chore(deps): bump the cargo group across 4 directories with 10 updates by dependabot[bot] · Pull Request #3397 · BoundaryML/baml

dependabot · 2026-04-22T23:29:23Z

Bumps the cargo group with 4 updates in the /baml_language directory: openssl, rand, rustls-webpki and thin-vec.
Bumps the cargo group with 8 updates in the /engine directory:

Package	From	To
aws-sdk-bedrockruntime	`1.106.0`	`1.107.0`
bytes	`1.10.1`	`1.11.1`
time	`0.3.43`	`0.3.47`
openssl	`0.10.73`	`0.10.78`
quinn-proto	`0.11.13`	`0.11.14`
rand	`0.8.5`	`0.9.2`
jsonwebtoken	`9.3.1`	`10.3.0`
tar	`0.4.44`	`0.4.45`

Bumps the cargo group with 2 updates in the /integ-tests/rust directory: bytes and rustls-webpki.
Bumps the cargo group with 2 updates in the /languages/rust directory: bytes and rustls-webpki.

Updates openssl from 0.10.76 to 0.10.78

Release notes

Sourced from openssl's releases.

openssl-v0.10.78

What's Changed

Fix Suite B flag assignments in verify.rs by @alex in rust-openssl/rust-openssl#2592

Use cvt_p for OPENSSL_malloc error handling by @alex in rust-openssl/rust-openssl#2593

Mark BIO_get_mem_data on AWS-LC to be unsafe by @alex in rust-openssl/rust-openssl#2594

Set timeout for package installation step by @alex in rust-openssl/rust-openssl#2595

Panic in Crypter::new when IV is required but not provided by @alex in rust-openssl/rust-openssl#2596

openssl 4 support by @reaperhulk in rust-openssl/rust-openssl#2591

Avoid panic for overlong OIDs by @botovq in rust-openssl/rust-openssl#2598

Fix dangling stack pointer in custom extension add callback by @alex in rust-openssl/rust-openssl#2599

Add support for LibreSSL 4.3.x by @botovq in rust-openssl/rust-openssl#2603

fix inverted bounds assertion in AES key unwrap by @reaperhulk in rust-openssl/rust-openssl#2604

Reject oversized length returns from password callback trampoline by @alex in rust-openssl/rust-openssl#2605

Validate callback-returned lengths in PSK and cookie trampolines by @alex in rust-openssl/rust-openssl#2607

Error for short out in MdCtxRef::digest_final() by @botovq in rust-openssl/rust-openssl#2608

Check derive output buffer length on OpenSSL 1.1.x by @alex in rust-openssl/rust-openssl#2606

Release openssl v0.10.78 and openssl-sys v0.9.114 by @alex in rust-openssl/rust-openssl#2609

Full Changelog: rust-openssl/rust-openssl@openssl-v0.10.77...openssl-v0.10.78

openssl-v0.10.77

What's Changed

CI: Hash-pin all action usage, avoid credential persistence in actions/checkout by @woodruffw in rust-openssl/rust-openssl#2587

Bump aws-lc-sys to 0.39 by @goffrie in rust-openssl/rust-openssl#2588

md_ctx: enable sign/verify/reset on BoringSSL, LibreSSL, and AWS-LC by @alex in rust-openssl/rust-openssl#2589

Release openssl v0.10.77 and openssl-sys v0.9.113 by @alex in rust-openssl/rust-openssl#2590

New Contributors

@woodruffw made their first contribution in rust-openssl/rust-openssl#2587

Full Changelog: rust-openssl/rust-openssl@openssl-v0.10.76...openssl-v0.10.77

Commits

a6debf5 Release openssl v0.10.78 and openssl-sys v0.9.114 (#2609)
09b425e Check derive output buffer length on OpenSSL 1.1.x (#2606)
826c388 Error for short out in MdCtxRef::digest_final() (#2608)
1d10902 Validate callback-returned lengths in PSK and cookie trampolines (#2607)
5af6895 Reject oversized length returns from password callback trampoline (#2605)
718d07f fix inverted bounds assertion in AES key unwrap (#2604)
53cc69d Add support for LibreSSL 4.3.x (#2603)
0b41e79 Fix dangling stack pointer in custom extension add callback (#2599)
cbdedf8 Avoid panic for overlong OIDs (#2598)
1fc51ef openssl 4 support (#2591)
Additional commits viewable in compare view

Updates rand from 0.8.5 to 0.8.6

Changelog

Sourced from rand's changelog.

[0.8.6] - 2026-04-14

This release back-ports a fix from v0.10. See also #1763.

Changes

Deprecate feature log (#1772)

#1763: rust-random/rand#1763 #1772: rust-random/rand#1772

Drop the experimental simd_support feature.

Commits

5309f25 0.8.6 (#1772): update for recent nightly rustc and backport #1764
1126d03 When testing rustc 1.36, use compatible dependencies.
143b602 Add Cargo.lock.msrv.
9be86f2 Fix cross build test.
5e0d50d Drop simd_support.
8ff02f0 Upgrade cache action.
4ad0cc3 Don't test for unsupported target architecture.
258e6d0 Address warning.
9f0e676 Mark some internal traits as potentially unused.
6f123c1 Workaround never constructed and never used warning.
Additional commits viewable in compare view

Updates rustls-webpki from 0.103.10 to 0.103.13

Release notes

Sourced from rustls-webpki's releases.

0.103.13

Fix reachable panic in parsing a CRL. This was reported to us as GHSA-82j2-j2ch-gfr8. Users who don't use CRLs are not affected.

For name constraints on URI names, we incorrectly processed excluded subtrees in a way which inverted the desired meaning. See rustls/webpki#471. This was a case missing in the fix for GHSA-965h-392x-2mh5.

