build(deps): bump the cargo group across 1 directory with 8 updates by dependabot[bot] · Pull Request #810 · nix-community/nix-init

dependabot · 2026-06-05T08:55:24Z

Bumps the cargo group with 8 updates in the / directory:

Package	From	To
cargo	`0.96.0`	`0.97.1`
reqwest	`0.13.3`	`0.13.4`
serde_json	`1.0.149`	`1.0.150`
serde_with	`3.19.0`	`3.20.0`
shlex	`1.3.0`	`2.0.1`
tar	`0.4.45`	`0.4.46`
tokio	`1.52.2`	`1.52.3`
clap_complete	`4.6.3`	`4.6.5`

Updates cargo from 0.96.0 to 0.97.1

Commits

a4757e3 [1.96] Bump cargo-util-schemas to 0.14.0 and cargo to 0.97.1 (#17046)
d2a3284 [1.96] Bump cargo-util-schemas to 0.14.0 and cargo to 0.97.1
30a34c6 [1.96] Fix CVE-2026-5222 and CVE-2026-5223 (#17030)
312d557 CVE-2026-5223: prohibit unpacking symlinks and other unexpected entries
3c51f26 CVE-2026-5222: avoid stripping .git suffix when for non git registries
bfa14ef Revert "feat: add frame-pointers profile option (#16742)" (#16998)
c4c8f35 docs(semver-check): update diagnostics to Rust 1.95 (#16895)
11cbd64 Revert "feat: add frame-pointers profile option (#16742)"
9fb1715 [beta-1.96] Always take a shared lock on .cargo-lock (#16887)
964fcdb fix: Always take a shared lock on .cargo-lock
Additional commits viewable in compare view

Updates reqwest from 0.13.3 to 0.13.4

Release notes

Sourced from reqwest's releases.

v0.13.4

tl;dr

Add ClientBuilder::tls_sslkeylogfile(bool) option to allow using the related environment variable.

Add ClientBuilder::http2_keep_alive_* options for the blocking client.

Add TLS 1.3 support when using native-tls backend.

Fix redirect handling to strip sensitive headers when the scheme changes.

Fix HTTP/3 happy-eyeball connection creation.

Upgrade hickory-resolver to 0.26.

What's Changed

fix(tls): improve rustls-no-provider panic message and add module docs by @smythg4 in seanmonstar/reqwest#3021

fix: do not lose the url in error when decoding json by @Dushistov in seanmonstar/reqwest#3026

Add tls_sslkeylogfile builder method by @passcod in seanmonstar/reqwest#2923

fix(redirect): strip sensitive headers on scheme change across redirects by @SAY-5 in seanmonstar/reqwest#3034

chore: upgrade MSRV to 1.85 by @seanmonstar in seanmonstar/reqwest#3038

chore: clean up minimal-versions CI job by @seanmonstar in seanmonstar/reqwest#3039

fix(http3): use happy eyeballs for h3 connect by @lyuzichong in seanmonstar/reqwest#3030

fix: update hickory-resolver to 0.26 and adjust code accordingly by @seanmonstar in seanmonstar/reqwest#3040

fix: remove unwrap in hickory initialization by @mat813 in seanmonstar/reqwest#3041

feat(https): support TLS 1.3 as min version under native-tls 🎉 by @AverageHelper in seanmonstar/reqwest#2975

Expose keep alive configurations in blocking client by @aeb-dev in seanmonstar/reqwest#3043

Prepare v0.13.4 by @seanmonstar in seanmonstar/reqwest#3046

New Contributors

@smythg4 made their first contribution in seanmonstar/reqwest#3021

@Dushistov made their first contribution in seanmonstar/reqwest#3026

@SAY-5 made their first contribution in seanmonstar/reqwest#3034

@mat813 made their first contribution in seanmonstar/reqwest#3041

@AverageHelper made their first contribution in seanmonstar/reqwest#2975

@aeb-dev made their first contribution in seanmonstar/reqwest#3043

Full Changelog: seanmonstar/reqwest@v0.13.3...v0.13.4

Changelog

Sourced from reqwest's changelog.

v0.13.4

Add ClientBuilder::tls_sslkeylogfile(bool) option to allow using the related environment variable.

