chore(deps): bump the prod-dependencies group across 1 directory with 11 updates

[dependabot]

Bumps the prod-dependencies group with 11 updates in the / directory:

Package	From	To
jsonwebtoken	10.3.0	10.4.0
normpath	1.5.0	1.5.1
octocrab	0.49.9	0.50.0
opentelemetry	0.31.0	0.32.0
opentelemetry_sdk	0.31.0	0.32.0
opentelemetry-otlp	0.31.1	0.32.0
tokio	1.52.1	1.52.3
tonic	0.14.5	0.14.6
assert_cmd	2.2.1	2.2.2
nix	0.29.0	0.31.2
wait-timeout	0.2.0	0.2.1

Updates jsonwebtoken from 10.3.0 to 10.4.0

Changelog

Sourced from jsonwebtoken's changelog.

10.4.0 (2026-05-11)

• Fix incorrect encoding for Ed25519 JWK thumbprints
• Make Algorithm.family public and add Validation.new_for_family
• EncodingKey and DecodingKey are now partially zeroized on drop (the intermediate PemEncodedKey isn't so far)

Commits

• 69a8fbf v10.4.0
• d18e40f Update changelog for 10.4.0 (#507)
• ddd2389 security: zeroize encoding and decoding keys (#483)
• 991e89a Fix more clippy complaints (#503)
• 75f2113 algorithms: expose AlgorithmFamily (#466)
• 0c5931a Fixup typo in the DecodingKey::from_ec_der method (#501)
• 8a80349 Small fixes (#498)
• 9934c7f Fix formatting in Ed25519 key serialization (#485)
• See full diff in compare view

Updates normpath from 1.5.0 to 1.5.1

Release notes

Sourced from normpath's releases.

1.5.1

• Bumped dependency versions

Commits

• 38697db Bump version
• f1f57bc Merge pull request #26 from dylni/dependabot/cargo/uniquote-5.0
• 94ef358 Adjust to "uniquote" API changes
• 3d8ae77 Update uniquote requirement from 4.0 to 5.0
• 1b670a7 Fix new warning
• See full diff in compare view

Updates octocrab from 0.49.9 to 0.50.0

Release notes

Sourced from octocrab's releases.

v0.50.0

Added

• add create_comment to PullRequestHandler (#880)
• Add support for exchanging oauth code for access token (#780)
• add get_app (#757)
• Add ability to update an existing label (#786)
• Added converted_from_draft to Event (#859)

Fixed

• Use PUT not PATCH for pull request reviews (#879)
• cargo fmt, cargo test, Set MSRV to 1.85.0 (#878)
• deser generate repo as respository (#812)
• use new search model on search function
• revert commit back to correct structure

Other

• [breaking] remove the either dependency (#883)
• added issue_field_added to Event enum (#882)
• update MSRV to 1.95.0
• don't include unconditional backtrace in Display impl (#824)
• add a simple test for compare commits
• remove duplicated GitUser
• create search models submodule
• move repository model from commits module
• move maybe_empty to models module
• remove Option<> for some fields of PullRequest (#873)

Changelog

Sourced from octocrab's changelog.

0.50.0 - 2026-05-05

Added

• add create_comment to PullRequestHandler (#880)
• Add support for exchanging oauth code for access token (#780)
• add get_app (#757)
• Add ability to update an existing label (#786)
• Added converted_from_draft to Event (#859)

Fixed

• Use PUT not PATCH for pull request reviews (#879)
• cargo fmt, cargo test, Set MSRV to 1.85.0 (#878)
• deser generate repo as respository (#812)
• use new search model on search function
• revert commit back to correct structure

Other

• [breaking] remove the either dependency (#883)
• added issue_field_added to Event enum (#882)
• update MSRV to 1.95.0
• don't include unconditional backtrace in Display impl (#824)
• add a simple test for compare commits
• remove duplicated GitUser
• create search models submodule
• move repository model from commits module
• move maybe_empty to models module
• remove Option<> for some fields of PullRequest (#873)

Commits

• af4a52e chore: release v0.50.0 (#877)
• 40b967b chore!: remove the either dependency (#883)
• ce8cc89 added issue_field_added to Event enum (#882)
• 21b13ed feat: add create_comment to PullRequestHandler (#880)
• 6e66bda fix: Use PUT not PATCH for pull request reviews (#879)
• 174950f fix: cargo fmt, cargo test, Set MSRV to 1.85.0 (#878)
• 43f2ef0 chore: update MSRV to 1.95.0
• e10d801 feat: Add support for exchanging oauth code for access token (#780)
• d4fcc18 fix: deser generate repo as respository (#812)
• 675f1fb feat: add get_app (#757)
• Additional commits viewable in compare view

Updates opentelemetry from 0.31.0 to 0.32.0

Release notes

Sourced from opentelemetry's releases.