What's Changed

Actually fail closed for URI matching against excluded subtrees by @djc in rustls/webpki#473

Prepare 0.103.13 by @ctz in rustls/webpki#474

Full Changelog: rustls/webpki@v/0.103.12...v/0.103.13

0.103.12

This release fixes two bugs in name constraint enforcement:

GHSA-965h-392x-2mh5: name constraints for URI names were ignored and therefore accepted. URI name constraints are now rejected unconditionally. Note this library does not provide an API for asserting URI names, and URI name constraints are otherwise not implemented.

GHSA-xgp8-3hg3-c2mh: permitted subtree name constraints for DNS names were accepted for certificates asserting a wildcard name. This was incorrect because, given a name constraint of accept.example.com, *.example.com could feasibly allow a name of reject.example.com which is outside the constraint. This is very similar to CVE-2025-61727.

Since name constraints are restrictions on otherwise properly-issued certificates, these bugs are reachable only after signature verification and require misissuance to exploit.

What's Changed

Prepare 0.103.12 by @djc in rustls/webpki#470

Full Changelog: rustls/webpki@v/0.103.11...v/0.103.12

0.103.11

In response to #464, we've slightly relaxed requirements for anchor_from_trust_cert() to ignore unknown extensions even if they're marked as critical. This only affects parsing a TrustAnchor from DER, for which most extensions are ignored anyway.

What's Changed

Backport parsing trust anchors with unknown critical extensions to 0.103 by @djc in rustls/webpki#466

Commits

2879b2c Prepare 0.103.13
2c49773 Improve tests for padding of BitStringFlags
4e3c0b3 Correct validation of BIT STRING constraints
39c91d2 Actually fail closed for URI matching against excluded subtrees
27131d4 Bump version to 0.103.12
6ecb876 Clean up stuttery enum variant names
318b3e6 Ignore wildcard labels when matching name constraints
1219622 Rewrite constraint matching to avoid permissive catch-all branch
57bc62c Bump version to 0.103.11
d0fa01e Allow parsing trust anchors with unknown criticial extensions
See full diff in compare view

Updates thin-vec from 0.2.14 to 0.2.16

Changelog

Sourced from thin-vec's changelog.

Version 0.2.16 (2026-04-14)

Fix reserve() on auto arrays in gecko-ffi mode.

Fix two double-drop issues with ThinVec::clear() and ThinVec::into_iter() when the Drop implementation of the item panics.

Version 0.2.15 (2026-04-08)

Support AutoTArrays created from Rust in Gecko FFI mode.

Add extract_if.

Add const new() support behind feature flag.

Fix thin_vec macro not being hygienic when recursing

Improve extend() performance.

Commits

3c96f1e chore: Bump version to v0.2.16
df64748 Fix two panic=unwind issues.
4e3a217 ci: Ignore msrv job for now since it just hangs trying to pull deps.
63c2f5f gecko-ffi: Fix auto-t-array push.
6797813 tests: Appease clippy.
af81b17 ci: Don't use actions-rs/{cargo,clippy-check} as it's not allowed in mozilla/...
360f9ef Update repository URL and various cleanups
70bcca0 chore: Bump version to v0.2.15
322423b Fix miri error on extract_if().
eca5334 Don't make push_unchecked public.
Additional commits viewable in compare view

Updates rand from 0.8.5 to 0.8.6

Changelog

Sourced from rand's changelog.

[0.8.6] - 2026-04-14

This release back-ports a fix from v0.10. See also #1763.

Changes

Deprecate feature log (#1772)

#1763: rust-random/rand#1763 #1772: rust-random/rand#1772

Drop the experimental simd_support feature.

Commits

5309f25 0.8.6 (#1772): update for recent nightly rustc and backport #1764
1126d03 When testing rustc 1.36, use compatible dependencies.
143b602 Add Cargo.lock.msrv.
9be86f2 Fix cross build test.
5e0d50d Drop simd_support.
8ff02f0 Upgrade cache action.
4ad0cc3 Don't test for unsupported target architecture.
258e6d0 Address warning.
9f0e676 Mark some internal traits as potentially unused.
6f123c1 Workaround never constructed and never used warning.
Additional commits viewable in compare view

Updates openssl from 0.10.76 to 0.10.78

Release notes

Sourced from openssl's releases.

openssl-v0.10.78

What's Changed

Fix Suite B flag assignments in verify.rs by @alex in rust-openssl/rust-openssl#2592

Use cvt_p for OPENSSL_malloc error handling by @alex in rust-openssl/rust-openssl#2593

Mark BIO_get_mem_data on AWS-LC to be unsafe by @alex in rust-openssl/rust-openssl#2594

Set timeout for package installation step by @alex in rust-openssl/rust-openssl#2595

Panic in Crypter::new when IV is required but not provided by @alex in rust-openssl/rust-openssl#2596

openssl 4 support by @reaperhulk in rust-openssl/rust-openssl#2591

Avoid panic for overlong OIDs by @botovq in rust-openssl/rust-openssl#2598

Fix dangling stack pointer in custom extension add callback by @alex in rust-openssl/rust-openssl#2599

Add support for LibreSSL 4.3.x by @botovq in rust-openssl/rust-openssl#2603

fix inverted bounds assertion in AES key unwrap by @reaperhulk in rust-openssl/rust-openssl#2604

Reject oversized length returns from password callback trampoline by @alex in rust-openssl/rust-openssl#2605

Validate callback-returned lengths in PSK and cookie trampolines by @alex in rust-openssl/rust-openssl#2607

Error for short out in MdCtxRef::digest_final() by @botovq in rust-openssl/rust-openssl#2608

Check derive output buffer length on OpenSSL 1.1.x by @alex in rust-openssl/rust-openssl#2606

Release openssl v0.10.78 and openssl-sys v0.9.114 by @alex in rust-openssl/rust-openssl#2609

Full Changelog: rust-openssl/rust-openssl@openssl-v0.10.77...openssl-v0.10.78

openssl-v0.10.77

What's Changed

CI: Hash-pin all action usage, avoid credential persistence in actions/checkout by @woodruffw in rust-openssl/rust-openssl#2587

