chore(deps): bump the cargo group across 4 directories with 10 updates by dependabot[bot] · Pull Request #3470 · BoundaryML/baml

dependabot · 2026-05-06T01:07:53Z

Bumps the cargo group with 4 updates in the /baml_language directory: openssl, rand, rustls-webpki and thin-vec.
Bumps the cargo group with 8 updates in the /engine directory:

Package	From	To
aws-sdk-bedrockruntime	`1.106.0`	`1.107.0`
bytes	`1.10.1`	`1.11.1`
time	`0.3.43`	`0.3.47`
openssl	`0.10.73`	`0.10.79`
quinn-proto	`0.11.13`	`0.11.14`
rand	`0.8.5`	`0.9.2`
jsonwebtoken	`9.3.1`	`10.3.0`
tar	`0.4.44`	`0.4.45`

Bumps the cargo group with 2 updates in the /integ-tests/rust directory: bytes and rustls-webpki.
Bumps the cargo group with 2 updates in the /languages/rust directory: bytes and rustls-webpki.

Updates openssl from 0.10.76 to 0.10.79

Release notes

Sourced from openssl's releases.

openssl-v0.10.79

What's Changed

Bump actions/cache from 5.0.4 to 5.0.5 by @dependabot[bot] in rust-openssl/rust-openssl#2610

Try to fix OpenSSL 1.1.0l download by @botovq in rust-openssl/rust-openssl#2614

Require &mut BigNumContextRef for EcPointRef mul/invert by @alex in rust-openssl/rust-openssl#2615

Fix UB in EcGroupRef::generator on groups without a generator by @alex in rust-openssl/rust-openssl#2617

Replace use libc::*; with targeted imports in openssl-sys by @alex in rust-openssl/rust-openssl#2618

Add PKeyRef::is_a and KeyType for name-based key identification by @reaperhulk in rust-openssl/rust-openssl#2619

Add PKey::{public,private}_key_from_raw_bytes_ex by @reaperhulk in rust-openssl/rust-openssl#2620

Bump MSRV to 1.80 by @reaperhulk in rust-openssl/rust-openssl#2622

Drop once_cell in favor of std::sync::{LazyLock, OnceLock} by @reaperhulk in rust-openssl/rust-openssl#2623

Add PKey::private_key_from_seed for ML-DSA/ML-KEM key import by @reaperhulk in rust-openssl/rust-openssl#2621

parallelize more builds in CI for cold caches by @reaperhulk in rust-openssl/rust-openssl#2625

Add PKeyRef::seed_into for ML-DSA/ML-KEM seed extraction by @reaperhulk in rust-openssl/rust-openssl#2626

Fix process abort when verify/PSK callbacks fire after SSL_CTX swap by @alex in rust-openssl/rust-openssl#2624

Bind OSSL_PARAM_modified and use it for seed_into by @reaperhulk in rust-openssl/rust-openssl#2628

Add PkeyCtxRef::set_context_string for ML-DSA by @reaperhulk in rust-openssl/rust-openssl#2629

Reject non-UTF-8 OCSP responder URLs in X509Ref::ocsp_responders by @alex in rust-openssl/rust-openssl#2631

Fix output buffer overflow for AES key-wrap-with-padding ciphers by @alex in rust-openssl/rust-openssl#2630

Release openssl 0.10.79 and openssl-sys 0.9.115 by @reaperhulk in rust-openssl/rust-openssl#2632

Full Changelog: rust-openssl/rust-openssl@openssl-v0.10.78...openssl-v0.10.79

openssl-v0.10.78

What's Changed

Fix Suite B flag assignments in verify.rs by @alex in rust-openssl/rust-openssl#2592

Use cvt_p for OPENSSL_malloc error handling by @alex in rust-openssl/rust-openssl#2593

Mark BIO_get_mem_data on AWS-LC to be unsafe by @alex in rust-openssl/rust-openssl#2594

Set timeout for package installation step by @alex in rust-openssl/rust-openssl#2595

Panic in Crypter::new when IV is required but not provided by @alex in rust-openssl/rust-openssl#2596

openssl 4 support by @reaperhulk in rust-openssl/rust-openssl#2591

Avoid panic for overlong OIDs by @botovq in rust-openssl/rust-openssl#2598

Fix dangling stack pointer in custom extension add callback by @alex in rust-openssl/rust-openssl#2599

Add support for LibreSSL 4.3.x by @botovq in rust-openssl/rust-openssl#2603

fix inverted bounds assertion in AES key unwrap by @reaperhulk in rust-openssl/rust-openssl#2604

Reject oversized length returns from password callback trampoline by @alex in rust-openssl/rust-openssl#2605

Validate callback-returned lengths in PSK and cookie trampolines by @alex in rust-openssl/rust-openssl#2607

Error for short out in MdCtxRef::digest_final() by @botovq in rust-openssl/rust-openssl#2608

Check derive output buffer length on OpenSSL 1.1.x by @alex in rust-openssl/rust-openssl#2606

Release openssl v0.10.78 and openssl-sys v0.9.114 by @alex in rust-openssl/rust-openssl#2609

Full Changelog: rust-openssl/rust-openssl@openssl-v0.10.77...openssl-v0.10.78

openssl-v0.10.77

What's Changed

CI: Hash-pin all action usage, avoid credential persistence in actions/checkout by @woodruffw in rust-openssl/rust-openssl#2587

Bump aws-lc-sys to 0.39 by @goffrie in rust-openssl/rust-openssl#2588

md_ctx: enable sign/verify/reset on BoringSSL, LibreSSL, and AWS-LC by @alex in rust-openssl/rust-openssl#2589

... (truncated)

Commits

649f2d9 Release openssl 0.10.79 and openssl-sys 0.9.115 (#2632)
257f9b2 Fix output buffer overflow for AES key-wrap-with-padding ciphers (#2630)
d43e917 Reject non-UTF-8 OCSP responder URLs in X509Ref::ocsp_responders (#2631)
f46519c Add PkeyCtxRef::set_context_string for ML-DSA (#2629)
ad9ae31 Bind OSSL_PARAM_modified and use it for seed_into (#2628)
4e25c9b Fix process abort when verify/PSK callbacks fire after SSL_CTX swap (#2624)
3dd8f42 Add PKeyRef::seed_into for ML-DSA/ML-KEM seed extraction (#2626)
2c5e5a8 parallelize more builds in CI for cold caches (#2625)
6685591 Add PKey::private_key_from_seed for ML-DSA/ML-KEM key import (#2621)
8f8fdce Drop once_cell in favor of std::sync::{LazyLock, OnceLock} (#2623)
Additional commits viewable in compare view

Updates rand from 0.8.5 to 0.8.6

Changelog

Sourced from rand's changelog.