0.32.0

See release notes: https://github.com/open-telemetry/opentelemetry-rust/blob/main/docs/release_0.32.md

opentelemetry-otlp 0.31.1

What's Changed

• feat(OTLP): add tls-ring, tls-aws-lc, and tls-provider-agnostic feature flags [patch release v0.31.1] by @​lalitb in open-telemetry/opentelemetry-rust#3426

Full Changelog: open-telemetry/opentelemetry-rust@v0.31.0...opentelemetry-otlp-0.31.1

Changelog

Sourced from opentelemetry's changelog.

Release Notes 0.32

OpenTelemetry Rust 0.32 continues to drive the Logs, Metrics, and Distributed Tracing components forward. The Logs and Metrics API and SDK remain stable, with no breaking changes in this release. The OTLP Exporters and the Distributed Tracing API/SDK remain in pre-stable states (Release-Candidate and Beta respectively), and this release introduces a small number of intentional breaking changes in those areas to prepare them for stabilization.

For detailed changelogs of individual crates, please refer to their respective changelog files. This document serves as a summary of the main changes.

Key Changes

Metrics SDK

1. Bound instruments (experimental): Added Counter::bind() and Histogram::bind() returning pre-bound measurement handles (BoundCounter<T>, BoundHistogram<T>). Bound instruments resolve the attribute-to-aggregator mapping once at bind time and cache the result, eliminating per-call HashMap lookups on the hot path. Benchmarks show ~28x speedup for counter operations and ~9x for histograms. Gated behind the experimental_metrics_bound_instruments feature flag.

2. Delta collection efficiency: Delta metrics collection now uses in-place eviction instead of draining the HashMap on every collect cycle. Stale attribute sets that received no measurements since the last collection are evicted.

3. Stable Aggregation API: Aggregation and StreamBuilder::with_aggregation() are now stable and no longer require the spec_unstable_metrics_views feature flag.

Logs

1. Tracing-span attribute enrichment (experimental): The opentelemetry-appender-tracing crate can now copy attributes from active tracing spans onto each emitted log record. ("Span" here refers to tracing::span!, not an opentelemetry::trace::Span.) Enrichment is disabled by default with zero per-span overhead, and is gated behind the new experimental_span_attributes cargo feature.

2. spec_unstable_logs_enabled removed: The capability (and the backing specification) is now stable and is enabled by default. The feature flag has been removed.

Distributed Tracing (Beta)

The Distributed Tracing API and SDK remain in beta. This release contains intentional breaking changes to clean up the public surface ahead of

... (truncated)

Commits

• ec289cb chore: Prepare for release v0.32.0 (#3508)
• 3ddb386 fix(metrics): reject usize::MAX as cardinality limit (#3506)
• bad0a1b feat(appender-tracing): re-gate span attribute enrichment behind experimental...
• f744509 docs: update README status table and remove deprecated crates (#3502)
• 81d5a06 chore(prometheus): restore crate to workspace (#3500)
• 5a07ce1 ci: close stale pull requests (#3499)
• cc87dd9 feat(appender-tracing): stabilize span attribute propagation (#3482)
• f290595 docs(metrics): document experimental bound instruments (#3495)
• a79eb76 fix(sdk): suppress telemetry in SimpleSpanProcessor during export (#3494)
• aa3bda3 chore(zipkin): deprecate opentelemetry-zipkin crate (#3492)
• Additional commits viewable in compare view

Updates opentelemetry_sdk from 0.31.0 to 0.32.0

Changelog

Sourced from opentelemetry_sdk's changelog.

Release Notes 0.32

OpenTelemetry Rust 0.32 continues to drive the Logs, Metrics, and Distributed Tracing components forward. The Logs and Metrics API and SDK remain stable, with no breaking changes in this release. The OTLP Exporters and the Distributed Tracing API/SDK remain in pre-stable states (Release-Candidate and Beta respectively), and this release introduces a small number of intentional breaking changes in those areas to prepare them for stabilization.

For detailed changelogs of individual crates, please refer to their respective changelog files. This document serves as a summary of the main changes.

Key Changes

Metrics SDK

1. Bound instruments (experimental): Added Counter::bind() and Histogram::bind() returning pre-bound measurement handles (BoundCounter<T>, BoundHistogram<T>). Bound instruments resolve the attribute-to-aggregator mapping once at bind time and cache the result, eliminating per-call HashMap lookups on the hot path. Benchmarks show ~28x speedup for counter operations and ~9x for histograms. Gated behind the experimental_metrics_bound_instruments feature flag.