Bump aws-lc-sys to 0.39 by @goffrie in rust-openssl/rust-openssl#2588

md_ctx: enable sign/verify/reset on BoringSSL, LibreSSL, and AWS-LC by @alex in rust-openssl/rust-openssl#2589

Release openssl v0.10.77 and openssl-sys v0.9.113 by @alex in rust-openssl/rust-openssl#2590

New Contributors

@woodruffw made their first contribution in rust-openssl/rust-openssl#2587

Full Changelog: rust-openssl/rust-openssl@openssl-v0.10.76...openssl-v0.10.77

Commits

a6debf5 Release openssl v0.10.78 and openssl-sys v0.9.114 (#2609)
09b425e Check derive output buffer length on OpenSSL 1.1.x (#2606)
826c388 Error for short out in MdCtxRef::digest_final() (#2608)
1d10902 Validate callback-returned lengths in PSK and cookie trampolines (#2607)
5af6895 Reject oversized length returns from password callback trampoline (#2605)
718d07f fix inverted bounds assertion in AES key unwrap (#2604)
53cc69d Add support for LibreSSL 4.3.x (#2603)
0b41e79 Fix dangling stack pointer in custom extension add callback (#2599)
cbdedf8 Avoid panic for overlong OIDs (#2598)
1fc51ef openssl 4 support (#2591)
Additional commits viewable in compare view

Updates rustls-webpki from 0.103.10 to 0.103.13

Release notes

Sourced from rustls-webpki's releases.

0.103.13

Fix reachable panic in parsing a CRL. This was reported to us as GHSA-82j2-j2ch-gfr8. Users who don't use CRLs are not affected.

For name constraints on URI names, we incorrectly processed excluded subtrees in a way which inverted the desired meaning. See rustls/webpki#471. This was a case missing in the fix for GHSA-965h-392x-2mh5.

What's Changed

Actually fail closed for URI matching against excluded subtrees by @djc in rustls/webpki#473

Prepare 0.103.13 by @ctz in rustls/webpki#474

Full Changelog: rustls/webpki@v/0.103.12...v/0.103.13

0.103.12

This release fixes two bugs in name constraint enforcement:

GHSA-965h-392x-2mh5: name constraints for URI names were ignored and therefore accepted. URI name constraints are now rejected unconditionally. Note this library does not provide an API for asserting URI names, and URI name constraints are otherwise not implemented.

GHSA-xgp8-3hg3-c2mh: permitted subtree name constraints for DNS names were accepted for certificates asserting a wildcard name. This was incorrect because, given a name constraint of accept.example.com, *.example.com could feasibly allow a name of reject.example.com which is outside the constraint. This is very similar to CVE-2025-61727.

Since name constraints are restrictions on otherwise properly-issued certificates, these bugs are reachable only after signature verification and require misissuance to exploit.

What's Changed

Prepare 0.103.12 by @djc in rustls/webpki#470

Full Changelog: rustls/webpki@v/0.103.11...v/0.103.12

0.103.11

In response to #464, we've slightly relaxed requirements for anchor_from_trust_cert() to ignore unknown extensions even if they're marked as critical. This only affects parsing a TrustAnchor from DER, for which most extensions are ignored anyway.

What's Changed

Backport parsing trust anchors with unknown critical extensions to 0.103 by @djc in rustls/webpki#466

Commits

2879b2c Prepare 0.103.13
2c49773 Improve tests for padding of BitStringFlags
4e3c0b3 Correct validation of BIT STRING constraints
39c91d2 Actually fail closed for URI matching against excluded subtrees
27131d4 Bump version to 0.103.12
6ecb876 Clean up stuttery enum variant names
318b3e6 Ignore wildcard labels when matching name constraints
1219622 Rewrite constraint matching to avoid permissive catch-all branch
57bc62c Bump version to 0.103.11
d0fa01e Allow parsing trust anchors with unknown criticial extensions
See full diff in compare view

Updates rustls-webpki from 0.103.10 to 0.103.13

Release notes

Sourced from rustls-webpki's releases.

0.103.13

Fix reachable panic in parsing a CRL. This was reported to us as GHSA-82j2-j2ch-gfr8. Users who don't use CRLs are not affected.

For name constraints on URI names, we incorrectly processed excluded subtrees in a way which inverted the desired meaning. See rustls/webpki#471. This was a case missing in the fix for GHSA-965h-392x-2mh5.

What's Changed

Actually fail closed for URI matching against excluded subtrees by @djc in rustls/webpki#473

Prepare 0.103.13 by @ctz in rustls/webpki#474

Full Changelog: rustls/webpki@v/0.103.12...v/0.103.13

0.103.12

This release fixes two bugs in name constraint enforcement:

GHSA-965h-392x-2mh5: name constraints for URI names were ignored and therefore accepted. URI name constraints are now rejected unconditionally. Note this library does not provide an API for asserting URI names, and URI name constraints are otherwise not implemented.

GHSA-xgp8-3hg3-c2mh: permitted subtree name constraints for DNS names were accepted for certificates asserting a wildcard name. This was incorrect because, given a name constraint of accept.example.com, *.example.com could feasibly allow a name of reject.example.com which is outside the constraint. This is very similar to CVE-2025-61727.

Since name constraints are restrictions on otherwise properly-issued certificates, these bugs are reachable only after signature verification and require misissuance to exploit.

What's Changed

Prepare 0.103.12 by @djc in rustls/webpki#470

Full Changelog: rustls/webpki@v/0.103.11...v/0.103.12

0.103.11

In response to #464, we've slightly relaxed requirements for anchor_from_trust_cert() to ignore unknown extensions even if they're marked as critical. This only affects parsing a TrustAnchor from DER, for which most extensions are ignored anyway.