Add ClientBuilder::http2_keep_alive_* options for the blocking client.

Add TLS 1.3 support when using native-tls backend.

Fix redirect handling to strip sensitive headers when the scheme changes.

Fix HTTP/3 happy-eyeball connection creation.

Upgrade hickory-resolver to 0.26.

Commits

11489b3 v0.13.4
d31ffbb feat: Expose HTTP2 keep alive configurations in blocking client (#3043)
79ed0d7 feat: support TLS 1.3 as min version under native-tls 🎉 (#2975)
fb7bf6a fix: remove unwrap in hickory initialization (#3041)
3da616f fix: update hickory-resolver to 0.26 and adjust code accordingly (#3040)
c77e7b2 fix(http3): use happy eyeballs for h3 connect (#3030)
9cbb65b chore: clean up minimal-versions CI job (#3039)
17a7dc5 chore: upgrade MSRV to 1.85 (#3038)
03db63a fix(redirect): strip sensitive headers on scheme change across redirects (#3034)
4b813a8 feat: add tls_sslkeylogfile builder method (#2923)
Additional commits viewable in compare view

Updates serde_json from 1.0.149 to 1.0.150

Release notes

Sourced from serde_json's releases.

v1.0.150

Reject non-string enum object keys (#1324, thanks @puneetdixit200)

Commits

a1ae73a Release 1.0.150
1a360b0 Merge pull request #1324 from puneetdixit200/reject-non-string-enum-keys
2037b63 Reject non-string enum object keys
5d30df6 Resolve manual_assert_eq pedantic clippy lint
dc8003a Raise required compiler for preserve_order feature to 1.85
a42fa98 Unpin CI miri toolchain
684a60e Pin CI miri to nightly-2026-02-11
7c7da33 Raise required compiler to Rust 1.71
acf4850 Simplify Number::is_f64
6b8ceab Resolve unnecessary_map_or clippy lint
Additional commits viewable in compare view

Updates serde_with from 3.19.0 to 3.20.0

Release notes

Sourced from serde_with's releases.

serde_with v3.20.0

Added

Add support for base58 encoding, similar to the existing base64 setup by @mitinarseny (#943)

Fixed

Extend base64 with schemars support by @mitinarseny (#9949)

Commits

f1b06c7 Bump version to 3.20.0 (#953)
11fe1c5 Bump version to 3.20.0
222b9aa Include Rust 1.95 in the CI matrix (#951)
993770c Include Rust 1.95 in the CI matrix
731b00b feat: automatic schemars support for Base64 (#949)
93d6d9d Bump github/codeql-action from 4.35.2 to 4.35.3 in the github-actions group (...
59bc97b Bump github/codeql-action in the github-actions group
84f2e40 feat: automatic schemars support for base64
ff837ab feat: base58 (#943)
9fda9ce chore: bring back newline
Additional commits viewable in compare view

Updates shlex from 1.3.0 to 2.0.1

Changelog

Sourced from shlex's changelog.

2.0.1

Fixes a compile error when building the documentation.

2.0.0

Breaking: Items that were marked as deprecated in 1.x have been removed: join, quote, bytes::join, and bytes::quote.

Breaking: The DerefMut impl for Shlex has been removed since it was unsound. New unsafe APIs have been added in its place: Shlex::from_bytes, Shlex::as_bytes_mut.

Commits

See full diff in compare view

Updates tar from 0.4.45 to 0.4.46

Release notes

Sourced from tar's releases.