[0.8.6] - 2026-04-14

This release back-ports a fix from v0.10. See also #1763.

Changes

Deprecate feature log (#1772)

#1763: rust-random/rand#1763 #1772: rust-random/rand#1772

Drop the experimental simd_support feature.

Commits

5309f25 0.8.6 (#1772): update for recent nightly rustc and backport #1764
1126d03 When testing rustc 1.36, use compatible dependencies.
143b602 Add Cargo.lock.msrv.
9be86f2 Fix cross build test.
5e0d50d Drop simd_support.
8ff02f0 Upgrade cache action.
4ad0cc3 Don't test for unsupported target architecture.
258e6d0 Address warning.
9f0e676 Mark some internal traits as potentially unused.
6f123c1 Workaround never constructed and never used warning.
Additional commits viewable in compare view

Updates rustls-webpki from 0.103.10 to 0.103.13

Release notes

Sourced from rustls-webpki's releases.

0.103.13

Fix reachable panic in parsing a CRL. This was reported to us as GHSA-82j2-j2ch-gfr8. Users who don't use CRLs are not affected.

For name constraints on URI names, we incorrectly processed excluded subtrees in a way which inverted the desired meaning. See rustls/webpki#471. This was a case missing in the fix for GHSA-965h-392x-2mh5.

What's Changed

Actually fail closed for URI matching against excluded subtrees by @djc in rustls/webpki#473

Prepare 0.103.13 by @ctz in rustls/webpki#474

Full Changelog: rustls/webpki@v/0.103.12...v/0.103.13

0.103.12

This release fixes two bugs in name constraint enforcement:

GHSA-965h-392x-2mh5: name constraints for URI names were ignored and therefore accepted. URI name constraints are now rejected unconditionally. Note this library does not provide an API for asserting URI names, and URI name constraints are otherwise not implemented.

GHSA-xgp8-3hg3-c2mh: permitted subtree name constraints for DNS names were accepted for certificates asserting a wildcard name. This was incorrect because, given a name constraint of accept.example.com, *.example.com could feasibly allow a name of reject.example.com which is outside the constraint. This is very similar to CVE-2025-61727.

Since name constraints are restrictions on otherwise properly-issued certificates, these bugs are reachable only after signature verification and require misissuance to exploit.

What's Changed

Prepare 0.103.12 by @djc in rustls/webpki#470

Full Changelog: rustls/webpki@v/0.103.11...v/0.103.12

0.103.11

In response to #464, we've slightly relaxed requirements for anchor_from_trust_cert() to ignore unknown extensions even if they're marked as critical. This only affects parsing a TrustAnchor from DER, for which most extensions are ignored anyway.

What's Changed

Backport parsing trust anchors with unknown critical extensions to 0.103 by @djc in rustls/webpki#466

Commits

2879b2c Prepare 0.103.13
2c49773 Improve tests for padding of BitStringFlags
4e3c0b3 Correct validation of BIT STRING constraints
39c91d2 Actually fail closed for URI matching against excluded subtrees
27131d4 Bump version to 0.103.12
6ecb876 Clean up stuttery enum variant names
318b3e6 Ignore wildcard labels when matching name constraints
1219622 Rewrite constraint matching to avoid permissive catch-all branch
57bc62c Bump version to 0.103.11
d0fa01e Allow parsing trust anchors with unknown criticial extensions
See full diff in compare view

Updates thin-vec from 0.2.14 to 0.2.18

Changelog

Sourced from thin-vec's changelog.

Versions 0.2.17 and 0.2.18 (2026-04-29)

Fix compiling some feature combinations in no_std mode

Version 0.2.16 (2026-04-14)

Fix reserve() on auto arrays in gecko-ffi mode.

Fix two double-drop issues with ThinVec::clear() and ThinVec::into_iter() when the Drop implementation of the item panics.

Version 0.2.15 (2026-04-08)

Support AutoTArrays created from Rust in Gecko FFI mode.

Add extract_if.

Add const new() support behind feature flag.

Fix thin_vec macro not being hygienic when recursing

Improve extend() performance.

Commits

See full diff in compare view

Updates rand from 0.8.5 to 0.8.6

Changelog

Sourced from rand's changelog.

[0.8.6] - 2026-04-14

This release back-ports a fix from v0.10. See also #1763.

Changes

Deprecate feature log (#1772)

#1763: rust-random/rand#1763 #1772: rust-random/rand#1772

Drop the experimental simd_support feature.

Commits

5309f25 0.8.6 (#1772): update for recent nightly rustc and backport #1764
1126d03 When testing rustc 1.36, use compatible dependencies.
143b602 Add Cargo.lock.msrv.
9be86f2 Fix cross build test.
5e0d50d Drop simd_support.
8ff02f0 Upgrade cache action.
4ad0cc3 Don't test for unsupported target architecture.
258e6d0 Address warning.
9f0e676 Mark some internal traits as potentially unused.
6f123c1 Workaround never constructed and never used warning.
Additional commits viewable in compare view

Updates openssl from 0.10.76 to 0.10.79

Release notes

Sourced from openssl's releases.

openssl-v0.10.79

What's Changed

Bump actions/cache from 5.0.4 to 5.0.5 by @dependabot[bot] in rust-openssl/rust-openssl#2610

Try to fix OpenSSL 1.1.0l download by @botovq in rust-openssl/rust-openssl#2614

Require &mut BigNumContextRef for EcPointRef mul/invert by @alex in rust-openssl/rust-openssl#2615

Fix UB in EcGroupRef::generator on groups without a generator by @alex in rust-openssl/rust-openssl#2617

Replace use libc::*; with targeted imports in openssl-sys by @alex in rust-openssl/rust-openssl#2618

Add PKeyRef::is_a and KeyType for name-based key identification by @reaperhulk in rust-openssl/rust-openssl#2619

