
  • Surfaced guard-page setup cleanup failures consistently with locked mappings and documented that unmap errors take precedence when setup and cleanup both fail.
  • Bounded Linux AArch64 auxiliary-vector read retries before falling back to the conservative page granule.
  • Added SecretArrayVec::push_or_sanitize with a payload-free error for secure rejection while preserving conventional push behavior and its unchanged recoverable CapacityError<T> value.
  • Added unwind-safe eager clearing guards to ReadOnceSecret::consume and consume_mut, including when another shared owner keeps the wrapper alive.
  • Added BoundedSecretVec<MAX> for application-defined dynamic secret limits, including strict bounded serde handling for borrowed bytes, owned buffers, and sequences.
  • Added a 1 MiB default ceiling to ordinary SecretVec deserialization so existing serde call sites are no longer unbounded by default.
  • Pinned CI installation of cargo-audit to version 0.22.2.
  • Documented locked, frozen, vendored application builds for deployments that require a reproducibly constrained complete dependency graph.

1.2.3

  • Fixed ct::CtOrdering::new so hidden Choice inputs are normalized without secret-dependent branches.
  • Added constant-time verification helpers for HMAC-SHA256, HMAC-SHA384, HMAC-SHA512, BLAKE3 digest, keyed BLAKE3 digest, and fixed 64-byte BLAKE3 XOF outputs in sanitization-crypto-interop.
  • Clamped serde sequence preallocation for SecretVec so untrusted size_hint values cannot trigger attacker-sized initial allocations.
  • Hardened native SecretPool by storing the construction-validated slot stride and removing a destructor-path overflow expect.
  • Surfaced native mapping unmap failures during setup-error cleanup instead of silently discarding them.
  • Added dependency-advisory auditing to CI and opportunistic local checks.
  • Switched the pinned/default release toolchain to Rust 1.96.1 while keeping rust-version = "1.90" and adding a compatibility check gate for Rust 1.90.0 through 1.96.1.
  • Updated crates.io-facing version references for the 1.2.3 patch release.
Commits
  • 65196cc Record 1.2.4 pentest attestation
  • bbf3a52 Close remaining 1.2.4 pentest gaps
  • 762ad57 Resolve follow-up 1.2.4 pentest findings
  • 1e0aa4c Resolve 1.2.4 pentest findings
  • f9ecc51 Refresh 1.2.4 dependencies and CI tooling
  • 68f2b84 Prepare 1.2.4 Rust 1.97.0 compatibility release
  • f402deb Update default toolchain to Rust 1.97.0
  • 8c71c1a Finalize 1.2.3 pentest record
  • c200c09 Add release documentation gates
  • 7a5b4b1 Pin release toolchain to Rust 1.96.1
  • Additional commits viewable in compare view

Updates trybuild from 1.0.117 to 1.0.118

Release notes

Sourced from trybuild's releases.

1.0.118

  • Normalize cargo registry paths for any registry source (#331, thanks @​devjgm)
  • Limit custom registry to new normalization level (#334)
Commits
  • 7ce4c26 Release 1.0.118
  • b359f4a Update to 2024 edition
  • 3551315 Merge pull request #334 from dtolnay/customregistry
  • 5209787 Limit custom registry to new normalization level
  • 528223c Merge pull request 331 from devjgm/greg/trybuild-custom-registry-normalization
  • 69689b3 Update actions/upload-artifact@v6 -> v7
  • 585d6f7 Normalize cargo registry paths for any registry source
  • See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the rust-patch group with 2 updates: [sanitization](https://github.com/valkyoth/sanitization) and [trybuild](https://github.com/dtolnay/trybuild).


Updates `sanitization` from 1.2.2 to 1.2.4
- [Release notes](https://github.com/valkyoth/sanitization/releases)
- [Changelog](https://github.com/valkyoth/sanitization/blob/main/CHANGELOG.md)
- [Commits](valkyoth/sanitization@v1.2.2...v1.2.4)

Updates `trybuild` from 1.0.117 to 1.0.118
- [Release notes](https://github.com/dtolnay/trybuild/releases)
- [Commits](dtolnay/trybuild@1.0.117...1.0.118)

---
updated-dependencies:
- dependency-name: sanitization
  dependency-version: 1.2.4
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: rust-patch
- dependency-name: trybuild
  dependency-version: 1.0.118
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: rust-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot @github

dependabot Bot commented on behalf of github Jul 13, 2026

Copy link
Copy Markdown
Author

Labels

The following labels could not be found: dependencies, rust. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@dependabot dependabot Bot requested a review from eldryoth as a code owner July 13, 2026 04:24
@dependabot @github

dependabot Bot commented on behalf of github Jul 13, 2026

Copy link
Copy Markdown
Author

Looks like these dependencies are no longer updatable, so this is no longer needed.

@dependabot dependabot Bot closed this Jul 13, 2026
@dependabot dependabot Bot deleted the dependabot/cargo/rust-patch-78c7522277 branch July 13, 2026 11:04
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants