Skip to content

chore: bump the cargo group across 3 directories with 3 updates #1

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

chore: bump the cargo group across 3 directories with 3 updates #1

wants to merge 1 commit into from

Conversation

dependabot[bot]
Copy link

@dependabot dependabot bot commented on behalf of github Aug 29, 2025

Bumps the cargo group with 3 updates in the /experimental/rust-sdk directory: tracing-subscriber, openssl and tokio.
Bumps the cargo group with 3 updates in the /experimental/rust-sdk/examples/basic directory: tracing-subscriber, openssl and tokio.
Bumps the cargo group with 2 updates in the /gpu_stats directory: tracing-subscriber and tokio.

Updates tracing-subscriber from 0.3.19 to 0.3.20

Release notes

Sourced from tracing-subscriber's releases.

tracing-subscriber 0.3.20

Security Fix: ANSI Escape Sequence Injection (CVE-TBD)

Impact

Previous versions of tracing-subscriber were vulnerable to ANSI escape sequence injection attacks. Untrusted user input containing ANSI escape sequences could be injected into terminal output when logged, potentially allowing attackers to:

  • Manipulate terminal title bars
  • Clear screens or modify terminal display
  • Potentially mislead users through terminal manipulation

In isolation, impact is minimal, however security issues have been found in terminal emulators that enabled an attacker to use ANSI escape sequences via logs to exploit vulnerabilities in the terminal emulator.

Solution

Version 0.3.20 fixes this vulnerability by escaping ANSI control characters in when writing events to destinations that may be printed to the terminal.

Affected Versions

All versions of tracing-subscriber prior to 0.3.20 are affected by this vulnerability.

Recommendations

Immediate Action Required: We recommend upgrading to tracing-subscriber 0.3.20 immediately, especially if your application:

  • Logs user-provided input (form data, HTTP headers, query parameters, etc.)
  • Runs in environments where terminal output is displayed to users

Migration

This is a patch release with no breaking API changes. Simply update your Cargo.toml:

[dependencies]
tracing-subscriber = "0.3.20"

Acknowledgments

We would like to thank zefr0x who responsibly reported the issue at security@tokio.rs.

If you believe you have found a security vulnerability in any tokio-rs project, please email us at security@tokio.rs.

Commits

Updates openssl from 0.10.70 to 0.10.73

Release notes

Sourced from openssl's releases.

openssl-v0.10.73

What's Changed

Full Changelog: sfackler/rust-openssl@openssl-v0.10.72...openssl-v0.10.73

openssl-v0.10.72

What's Changed

New Contributors

Full Changelog: sfackler/rust-openssl@openssl-v0.10.71...openssl-v0.10.72

openssl-v0.10.71

What's Changed

New Contributors

Full Changelog: sfackler/rust-openssl@openssl-v0.10.70...openssl-v0.10.71

Commits

Updates tokio from 1.43.0 to 1.46.1

Release notes

Sourced from tokio's releases.

Tokio v1.46.1

1.46.1 (July 4th, 2025)

This release fixes incorrect spawn locations in runtime task hooks for tasks spawned using tokio::spawn rather than Runtime::spawn. This issue only effected the spawn location in TaskMeta::spawned_at, and did not effect task locations in Tracing events.

Unstable

  • runtime: add TaskMeta::spawn_location tracking where a task was spawned (#7440)

#7440: tokio-rs/tokio#7440

Tokio v1.46.0

1.46.0 (July 2nd, 2025)

Fixed

  • net: fixed TcpStream::shutdown incorrectly returning an error on macOS (#7290)

Added

  • sync: mpsc::OwnedPermit::{same_channel, same_channel_as_sender} methods (#7389)
  • macros: biased option for join! and try_join!, similar to select! (#7307)
  • net: support for cygwin (#7393)
  • net: support pope::OpenOptions::read_write on Android (#7426)
  • net: add Clone implementation for net::unix::SocketAddr (#7422)

Changed

  • runtime: eliminate unnecessary lfence while operating on queue::Local<T> (#7340)
  • task: disallow blocking in LocalSet::{poll,drop} (#7372)

Unstable

  • runtime: add TaskMeta::spawn_location tracking where a task was spawned (#7417)
  • runtime: removed borrow from LocalOptions parameter to runtime::Builder::build_local (#7346)