Add PKey::{public,private}_key_from_raw_bytes_ex by @reaperhulk in rust-openssl/rust-openssl#2620

Bump MSRV to 1.80 by @reaperhulk in rust-openssl/rust-openssl#2622

Drop once_cell in favor of std::sync::{LazyLock, OnceLock} by @reaperhulk in rust-openssl/rust-openssl#2623

Add PKey::private_key_from_seed for ML-DSA/ML-KEM key import by @reaperhulk in rust-openssl/rust-openssl#2621

parallelize more builds in CI for cold caches by @reaperhulk in rust-openssl/rust-openssl#2625

Add PKeyRef::seed_into for ML-DSA/ML-KEM seed extraction by @reaperhulk in rust-openssl/rust-openssl#2626

Fix process abort when verify/PSK callbacks fire after SSL_CTX swap by @alex in rust-openssl/rust-openssl#2624

Bind OSSL_PARAM_modified and use it for seed_into by @reaperhulk in rust-openssl/rust-openssl#2628

Add PkeyCtxRef::set_context_string for ML-DSA by @reaperhulk in rust-openssl/rust-openssl#2629

Reject non-UTF-8 OCSP responder URLs in X509Ref::ocsp_responders by @alex in rust-openssl/rust-openssl#2631

Fix output buffer overflow for AES key-wrap-with-padding ciphers by @alex in rust-openssl/rust-openssl#2630

Release openssl 0.10.79 and openssl-sys 0.9.115 by @reaperhulk in rust-openssl/rust-openssl#2632

Full Changelog: rust-openssl/rust-openssl@openssl-v0.10.78...openssl-v0.10.79

openssl-v0.10.78

What's Changed

Fix Suite B flag assignments in verify.rs by @alex in rust-openssl/rust-openssl#2592

Use cvt_p for OPENSSL_malloc error handling by @alex in rust-openssl/rust-openssl#2593

Mark BIO_get_mem_data on AWS-LC to be unsafe by @alex in rust-openssl/rust-openssl#2594

Set timeout for package installation step by @alex in rust-openssl/rust-openssl#2595

Panic in Crypter::new when IV is required but not provided by @alex in rust-openssl/rust-openssl#2596

openssl 4 support by @reaperhulk in rust-openssl/rust-openssl#2591

Avoid panic for overlong OIDs by @botovq in rust-openssl/rust-openssl#2598

Fix dangling stack pointer in custom extension add callback by @alex in rust-openssl/rust-openssl#2599

Add support for LibreSSL 4.3.x by @botovq in rust-openssl/rust-openssl#2603

fix inverted bounds assertion in AES key unwrap by @reaperhulk in rust-openssl/rust-openssl#2604

Reject oversized length returns from password callback trampoline by @alex in rust-openssl/rust-openssl#2605

Validate callback-returned lengths in PSK and cookie trampolines by @alex in rust-openssl/rust-openssl#2607

Error for short out in MdCtxRef::digest_final() by @botovq in rust-openssl/rust-openssl#2608

Check derive output buffer length on OpenSSL 1.1.x by @alex in rust-openssl/rust-openssl#2606

Release openssl v0.10.78 and openssl-sys v0.9.114 by @alex in rust-openssl/rust-openssl#2609

Full Changelog: rust-openssl/rust-openssl@openssl-v0.10.77...openssl-v0.10.78

openssl-v0.10.77

What's Changed

CI: Hash-pin all action usage, avoid credential persistence in actions/checkout by @woodruffw in rust-openssl/rust-openssl#2587

Bump aws-lc-sys to 0.39 by @goffrie in rust-openssl/rust-openssl#2588

md_ctx: enable sign/verify/reset on BoringSSL, LibreSSL, and AWS-LC by @alex in rust-openssl/rust-openssl#2589

... (truncated)

Commits

649f2d9 Release openssl 0.10.79 and openssl-sys 0.9.115 (#2632)
257f9b2 Fix output buffer overflow for AES key-wrap-with-padding ciphers (#2630)
d43e917 Reject non-UTF-8 OCSP responder URLs in X509Ref::ocsp_responders (#2631)
f46519c Add PkeyCtxRef::set_context_string for ML-DSA (#2629)
ad9ae31 Bind OSSL_PARAM_modified and use it for seed_into (#2628)
4e25c9b Fix process abort when verify/PSK callbacks fire after SSL_CTX swap (#2624)
3dd8f42 Add PKeyRef::seed_into for ML-DSA/ML-KEM seed extraction (#2626)
2c5e5a8 parallelize more builds in CI for cold caches (#2625)
6685591 Add PKey::private_key_from_seed for ML-DSA/ML-KEM key import (#2621)
8f8fdce Drop once_cell in favor of std::sync::{LazyLock, OnceLock} (#2623)
Additional commits viewable in compare view

Updates rustls-webpki from 0.103.10 to 0.103.13

Release notes

Sourced from rustls-webpki's releases.

0.103.13

Fix reachable panic in parsing a CRL. This was reported to us as GHSA-82j2-j2ch-gfr8. Users who don't use CRLs are not affected.

For name constraints on URI names, we incorrectly processed excluded subtrees in a way which inverted the desired meaning. See rustls/webpki#471. This was a case missing in the fix for GHSA-965h-392x-2mh5.

What's Changed

Actually fail closed for URI matching against excluded subtrees by @djc in rustls/webpki#473

Prepare 0.103.13 by @ctz in rustls/webpki#474

Full Changelog: rustls/webpki@v/0.103.12...v/0.103.13

0.103.12

This release fixes two bugs in name constraint enforcement:

GHSA-965h-392x-2mh5: name constraints for URI names were ignored and therefore accepted. URI name constraints are now rejected unconditionally. Note this library does not provide an API for asserting URI names, and URI name constraints are otherwise not implemented.

GHSA-xgp8-3hg3-c2mh: permitted subtree name constraints for DNS names were accepted for certificates asserting a wildcard name. This was incorrect because, given a name constraint of accept.example.com, *.example.com could feasibly allow a name of reject.example.com which is outside the constraint. This is very similar to CVE-2025-61727.

Since name constraints are restrictions on otherwise properly-issued certificates, these bugs are reachable only after signature verification and require misissuance to exploit.