What's Changed

Backport parsing trust anchors with unknown critical extensions to 0.103 by @djc in rustls/webpki#466

Commits

2879b2c Prepare 0.103.13
2c49773 Improve tests for padding of BitStringFlags
4e3c0b3 Correct validation of BIT STRING constraints
39c91d2 Actually fail closed for URI matching against excluded subtrees
27131d4 Bump version to 0.103.12
6ecb876 Clean up stuttery enum variant names
318b3e6 Ignore wildcard labels when matching name constraints
1219622 Rewrite constraint matching to avoid permissive catch-all branch
57bc62c Bump version to 0.103.11
d0fa01e Allow parsing trust anchors with unknown criticial extensions
See full diff in compare view

Updates rustls-webpki from 0.103.10 to 0.103.13

Release notes

Sourced from rustls-webpki's releases.

0.103.13

Fix reachable panic in parsing a CRL. This was reported to us as GHSA-82j2-j2ch-gfr8. Users who don't use CRLs are not affected.

For name constraints on URI names, we incorrectly processed excluded subtrees in a way which inverted the desired meaning. See rustls/webpki#471. This was a case missing in the fix for GHSA-965h-392x-2mh5.

What's Changed

Actually fail closed for URI matching against excluded subtrees by @djc in rustls/webpki#473

Prepare 0.103.13 by @ctz in rustls/webpki#474

Full Changelog: rustls/webpki@v/0.103.12...v/0.103.13

0.103.12

This release fixes two bugs in name constraint enforcement:

GHSA-965h-392x-2mh5: name constraints for URI names were ignored and therefore accepted. URI name constraints are now rejected unconditionally. Note this library does not provide an API for asserting URI names, and URI name constraints are otherwise not implemented.

GHSA-xgp8-3hg3-c2mh: permitted subtree name constraints for DNS names were accepted for certificates asserting a wildcard name. This was incorrect because, given a name constraint of accept.example.com, *.example.com could feasibly allow a name of reject.example.com which is outside the constraint. This is very similar to CVE-2025-61727.

Since name constraints are restrictions on otherwise properly-issued certificates, these bugs are reachable only after signature verification and require misissuance to exploit.

What's Changed

Prepare 0.103.12 by @djc in rustls/webpki#470

Full Changelog: rustls/webpki@v/0.103.11...v/0.103.12

0.103.11

In response to #464, we've slightly relaxed requirements for anchor_from_trust_cert() to ignore unknown extensions even if they're marked as critical. This only affects parsing a TrustAnchor from DER, for which most extensions are ignored anyway.

What's Changed

Backport parsing trust anchors with unknown critical extensions to 0.103 by @djc in rustls/webpki#466

Commits

2879b2c Prepare 0.103.13
2c49773 Improve tests for padding of BitStringFlags
4e3c0b3 Correct validation of BIT STRING constraints
39c91d2 Actually fail closed for URI matching against excluded subtrees
27131d4 Bump version to 0.103.12
6ecb876 Clean up stuttery enum variant names
318b3e6 Ignore wildcard labels when matching name constraints
1219622 Rewrite constraint matching to avoid permissive catch-all branch
57bc62c Bump version to 0.103.11
d0fa01e Allow parsing trust anchors with unknown criticial extensions
See full diff in compare view

Updates aws-sdk-bedrockruntime from 1.106.0 to 1.107.0

Commits

See full diff in compare view

Updates bytes from 1.10.1 to 1.11.1

Release notes

Sourced from bytes's releases.

Bytes v1.11.1

1.11.1 (February 3rd, 2026)

Fix integer overflow in BytesMut::reserve

Bytes v1.11.0

1.11.0 (November 14th, 2025)

Bump MSRV to 1.57 (#788)

Fixed

fix: BytesMut only reuse if src has remaining (#803)

Specialize BytesMut::put::<Bytes> (#793)

Reserve capacity in BytesMut::put (#794)

Change BytesMut::remaining_mut to use isize::MAX instead of usize::MAX (#795)

Internal changes

Guarantee address in slice() for empty slices. (#780)

Rename Vtable::to_* -> Vtable::into_* (#776)

Fix latest clippy warnings (#787)

Ignore BytesMut::freeze doctest on wasm (#790)

Move drop_fn of from_owner into vtable (#801)

Changelog

Sourced from bytes's changelog.

1.11.1 (February 3rd, 2026)

Fix integer overflow in BytesMut::reserve

1.11.0 (November 14th, 2025)

Bump MSRV to 1.57 (#788)

Fixed

fix: BytesMut only reuse if src has remaining (#803)

Specialize BytesMut::put::<Bytes> (#793)

Reserve capacity in BytesMut::put (#794)

Change BytesMut::remaining_mut to use isize::MAX instead of usize::MAX (#795)

Internal changes

Guarantee address in slice() for empty slices. (#780)

Rename Vtable::to_* -> Vtable::into_* (#776)

Fix latest clippy warnings (#787)

Ignore BytesMut::freeze doctest on wasm (#790)

Move drop_fn of from_owner into vtable (#801)

Commits

417dccd Release bytes v1.11.1 (#820)
d0293b0 Merge commit from fork
a7952fb chore: prepare bytes v1.11.0 (#804)
60cbb77 fix: BytesMut only reuse if src has remaining (#803)
7ce330f Move drop_fn of from_owner into vtable (#801)
4b53a29 Tweak BytesMut::remaining_mut (#795)
016fdbd Reserve capacity in BytesMut::put (#794)
ef7f257 Specialize BytesMut::put::<Bytes> (#793)
8b4f54d Ignore BytesMut::freeze doctest on wasm (#790)
16132ad Fix latest clippy warnings (#787)
Additional commits viewable in compare view

Updates time from 0.3.43 to 0.3.47

Release notes

Sourced from time's releases.

v0.3.47

See the changelog for details.

v0.3.46

See the changelog for details.

v0.3.45

See the changelog for details.

v0.3.44

See the changelog for details.

Changelog

Sourced from time's changelog.

0.3.47 [2026-02-05]

Security

The possibility of a stack exhaustion denial of service attack when parsing RFC 2822 has been eliminated. Previously, it was possible to craft input that would cause unbounded recursion. Now, the depth of the recursion is tracked, causing an error to be returned if it exceeds a reasonable limit.