Documented

  • io: clarify behavior of seeking when start_seek is not used (#7366)
  • io: document cancellation safety of AsyncWriteExt::flush (#7364)
  • net: fix docs for recv_buffer_size method (#7336)
  • net: fix broken link of RawFd in TcpSocket docs (#7416)
  • net: update AsRawFd doc link to current Rust stdlib location (#7429)
  • readme: fix double period in reactor description (#7363)
  • runtime: add doc note that on_*_task_poll is unstable (#7311)
  • sync: update broadcast docs on allocation failure (#7352)
  • time: add a missing panic scenario of time::advance (#7394)

#7290: tokio-rs/tokio#7290 #7307: tokio-rs/tokio#7307

... (truncated)

Commits
  • ab3ff69 chore: prepare to release v1.46.1 (#7444)
  • a0d5b8a runtime(unstable): fix task hook spawn locations for tokio::spawn (#7440)
  • a1ee3ef chore: fix some minor typos in the comments (#7442)
  • 171cd14 changelog: fix typo in pipe::OpenOptions for 1.46.0 (#7439)
  • 3f1f268 chore: prepare Tokio v1.46.0 (#7437)
  • 3e890cc rt(unstable): add spawn Location to TaskMeta (#7417)
  • 69290a6 net: derive Clone for net::unix::SocketAddr (#7422)
  • e2b1758 fuzz: cfg fuzz tests under cfg(test) (#7428)
  • b7a75b5 net: update AsRawFd doc link to current Rust stdlib location (#7429)
  • 6b705b3 net: allow pipe::OpenOptions::read_write on Android (#7426)
  • Additional commits viewable in compare view

Updates tracing-subscriber from 0.3.19 to 0.3.20

Release notes

Sourced from tracing-subscriber's releases.

tracing-subscriber 0.3.20

Security Fix: ANSI Escape Sequence Injection (CVE-TBD)

Impact

Previous versions of tracing-subscriber were vulnerable to ANSI escape sequence injection attacks. Untrusted user input containing ANSI escape sequences could be injected into terminal output when logged, potentially allowing attackers to:

  • Manipulate terminal title bars
  • Clear screens or modify terminal display
  • Potentially mislead users through terminal manipulation

In isolation, impact is minimal, however security issues have been found in terminal emulators that enabled an attacker to use ANSI escape sequences via logs to exploit vulnerabilities in the terminal emulator.

Solution

Version 0.3.20 fixes this vulnerability by escaping ANSI control characters in when writing events to destinations that may be printed to the terminal.

Affected Versions

All versions of tracing-subscriber prior to 0.3.20 are affected by this vulnerability.

Recommendations

Immediate Action Required: We recommend upgrading to tracing-subscriber 0.3.20 immediately, especially if your application:

  • Logs user-provided input (form data, HTTP headers, query parameters, etc.)
  • Runs in environments where terminal output is displayed to users

Migration

This is a patch release with no breaking API changes. Simply update your Cargo.toml:

[dependencies]
tracing-subscriber = "0.3.20"

Acknowledgments

We would like to thank zefr0x who responsibly reported the issue at security@tokio.rs.

If you believe you have found a security vulnerability in any tokio-rs project, please email us at security@tokio.rs.

Commits

Updates openssl from 0.10.70 to 0.10.73

Release notes

Sourced from openssl's releases.

openssl-v0.10.73

What's Changed

Full Changelog: sfackler/rust-openssl@openssl-v0.10.72...openssl-v0.10.73

openssl-v0.10.72

What's Changed

New Contributors

Full Changelog: sfackler/rust-openssl@openssl-v0.10.71...openssl-v0.10.72

openssl-v0.10.71

What's Changed

New Contributors

Full Changelog: sfackler/rust-openssl@openssl-v0.10.70...openssl-v0.10.71

Commits

Updates tokio from 1.43.0 to 1.46.1

Release notes

Sourced from tokio's releases.

Tokio v1.46.1

1.46.1 (July 4th, 2025)

This release fixes incorrect spawn locations in runtime task hooks for tasks spawned using tokio::spawn rather than Runtime::spawn. This issue only effected the spawn location in TaskMeta::spawned_at, and did not effect task locations in Tracing events.