What's Changed

Prepare 0.103.12 by @djc in rustls/webpki#470

Full Changelog: rustls/webpki@v/0.103.11...v/0.103.12

0.103.11

In response to #464, we've slightly relaxed requirements for anchor_from_trust_cert() to ignore unknown extensions even if they're marked as critical. This only affects parsing a TrustAnchor from DER, for which most extensions are ignored anyway.

What's Changed

Backport parsing trust anchors with unknown critical extensions to 0.103 by @djc in rustls/webpki#466

Commits

2879b2c Prepare 0.103.13
2c49773 Improve tests for padding of BitStringFlags
4e3c0b3 Correct validation of BIT STRING constraints
39c91d2 Actually fail closed for URI matching against excluded subtrees
27131d4 Bump version to 0.103.12
6ecb876 Clean up stuttery enum variant names
318b3e6 Ignore wildcard labels when matching name constraints
1219622 Rewrite constraint matching to avoid permissive catch-all branch
57bc62c Bump version to 0.103.11
d0fa01e Allow parsing trust anchors with unknown criticial extensions
See full diff in compare view

Updates rustls-webpki from 0.103.10 to 0.103.13

Release notes

Sourced from rustls-webpki's releases.

0.103.13

Fix reachable panic in parsing a CRL. This was reported to us as GHSA-82j2-j2ch-gfr8. Users who don't use CRLs are not affected.

For name constraints on URI names, we incorrectly processed excluded subtrees in a way which inverted the desired meaning. See rustls/webpki#471. This was a case missing in the fix for GHSA-965h-392x-2mh5.

What's Changed

Actually fail closed for URI matching against excluded subtrees by @djc in rustls/webpki#473

Prepare 0.103.13 by @ctz in rustls/webpki#474

Full Changelog: rustls/webpki@v/0.103.12...v/0.103.13

0.103.12

This release fixes two bugs in name constraint enforcement:

GHSA-965h-392x-2mh5: name constraints for URI names were ignored and therefore accepted. URI name constraints are now rejected unconditionally. Note this library does not provide an API for asserting URI names, and URI name constraints are otherwise not implemented.

GHSA-xgp8-3hg3-c2mh: permitted subtree name constraints for DNS names were accepted for certificates asserting a wildcard name. This was incorrect because, given a name constraint of accept.example.com, *.example.com could feasibly allow a name of reject.example.com which is outside the constraint. This is very similar to CVE-2025-61727.

Since name constraints are restrictions on otherwise properly-issued certificates, these bugs are reachable only after signature verification and require misissuance to exploit.

What's Changed

Prepare 0.103.12 by @djc in rustls/webpki#470

Full Changelog: rustls/webpki@v/0.103.11...v/0.103.12

0.103.11

In response to #464, we've slightly relaxed requirements for anchor_from_trust_cert() to ignore unknown extensions even if they're marked as critical. This only affects parsing a TrustAnchor from DER, for which most extensions are ignored anyway.

What's Changed

Backport parsing trust anchors with unknown critical extensions to 0.103 by @djc in rustls/webpki#466

Commits

2879b2c Prepare 0.103.13
2c49773 Improve tests for padding of BitStringFlags
4e3c0b3 Correct validation of BIT STRING constraints
39c91d2 Actually fail closed for URI matching against excluded subtrees
27131d4 Bump version to 0.103.12
6ecb876 Clean up stuttery enum variant names
318b3e6 Ignore wildcard labels when matching name constraints
1219622 Rewrite constraint matching to avoid permissive catch-all branch
57bc62c Bump version to 0.103.11
d0fa01e Allow parsing trust anchors with unknown criticial extensions
See full diff in compare view

Updates rustls-webpki from 0.103.10 to 0.103.13

Release notes

Sourced from rustls-webpki's releases.

0.103.13

Fix reachable panic in parsing a CRL. This was reported to us as GHSA-82j2-j2ch-gfr8. Users who don't use CRLs are not affected.

For name constraints on URI names, we incorrectly processed excluded subtrees in a way which inverted the desired meaning. See rustls/webpki#471. This was a case missing in the fix for GHSA-965h-392x-2mh5.

What's Changed

Actually fail closed for URI matching against excluded subtrees by @djc in rustls/webpki#473

Prepare 0.103.13 by @ctz in rustls/webpki#474

Full Changelog: rustls/webpki@v/0.103.12...v/0.103.13

0.103.12

This release fixes two bugs in name constraint enforcement:

GHSA-965h-392x-2mh5: name constraints for URI names were ignored and therefore accepted. URI name constraints are now rejected unconditionally. Note this library does not provide an API for asserting URI names, and URI name constraints are otherwise not implemented.

GHSA-xgp8-3hg3-c2mh: permitted subtree name constraints for DNS names were accepted for certificates asserting a wildcard name. This was incorrect because, given a name constraint of accept.example.com, *.example.com could feasibly allow a name of reject.example.com which is outside the constraint. This is very similar to CVE-2025-61727.

Since name constraints are restrictions on otherwise properly-issued certificates, these bugs are reachable only after signature verification and require misissuance to exploit.

What's Changed

Prepare 0.103.12 by @djc in rustls/webpki#470

Full Changelog: rustls/webpki@v/0.103.11...v/0.103.12

0.103.11

In response to #464, we've slightly relaxed requirements for anchor_from_trust_cert() to ignore unknown extensions even if they're marked as critical. This only affects parsing a TrustAnchor from DER, for which most extensions are ignored anyway.

What's Changed

Backport parsing trust anchors with unknown critical extensions to 0.103 by @djc in rustls/webpki#466

Commits

2879b2c Prepare 0.103.13
2c49773 Improve tests for padding of BitStringFlags
4e3c0b3 Correct validation of BIT STRING constraints
39c91d2 Actually fail closed for URI matching against excluded subtrees
27131d4 Bump version to 0.103.12
6ecb876 Clean up stuttery enum variant names
318b3e6 Ignore wildcard labels when matching name constraints
1219622 Rewrite constraint matching to avoid permissive catch-all branch
57bc62c Bump version to 0.103.11
d0fa01e Allow parsing trust anchors with unknown criticial extensions
See full diff in compare view

Updates aws-sdk-bedrockruntime from 1.106.0 to 1.107.0

Commits

See full diff in compare view

Updates bytes from 1.10.1 to 1.11.1

Release notes

Sourced from bytes's releases.

