build(deps): Bump the cargo-minor-patch group across 1 directory with 10 updates#378
build(deps): Bump the cargo-minor-patch group across 1 directory with 10 updates#378dependabot[bot] wants to merge 1 commit into
Conversation
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: fe5fae7429
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
| [[package]] | ||
| name = "arc-swap" | ||
| version = "1.9.1" | ||
| version = "1.9.2" |
There was a problem hiding this comment.
The root /workspace/registry-stack/AGENTS.md says “Every commit needs a DCO sign-off: git commit -s,” but git log -1 --format=full 27079afe8d79a89f56af87f0cb43d36bf11e0205 has no Signed-off-by: trailer. In repositories that enforce DCO, this commit cannot merge as-is even though the lockfile change is mechanical, so please recreate or amend it with -s.
Useful? React with 👍 / 👎.
| [[package]] | ||
| name = "aws-lc-rs" | ||
| version = "1.17.0" | ||
| version = "1.17.1" |
There was a problem hiding this comment.
Add security notes for the AWS-LC bump
The root /workspace/registry-stack/AGENTS.md requires explicit review notes for changes to signing or credential issuance; this lockfile line updates aws-lc-rs, which crates/registry-platform-crypto/src/lib.rs uses for RSA signing and crates/registry-notary-server/src/state_plane/sensitive.rs uses for AEAD/HMAC state protection. The commit body only carries Dependabot release notes, so reviewers lack the required repo-specific security note/validation for the affected crypto paths; please add that note before merging.
Useful? React with 👍 / 👎.
fe5fae7 to
5432ba0
Compare
… 10 updates Bumps the cargo-minor-patch group with 10 updates in the / directory: | Package | From | To | | --- | --- | --- | | [arc-swap](https://github.com/vorner/arc-swap) | `1.9.1` | `1.9.2` | | [aws-lc-rs](https://github.com/aws/aws-lc-rs) | `1.17.0` | `1.17.3` | | [bytes](https://github.com/tokio-rs/bytes) | `1.12.0` | `1.12.1` | | [clap](https://github.com/clap-rs/clap) | `4.6.1` | `4.6.2` | | [ryu-js](https://github.com/boa-dev/ryu-js) | `1.0.2` | `1.0.3` | | [time](https://github.com/time-rs/time) | `0.3.51` | `0.3.53` | | [tokio](https://github.com/tokio-rs/tokio) | `1.52.3` | `1.53.0` | | [toml](https://github.com/toml-rs/toml) | `1.1.2+spec-1.1.0` | `1.1.3+spec-1.1.0` | | [uuid](https://github.com/uuid-rs/uuid) | `1.23.4` | `1.24.0` | | [regex](https://github.com/rust-lang/regex) | `1.12.4` | `1.13.1` | Updates `arc-swap` from 1.9.1 to 1.9.2 - [Changelog](https://github.com/vorner/arc-swap/blob/master/CHANGELOG.md) - [Commits](https://github.com/vorner/arc-swap/commits) Updates `aws-lc-rs` from 1.17.0 to 1.17.3 - [Release notes](https://github.com/aws/aws-lc-rs/releases) - [Commits](aws/aws-lc-rs@v1.17.0...v1.17.3) Updates `bytes` from 1.12.0 to 1.12.1 - [Release notes](https://github.com/tokio-rs/bytes/releases) - [Changelog](https://github.com/tokio-rs/bytes/blob/master/CHANGELOG.md) - [Commits](tokio-rs/bytes@v1.12.0...v1.12.1) Updates `clap` from 4.6.1 to 4.6.2 - [Release notes](https://github.com/clap-rs/clap/releases) - [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md) - [Commits](clap-rs/clap@clap_complete-v4.6.1...clap_complete-v4.6.2) Updates `ryu-js` from 1.0.2 to 1.0.3 - [Release notes](https://github.com/boa-dev/ryu-js/releases) - [Changelog](https://github.com/boa-dev/ryu-js/blob/main/CHANGELOG.md) - [Commits](boa-dev/ryu-js@v1.0.2...v1.0.3) Updates `time` from 0.3.51 to 0.3.53 - [Release notes](https://github.com/time-rs/time/releases) - [Changelog](https://github.com/time-rs/time/blob/main/CHANGELOG.md) - [Commits](time-rs/time@v0.3.51...v0.3.53) Updates `tokio` from 1.52.3 to 1.53.0 - [Release notes](https://github.com/tokio-rs/tokio/releases) - [Commits](tokio-rs/tokio@tokio-1.52.3...tokio-1.53.0) Updates `toml` from 1.1.2+spec-1.1.0 to 1.1.3+spec-1.1.0 - [Commits](toml-rs/toml@toml-v1.1.2...toml-v1.1.3) Updates `uuid` from 1.23.4 to 1.24.0 - [Release notes](https://github.com/uuid-rs/uuid/releases) - [Commits](uuid-rs/uuid@v1.23.4...v1.24.0) Updates `regex` from 1.12.4 to 1.13.1 - [Release notes](https://github.com/rust-lang/regex/releases) - [Changelog](https://github.com/rust-lang/regex/blob/master/CHANGELOG.md) - [Commits](rust-lang/regex@1.12.4...1.13.1) --- updated-dependencies: - dependency-name: arc-swap dependency-version: 1.9.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: cargo-minor-patch - dependency-name: aws-lc-rs dependency-version: 1.17.