2. Delta collection efficiency: Delta metrics collection now uses in-place eviction instead of draining the HashMap on every collect cycle. Stale attribute sets that received no measurements since the last collection are evicted.

3. Stable Aggregation API: Aggregation and StreamBuilder::with_aggregation() are now stable and no longer require the spec_unstable_metrics_views feature flag.

Logs

1. Tracing-span attribute enrichment (experimental): The opentelemetry-appender-tracing crate can now copy attributes from active tracing spans onto each emitted log record. ("Span" here refers to tracing::span!, not an opentelemetry::trace::Span.) Enrichment is disabled by default with zero per-span overhead, and is gated behind the new experimental_span_attributes cargo feature.

2. spec_unstable_logs_enabled removed: The capability (and the backing specification) is now stable and is enabled by default. The feature flag has been removed.

Distributed Tracing (Beta)

The Distributed Tracing API and SDK remain in beta. This release contains intentional breaking changes to clean up the public surface ahead of

... (truncated)

Commits

• ec289cb chore: Prepare for release v0.32.0 (#3508)
• 3ddb386 fix(metrics): reject usize::MAX as cardinality limit (#3506)
• bad0a1b feat(appender-tracing): re-gate span attribute enrichment behind experimental...
• f744509 docs: update README status table and remove deprecated crates (#3502)
• 81d5a06 chore(prometheus): restore crate to workspace (#3500)
• 5a07ce1 ci: close stale pull requests (#3499)
• cc87dd9 feat(appender-tracing): stabilize span attribute propagation (#3482)
• f290595 docs(metrics): document experimental bound instruments (#3495)
• a79eb76 fix(sdk): suppress telemetry in SimpleSpanProcessor during export (#3494)
• aa3bda3 chore(zipkin): deprecate opentelemetry-zipkin crate (#3492)
• Additional commits viewable in compare view

Updates opentelemetry-otlp from 0.31.1 to 0.32.0

Changelog

Sourced from opentelemetry-otlp's changelog.

Release Notes 0.32

OpenTelemetry Rust 0.32 continues to drive the Logs, Metrics, and Distributed Tracing components forward. The Logs and Metrics API and SDK remain stable, with no breaking changes in this release. The OTLP Exporters and the Distributed Tracing API/SDK remain in pre-stable states (Release-Candidate and Beta respectively), and this release introduces a small number of intentional breaking changes in those areas to prepare them for stabilization.

For detailed changelogs of individual crates, please refer to their respective changelog files. This document serves as a summary of the main changes.

Key Changes

Metrics SDK

1. Bound instruments (experimental): Added Counter::bind() and Histogram::bind() returning pre-bound measurement handles (BoundCounter<T>, BoundHistogram<T>). Bound instruments resolve the attribute-to-aggregator mapping once at bind time and cache the result, eliminating per-call HashMap lookups on the hot path. Benchmarks show ~28x speedup for counter operations and ~9x for histograms. Gated behind the experimental_metrics_bound_instruments feature flag.

2. Delta collection efficiency: Delta metrics collection now uses in-place eviction instead of draining the HashMap on every collect cycle. Stale attribute sets that received no measurements since the last collection are evicted.

3. Stable Aggregation API: Aggregation and StreamBuilder::with_aggregation() are now stable and no longer require the spec_unstable_metrics_views feature flag.

Logs

1. Tracing-span attribute enrichment (experimental): The opentelemetry-appender-tracing crate can now copy attributes from active tracing spans onto each emitted log record. ("Span" here refers to tracing::span!, not an opentelemetry::trace::Span.) Enrichment is disabled by default with zero per-span overhead, and is gated behind the new experimental_span_attributes cargo feature.

2. spec_unstable_logs_enabled removed: The capability (and the backing specification) is now stable and is enabled by default. The feature flag has been removed.

Distributed Tracing (Beta)

The Distributed Tracing API and SDK remain in beta. This release contains intentional breaking changes to clean up the public surface ahead of

... (truncated)

Commits

• ec289cb chore: Prepare for release v0.32.0 (#3508)
• 3ddb386 fix(metrics): reject usize::MAX as cardinality limit (#3506)
• bad0a1b feat(appender-tracing): re-gate span attribute enrichment behind experimental...
• f744509 docs: update README status table and remove deprecated crates (#3502)
• 81d5a06 chore(prometheus): restore crate to workspace (#3500)
• 5a07ce1 ci: close stale pull requests (#3499)
• cc87dd9 feat(appender-tracing): stabilize span attribute propagation (#3482)
• f290595 docs(metrics): document experimental bound instruments (#3495)
• a79eb76 fix(sdk): suppress telemetry in SimpleSpanProcessor during export (#3494)
• aa3bda3 chore(zipkin): deprecate opentelemetry-zipkin crate (#3492)
• Additional commits viewable in compare view

Updates tokio from 1.52.1 to 1.52.3

Release notes

Sourced from tokio's releases.

