chore: update dependencies#181

Merged
rubenhensen merged 1 commit into main from chore/update-dependencies on Jul 2, 2026
Conversation

@dobby-coder dobby-coder Bot commented Jul 1, 2026


Resolves the dependency updates tracked in the dep-scan issue.

Security fixes (CVEs)

Both CVEs from the issue were still present in main's Cargo.toml constraints and are now resolved:

CVE / Advisory, package, bump, notes:

  • RUSTSEC-2026-0141: lettre 0.11.19 → 0.11.22. Inverted-boolean bug disabling TLS hostname verification on the boring-tls backend. This project does not enable boring-tls; upgraded as a precaution.
  • RUSTSEC-2026-0097: rand 0.10.0 → 0.10.1. Aliased mutable reference / UB when a custom log logger calls rand::rng() during reseeding.

Minor / patch bumps

  • tokio 1.48.0 → 1.52.3
  • uuid 1.18.1 → 1.23.4
  • reqwest 0.13.0 → 0.13.4
  • serde_json 1.0.145 → 1.0.150
  • chrono 0.4.42 → 0.4.45
  • log 0.4.28 → 0.4.33
  • url 2.5.7 → 2.5.8
  • tokio-util 0.7.17 → 0.7.18

Major bump

  • minreq 2.14.1 → 3.0.0 — the only breaking change affecting us is the feature rename https-native → https-native-tls (updated in Cargo.toml). The single call site in rocket() uses get/with_timeout/send/json, whose signatures are unchanged in 3.0. Builds and runs unchanged.

Verification

  • cargo fmt --all -- --check — clean
  • cargo clippy --all-targets -- -D warnings — clean
  • cargo test --all-targets — 127 passed, 0 failed
  • cargo audit — no vulnerabilities. One informational unmaintained warning remains for rustls-pemfile (RUSTSEC-2025-0134), pulled transitively via irma → reqwest 0.11.27; not fixable without an upstream irma release and out of scope for this issue.

Closes #180

Resolve dependency CVEs and refresh outdated crates.

Security fixes:
- lettre 0.11.19 -> 0.11.22 (RUSTSEC-2026-0141: inverted-boolean bug
  disabling TLS hostname verification on the boring-tls backend)
- rand 0.10.0 -> 0.10.1 (RUSTSEC-2026-0097: aliased mutable reference /
  UB when a custom log logger calls rand::rng() during reseeding)

minor/patch bumps:
- tokio 1.48.0 -> 1.52.3
- uuid 1.18.1 -> 1.23.4
- reqwest 0.13.0 -> 0.13.4
- serde_json 1.0.145 -> 1.0.150
- chrono 0.4.42 -> 0.4.45
- log 0.4.28 -> 0.4.33
- url 2.5.7 -> 2.5.8
- tokio-util 0.7.17 -> 0.7.18

major bump:
- minreq 2.14.1 -> 3.0.0: renamed the https-native feature to
  https-native-tls (3.0 feature rename); call site in rocket() uses only
  get/with_timeout/send/json which are unchanged.

cargo audit reports no vulnerabilities. cargo fmt/clippy/test all pass
(127 tests).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@dobby-coder dobby-coder Bot marked this pull request as ready for review July 1, 2026 22:31
@dobby-coder dobby-coder Bot mentioned this pull request Jul 1, 2026
@rubenhensen rubenhensen merged commit 71b7e21 into main Jul 2, 2026
7 checks passed
@rubenhensen rubenhensen deleted the chore/update-dependencies branch July 2, 2026 08:38