Unstable

  • runtime: add TaskMeta::spawn_location tracking where a task was spawned (#7440)

#7440: tokio-rs/tokio#7440

Tokio v1.46.0

1.46.0 (July 2nd, 2025)

Fixed

  • net: fixed TcpStream::shutdown incorrectly returning an error on macOS (#7290)

Added

  • sync: mpsc::OwnedPermit::{same_channel, same_channel_as_sender} methods (#7389)
  • macros: biased option for join! and try_join!, similar to select! (#7307)
  • net: support for cygwin (#7393)
  • net: support pope::OpenOptions::read_write on Android (#7426)
  • net: add Clone implementation for net::unix::SocketAddr (#7422)

Changed

  • runtime: eliminate unnecessary lfence while operating on queue::Local<T> (#7340)
  • task: disallow blocking in LocalSet::{poll,drop} (#7372)

Unstable

  • runtime: add TaskMeta::spawn_location tracking where a task was spawned (#7417)
  • runtime: removed borrow from LocalOptions parameter to runtime::Builder::build_local (#7346)

Documented

  • io: clarify behavior of seeking when start_seek is not used (#7366)
  • io: document cancellation safety of AsyncWriteExt::flush (#7364)
  • net: fix docs for recv_buffer_size method (#7336)
  • net: fix broken link of RawFd in TcpSocket docs (#7416)
  • net: update AsRawFd doc link to current Rust stdlib location (#7429)
  • readme: fix double period in reactor description (#7363)
  • runtime: add doc note that on_*_task_poll is unstable (#7311)
  • sync: update broadcast docs on allocation failure (#7352)
  • time: add a missing panic scenario of time::advance (#7394)

#7290: tokio-rs/tokio#7290 #7307: tokio-rs/tokio#7307

... (truncated)

Commits
  • ab3ff69 chore: prepare to release v1.46.1 (#7444)
  • a0d5b8a runtime(unstable): fix task hook spawn locations for tokio::spawn (#7440)
  • a1ee3ef chore: fix some minor typos in the comments (#7442)
  • 171cd14 changelog: fix typo in pipe::OpenOptions for 1.46.0 (#7439)
  • 3f1f268 chore: prepare Tokio v1.46.0 (#7437)
  • 3e890cc rt(unstable): add spawn Location to TaskMeta (#7417)
  • 69290a6 net: derive Clone for net::unix::SocketAddr (#7422)
  • e2b1758 fuzz: cfg fuzz tests under cfg(test) (#7428)
  • b7a75b5 net: update AsRawFd doc link to current Rust stdlib location (#7429)
  • 6b705b3 net: allow pipe::OpenOptions::read_write on Android (#7426)
  • Additional commits viewable in compare view

Updates tracing-subscriber from 0.3.19 to 0.3.20

Release notes

Sourced from tracing-subscriber's releases.

tracing-subscriber 0.3.20

Security Fix: ANSI Escape Sequence Injection (CVE-TBD)

Impact

Previous versions of tracing-subscriber were vulnerable to ANSI escape sequence injection attacks. Untrusted user input containing ANSI escape sequences could be injected into terminal output when logged, potentially allowing attackers to:

  • Manipulate terminal title bars
  • Clear screens or modify terminal display
  • Potentially mislead users through terminal manipulation

In isolation, impact is minimal, however security issues have been found in terminal emulators that enabled an attacker to use ANSI escape sequences via logs to exploit vulnerabilities in the terminal emulator.

Solution

Version 0.3.20 fixes this vulnerability by escaping ANSI control characters in when writing events to destinations that may be printed to the terminal.

Affected Versions

All versions of tracing-subscriber prior to 0.3.20 are affected by this vulnerability.

Recommendations

Immediate Action Required: We recommend upgrading to tracing-subscriber 0.3.20 immediately, especially if your application:

  • Logs user-provided input (form data, HTTP headers, query parameters, etc.)
  • Runs in environments where terminal output is displayed to users

Migration

This is a patch release with no breaking API changes. Simply update your Cargo.toml:

[dependencies]
tracing-subscriber = "0.3.20"

Acknowledgments

We would like to thank zefr0x who responsibly reported the issue at security@tokio.rs.

If you believe you have found a security vulnerability in any tokio-rs project, please email us at security@tokio.rs.

Commits

Updates tokio from 1.44.0 to 1.44.2

Release notes

Sourced from tokio's releases.