0.4.46

Security

archive: Fix another PAX header desync (GHSA-3cv2-h65g-fgmm) by @cgwalters in composefs/tar-rs#454

See also GHSA-3cv2-h65g-fgmm

Other changes

ci: Fix and re-enable reverse dependency testing by @cgwalters in composefs/tar-rs#444

Update astral-tokio-tar requirement from 0.5 to 0.6 by @dependabot[bot] in composefs/tar-rs#446

Update some links by @atouchet in composefs/tar-rs#445

Add support of absolute paths by @zxvfc in composefs/tar-rs#426

docs: Expand notes on concurrent mutations and following symlinks by @cgwalters in composefs/tar-rs#453

Update repo links by @cgwalters in composefs/tar-rs#451

ci: Add crates.io trusted publishing workflow by @cgwalters in composefs/tar-rs#456

Release 0.4.46 by @cgwalters in composefs/tar-rs#455

New Contributors

@dependabot[bot] made their first contribution in composefs/tar-rs#446

@atouchet made their first contribution in composefs/tar-rs#445

@zxvfc made their first contribution in composefs/tar-rs#426

Full Changelog: composefs/tar-rs@0.4.45...0.4.46

Commits

fc459c1 Release 0.4.46
43e05a8 ci: Add crates.io trusted publishing workflow
bba5666 Update repo links
cd94c46 docs: Document TOCTOU / concurrent-mutation threat model
1b4997c builder: Expand docs for follow_symlinks and append_dir_all
bab14dd archive: Fix another PAX header desync (GHSA-3cv2-h65g-fgmm)
2349b49 Add support of absolute paths
39d0311 Update some links
59d803e Update astral-tokio-tar requirement from 0.5 to 0.6
8296b9a ci: Fix and re-enable reverse dependency testing (#444)
See full diff in compare view

Updates tokio from 1.52.2 to 1.52.3

Release notes

Sourced from tokio's releases.

Tokio v1.52.3

1.52.3 (May 8th, 2026)

Fixed

sync: fix underflow in mpsc channel len() (#8062)

sync: notify receivers in mpsc OwnedPermit::release() method (#8075)

sync: require that an RwLock has max_readers != 0 (#8076)

sync: return Empty from try_recv() when mpsc is closed with outstanding permits (#8074)

#8062: tokio-rs/tokio#8062 #8074: tokio-rs/tokio#8074 #8075: tokio-rs/tokio#8075 #8076: tokio-rs/tokio#8076

Commits

d875691 chore: prepare Tokio v1.52.3 (#8130)
e1aebb0 Merge 'tokio-1.51.3' into 'tokio-1.52.x' (#8129)
fd63094 chore: prepare Tokio v1.51.3 (#8127)
8c600d0 Merge 'tokio-1.47.5' into 'tokio-1.51.x' (#8123)
11bfc13 chore: prepare Tokio v1.47.5 (#8122)
f085b62 sync: notify receivers in mpsc OwnedPermit::release() method (#8075)
30d25cc sync: require that an RwLock has max_readers != 0 (#8076)
9fccf53 sync: return Empty from try_recv() when mpsc is closed with outstanding p...
ebf61b4 sync: fix underflow in mpsc channel len() (#8062)
See full diff in compare view

Updates clap_complete from 4.6.3 to 4.6.5

Commits

c8c9355 chore: Release
af74def docs: Update changelog
c96f222 Merge pull request #6368 from truffle-dev/fix/fish-env-escaping
49a05cd fix(complete): Two-pass quote fish env-completer
e791004 test(complete): Snapshot fish env quoting cases
87ec1ad chore: Release
78f2529 docs: Update changelog
b61f270 Merge pull request #6369 from Metbcy/fix/zsh-completion-ordering
74c6666 fix(complete): Keep zsh candidate order
d142d8f Merge pull request #6360 from epage/string
Additional commits viewable in compare view