This attack vector requires parsing user-provided input, with any type, using the RFC 2822 format.

Compatibility

Attempting to format a value with a well-known format (i.e. RFC 3339, RFC 2822, or ISO 8601) will error at compile time if the type being formatted does not provide sufficient information. This would previously fail at runtime. Similarly, attempting to format a value with ISO 8601 that is only configured for parsing (i.e. Iso8601::PARSING) will error at compile time.

Added

Builder methods for format description modifiers, eliminating the need for verbose initialization when done manually.

date!(2026-W01-2) is now supported. Previously, a space was required between W and 01.

[end] now has a trailing_input modifier which can either be prohibit (the default) or discard. When it is discard, all remaining input is ignored. Note that if there are components after [end], they will still attempt to be parsed, likely resulting in an error.

Changed

More performance gains when parsing.

Fixed

If manually formatting a value, the number of bytes written was one short for some components. This has been fixed such that the number of bytes written is always correct.

The possibility of integer overflow when parsing an owned format description has been effectively eliminated. This would previously wrap when overflow checks were disabled. Instead of storing the depth as u8, it is stored as u32. This would require multiple gigabytes of nested input to overflow, at which point we've got other problems and trivial mitigations are available by downstream users.

0.3.46 [2026-01-23]

Added

All possible panics are now documented for the relevant methods.

The need to use #[serde(default)] when using custom serde formats is documented. This applies only when deserializing an Option<T>.

Duration::nanoseconds_i128 has been made public, mirroring std::time::Duration::from_nanos_u128.

... (truncated)

Commits

d5144cd v0.3.47 release
f6206b0 Guard against integer overflow in release mode
1c63dc7 Avoid denial of service when parsing Rfc2822
5940df6 Add builder methods to avoid verbose construction
00881a4 Manually format macros everywhere
bb723b6 Add trailing_input modifier to end
31c4f8e Permit W12 in date! macro
490a17b Mark error paths in well-known formats as cold
6cb1896 Optimize Rfc2822 parsing
6d264d5 Remove erroneous #[inline(never)] attributes
Additional commits viewable in compare view

Updates openssl from 0.10.73 to 0.10.78

Release notes

Sourced from openssl's releases.

openssl-v0.10.78

What's Changed

Fix Suite B flag assignments in verify.rs by @alex in rust-openssl/rust-openssl#2592

Use cvt_p for OPENSSL_malloc error handling by @alex in rust-openssl/rust-openssl#2593

Mark BIO_get_mem_data on AWS-LC to be unsafe by @alex in rust-openssl/rust-openssl#2594

Set timeout for package installation step by @alex in rust-openssl/rust-openssl#2595

Panic in Crypter::new when IV is required but not provided by @alex in rust-openssl/rust-openssl#2596

openssl 4 support by @reaperhulk in rust-openssl/rust-openssl#2591

Avoid panic for overlong OIDs by @botovq in rust-openssl/rust-openssl#2598

Fix dangling stack pointer in custom extension add callback by @alex in rust-openssl/rust-openssl#2599

Add support for LibreSSL 4.3.x by @botovq in rust-openssl/rust-openssl#2603

fix inverted bounds assertion in AES key unwrap by @reaperhulk in rust-openssl/rust-openssl#2604

Reject oversized length returns from password callback trampoline by @alex in rust-openssl/rust-openssl#2605

Validate callback-returned lengths in PSK and cookie trampolines by @alex in rust-openssl/rust-openssl#2607

Error for short out in MdCtxRef::digest_final() by @botovq in rust-openssl/rust-openssl#2608

Check derive output buffer length on OpenSSL 1.1.x by @alex in rust-openssl/rust-openssl#2606

Release openssl v0.10.78 and openssl-sys v0.9.114 by @alex in rust-openssl/rust-openssl#2609

Full Changelog: rust-openssl/rust-openssl@openssl-v0.10.77...openssl-v0.10.78

openssl-v0.10.77

What's Changed

CI: Hash-pin all action usage, avoid credential persistence in actions/checkout by @woodruffw in rust-openssl/rust-openssl#2587

Bump aws-lc-sys to 0.39 by @goffrie in rust-openssl/rust-openssl#2588

md_ctx: enable sign/verify/reset on BoringSSL, LibreSSL, and AWS-LC by @alex in rust-openssl/rust-openssl#2589

Release openssl v0.10.77 and openssl-sys v0.9.113 by @alex in rust-openssl/rust-openssl#2590

New Contributors

vercel · 2026-04-22T23:29:29Z

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
beps	Ready	Preview, Comment	Apr 27, 2026 9:52pm
promptfiddle	Error		Apr 27, 2026 9:52pm

codspeed-hq · 2026-04-22T23:42:55Z

Merging this PR will not alter performance

⚠️

Unknown Walltime execution environment detected

Using the Walltime instrument on standard Hosted Runners will lead to inconsistent data.

For the most accurate results, we recommend using CodSpeed Macro Runners: bare-metal machines fine-tuned for performance measurement consistency.

✅ 15 untouched benchmarks
⏩ 105 skipped benchmarks¹

_{Comparing dependabot/cargo/baml_language/cargo-0ef43d590c (81622f0) with canary (2a6ce4b)}

105 benchmarks were skipped, so the baseline results were used instead. If they were deleted from the codebase, click here and archive them to remove them from the performance reports. ↩

github-actions · 2026-04-22T23:51:36Z

Binary size checks passed

✅ 7 passed

	Artifact	Platform	Gzip	Baseline	Delta	Status
✅	`bridge_cffi`	Linux	6.0 MB	5.7 MB	+364.5 KB (+6.4%)	OK
✅	`bridge_cffi-stripped`	Linux	6.0 MB	5.7 MB	+334.3 KB (+5.9%)	OK
✅	`bridge_cffi`	macOS	5.0 MB	4.6 MB	+349.2 KB (+7.6%)	OK
✅	`bridge_cffi-stripped`	macOS	5.0 MB	4.7 MB	+280.5 KB (+6.0%)	OK
✅	`bridge_cffi`	Windows	5.0 MB	4.6 MB	+349.8 KB (+7.6%)	OK
✅	`bridge_cffi-stripped`	Windows	5.0 MB	4.7 MB	+289.8 KB (+6.2%)	OK
✅	`bridge_wasm`	WASM	3.3 MB	3.2 MB	+43.3 KB (+1.3%)	OK