Tokio v1.52.3

1.52.3 (May 8th, 2026)

Fixed

• sync: fix underflow in mpsc channel len() (#8062)
• sync: notify receivers in mpsc OwnedPermit::release() method (#8075)
• sync: require that an RwLock has max_readers != 0 (#8076)
• sync: return Empty from try_recv() when mpsc is closed with outstanding permits (#8074)

#8062: tokio-rs/tokio#8062 #8074: tokio-rs/tokio#8074 #8075: tokio-rs/tokio#8075 #8076: tokio-rs/tokio#8076

Tokio v1.52.2

1.52.2 (May 4th, 2026)

This release reverts the LIFO slot stealing change introduced in 1.51.0 (#7431), due to [its performance impact]#8065. (#8100)

#7431: tokio-rs/tokio#7431 #8065: tokio-rs/tokio#8065 #8100: tokio-rs/tokio#8100

Commits

• d875691 chore: prepare Tokio v1.52.3 (#8130)
• e1aebb0 Merge 'tokio-1.51.3' into 'tokio-1.52.x' (#8129)
• fd63094 chore: prepare Tokio v1.51.3 (#8127)
• 8c600d0 Merge 'tokio-1.47.5' into 'tokio-1.51.x' (#8123)
• 11bfc13 chore: prepare Tokio v1.47.5 (#8122)
• f085b62 sync: notify receivers in mpsc OwnedPermit::release() method (#8075)
• 30d25cc sync: require that an RwLock has max_readers != 0 (#8076)
• 9fccf53 sync: return Empty from try_recv() when mpsc is closed with outstanding p...
• ebf61b4 sync: fix underflow in mpsc channel len() (#8062)
• 4abe9d7 chore: prepare Tokio v1.52.2 (#8115)
• Additional commits viewable in compare view

Updates tonic from 0.14.5 to 0.14.6

Release notes

Sourced from tonic's releases.

tonic-build-v0.14.6

Other

• update rust edition and version to 2024 and 1.88, respectively (#2525)

tonic-health-v0.14.6

Other

• update rust edition and version to 2024 and 1.88, respectively (#2525)

tonic-prost-build-v0.14.6

Other

• Support well known types resolved by prost to their rust counterparts (#2544)
• update rust edition and version to 2024 and 1.88, respectively (#2525)

tonic-prost-v0.14.6

Other

• update rust edition and version to 2024 and 1.88, respectively (#2525)

tonic-reflection-v0.14.6

Other

• fix panic when client drops connection early (#2596)
• update rust edition and version to 2024 and 1.88, respectively (#2525)

tonic-types-v0.14.6

Other

• update rust edition and version to 2024 and 1.88, respectively (#2525)

tonic-v0.14.6

Added

• (transport/channel) expose ServerCertVerifier API (#2612)

Fixed

• map no trailers ok status to unknown (#2543)

Other

• add max_frame_size to client Endpoint (#2592)
• Allow setting the HTTP/2 client header table size (#2582)
• update rust edition and version to 2024 and 1.88, respectively (#2525)

tonic-web-v0.14.6

Other

... (truncated)

Commits

• 6cb6056 chore: release v0.14.6 (#2624)
• efde924 grpc: change helloworld example to pass request as a view (#2632)
• d47b001 transport: add max_frame_size to client Endpoint (#2592)
• 02c01c7 Allow setting the HTTP/2 client header table size (#2582)
• 3185354 examples: add grpc version of helloworld (#2630)
• f585303 fix(grpc): Fix grpc-google build (#2628)
• ff7bcbb feat(grpc): Google call credentials (#2610)
• f93037b feat(tonic-xds): make XdsChannelGrpc Sync (#2627)
• d834beb grpc: Update Status to be a Result<> and make StatusErr which holds non-OK co...
• 2392224 grpc: add route_guide example and make minor tweaks to the generated code API...
• Additional commits viewable in compare view

Updates assert_cmd from 2.2.1 to 2.2.2

Changelog

Sourced from assert_cmd's changelog.