Bumps the cargo group with 8 updates in the / directory: | Package | From | To | | --- | --- | --- | | [cargo](https://github.com/rust-lang/cargo) | `0.96.0` | `0.97.1` | | [reqwest](https://github.com/seanmonstar/reqwest) | `0.13.3` | `0.13.4` | | [serde_json](https://github.com/serde-rs/json) | `1.0.149` | `1.0.150` | | [serde_with](https://github.com/jonasbb/serde_with) | `3.19.0` | `3.20.0` | | [shlex](https://github.com/comex/rust-shlex) | `1.3.0` | `2.0.1` | | [tar](https://github.com/composefs/tar-rs) | `0.4.45` | `0.4.46` | | [tokio](https://github.com/tokio-rs/tokio) | `1.52.2` | `1.52.3` | | [clap_complete](https://github.com/clap-rs/clap) | `4.6.3` | `4.6.5` | Updates `cargo` from 0.96.0 to 0.97.1 - [Changelog](https://github.com/rust-lang/cargo/blob/master/CHANGELOG.md) - [Commits](rust-lang/cargo@0.96.0...0.97.1) Updates `reqwest` from 0.13.3 to 0.13.4 - [Release notes](https://github.com/seanmonstar/reqwest/releases) - [Changelog](https://github.com/seanmonstar/reqwest/blob/master/CHANGELOG.md) - [Commits](seanmonstar/reqwest@v0.13.3...v0.13.4) Updates `serde_json` from 1.0.149 to 1.0.150 - [Release notes](https://github.com/serde-rs/json/releases) - [Commits](serde-rs/json@v1.0.149...v1.0.150) Updates `serde_with` from 3.19.0 to 3.20.0 - [Release notes](https://github.com/jonasbb/serde_with/releases) - [Commits](jonasbb/serde_with@v3.19.0...v3.20.0) Updates `shlex` from 1.3.0 to 2.0.1 - [Changelog](https://github.com/comex/rust-shlex/blob/master/CHANGELOG.md) - [Commits](https://github.com/comex/rust-shlex/commits) Updates `tar` from 0.4.45 to 0.4.46 - [Release notes](https://github.com/composefs/tar-rs/releases) - [Commits](composefs/tar-rs@0.4.45...0.4.46) Updates `tokio` from 1.52.2 to 1.52.3 - [Release notes](https://github.com/tokio-rs/tokio/releases) - [Commits](tokio-rs/tokio@tokio-1.52.2...tokio-1.52.3) Updates `clap_complete` from 4.6.3 to 4.6.5 - [Release notes](https://github.com/clap-rs/clap/releases) - [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md) - [Commits](clap-rs/clap@clap_complete-v4.6.3...clap_complete-v4.6.5) --- updated-dependencies: - dependency-name: cargo dependency-version: 0.97.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: cargo - dependency-name: clap_complete dependency-version: 4.6.5 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: cargo - dependency-name: reqwest dependency-version: 0.13.4 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: cargo - dependency-name: serde_json dependency-version: 1.0.150 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: cargo - dependency-name: serde_with dependency-version: 3.20.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: cargo - dependency-name: shlex dependency-version: 2.0.1 dependency-type: direct:production update-type: version-update:semver-major dependency-group: cargo - dependency-name: tar dependency-version: 0.4.46 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: cargo - dependency-name: tokio dependency-version: 1.52.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: cargo ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot Bot added dependencies Pull requests that update a dependency file rust labels Jun 5, 2026

dependabot Bot force-pushed the dependabot/cargo/cargo-396f3bc3f5 branch from 3fd47ec to 9028db2 Compare June 10, 2026 08:56

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

build(deps): bump the cargo group across 1 directory with 8 updates#810

build(deps): bump the cargo group across 1 directory with 8 updates#810
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/cargo/cargo-396f3bc3f5

dependabot Bot commented on behalf of github Jun 5, 2026 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Uh oh!

Conversation

dependabot Bot commented on behalf of github Jun 5, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

v0.13.4

tl;dr

What's Changed

New Contributors

v0.13.4

v1.0.150

serde_with v3.20.0

Added

Fixed

2.0.1

2.0.0

0.4.46

Security

Other changes

New Contributors

Tokio v1.52.3

1.52.3 (May 8th, 2026)

Fixed

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

dependabot Bot commented on behalf of github Jun 5, 2026 •

edited

Loading