Bytes v1.11.1

1.11.1 (February 3rd, 2026)

Fix integer overflow in BytesMut::reserve

Bytes v1.11.0

1.11.0 (November 14th, 2025)

Bump MSRV to 1.57 (#788)

Fixed

fix: BytesMut only reuse if src has remaining (#803)

Specialize BytesMut::put::<Bytes> (#793)

Reserve capacity in BytesMut::put (#794)

Change BytesMut::remaining_mut to use isize::MAX instead of usize::MAX (#795)

Internal changes

Guarantee address in slice() for empty slices. (#780)

Rename Vtable::to_* -> Vtable::into_* (#776)

Fix latest clippy warnings (#787)

Ignore BytesMut::freeze doctest on wasm (#790)

Move drop_fn of from_owner into vtable (#801)

Changelog

Sourced from bytes's changelog.

1.11.1 (February 3rd, 2026)

Fix integer overflow in BytesMut::reserve

1.11.0 (November 14th, 2025)

Bump MSRV to 1.57 (#788)

Fixed

fix: BytesMut only reuse if src has remaining (#803)

Specialize BytesMut::put::<Bytes> (#793)

Reserve capacity in BytesMut::put (#794)

Change BytesMut::remaining_mut to use isize::MAX instead of usize::MAX (#795)

Internal changes

Guarantee address in slice() for empty slices. (#780)

Rename Vtable::to_* -> Vtable::into_* (#776)

Fix latest clippy warnings (#787)

Ignore BytesMut::freeze doctest on wasm (#790)

Move drop_fn of from_owner into vtable (#801)

Commits

417dccd Release bytes v1.11.1 (#820)
d0293b0 Merge commit from fork
a7952fb chore: prepare bytes v1.11.0 (#804)
60cbb77 fix: BytesMut only reuse if src has remaining (#803)
7ce330f Move drop_fn of from_owner into vtable (#801)
4b53a29 Tweak BytesMut::remaining_mut (#795)
016fdbd Reserve capacity in BytesMut::put (#794)
ef7f257 Specialize BytesMut::put::<Bytes> (#793)
8b4f54d Ignore BytesMut::freeze doctest on wasm (#790)
16132ad Fix latest clippy warnings (#787)
Additional commits viewable in compare view

Updates time from 0.3.43 to 0.3.47

Release notes

Sourced from time's releases.

v0.3.47

See the changelog for details.

v0.3.46

See the changelog for details.

v0.3.45

See the changelog for details.

v0.3.44

See the changelog for details.

Changelog

Sourced from time's changelog.

0.3.47 [2026-02-05]

Security

The possibility of a stack exhaustion denial of service attack when parsing RFC 2822 has been eliminated. Previously, it was possible to craft input that would cause unbounded recursion. Now, the depth of the recursion is tracked, causing an error to be returned if it exceeds a reasonable limit.

This attack vector requires parsing user-provided input, with any type, using the RFC 2822 format.

Compatibility

Attempting to format a value with a well-known format (i.e. RFC 3339, RFC 2822, or ISO 8601) will error at compile time if the type being formatted does not provide sufficient information. This would previously fail at runtime. Similarly, attempting to format a value with ISO 8601 that is only configured for parsing (i.e. Iso8601::PARSING) will error at compile time.

Added

Builder methods for format description modifiers, eliminating the need for verbose initialization when done manually.

date!(2026-W01-2) is now supported. Previously, a space was required between W and 01.

[end] now has a trailing_input modifier which can either be prohibit (the default) or discard. When it is discard, all remaining input is ignored. Note that if there are components after [end], they will still attempt to be parsed, likely resulting in an error.

Changed

More performance gains when parsing.

Fixed

If manually formatting a value, the number of bytes written was one short for some components. This has been fixed such that the number of bytes written is always correct.

The possibility of integer overflow when parsing an owned format description has been effectively eliminated. This would previously wrap when overflow checks were disabled. Instead of storing the depth as u8, it is stored as u32. This would require multiple gigabytes of nested input to overflow, at which point we've got other problems and trivial mitigations are available by downstream users.

0.3.46 [2026-01-23]

Added

All possible panics are now documented for the relevant methods.

The need to use #[serde(default)] when using custom serde formats is documented. This applies only when deserializing an Option<T>.

Duration::nanoseconds_i128 has been made public, mirroring std::time::Duration::from_nanos_u128.

... (truncated)

Commits

d5144cd v0.3.47 release
f6206b0 Guard against integer overflow ...
Description has been truncated

vercel · 2026-05-06T01:07:58Z

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
beps	Ready	Preview, Comment	May 8, 2026 8:57pm
promptfiddle	Error		May 8, 2026 8:57pm

codspeed-hq · 2026-05-06T01:17:42Z

Merging this PR will improve performance by 16.08%

⚠️

Unknown Walltime execution environment detected

Using the Walltime instrument on standard Hosted Runners will lead to inconsistent data.

For the most accurate results, we recommend using CodSpeed Macro Runners: bare-metal machines fine-tuned for performance measurement consistency.

⚡ 1 improved benchmark
✅ 18 untouched benchmarks

Performance Changes

	Mode	Benchmark	`BASE`	`HEAD`	Efficiency
⚡	WallTime	`engine_init_cost`	4.5 ms	3.9 ms	+16.08%

_{Comparing dependabot/cargo/baml_language/cargo-7c13c705c3 (66622b1) with canary (6f3b4ee)}

github-actions · 2026-05-06T01:31:20Z

Binary size checks failed

❌ 1 violations · ✅ 6 passed

⚠️ Please fix the size gate issues or acknowledge them by updating baselines.