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: cargo-minor-patch - dependency-name: bytes dependency-version: 1.12.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: cargo-minor-patch - dependency-name: clap dependency-version: 4.6.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: cargo-minor-patch - dependency-name: regex dependency-version: 1.13.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: cargo-minor-patch - dependency-name: ryu-js dependency-version: 1.0.3 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: cargo-minor-patch - dependency-name: time dependency-version: 0.3.53 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: cargo-minor-patch - dependency-name: tokio dependency-version: 1.52.4 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: cargo-minor-patch - dependency-name: toml dependency-version: 1.1.3+spec-1.1.0 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: cargo-minor-patch - dependency-name: uuid dependency-version: 1.24.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: cargo-minor-patch ... Signed-off-by: dependabot[bot] <support@github.com>
5432ba0 to
6770582
Compare
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 67705826eb
ℹ️ About Codex in GitHub
Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".
| [[package]] | ||
| name = "arc-swap" | ||
| version = "1.9.1" | ||
| version = "1.9.2" |
There was a problem hiding this comment.
For this replacement commit, git log -1 --format='%(trailers)' 868cbfc1a63e07678aa2f63e207af2093befb8b5 is empty. I checked .github/workflows/dco.yml, and the PR workflow fails every commit in the PR range that lacks a Signed-off-by: ... <...> trailer, matching the root AGENTS.md DCO rule, so this commit cannot merge until it is recreated with git commit -s or an equivalent trailer.
Useful? React with 👍 / 👎.
| [[package]] | ||
| name = "aws-lc-rs" | ||
| version = "1.17.0" | ||
| version = "1.17.3" |
There was a problem hiding this comment.
Record security review for the AWS-LC bump
This bump changes aws-lc-rs/aws-lc-sys; I checked the current call sites and crates/registry-platform-crypto/src/lib.rs uses it for RSA signing/verification while crates/registry-notary-server/src/state_plane/sensitive.rs uses it for AES-GCM/HMAC state protection. The root AGENTS.md requires explicit review notes for signing, credential issuance, and audit-integrity-sensitive changes, but this 868cbfc commit message contains only upstream Dependabot release notes, so reviewers still lack the repo-specific security validation before merging.
Useful? React with 👍 / 👎.
| [[package]] | ||
| name = "ryu-js" | ||
| version = "1.0.2" | ||
| version = "1.0.3" |
There was a problem hiding this comment.
Re-run the ryu-js vetting before bumping it
This changes the locked ryu-js version/checksum, but release/notes/dependency-vetting-ryu-js.md explicitly lists that as a review trigger and notes the crate feeds canonical JSON bytes used by crypto, manifests, hashes, signatures, and configuration artifacts. Without updating that vetting evidence or otherwise recording the repeat review against 1.0.3, this lockfile-only bump violates the documented control for a security-sensitive canonicalization dependency.
Useful? React with 👍 / 👎.
Bumps the cargo-minor-patch group with 10 updates in the / directory:
1.9.11.9.21.17.01.17.31.12.01.12.14.6.14.6.21.0.21.0.30.3.510.3.531.52.31.53.01.1.2+spec-1.1.01.1.3+spec-1.1.01.23.41.24.01.12.41.13.1Updates
arc-swapfrom 1.9.1 to 1.9.2Changelog
Sourced from arc-swap's changelog.
Commits
Updates
aws-lc-rsfrom 1.17.0 to 1.17.3Release notes
Sourced from aws-lc-rs's releases.
... (truncated)
Commits
9232f4dPrepare aws lc fips sys v0.13.16 (#1180)d722b90Prepare aws-lc-rs v1.17.2 (#1178)33cbbacAdd public API to check AWS-LC and FIPS versions (#1167)f031b06Clarify PqdsaKeyPair serialized formats (#1174)deeff57build(deps): bump actions/setup-go from 6 to 7 (#1177)aac7333Prepare aws-lc-sys v0.43.0 (#1176)6e92439fix: restore cc default flags in memcmp probe; only fail build on confirmed b...997202fci: only run push-triggered workflows on main (#1163)e017679fix: memcmp probe PIE mismatch and TARGET_* env leakage into host builds (#1171)5336e79ci: fix cross windows-gnu pre-build wine dpkg conflict (#1172)Updates
bytesfrom 1.12.0 to 1.12.1Release notes
Sourced from bytes's releases.
