Skip to content

deps(deps): update lz4_flex requirement from 0.12 to 0.13#17

Closed
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/cargo/lz4_flex-0.13
Closed

deps(deps): update lz4_flex requirement from 0.12 to 0.13#17
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/cargo/lz4_flex-0.13

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot bot commented on behalf of github Mar 16, 2026

Updates the requirements on lz4_flex to permit the latest version.

Changelog

Sourced from lz4_flex's changelog.

0.13.0 (2026-03-15)

Features

Fixes

Invalid match offsets (offset == 0) during decompression were not properly
handled, which could lead to invalid memory reads. This is a security fix
that was also backported to 0.12.1 and 0.11.6.
  • Fix get_maximum_output_size overflow on 32-bit targets #205 (thanks @​dglittle)
Cast input_len to u64 before multiplying by 110, avoiding overflow on
32-bit targets (e.g. wasm32) where input_len * 110 overflows usize
when input_len > ~39MB.

0.12.1 (2026-03-14)

Security Fix

Invalid match offsets (offset == 0) during decompression were not properly
handled, which could lead to invalid memory reads on untrusted input.
Users on 0.12.x should upgrade to 0.12.1.

0.12.0 (2025-11-11)

  • Fix integer overflows when decoding large payloads #192 (thanks @​teh-cmc)
This fixes an u32 integer overflow when decoding large payloads in the block format.
Note: The block format is not suitable for such large payloads, since it
keeps everything in memory. Consider using the frame format for large data.

This change also removes a unsafe fast-path for write_integer to simplify the code.

The performance impact is on incompressible data, which is already fast enough.

0.11.6 (2026-03-14)

Security Fix

Invalid match offsets (offset == 0) during decompression were not properly
handled, which could lead to invalid memory reads on untrusted input.
Users on 0.11.x should upgrade to 0.11.6.

... (truncated)

Commits
  • bfaae84 release 0.13.0
  • 055502e fix handling of invalid match offsets during decompression
  • 7191df8 make hashtable visibility crate public
  • 1bdafca add doc comments
  • c90fc91 lz4_block exposes option to reuse compression dict
  • 22e77f9 Delete .github/workflows/typos.yml
  • 2991a09 fix get_maximum_output_size overflow on 32-bit targets
  • 7b5fb80 add minimal security policy
  • See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot
deps(deps): update lz4_flex requirement from 0.12 to 0.13
82fa480 
Updates the requirements on [lz4_flex](https://github.com/pseitz/lz4_flex) to permit the latest version.
- [Release notes](https://github.com/pseitz/lz4_flex/releases)
- [Changelog](https://github.com/PSeitz/lz4_flex/blob/main/CHANGELOG.md)
- [Commits](PSeitz/lz4_flex@0.12.0...0.13.0)

---
updated-dependencies:
- dependency-name: lz4_flex
  dependency-version: 0.13.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot @github
Copy link
Copy Markdown
Contributor Author

dependabot bot commented on behalf of github Mar 16, 2026

Assignees

The following users could not be added as assignees: infinilabs/core-team. Either the username does not exist or it does not have the correct permissions to be added as an assignee.

Labels

The following labels could not be found: dependencies, rust. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@bindiego
Copy link
Copy Markdown
Member

bindiego commented Apr 5, 2026

already done in commit: f5c46a7

@bindiego bindiego closed this Apr 5, 2026
@dependabot @github
Copy link
Copy Markdown
Contributor Author

dependabot bot commented on behalf of github Apr 5, 2026

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

@dependabot dependabot bot deleted the dependabot/cargo/lz4_flex-0.13 branch April 5, 2026 14:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@bindiego