	Artifact	Platform	Gzip	Baseline	Delta	Status
✅	`bridge_cffi`	Linux	6.3 MB	6.2 MB	+34.5 KB (+0.6%)	OK
✅	`bridge_cffi-stripped`	Linux	5.3 MB	5.7 MB	-352.9 KB (-6.2%)	OK
✅	`bridge_cffi`	macOS	5.2 MB	5.1 MB	+79.4 KB (+1.6%)	OK
✅	`bridge_cffi-stripped`	macOS	4.4 MB	4.7 MB	-292.0 KB (-6.3%)	OK
✅	`bridge_cffi`	Windows	5.2 MB	5.1 MB	+88.0 KB (+1.7%)	OK
✅	`bridge_cffi-stripped`	Windows	4.5 MB	4.7 MB	-175.2 KB (-3.8%)	OK
❌	`bridge_wasm`	WASM	3.4 MB	3.3 MB	+109.2 KB (+3.3%)	FAIL

Details & how to fix

Violations:

bridge_wasm (WASM) gzip_bytes: 3.4 MB exceeds limit of 3.4 MB (exceeded by +19.2 KB, policy: max_gzip_bytes)

Add/update baselines:

.ci/size-gate/wasm32-unknown-unknown.toml:

[artifacts.bridge_wasm]
file_bytes = 11922070
gzip_bytes = 3419176

Generated by cargo size-gate · workflow run

Bumps the cargo group with 4 updates in the /baml_language directory: [openssl](https://github.com/rust-openssl/rust-openssl), [rand](https://github.com/rust-random/rand), [rustls-webpki](https://github.com/rustls/webpki) and [thin-vec](https://github.com/mozilla/thin-vec). Bumps the cargo group with 8 updates in the /engine directory: | Package | From | To | | --- | --- | --- | | [aws-sdk-bedrockruntime](https://github.com/awslabs/aws-sdk-rust) | `1.106.0` | `1.107.0` | | [bytes](https://github.com/tokio-rs/bytes) | `1.10.1` | `1.11.1` | | [time](https://github.com/time-rs/time) | `0.3.43` | `0.3.47` | | [openssl](https://github.com/rust-openssl/rust-openssl) | `0.10.73` | `0.10.79` | | [quinn-proto](https://github.com/quinn-rs/quinn) | `0.11.13` | `0.11.14` | | [rand](https://github.com/rust-random/rand) | `0.8.5` | `0.9.2` | | [jsonwebtoken](https://github.com/Keats/jsonwebtoken) | `9.3.1` | `10.3.0` | | [tar](https://github.com/alexcrichton/tar-rs) | `0.4.44` | `0.4.45` | Bumps the cargo group with 2 updates in the /integ-tests/rust directory: [bytes](https://github.com/tokio-rs/bytes) and [rustls-webpki](https://github.com/rustls/webpki). Bumps the cargo group with 2 updates in the /languages/rust directory: [bytes](https://github.com/tokio-rs/bytes) and [rustls-webpki](https://github.com/rustls/webpki). Updates `openssl` from 0.10.76 to 0.10.79 - [Release notes](https://github.com/rust-openssl/rust-openssl/releases) - [Commits](rust-openssl/rust-openssl@openssl-v0.10.76...openssl-v0.10.79) Updates `rand` from 0.8.5 to 0.8.6 - [Release notes](https://github.com/rust-random/rand/releases) - [Changelog](https://github.com/rust-random/rand/blob/0.8.6/CHANGELOG.md) - [Commits](rust-random/rand@0.8.5...0.8.6) Updates `rustls-webpki` from 0.103.10 to 0.103.13 - [Release notes](https://github.com/rustls/webpki/releases) - [Commits](rustls/webpki@v/0.103.10...v/0.103.13) Updates `thin-vec` from 0.2.14 to 0.2.18 - [Changelog](https://github.com/mozilla/thin-vec/blob/main/RELEASES.md) - [Commits](https://github.com/mozilla/thin-vec/commits) Updates `rand` from 0.8.5 to 0.8.6 - [Release notes](https://github.com/rust-random/rand/releases) - [Changelog](https://github.com/rust-random/rand/blob/0.8.6/CHANGELOG.md) - [Commits](rust-random/rand@0.8.5...0.8.6) Updates `openssl` from 0.10.76 to 0.10.79 - [Release notes](https://github.com/rust-openssl/rust-openssl/releases) - [Commits](rust-openssl/rust-openssl@openssl-v0.10.76...openssl-v0.10.79) Updates `rustls-webpki` from 0.103.10 to 0.103.13 - [Release notes](https://github.com/rustls/webpki/releases) - [Commits](rustls/webpki@v/0.103.10...v/0.103.13) Updates `rustls-webpki` from 0.103.10 to 0.103.13 - [Release notes](https://github.com/rustls/webpki/releases) - [Commits](rustls/webpki@v/0.103.10...v/0.103.13) Updates `rustls-webpki` from 0.103.10 to 0.103.13 - [Release notes](https://github.com/rustls/webpki/releases) - [Commits](rustls/webpki@v/0.103.10...v/0.103.13) Updates `aws-sdk-bedrockruntime` from 1.106.0 to 1.107.0 - [Release notes](https://github.com/awslabs/aws-sdk-rust/releases) - [Commits](https://github.com/awslabs/aws-sdk-rust/commits) Updates `bytes` from 1.10.1 to 1.11.1 - [Release notes](https://github.com/tokio-rs/bytes/releases) - [Changelog](https://github.com/tokio-rs/bytes/blob/master/CHANGELOG.md) - [Commits](tokio-rs/bytes@v1.10.1...v1.11.1) Updates `time` from 0.3.43 to 0.3.47 - [Release notes](https://github.com/time-rs/time/releases) - [Changelog](https://github.com/time-rs/time/blob/main/CHANGELOG.md) - [Commits](time-rs/time@v0.3.43...v0.3.47) Updates `openssl` from 0.10.73 to 0.10.79 - [Release notes](https://github.com/rust-openssl/rust-openssl/releases) - [Commits](rust-openssl/rust-openssl@openssl-v0.10.76...openssl-v0.10.79) Updates `quinn-proto` from 0.11.13 to 0.11.14 - [Release notes](https://github.com/quinn-rs/quinn/releases) - [Commits](quinn-rs/quinn@quinn-proto-0.11.13...quinn-proto-0.11.14) Updates `rand` from 0.8.5 to 0.9.2 - [Release notes](https://github.com/rust-random/rand/releases) - [Changelog](https://github.com/rust-random/rand/blob/0.8.6/CHANGELOG.md) - [Commits](rust-random/rand@0.8.5...0.8.6) Updates `bytes` from 1.10.1 to 1.11.1 - [Release notes](https://github.com/tokio-rs/bytes/releases) - [Changelog](https://github.com/tokio-rs/bytes/blob/master/CHANGELOG.md) - [Commits](tokio-rs/bytes@v1.10.1...v1.11.1) Updates `rand` from 0.8.5 to 0.9.2 - [Release notes](https://github.com/rust-random/rand/releases) - [Changelog](https://github.com/rust-random/rand/blob/0.8.6/CHANGELOG.md) - [Commits](rust-random/rand@0.8.5...0.8.6) Updates `time` from 0.3.43 to 0.3.47 - [Release notes](https://github.com/time-rs/time/releases) - [Changelog](https://github.com/time-rs/time/blob/main/CHANGELOG.md) - [Commits](time-rs/time@v0.3.43...v0.3.47) Updates `aws-sdk-bedrockruntime` from 1.106.0 to 1.107.0 - [Release notes](https://github.com/awslabs/aws-sdk-rust/releases) - [Commits](https://github.com/awslabs/aws-sdk-rust/commits) Updates `jsonwebtoken` from 9.3.1 to 10.3.0 - [Changelog](https://github.com/Keats/jsonwebtoken/blob/master/CHANGELOG.md) - [Commits](Keats/jsonwebtoken@v9.3.1...v10.3.0) Updates `tar` from 0.4.44 to 0.4.45 - [Commits](composefs/tar-rs@0.4.44...0.4.45) Updates `openssl` from 0.10.73 to 0.10.79 - [Release notes](https://github.com/rust-openssl/rust-openssl/releases) - [Commits](rust-openssl/rust-openssl@openssl-v0.10.76...openssl-v0.10.79) Updates `quinn-proto` from 0.11.13 to 0.11.14 - [Release notes](https://github.com/quinn-rs/quinn/releases) - [Commits](quinn-rs/quinn@quinn-proto-0.11.13...quinn-proto-0.11.14) Updates `bytes` from 1.10.1 to 1.11.1 - [Release notes](https://github.com/tokio-rs/bytes/releases) - [Changelog](https://github.com/tokio-rs/bytes/blob/master/CHANGELOG.md) - [Commits](tokio-rs/bytes@v1.10.1...v1.11.1) Updates `bytes` from 1.10.1 to 1.11.1 - [Release notes](https://github.com/tokio-rs/bytes/releases) - [Changelog](https://github.com/tokio-rs/bytes/blob/master/CHANGELOG.md) - [Commits](tokio-rs/bytes@v1.10.1...v1.11.1) Updates `bytes` from 1.11.0 to 1.11.1 - [Release notes](https://github.com/tokio-rs/bytes/releases) - [Changelog](https://github.com/tokio-rs/bytes/blob/master/CHANGELOG.md) - [Commits](tokio-rs/bytes@v1.10.1...v1.11.1) Updates `rustls-webpki` from 0.103.8 to 0.103.13 - [Release notes](https://github.com/rustls/webpki/releases) - [Commits](rustls/webpki@v/0.103.10...v/0.103.13) Updates `bytes` from 1.11.0 to 1.11.1 - [Release notes](https://github.com/tokio-rs/bytes/releases) - [Changelog](https://github.com/tokio-rs/bytes/blob/master/CHANGELOG.md) - [Commits](tokio-rs/bytes@v1.10.1...v1.11.1) Updates `rustls-webpki` from 0.103.8 to 0.103.13 - [Release notes](https://github.com/rustls/webpki/releases) - [Commits](rustls/webpki@v/0.103.10...v/0.103.13) Updates `bytes` from 1.11.0 to 1.11.1 - [Release notes](https://github.com/tokio-rs/bytes/releases) - [Changelog](https://github.com/tokio-rs/bytes/blob/master/CHANGELOG.md) - [Commits](tokio-rs/bytes@v1.10.1...v1.11.1) Updates `rustls-webpki` from 0.103.8 to 0.103.13 - [Release notes](https://github.com/rustls/webpki/releases) - [Commits](rustls/webpki@v/0.103.10...v/0.103.13) Updates `bytes` from 1.11.0 to 1.11.1 - [Release notes](https://github.com/tokio-rs/bytes/releases) - [Changelog](https://github.com/tokio-rs/bytes/blob/master/CHANGELOG.md) - [Commits](tokio-rs/bytes@v1.10.1...v1.11.1) Updates `rustls-webpki` from 0.103.8 to 0.103.13 - [Release notes](https://github.com/rustls/webpki/releases) - [Commits](rustls/webpki@v/0.103.10...v/0.103.13) Updates `bytes` from 1.11.0 to 1.11.1 - [Release notes](https://github.com/tokio-rs/bytes/releases) - [Changelog](https://github.com/tokio-rs/bytes/blob/master/CHANGELOG.md) - [Commits](tokio-rs/bytes@v1.10.1...v1.11.1) Updates `rustls-webpki` from 0.103.8 to 0.103.13 - [Release notes](https://github.com/rustls/webpki/releases) - [Commits](rustls/webpki@v/0.103.10...v/0.103.13) Updates `bytes` from 1.11.0 to 1.11.1 - [Release notes](https://github.com/tokio-rs/bytes/releases) - [Changelog](https://github.com/tokio-rs/bytes/blob/master/CHANGELOG.md) - [Commits](tokio-rs/bytes@v1.10.1...v1.11.1) Updates `rustls-webpki` from 0.103.8 to 0.103.13 - [Release notes](https://github.com/rustls/webpki/releases) - [Commits](rustls/webpki@v/0.103.10...v/0.103.13) Updates `bytes` from 1.11.0 to 1.11.1 - [Release notes](https://github.com/tokio-rs/bytes/releases) - [Changelog](https://github.com/tokio-rs/bytes/blob/master/CHANGELOG.md) - [Commits](tokio-rs/bytes@v1.10.1...v1.11.1) Updates `rustls-webpki` from 0.103.8 to 0.103.13 - [Release notes](https://github.com/rustls/webpki/releases) - [Commits](rustls/webpki@v/0.103.10...v/0.103.13) Updates `bytes` from 1.11.0 to 1.11.1 - [Release notes](https://github.com/tokio-rs/bytes/releases) - [Changelog](https://github.com/tokio-rs/bytes/blob/master/CHANGELOG.md) - [Commits](tokio-rs/bytes@v1.10.1...v1.11.1) Updates `rustls-webpki` from 0.103.8 to 0.103.13 - [Release notes](https://github.com/rustls/webpki/releases) - [Commits](rustls/webpki@v/0.103.10...v/0.103.13) --- updated-dependencies: - dependency-name: aws-sdk-bedrockruntime dependency-version: 1.107.0 dependency-type: direct:production - dependency-name: bytes dependency-version: 1.11.1 dependency-type: direct:production - dependency-name: bytes dependency-version: 1.11.1 dependency-type: indirect - dependency-name: bytes dependency-version: 1.11.1 dependency-type: indirect - dependency-name: jsonwebtoken dependency-version: 10.3.0 dependency-type: direct:production - dependency-name: openssl dependency-version: 0.10.79 dependency-type: indirect - dependency-name: openssl dependency-version: 0.10.79 dependency-type: indirect - dependency-name: quinn-proto dependency-version: 0.11.14 dependency-type: indirect - dependency-name: rand dependency-version: 0.8.6 dependency-type: indirect - dependency-name: rand dependency-version: 0.9.2 dependency-type: direct:production - dependency-name: rustls-webpki dependency-version: 0.103.13 dependency-type: indirect - dependency-name: rustls-webpki dependency-version: 0.103.13 dependency-type: indirect - dependency-name: rustls-webpki dependency-version: 0.103.13 dependency-type: indirect - dependency-name: tar dependency-version: 0.4.45 dependency-type: direct:production - dependency-name: thin-vec dependency-version: 0.2.18 dependency-type: indirect - dependency-name: time dependency-version: 0.3.47 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>