[2.2.2] - 2026-05-11

Fixes

• Ensure #[track_caller] works for better panic messages

Commits

• feece89 chore: Release assert_cmd version 2.2.2
• 367cdf7 docs: Update changelog
• a98cc85 Merge pull request #289 from marcospb19/track_caller
• cd2e167 fix: .success() not reporting panic location
• 45a1c74 chore(deps): Update Prek to v0.3.13 (#293)
• f1d9b5b chore(deps): Update Prek to v0.3.12 (#292)
• 1d34bab Merge pull request #291 from epage/template
• d9a70ad style: Make clippy happy
• 4f5b5af chore: Update from _rust template
• 1e1d586 chore(renovate): Fix the tag
• Additional commits viewable in compare view

Updates nix from 0.29.0 to 0.31.2

Changelog

Sourced from nix's changelog.

[0.31.2] - 2026-02-28

Added

• Add WatchDescriptor::as_raw, to get libc id of WatchDescriptor. (#2718)
• Added process::pthread_getthreadid_np() on FreeBSD. (#2725)
• Added timerfd support on FreeBSD (#2728)

Fixed

• The libc requirement is now 0.2.181, rather than pinned to 0.2.180. (#2744)

[0.31.1] - 2026-01-23

Added

• termios: Add definition for IUCLC to supported platforms (#2702)
• termios: Add definition for XCASE for supported platforms (#2703)

[0.31.0] - 2026-01-22

Added

• Added the UDP GSO/GRO socket options and CMsgs on Android. This includes the following types:

  • UdpGsoSegment
  • UdpGroSegment
  • ControlMessage::UdpGsoSegments
  • ControlMessageOwned::UdpGroSegments

  (#2666)

• Define errno EWOULDBLOCK as an alias of EAGAIN to match the AIX libc definition. (#2692)

• Enable module ifaddrs on GNU Hurd (#2697)

• Add termios OutputFlags::OFILL for Linux, Android, Aix, Cygwin, Fuchsia, Haiku, GNU/Hurd, Nto, Redox, Illumos, Solaris and Apple OSes. (#2701)

• add sync() for cygwin (#2708)

Changed

... (truncated)

Commits

• bf1d0e9 chore: release v0.31.2
• 0dc1dd8 Unpin libc (#2744)
• dad24fb Allow timerfd use on FreeBSD (#2728)
• 6619d8d statfs: Fix definitions for s390x musl with libc 0.2.176 (#2678)
• 478594e Add api to get inner WatchDescriptor id, to work with c code. (#2718)
• 5507629 docs: minor fix in tcgetpgrp and tcsetpgrp doc comments (#2731)
• 9aea929 time: update comment in zero_init_timespec (#2730)
• b44fd1a FreeBSD: add pthread_getthreadid_np() (#2725)
• 06bb1be chore: release 0.31.1
• 49adb8d skip test::sys::test_af_alg_cipher on s390x,powerpc64le/Linux too (#2722)
• Additional commits viewable in compare view

Updates wait-timeout from 0.2.0 to 0.2.1

Commits

• bda62e3 Bump to 0.2.1
• eaf4be7 Merge pull request #37 from davidlattimore/fix-init-race
• c45efd7 Initialize STATE before registering signal handler
• 2a4f0f2 Merge pull request #28 from Minoru/feature/move-from-travis-to-gha
• 6fa63fb Drop AppVeyor config and badge
• 0ef2884 Make the "test" CI job actually run "cargo test"
• a3616a0 Run cargo fmt
• 7d93f3e Add simple CI configuration for GitHub Actions
• 6cc412a Merge pull request #26 from Minoru/bugfix/remove-incorrect-cleanup-commit
• 5e20b24 Revert "Do not manually remove the child from the map"
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[socket-security]

Caution

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. It is recommended to resolve "Warn" alerts too. For more information please check in at #security-help. For License Policy Violations please also tag @Aoife in #security-help.

Action	Severity	Alert  (click "▶" to expand/collapse)
Block		License policy violation: cargo nix under GPL-2.0+ License: GPL-2.0+ - The applicable license policy does not permit this license (5) (nix-0.31.2/test/test_kmod/hello_mod/hello.c) From: Cargo.lock → cargo/nix@0.31.2 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore cargo/nix@0.31.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		License policy violation: cargo webpki-root-certs under CDLA-Permissive-2.0 License: CDLA-Permissive-2.0 - The applicable license policy does not permit this license (5) (webpki-root-certs-1.0.7/Cargo.toml) License: CDLA-Permissive-2.0 - The applicable license policy does not permit this license (5) (webpki-root-certs-1.0.7/LICENSE) From: ? → cargo/opentelemetry-otlp@0.32.0 → cargo/webpki-root-certs@1.0.7 ℹ Read more on: This package | This alert | What is a license policy violation? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore cargo/webpki-root-certs@1.0.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.