Skip to content

chore(deps): weekly safe cargo updates · 6 packages#23

Open
mendral-app[bot] wants to merge 1 commit into
mainfrom
mendral/deps/weekly-safe-cargo-20260608
Open

chore(deps): weekly safe cargo updates · 6 packages#23
mendral-app[bot] wants to merge 1 commit into
mainfrom
mendral/deps/weekly-safe-cargo-20260608

Conversation

@mendral-app

@mendral-app mendral-app Bot commented Jun 8, 2026

Copy link
Copy Markdown

Packages bumped

Package Old New Published
http 1.4.0 1.4.1 2026-05-25
jsonwebtoken 10.3.0 10.4.0 2026-05-11
serde_json 1.0.149 1.0.150 2026-05-21
tokio 1.49.0 1.50.0 2026-03-03
tracing-subscriber 0.3.22 0.3.23 2026-03-13
uuid 1.21.0 1.23.2 2026-05-29

All updates are within existing caret-compatible ranges — lockfile-only change, no Cargo.toml edits.

Per-package changelog & impact

http 1.4.1

  • Fixed PathAndQuery::from_static() rejecting invalid inputs not starting with /
  • Fixed HeaderMap::Extend overflow when size hint wasn't clamped
  • Fixed potential use-after-free in header::IntoIter

Impact: We use http via axum/reqwest for request types. These are correctness/safety fixes — no API changes.

jsonwebtoken 10.4.0

  • Minor release (no detailed release notes published)

Impact: Used for GitHub App JWT signing. No API changes within minor bump.

serde_json 1.0.150

  • Reject non-string enum object keys (tighter validation)

Impact: We use serde_json for webhook payload deserialization. This tightens invalid-input rejection, no risk to valid payloads.

tokio 1.50.0

  • Added TcpStream::set_zero_linger and is_rt_shutdown_err() APIs
  • Vectored writes for write_buf, improved io-uring support
  • Fixed double increment of idle thread counter on shutdown

Impact: Runtime dependency — new APIs are additive, fixes improve stability. No behavioral changes to existing usage.

tracing-subscriber 0.3.23

  • Allow ANSI sanitization to be disabled

Impact: Additive feature, no change to existing behavior.

uuid 1.23.2

  • Added hyphenated format support in serde module
  • Fixed timestamp logic bugs and Uuid::get_version for max/nil UUIDs
  • Improved error messages for ambiguous formats

Impact: We use uuid v4 generation only. Fixes don't affect Uuid::new_v4() path.

Files modified

  • Cargo.lock
Skipped this ecosystem
Package Current Latest Reason
askama_escape 0.15.4 0.16.0 0.x minor bump (breaking per semver); separate PR
tokio 1.49.0 1.52.3 Incompatible with project MSRV; took 1.50.0 instead
ammonia 4.1.2 Already latest
async-trait 0.1.89 Already latest
hex 0.4.3 Already latest
octocrab 0.49.5 Already latest
thiserror 2.0.18 Already latest
mockall 0.14.0 Already latest
tower 0.5.3 Already latest

Note

Created by Mendral. Tag @mendral-app with feedback or questions.

Update lockfile for compatible dependency bumps:
- http 1.4.0 → 1.4.1
- jsonwebtoken 10.3.0 → 10.4.0
- serde_json 1.0.149 → 1.0.150
- tokio 1.49.0 → 1.50.0
- tracing-subscriber 0.3.22 → 0.3.23
- uuid 1.21.0 → 1.23.2
@mendral-app mendral-app Bot marked this pull request as ready for review June 8, 2026 09:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants