build(deps): bump the cargo group across 3 directories with 4 updates #28

Open
dependabot[bot] wants to merge 1 commit into master from dependabot/cargo/cargo-f7fcb72e60

dependabot[bot] commented on behalf of github on May 8, 2026

Bumps the cargo group with 1 update in the / directory: rand.
Bumps the cargo group with 2 updates in the /packages/player/src-tauri directory: tauri and rustls-webpki.
Bumps the cargo group with 2 updates in the /packages/skia-player directory: rand and openssl.

Updates rand from 0.9.2 to 0.9.4

Changelog

Sourced from rand's changelog.

[0.9.4] — 2026-04-13

Fixes

#1766: rust-random/rand#1766

[0.9.3] — 2026-04-11

This release back-ports a fix from v0.10. See also #1763.

Changes

  • Deprecate feature log (#1764)
  • Replace usages of doc_auto_cfg (#1764)

#1763: rust-random/rand#1763

Commits

Updates tauri from 2.9.2 to 2.9.3

Release notes

Sourced from tauri's releases.

tauri-cli v2.9.3

Updating git repository `https://github.com/tauri-apps/schemars.git`
    Updating crates.io index
warning: Patch `schemars_derive v0.8.21 (https://github.com/tauri-apps/schemars.git?branch=feat%2Fpreserve-description-newlines#c30f9848)` was not used in the crate graph.
Check that the patched package version and available features are compatible
with the dependency requirements. If the patch has a different version from
what is locked in the Cargo.lock file, run `cargo update` to use the new
version. This may also occur with an optional dependency that is not enabled.
     Locking 1050 packages to latest compatible versions
      Adding apple-codesign v0.27.0 (available: v0.29.0)
      Adding cargo-mobile2 v0.21.2 (available: v0.22.1)
      Adding cargo_metadata v0.19.2 (available: v0.23.0)
      Adding colored v2.2.0 (available: v3.0.0)
      Adding ctor v0.2.9 (available: v0.6.1)
      Adding dialoguer v0.11.0 (available: v0.12.0)
      Adding elf v0.7.4 (available: v0.8.0)
      Adding goblin v0.9.3 (available: v0.10.3)
      Adding html5ever v0.29.1 (available: v0.35.0)
      Adding itertools v0.13.0 (available: v0.14.0)
      Adding json-patch v3.0.1 (available: v4.1.0)
      Adding jsonrpsee v0.24.10 (available: v0.26.0)
      Adding jsonrpsee-client-transport v0.24.10 (available: v0.26.0)
      Adding jsonrpsee-core v0.24.10 (available: v0.26.0)
      Adding jsonrpsee-ws-client v0.24.10 (available: v0.26.0)
      Adding matchit v0.8.4 (available: v0.8.6)
      Adding minisign v0.7.3 (available: v0.7.9)
      Adding object v0.36.7 (available: v0.37.3)
      Adding oxc_allocator v0.36.0 (available: v0.96.0)
      Adding oxc_ast v0.36.0 (available: v0.96.0)
      Adding oxc_parser v0.36.0 (available: v0.96.0)
      Adding oxc_span v0.36.0 (available: v0.96.0)
      Adding phf v0.11.3 (available: v0.13.1)
      Adding png v0.17.16 (available: v0.18.0)
      Adding rpm v0.16.1 (available: v0.18.4)
      Adding schemars v0.8.22 (available: v1.0.5)
      Adding tiny_http v0.11.0 (available: v0.12.0)
      Adding toml v0.8.2 (available: v0.8.23)
      Adding toml_datetime v0.6.3 (available: v0.6.11)
      Adding toml_edit v0.20.2 (available: v0.20.7)
      Adding urlpattern v0.3.0 (available: v0.4.0)
      Adding windows v0.61.3 (available: v0.62.2)
      Adding windows-registry v0.5.3 (available: v0.6.1)
      Adding windows-sys v0.60.2 (available: v0.61.2)
      Adding x509-certificate v0.23.1 (available: v0.25.0)
      Adding zip v4.6.1 (available: v6.0.0)
Fetching advisory database from `https://github.com/RustSec/advisory-db.git`

... (truncated)

Commits

Updates rustls-webpki from 0.103.10 to 0.103.13

Release notes

Sourced from rustls-webpki's releases.

0.103.13

  • Fix reachable panic in parsing a CRL. This was reported to us as GHSA-82j2-j2ch-gfr8. Users who don't use CRLs are not affected.
  • For name constraints on URI names, we incorrectly processed excluded subtrees in a way which inverted the desired meaning. See rustls/webpki#471. This was a case missing in the fix for GHSA-965h-392x-2mh5.

What's Changed

Full Changelog: rustls/webpki@v/0.103.12...v/0.103.13

0.103.12

This release fixes two bugs in name constraint enforcement:

  • GHSA-965h-392x-2mh5: name constraints for URI names were ignored and therefore accepted. URI name constraints are now rejected unconditionally. Note this library does not provide an API for asserting URI names, and URI name constraints are otherwise not implemented.
  • GHSA-xgp8-3hg3-c2mh: permitted subtree name constraints for DNS names were accepted for certificates asserting a wildcard name. This was incorrect because, given a name constraint of accept.example.com, *.example.com could feasibly allow a name of reject.example.com which is outside the constraint. This is very similar to CVE-2025-61727.

Since name constraints are restrictions on otherwise properly-issued certificates, these bugs are reachable only after signature verification and require misissuance to exploit.

What's Changed

Full Changelog: rustls/webpki@v/0.103.11...v/0.103.12

0.103.11

In response to #464, we've slightly relaxed requirements for anchor_from_trust_cert() to ignore unknown extensions even if they're marked as critical. This only affects parsing a TrustAnchor from DER, for which most extensions are ignored anyway.

What's Changed

Commits
  • 2879b2c Prepare 0.103.13
  • 2c49773 Improve tests for padding of BitStringFlags
  • 4e3c0b3 Correct validation of BIT STRING constraints
  • 39c91d2 Actually fail closed for URI matching against excluded subtrees
  • 27131d4 Bump version to 0.103.12
  • 6ecb876 Clean up stuttery enum variant names
  • 318b3e6 Ignore wildcard labels when matching name constraints
  • 1219622 Rewrite constraint matching to avoid permissive catch-all branch
  • 57bc62c Bump version to 0.103.11
  • d0fa01e Allow parsing trust anchors with unknown criticial extensions
  • See full diff in compare view

Updates rand from 0.8.5 to 0.8.6

Changelog

Sourced from rand's changelog.

[0.9.4] — 2026-04-13

Fixes

#1766: rust-random/rand#1766

[0.9.3] — 2026-04-11

This release back-ports a fix from v0.10. See also #1763.

Changes

  • Deprecate feature log (#1764)
  • Replace usages of doc_auto_cfg (#1764)

#1763: rust-random/rand#1763

Commits

Updates openssl from 0.10.76 to 0.10.79

Release notes

Sourced from openssl's releases.

openssl-v0.10.79

What's Changed

Full Changelog: rust-openssl/rust-openssl@openssl-v0.10.78...openssl-v0.10.79

openssl-v0.10.78

What's Changed

Full Changelog: rust-openssl/rust-openssl@openssl-v0.10.77...openssl-v0.10.78

openssl-v0.10.77

What's Changed

... (truncated)

Commits
  • 649f2d9 Release openssl 0.10.79 and openssl-sys 0.9.115 (#2632)
  • 257f9b2 Fix output buffer overflow for AES key-wrap-with-padding ciphers (#2630)
  • d43e917 Reject non-UTF-8 OCSP responder URLs in X509Ref::ocsp_responders (#2631)
  • f46519c Add PkeyCtxRef::set_context_string for ML-DSA (#2629)
  • ad9ae31 Bind OSSL_PARAM_modified and use it for seed_into (#2628)
  • 4e25c9b Fix process abort when verify/PSK callbacks fire after SSL_CTX swap (#2624)
  • 3dd8f42 Add PKeyRef::seed_into for ML-DSA/ML-KEM seed extraction (#2626)
  • 2c5e5a8 parallelize more builds in CI for cold caches (#2625)
  • 6685591 Add PKey::private_key_from_seed for ML-DSA/ML-KEM key import (#2621)
  • 8f8fdce Drop once_cell in favor of std::sync::{LazyLock, OnceLock} (#2623)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.
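
Added illustration, not part of the Dependabot comment and not rustls-webpki's code: the 0.103.12 note for GHSA-xgp8-3hg3-c2mh describes a wildcard name being accepted under a permitted DNS subtree it can escape. The Rust sketch below sets a permissive matcher that models that failure beside a fail-closed one; the function names and sample names are constructed for this example.

```rust
// Simplified model of DNS permitted-subtree matching (hypothetical names,
// not the rustls-webpki implementation).

/// Split a DNS name into lowercase labels, ignoring trailing dots.
fn labels(name: &str) -> Vec<String> {
    name.trim_end_matches('.')
        .split('.')
        .map(|l| l.to_ascii_lowercase())
        .collect()
}

/// True if `name` equals `base` or is a subdomain of it.
fn in_subtree(name: &[String], base: &[String]) -> bool {
    name.len() >= base.len() && name[name.len() - base.len()..] == *base
}

/// Permissive model of the flaw: a `*` label in the certificate name may stand
/// in for whatever label the constraint has at that position.
fn permitted_permissive(san: &str, constraint: &str) -> bool {
    let (san, base) = (labels(san), labels(constraint));
    if san.len() < base.len() {
        return false;
    }
    let tail = &san[san.len() - base.len()..];
    tail.iter().zip(&base).all(|(s, b)| s == "*" || s == b)
}

/// Fail-closed check: a wildcard name covers every name one label below its
/// suffix, so it is permitted only if that whole suffix lies in the subtree.
fn permitted_strict(san: &str, constraint: &str) -> bool {
    let (san, base) = (labels(san), labels(constraint));
    match san.split_first() {
        Some((first, rest)) if first == "*" => !rest.is_empty() && in_subtree(rest, &base),
        _ => !san.iter().any(|l| l.contains('*')) && in_subtree(&san, &base),
    }
}

fn main() {
    let constraint = "accept.example.com"; // constructed permitted subtree
    for san in ["accept.example.com", "*.example.com", "*.accept.example.com"] {
        let (p, s) = (permitted_permissive(san, constraint), permitted_strict(san, constraint));
        println!("{san:<22} permissive={p} strict={s}");
    }
}
```

Only `*.example.com` differs between the two checks: the permissive matcher accepts it, while the strict one rejects it because `reject.example.com` would also satisfy that wildcard.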

Bumps the cargo group with 1 update in the / directory: [rand](https://github.com/rust-random/rand).
Bumps the cargo group with 2 updates in the /packages/player/src-tauri directory: [tauri](https://github.com/tauri-apps/tauri) and [rustls-webpki](https://github.com/rustls/webpki).
Bumps the cargo group with 2 updates in the /packages/skia-player directory: [rand](https://github.com/rust-random/rand) and [openssl](https://github.com/rust-openssl/rust-openssl).


Updates `rand` from 0.9.2 to 0.9.4
- [Release notes](https://github.com/rust-random/rand/releases)
- [Changelog](https://github.com/rust-random/rand/blob/0.9.4/CHANGELOG.md)
- [Commits](rust-random/rand@rand_core-0.9.2...0.9.4)

Updates `tauri` from 2.9.2 to 2.9.3
- [Release notes](https://github.com/tauri-apps/tauri/releases)
- [Commits](tauri-apps/tauri@tauri-v2.9.2...tauri-v2.9.3)

Updates `rustls-webpki` from 0.103.10 to 0.103.13
- [Release notes](https://github.com/rustls/webpki/releases)
- [Commits](rustls/webpki@v/0.103.10...v/0.103.13)

Updates `rand` from 0.8.5 to 0.8.6
- [Release notes](https://github.com/rust-random/rand/releases)
- [Changelog](https://github.com/rust-random/rand/blob/0.9.4/CHANGELOG.md)
- [Commits](rust-random/rand@rand_core-0.9.2...0.9.4)

Updates `openssl` from 0.10.76 to 0.10.79
- [Release notes](https://github.com/rust-openssl/rust-openssl/releases)
- [Commits](rust-openssl/rust-openssl@openssl-v0.10.76...openssl-v0.10.79)

---
updated-dependencies:
- dependency-name: rand
  dependency-version: 0.9.4
  dependency-type: indirect
  dependency-group: cargo
- dependency-name: tauri
  dependency-version: 2.9.3
  dependency-type: direct:production
  dependency-group: cargo
- dependency-name: rustls-webpki
  dependency-version: 0.103.13
  dependency-type: indirect
  dependency-group: cargo
- dependency-name: rand
  dependency-version: 0.8.6
  dependency-type: direct:production
  dependency-group: cargo
- dependency-name: openssl
  dependency-version: 0.10.79
  dependency-type: indirect
  dependency-group: cargo
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] added the dependencies (Pull requests that update a dependency file) and rust (Pull requests that update rust code) labels on May 8, 2026

vercel Bot commented May 8, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| amll-page-player-vkdv | Ready | Preview, Comment | May 8, 2026 6:18am |