Tokio v1.46.1

1.46.1 (July 4th, 2025)

This release fixes incorrect spawn locations in runtime task hooks for tasks spawned using tokio::spawn rather than Runtime::spawn. This issue only effected the spawn location in TaskMeta::spawned_at, and did not effect task locations in Tracing events.

Unstable

  • runtime: add TaskMeta::spawn_location tracking where a task was spawned (#7440)

#7440: tokio-rs/tokio#7440

Tokio v1.46.0

1.46.0 (July 2nd, 2025)

Fixed

  • net: fixed TcpStream::shutdown incorrectly returning an error on macOS (#7290)

Added

  • sync: mpsc::OwnedPermit::{same_channel, same_channel_as_sender} methods (#7389)
  • macros: biased option for join! and try_join!, similar to select! (#7307)
  • net: support for cygwin (#7393)
  • net: support pope::OpenOptions::read_write on Android (#7426)
  • net: add Clone implementation for net::unix::SocketAddr (#7422)

Changed

  • runtime: eliminate unnecessary lfence while operating on queue::Local<T> (#7340)
  • task: disallow blocking in LocalSet::{poll,drop} (#7372)

Unstable

  • runtime: add TaskMeta::spawn_location tracking where a task was spawned (#7417)
  • runtime: removed borrow from LocalOptions parameter to runtime::Builder::build_local (#7346)

Documented

  • io: clarify behavior of seeking when start_seek is not used (#7366)
  • io: document cancellation safety of AsyncWriteExt::flush (#7364)
  • net: fix docs for recv_buffer_size method (#7336)
  • net: fix broken link of RawFd in TcpSocket docs (#7416)
  • net: update AsRawFd doc link to current Rust stdlib location (#7429)
  • readme: fix double period in reactor description (#7363)
  • runtime: add doc note that on_*_task_poll is unstable (#7311)
  • sync: update broadcast docs on allocation failure (#7352)
  • time: add a missing panic scenario of time::advance (#7394)

#7290: tokio-rs/tokio#7290 #7307: tokio-rs/tokio#7307

... (truncated)

Commits
  • ab3ff69 chore: prepare to release v1.46.1 (#7444)
  • a0d5b8a runtime(unstable): fix task hook spawn locations for tokio::spawn (#7440)
  • a1ee3ef chore: fix some minor typos in the comments (#7442)
  • 171cd14 changelog: fix typo in pipe::OpenOptions for 1.46.0 (#7439)
  • 3f1f268 chore: prepare Tokio v1.46.0 (#7437)
  • 3e890cc rt(unstable): add spawn Location to TaskMeta (#7417)
  • 69290a6 net: derive Clone for net::unix::SocketAddr (#7422)
  • e2b1758 fuzz: cfg fuzz tests under cfg(test) (#7428)
  • b7a75b5 net: update AsRawFd doc link to current Rust stdlib location (#7429)
  • 6b705b3 net: allow pipe::OpenOptions::read_write on Android (#7426)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
chore: bump the cargo group across 3 directories with 3 updates
9de99ee 
Bumps the cargo group with 3 updates in the /experimental/rust-sdk directory: [tracing-subscriber](https://github.com/tokio-rs/tracing), [openssl](https://github.com/sfackler/rust-openssl) and [tokio](https://github.com/tokio-rs/tokio).
Bumps the cargo group with 3 updates in the /experimental/rust-sdk/examples/basic directory: [tracing-subscriber](https://github.com/tokio-rs/tracing), [openssl](https://github.com/sfackler/rust-openssl) and [tokio](https://github.com/tokio-rs/tokio).
Bumps the cargo group with 2 updates in the /gpu_stats directory: [tracing-subscriber](https://github.com/tokio-rs/tracing) and [tokio](https://github.com/tokio-rs/tokio).