Generated by cargo size-gate · workflow run

Bumps the cargo group with 4 updates in the /baml_language directory: [openssl](https://github.com/rust-openssl/rust-openssl), [rand](https://github.com/rust-random/rand), [rustls-webpki](https://github.com/rustls/webpki) and [thin-vec](https://github.com/mozilla/thin-vec). Bumps the cargo group with 8 updates in the /engine directory: | Package | From | To | | --- | --- | --- | | [aws-sdk-bedrockruntime](https://github.com/awslabs/aws-sdk-rust) | `1.106.0` | `1.107.0` | | [bytes](https://github.com/tokio-rs/bytes) | `1.10.1` | `1.11.1` | | [time](https://github.com/time-rs/time) | `0.3.43` | `0.3.47` | | [openssl](https://github.com/rust-openssl/rust-openssl) | `0.10.73` | `0.10.78` | | [quinn-proto](https://github.com/quinn-rs/quinn) | `0.11.13` | `0.11.14` | | [rand](https://github.com/rust-random/rand) | `0.8.5` | `0.9.2` | | [jsonwebtoken](https://github.com/Keats/jsonwebtoken) | `9.3.1` | `10.3.0` | | [tar](https://github.com/alexcrichton/tar-rs) | `0.4.44` | `0.4.45` | Bumps the cargo group with 2 updates in the /integ-tests/rust directory: [bytes](https://github.com/tokio-rs/bytes) and [rustls-webpki](https://github.com/rustls/webpki). Bumps the cargo group with 2 updates in the /languages/rust directory: [bytes](https://github.com/tokio-rs/bytes) and [rustls-webpki](https://github.com/rustls/webpki). Updates `openssl` from 0.10.76 to 0.10.78 - [Release notes](https://github.com/rust-openssl/rust-openssl/releases) - [Commits](rust-openssl/rust-openssl@openssl-v0.10.76...openssl-v0.10.78) Updates `rand` from 0.8.5 to 0.8.6 - [Release notes](https://github.com/rust-random/rand/releases) - [Changelog](https://github.com/rust-random/rand/blob/0.8.6/CHANGELOG.md) - [Commits](rust-random/rand@0.8.5...0.8.6) Updates `rustls-webpki` from 0.103.10 to 0.103.13 - [Release notes](https://github.com/rustls/webpki/releases) - [Commits](rustls/webpki@v/0.103.10...v/0.103.13) Updates `thin-vec` from 0.2.14 to 0.2.16 - [Changelog](https://github.com/mozilla/thin-vec/blob/main/RELEASES.md) - [Commits](mozilla/thin-vec@v0.2.14...v0.2.16) Updates `rand` from 0.8.5 to 0.8.6 - [Release notes](https://github.com/rust-random/rand/releases) - [Changelog](https://github.com/rust-random/rand/blob/0.8.6/CHANGELOG.md) - [Commits](rust-random/rand@0.8.5...0.8.6) Updates `openssl` from 0.10.76 to 0.10.78 - [Release notes](https://github.com/rust-openssl/rust-openssl/releases) - [Commits](rust-openssl/rust-openssl@openssl-v0.10.76...openssl-v0.10.78) Updates `rustls-webpki` from 0.103.10 to 0.103.13 - [Release notes](https://github.com/rustls/webpki/releases) - [Commits](rustls/webpki@v/0.103.10...v/0.103.13) Updates `rustls-webpki` from 0.103.10 to 0.103.13 - [Release notes](https://github.com/rustls/webpki/releases) - [Commits](rustls/webpki@v/0.103.10...v/0.103.13) Updates `rustls-webpki` from 0.103.10 to 0.103.13 - [Release notes](https://github.com/rustls/webpki/releases) - [Commits](rustls/webpki@v/0.103.10...v/0.103.13) Updates `aws-sdk-bedrockruntime` from 1.106.0 to 1.107.0 - [Release notes](https://github.com/awslabs/aws-sdk-rust/releases) - [Commits](https://github.com/awslabs/aws-sdk-rust/commits) Updates `bytes` from 1.10.1 to 1.11.1 - [Release notes](https://github.com/tokio-rs/bytes/releases) - [Changelog](https://github.com/tokio-rs/bytes/blob/master/CHANGELOG.md) - [Commits](tokio-rs/bytes@v1.10.1...v1.11.1) Updates `time` from 0.3.43 to 0.3.47 - [Release notes](https://github.com/time-rs/time/releases) - [Changelog](https://github.com/time-rs/time/blob/main/CHANGELOG.md) - [Commits](time-rs/time@v0.3.43...v0.3.47) Updates `openssl` from 0.10.73 to 0.10.78 - [Release notes](https://github.com/rust-openssl/rust-openssl/releases) - [Commits](rust-openssl/rust-openssl@openssl-v0.10.76...openssl-v0.10.78) Updates `quinn-proto` from 0.11.13 to 0.11.14 - [Release notes](https://github.com/quinn-rs/quinn/releases) - [Commits](quinn-rs/quinn@quinn-proto-0.11.13...quinn-proto-0.11.14) Updates `rand` from 0.8.5 to 0.9.2 - [Release notes](https://github.com/rust-random/rand/releases) - [Changelog](https://github.com/rust-random/rand/blob/0.8.6/CHANGELOG.md) - [Commits](rust-random/rand@0.8.5...0.8.6) Updates `bytes` from 1.10.1 to 1.11.1 - [Release notes](https://github.com/tokio-rs/bytes/releases) - [Changelog](https://github.com/tokio-rs/bytes/blob/master/CHANGELOG.md) - [Commits](tokio-rs/bytes@v1.10.1...v1.11.1) Updates `rand` from 0.8.5 to 0.9.2 - [Release notes](https://github.com/rust-random/rand/releases) - [Changelog](https://github.com/rust-random/rand/blob/0.8.6/CHANGELOG.md) - [Commits](rust-random/rand@0.8.5...0.8.6) Updates `time` from 0.3.43 to 0.3.47 - [Release notes](https://github.com/time-rs/time/releases) - [Changelog](https://github.com/time-rs/time/blob/main/CHANGELOG.md) - [Commits](time-rs/time@v0.3.43...v0.3.47) Updates `aws-sdk-bedrockruntime` from 1.106.0 to 1.107.0 - [Release notes](https://github.com/awslabs/aws-sdk-rust/releases) - [Commits](https://github.com/awslabs/aws-sdk-rust/commits) Updates `jsonwebtoken` from 9.3.1 to 10.3.0 - [Changelog](https://github.com/Keats/jsonwebtoken/blob/master/CHANGELOG.md) - [Commits](Keats/jsonwebtoken@v9.3.1...v10.3.0) Updates `tar` from 0.4.44 to 0.4.45 - [Commits](alexcrichton/tar-rs@0.4.44...0.4.45) Updates `openssl` from 0.10.73 to 0.10.78 - [Release