dependabot Bot added dependencies Pull requests that update a dependency file rust Pull requests that update Rust code labels May 6, 2026

dependabot Bot mentioned this pull request May 6, 2026

chore(deps): bump the cargo group across 4 directories with 10 updates #3446

Closed

vercel Bot deployed to Preview – beps May 6, 2026 01:08 View deployment

vercel Bot had a problem deploying to Preview – promptfiddle May 6, 2026 01:12 Failure

dependabot Bot force-pushed the dependabot/cargo/baml_language/cargo-7c13c705c3 branch from b8910c1 to 5e2752a Compare May 6, 2026 22:17

vercel Bot deployed to Preview – beps May 6, 2026 22:18 View deployment

vercel Bot had a problem deploying to Preview – promptfiddle May 6, 2026 22:21 Failure

dependabot Bot force-pushed the dependabot/cargo/baml_language/cargo-7c13c705c3 branch from 5e2752a to 550d3fc Compare May 7, 2026 21:32

vercel Bot deployed to Preview – beps May 7, 2026 21:33 View deployment

vercel Bot had a problem deploying to Preview – promptfiddle May 7, 2026 21:37 Failure

dependabot Bot force-pushed the dependabot/cargo/baml_language/cargo-7c13c705c3 branch from 550d3fc to b3a7efe Compare May 7, 2026 23:45

vercel Bot deployed to Preview – beps May 7, 2026 23:46 View deployment

vercel Bot had a problem deploying to Preview – promptfiddle May 7, 2026 23:50 Failure

dependabot Bot force-pushed the dependabot/cargo/baml_language/cargo-7c13c705c3 branch from b3a7efe to 66622b1 Compare May 8, 2026 09:43

vercel Bot deployed to Preview – beps May 8, 2026 09:44 View deployment

vercel Bot had a problem deploying to Preview – promptfiddle May 8, 2026 09:48 Failure

dependabot Bot force-pushed the dependabot/cargo/baml_language/cargo-7c13c705c3 branch from 66622b1 to b66309d Compare May 8, 2026 20:53

vercel Bot deployed to Preview – beps May 8, 2026 20:54 View deployment

vercel Bot had a problem deploying to Preview – promptfiddle May 8, 2026 20:57 Failure

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): bump the cargo group across 4 directories with 10 updates#3470

chore(deps): bump the cargo group across 4 directories with 10 updates#3470
dependabot[bot] wants to merge 1 commit into
canaryfrom
dependabot/cargo/baml_language/cargo-7c13c705c3

dependabot Bot commented on behalf of github May 6, 2026 •

edited

Loading

Uh oh!

vercel Bot commented May 6, 2026 •

edited

Loading

Uh oh!

codspeed-hq Bot commented May 6, 2026 •

edited

Loading

Uh oh!

github-actions Bot commented May 6, 2026 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot Bot commented on behalf of github May 6, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

openssl-v0.10.79

What's Changed

openssl-v0.10.78

What's Changed

openssl-v0.10.77

What's Changed

[0.8.6] - 2026-04-14

Changes

0.103.13

What's Changed

0.103.12

What's Changed

0.103.11

What's Changed

Versions 0.2.17 and 0.2.18 (2026-04-29)

Version 0.2.16 (2026-04-14)

Version 0.2.15 (2026-04-08)

[0.8.6] - 2026-04-14

Changes

openssl-v0.10.79

What's Changed

openssl-v0.10.78

What's Changed

openssl-v0.10.77

What's Changed

0.103.13

What's Changed

0.103.12

What's Changed

0.103.11

What's Changed

0.103.13

What's Changed

0.103.12

What's Changed

0.103.11

What's Changed

0.103.13

What's Changed

0.103.12

What's Changed

0.103.11

What's Changed

Bytes v1.11.1

1.11.1 (February 3rd, 2026)

Bytes v1.11.0

1.11.0 (November 14th, 2025)

Fixed

Internal changes

1.11.1 (February 3rd, 2026)

1.11.0 (November 14th, 2025)

Fixed

Internal changes

v0.3.47

v0.3.46

v0.3.45

v0.3.44

0.3.47 [2026-02-05]

Security

Compatibility

Added

Changed

Fixed

0.3.46 [2026-01-23]

Added

Uh oh!

vercel Bot commented May 6, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

codspeed-hq Bot commented May 6, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Merging this PR will improve performance by 16.08%

Performance Changes

Uh oh!

github-actions Bot commented May 6, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Binary size checks failed

dependabot Bot commented on behalf of github May 6, 2026 •

edited

Loading

vercel Bot commented May 6, 2026 •

edited

Loading

codspeed-hq Bot commented May 6, 2026 •

edited

Loading

github-actions Bot commented May 6, 2026 •

edited

Loading