Updates `tracing-subscriber` from 0.3.19 to 0.3.20
- [Release notes](https://github.com/tokio-rs/tracing/releases)
- [Commits](tokio-rs/tracing@tracing-subscriber-0.3.19...tracing-subscriber-0.3.20)

Updates `openssl` from 0.10.70 to 0.10.73
- [Release notes](https://github.com/sfackler/rust-openssl/releases)
- [Commits](sfackler/rust-openssl@openssl-v0.10.70...openssl-v0.10.73)

Updates `tokio` from 1.43.0 to 1.46.1
- [Release notes](https://github.com/tokio-rs/tokio/releases)
- [Commits](tokio-rs/tokio@tokio-1.43.0...tokio-1.46.1)

Updates `tracing-subscriber` from 0.3.19 to 0.3.20
- [Release notes](https://github.com/tokio-rs/tracing/releases)
- [Commits](tokio-rs/tracing@tracing-subscriber-0.3.19...tracing-subscriber-0.3.20)

Updates `openssl` from 0.10.70 to 0.10.73
- [Release notes](https://github.com/sfackler/rust-openssl/releases)
- [Commits](sfackler/rust-openssl@openssl-v0.10.70...openssl-v0.10.73)

Updates `tokio` from 1.43.0 to 1.46.1
- [Release notes](https://github.com/tokio-rs/tokio/releases)
- [Commits](tokio-rs/tokio@tokio-1.43.0...tokio-1.46.1)

Updates `tracing-subscriber` from 0.3.19 to 0.3.20
- [Release notes](https://github.com/tokio-rs/tracing/releases)
- [Commits](tokio-rs/tracing@tracing-subscriber-0.3.19...tracing-subscriber-0.3.20)

Updates `tokio` from 1.44.0 to 1.44.2
- [Release notes](https://github.com/tokio-rs/tokio/releases)
- [Commits](tokio-rs/tokio@tokio-1.43.0...tokio-1.46.1)

---
updated-dependencies:
- dependency-name: tracing-subscriber
  dependency-version: 0.3.20
  dependency-type: direct:production
  dependency-group: cargo
- dependency-name: openssl
  dependency-version: 0.10.73
  dependency-type: indirect
  dependency-group: cargo
- dependency-name: tokio
  dependency-version: 1.46.1
  dependency-type: indirect
  dependency-group: cargo
- dependency-name: tracing-subscriber
  dependency-version: 0.3.20
  dependency-type: indirect
  dependency-group: cargo
- dependency-name: openssl
  dependency-version: 0.10.73
  dependency-type: indirect
  dependency-group: cargo
- dependency-name: tokio
  dependency-version: 1.46.1
  dependency-type: indirect
  dependency-group: cargo
- dependency-name: tracing-subscriber
  dependency-version: 0.3.20
  dependency-type: indirect
  dependency-group: cargo
- dependency-name: tokio
  dependency-version: 1.44.2
  dependency-type: direct:production
  dependency-group: cargo
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file rust Pull requests that update rust code labels Aug 29, 2025
@socket-security Socket Security
Copy link

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Addedpypi/​psutil@​7.0.072100100100100
Addedpypi/​setuptools@​80.9.07410010010070
Addedpypi/​numpy@​2.0.0rc27510010010070
Addedpypi/​numpy@​2.3.27510010010070
Addedpypi/​pillow@​11.3.08510010010070
Addedpypi/​kubernetes@​33.1.087100100100100
Addedpypi/​moviepy@​2.2.188100100100100
Addedpypi/​imageio@​2.37.090100100100100
Addedpypi/​gitpython@​3.1.4592100100100100
Addedpypi/​minio@​7.2.169310010010070
Addedpypi/​click@​8.2.196100100100100
Addedpypi/​hatchling@​1.27.096100100100100
Addedpypi/​google-cloud-storage@​3.3.096100100100100
Addedpypi/​sentry-sdk@​2.35.197100100100100
Addedpypi/​requests@​2.32.599100100100100
Addedpypi/​setproctitle@​1.3.610010099100100
Addedpypi/​sh@​2.2.299100100100100
Addedpypi/​protobuf@​3.19.6100100100100100
Addedpypi/​protobuf@​6.32.0100100100100100
Addedpypi/​typing-extensions@​4.15.0100100100100100
Addedpypi/​pydantic@​2.11.7100100100100100
Addedpypi/​docker-pycreds@​0.4.0100100100100100
Addedpypi/​platformdirs@​4.4.0100100100100100
Addedpypi/​pyyaml@​6.0.2100100100100100
Addedpypi/​eval-type-backport@​0.2.2100100100100100

View full report

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
dependencies Pull requests that update a dependency file rust Pull requests that update rust code
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
0 participants