notes](https://github.com/rust-openssl/rust-openssl/releases) - [Commits](rust-openssl/rust-openssl@openssl-v0.10.76...openssl-v0.10.78) Updates `quinn-proto` from 0.11.13 to 0.11.14 - [Release notes](https://github.com/quinn-rs/quinn/releases) - [Commits](quinn-rs/quinn@quinn-proto-0.11.13...quinn-proto-0.11.14) Updates `bytes` from 1.10.1 to 1.11.1 - [Release notes](https://github.com/tokio-rs/bytes/releases) - [Changelog](https://github.com/tokio-rs/bytes/blob/master/CHANGELOG.md) - [Commits](tokio-rs/bytes@v1.10.1...v1.11.1) Updates `bytes` from 1.10.1 to 1.11.1 - [Release notes](https://github.com/tokio-rs/bytes/releases) - [Changelog](https://github.com/tokio-rs/bytes/blob/master/CHANGELOG.md) - [Commits](tokio-rs/bytes@v1.10.1...v1.11.1) Updates `bytes` from 1.11.0 to 1.11.1 - [Release notes](https://github.com/tokio-rs/bytes/releases) - [Changelog](https://github.com/tokio-rs/bytes/blob/master/CHANGELOG.md) - [Commits](tokio-rs/bytes@v1.10.1...v1.11.1) Updates `rustls-webpki` from 0.103.8 to 0.103.13 - [Release notes](https://github.com/rustls/webpki/releases) - [Commits](rustls/webpki@v/0.103.10...v/0.103.13) Updates `bytes` from 1.11.0 to 1.11.1 - [Release notes](https://github.com/tokio-rs/bytes/releases) - [Changelog](https://github.com/tokio-rs/bytes/blob/master/CHANGELOG.md) - [Commits](tokio-rs/bytes@v1.10.1...v1.11.1) Updates `rustls-webpki` from 0.103.8 to 0.103.13 - [Release notes](https://github.com/rustls/webpki/releases) - [Commits](rustls/webpki@v/0.103.10...v/0.103.13) Updates `bytes` from 1.11.0 to 1.11.1 - [Release notes](https://github.com/tokio-rs/bytes/releases) - [Changelog](https://github.com/tokio-rs/bytes/blob/master/CHANGELOG.md) - [Commits](tokio-rs/bytes@v1.10.1...v1.11.1) Updates `rustls-webpki` from 0.103.8 to 0.103.13 - [Release notes](https://github.com/rustls/webpki/releases) - [Commits](rustls/webpki@v/0.103.10...v/0.103.13) Updates `bytes` from 1.11.0 to 1.11.1 - [Release notes](https://github.com/tokio-rs/bytes/releases) - [Changelog](https://github.com/tokio-rs/bytes/blob/master/CHANGELOG.md) - [Commits](tokio-rs/bytes@v1.10.1...v1.11.1) Updates `rustls-webpki` from 0.103.8 to 0.103.13 - [Release notes](https://github.com/rustls/webpki/releases) - [Commits](rustls/webpki@v/0.103.10...v/0.103.13) Updates `bytes` from 1.11.0 to 1.11.1 - [Release notes](https://github.com/tokio-rs/bytes/releases) - [Changelog](https://github.com/tokio-rs/bytes/blob/master/CHANGELOG.md) - [Commits](tokio-rs/bytes@v1.10.1...v1.11.1) Updates `rustls-webpki` from 0.103.8 to 0.103.13 - [Release notes](https://github.com/rustls/webpki/releases) - [Commits](rustls/webpki@v/0.103.10...v/0.103.13) Updates `bytes` from 1.11.0 to 1.11.1 - [Release notes](https://github.com/tokio-rs/bytes/releases) - [Changelog](https://github.com/tokio-rs/bytes/blob/master/CHANGELOG.md) - [Commits](tokio-rs/bytes@v1.10.1...v1.11.1) Updates `rustls-webpki` from 0.103.8 to 0.103.13 - [Release notes](https://github.com/rustls/webpki/releases) - [Commits](rustls/webpki@v/0.103.10...v/0.103.13) Updates `bytes` from 1.11.0 to 1.11.1 - [Release notes](https://github.com/tokio-rs/bytes/releases) - [Changelog](https://github.com/tokio-rs/bytes/blob/master/CHANGELOG.md) - [Commits](tokio-rs/bytes@v1.10.1...v1.11.1) Updates `rustls-webpki` from 0.103.8 to 0.103.13 - [Release notes](https://github.com/rustls/webpki/releases) - [Commits](rustls/webpki@v/0.103.10...v/0.103.13) Updates `bytes` from 1.11.0 to 1.11.1 - [Release notes](https://github.com/tokio-rs/bytes/releases) - [Changelog](https://github.com/tokio-rs/bytes/blob/master/CHANGELOG.md) - [Commits](tokio-rs/bytes@v1.10.1...v1.11.1) Updates `rustls-webpki` from 0.103.8 to 0.103.13 - [Release notes](https://github.com/rustls/webpki/releases) - [Commits](rustls/webpki@v/0.103.10...v/0.103.13) --- updated-dependencies: - dependency-name: aws-sdk-bedrockruntime dependency-version: 1.107.0 dependency-type: direct:production - dependency-name: bytes dependency-version: 1.11.1 dependency-type: direct:production - dependency-name: bytes dependency-version: 1.11.1 dependency-type: indirect - dependency-name: bytes dependency-version: 1.11.1 dependency-type: indirect - dependency-name: jsonwebtoken dependency-version: 10.3.0 dependency-type: direct:production - dependency-name: openssl dependency-version: 0.10.78 dependency-type: indirect - dependency-name: openssl dependency-version: 0.10.78 dependency-type: indirect - dependency-name: quinn-proto dependency-version: 0.11.14 dependency-type: indirect - dependency-name: rand dependency-version: 0.8.6 dependency-type: indirect - dependency-name: rand dependency-version: 0.9.2 dependency-type: direct:production - dependency-name: rustls-webpki dependency-version: 0.103.13 dependency-type: indirect - dependency-name: rustls-webpki dependency-version: 0.103.13 dependency-type: indirect - dependency-name: rustls-webpki dependency-version: 0.103.13 dependency-type: indirect - dependency-name: tar dependency-version: 0.4.45 dependency-type: direct:production - dependency-name: thin-vec dependency-version: 0.2.16 dependency-type: indirect - dependency-name: time dependency-version: 0.3.47 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot Bot added dependencies Pull requests that update a dependency file rust Pull requests that update Rust code labels Apr 22, 2026