Changelog
Sourced from bytes's changelog.
Commits
76c0fbbRelease bytes v1.12.1 (#838)924c82bHandle unwinding from Box::new (#837)Updates
clapfrom 4.6.1 to 4.6.2Release notes
Sourced from clap's releases.
Changelog
Sourced from clap's changelog.
Commits
0fe0be3chore: Release480af9ddocs: Update changelog2b3ddd0Merge pull request #6340 from liskin/fix-completion-escape7ffe739fix(complete): Do not suggest options after "--"d47fc4ftest(complete): Options suggested after escape (--)Updates
ryu-jsfrom 1.0.2 to 1.0.3Release notes
Sourced from ryu-js's releases.
Changelog
Sourced from ryu-js's changelog.
Commits
f8d6626Releasev1.0.3(#64)9a936cbMakeCursorstore unsigned integer len and index (#63)97e8180Bump actions/cache from 4 to 6 (#62)4beec89Fix panic in format64_to_fixed when rounding carries past all integer digits ...03bf0f3Sync upstream/main (#57)Updates
timefrom 0.3.51 to 0.3.53Release notes
Sourced from time's releases.
Changelog
Sourced from time's changelog.
Commits
0ae2f84v0.3.53 releasecea8c96Avoid issue withcookiecrate temporarily55e1f2bRequire private type to properly seal traits7cf4780v0.3.52 release0e5b04fFix trusted publishing workflow6e4140aSupport default values when parsing10ac36aAdd more doctests toTimestamp6b0d468Restore lexer depth on the unclosed-bracket error path0abc06dAdd trusted publishing43cf0c0Preferentially group shards by targetUpdates
tokiofrom 1.52.3 to 1.53.0Release notes
Sourced from tokio's releases.
... (truncated)
Commits
be689a3chore: prepare Tokio v1.53.0 (#8294)50f76c7chore: prepare tokio-macros v2.7.1 (#8295)f61fccaMerge 'tokio-1.52.4' into 'master' (#8290)efdba5fchore: prepare Tokio v1.52.4 (#8289)b0ba02eMerge 'tokio-1.51.4' into 'tokio-1.52.x' (#8288)7bcd2d3taskdump: remove crate disambiguators from output (#8288)f84b209chore: prepare Tokio v1.51.4 (#8286)eacb98eruntime: don't skip the driver whenbefore_parkschedules work (#8222)5e16ee0task: avoid replacing the JoinQueue waker intry_join_next(#8279)88212absync: document memory ordering guarantees for Semaphore (#8119)Updates
tomlfrom 1.1.2+spec-1.1.0 to 1.1.3+spec-1.1.0Commits
eb25160chore: Releasef36fb52docs: Update changelog3adbbb7fix(writer): Don't overflow (#1189)fb0c1b3fix(writer): Don't overflow5e70a70test(writer): Add overflow test771a975chore: Upgrade toml-test (#1186)28f6c9cchore: Upgrade toml-test30d75cachore(deps): Update Prek to v0.4.9 (#1185)17efe57chore(deps): Update Rust Stable to v1.97 (#1184)c9d0d54style: Make clippy happyUpdates
uuidfrom 1.23.4 to 1.24.0Release notes
Sourced from uuid's releases.
Commits
6a8aeabMerge pull request #896 from uuid-rs/cargo/v1.24.0e6db8ecprepare for 1.24.0 release606f236Merge pull request #892 from weifanglab/mainab848dbfeat(fmt): support encoding into MaybeUninit buffers5dc6b3dMerge pull request #895 from uuid-rs/cargo/v1.23.55a7dfe5prepare for 1.23.5 release9b4bfc8Merge pull request #894 from geeknoid/main5acc5a5perf: Optimize UUID hex parsing and formatting6fa1a1efeat(fmt): support encoding into MaybeUninit buffers1e5d867Merge pull request #891 from frostyplanet/docUpdates
regexfrom 1.12.4 to 1.13.1Changelog
Sourced from regex's changelog.
Commits
2b527591.13.1, redux40e98231.13.175fcb96changelog: 1.13.164ad0b6automata: fix bug in reverse suffix/inner optimizationfa91c31automata: fix a bug caught by Codex review30390ecautomata: formatting tweaks821a8ebautomata: refactor reverse suffix/inner search slightly10afd70automata: expose the extracted literals for inner literal extraction8c34f41automata: avoid reverse suffix optimization for non-leftmost-first5524f02test: add regression tests for failed reverse suffix/inner optimizations