dependabot Bot mentioned this pull request Apr 22, 2026

build(deps): bump the cargo group across 4 directories with 9 updates #3395

Closed

vercel Bot deployed to Preview – beps April 22, 2026 23:30 View deployment

vercel Bot had a problem deploying to Preview – promptfiddle April 22, 2026 23:33 Failure

dependabot Bot force-pushed the dependabot/cargo/baml_language/cargo-0ef43d590c branch from 41ecefa to 7ef8d0b Compare April 23, 2026 21:15

vercel Bot deployed to Preview – beps April 23, 2026 21:16 View deployment

vercel Bot had a problem deploying to Preview – promptfiddle April 23, 2026 21:20 Failure

dependabot Bot force-pushed the dependabot/cargo/baml_language/cargo-0ef43d590c branch from 7ef8d0b to 351a760 Compare April 24, 2026 01:00

vercel Bot deployed to Preview – beps April 24, 2026 01:01 View deployment

vercel Bot had a problem deploying to Preview – promptfiddle April 24, 2026 01:05 Failure

dependabot Bot changed the title ~~build(deps): bump the cargo group across 4 directories with 10 updates~~ chore(deps): bump the cargo group across 4 directories with 10 updates Apr 27, 2026

dependabot Bot force-pushed the dependabot/cargo/baml_language/cargo-0ef43d590c branch from 351a760 to 81622f0 Compare April 27, 2026 21:48

vercel Bot deployed to Preview – beps April 27, 2026 21:49 View deployment

vercel Bot had a problem deploying to Preview – promptfiddle April 27, 2026 21:52 Failure

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): bump the cargo group across 4 directories with 10 updates#3397

chore(deps): bump the cargo group across 4 directories with 10 updates#3397
dependabot[bot] wants to merge 1 commit intocanaryfrom
dependabot/cargo/baml_language/cargo-0ef43d590c

dependabot Bot commented on behalf of github Apr 22, 2026 •

edited

Loading

Uh oh!

vercel Bot commented Apr 22, 2026 •

edited

Loading

Uh oh!

codspeed-hq Bot commented Apr 22, 2026 •

edited

Loading

Uh oh!

github-actions Bot commented Apr 22, 2026 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot Bot commented on behalf of github Apr 22, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

openssl-v0.10.78

What's Changed

openssl-v0.10.77

What's Changed

New Contributors

[0.8.6] - 2026-04-14

Changes

0.103.13

What's Changed

0.103.12

What's Changed

0.103.11

What's Changed

Version 0.2.16 (2026-04-14)

Version 0.2.15 (2026-04-08)

[0.8.6] - 2026-04-14

Changes

openssl-v0.10.78

What's Changed

openssl-v0.10.77

What's Changed

New Contributors

0.103.13

What's Changed

0.103.12

What's Changed

0.103.11

What's Changed

0.103.13

What's Changed

0.103.12

What's Changed

0.103.11

What's Changed

0.103.13

What's Changed

0.103.12

What's Changed

0.103.11

What's Changed

Bytes v1.11.1

1.11.1 (February 3rd, 2026)

Bytes v1.11.0

1.11.0 (November 14th, 2025)

Fixed

Internal changes

1.11.1 (February 3rd, 2026)

1.11.0 (November 14th, 2025)

Fixed

Internal changes

v0.3.47

v0.3.46

v0.3.45

v0.3.44

0.3.47 [2026-02-05]

Security

Compatibility

Added

Changed

Fixed

0.3.46 [2026-01-23]

Added

openssl-v0.10.78

What's Changed

openssl-v0.10.77

What's Changed

New Contributors

Uh oh!

vercel Bot commented Apr 22, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

codspeed-hq Bot commented Apr 22, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Merging this PR will not alter performance

Footnotes

Uh oh!

github-actions Bot commented Apr 22, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

dependabot Bot commented on behalf of github Apr 22, 2026 •

edited

Loading

vercel Bot commented Apr 22, 2026 •

edited

Loading

codspeed-hq Bot commented Apr 22, 2026 •

edited

Loading

github-actions Bot commented Apr 22, 2026 •

edited

Loading