Bump the cargo group across 1 directory with 2 updates

[dependabot]

Bumps the cargo group with 2 updates in the /flyteidl directory: bytes and tokio.

Updates bytes from 1.6.0 to 1.11.1

Release notes

Sourced from bytes's releases.

Bytes v1.11.1

1.11.1 (February 3rd, 2026)

• Fix integer overflow in BytesMut::reserve

Bytes v1.11.0

1.11.0 (November 14th, 2025)

• Bump MSRV to 1.57 (#788)

Fixed

• fix: BytesMut only reuse if src has remaining (#803)
• Specialize BytesMut::put::<Bytes> (#793)
• Reserve capacity in BytesMut::put (#794)
• Change BytesMut::remaining_mut to use isize::MAX instead of usize::MAX (#795)

Internal changes

• Guarantee address in slice() for empty slices. (#780)
• Rename Vtable::to_* -> Vtable::into_* (#776)
• Fix latest clippy warnings (#787)
• Ignore BytesMut::freeze doctest on wasm (#790)
• Move drop_fn of from_owner into vtable (#801)

Bytes v1.10.1

1.10.1 (March 5th, 2025)

Fixed

• Fix memory leak when using to_vec with Bytes::from_owner (#773)

#773: tokio-rs/bytes#773

Bytes v1.10.0

1.10.0 (February 3rd, 2025)

Added

• Add feature to support platforms without atomic CAS (#467)
• try_get_* methods for Buf trait (#753)
• Implement Buf::chunks_vectored for Take (#617)
• Implement Buf::chunks_vectored for VecDeque<u8> (#708)

Fixed

• Remove incorrect guarantee for chunks_vectored (#754)
• Ensure that tests pass under panic=abort (#749)

... (truncated)

Changelog

Sourced from bytes's changelog.

1.11.1 (February 3rd, 2026)

• Fix integer overflow in BytesMut::reserve

1.11.0 (November 14th, 2025)

• Bump MSRV to 1.57 (#788)

Fixed

• fix: BytesMut only reuse if src has remaining (#803)
• Specialize BytesMut::put::<Bytes> (#793)
• Reserve capacity in BytesMut::put (#794)
• Change BytesMut::remaining_mut to use isize::MAX instead of usize::MAX (#795)

Internal changes

• Guarantee address in slice() for empty slices. (#780)
• Rename Vtable::to_* -> Vtable::into_* (#776)
• Fix latest clippy warnings (#787)
• Ignore BytesMut::freeze doctest on wasm (#790)
• Move drop_fn of from_owner into vtable (#801)

1.10.1 (March 5th, 2025)

Fixed

• Fix memory leak when using to_vec with Bytes::from_owner (#773)

1.10.0 (February 3rd, 2025)

Added

• Add feature to support platforms without atomic CAS (#467)
• try_get_* methods for Buf trait (#753)
• Implement Buf::chunks_vectored for Take (#617)
• Implement Buf::chunks_vectored for VecDeque<u8> (#708)

Fixed

• Remove incorrect guarantee for chunks_vectored (#754)
• Ensure that tests pass under panic=abort (#749)

1.9.0 (November 27, 2024)

Added

• Add Bytes::from_owner to enable externally-allocated memory (#742)

Documented

... (truncated)

Commits

• 417dccd Release bytes v1.11.1 (#820)
• d0293b0 Merge commit from fork
• a7952fb chore: prepare bytes v1.11.0 (#804)
• 60cbb77 fix: BytesMut only reuse if src has remaining (#803)
• 7ce330f Move drop_fn of from_owner into vtable (#801)
• 4b53a29 Tweak BytesMut::remaining_mut (#795)
• 016fdbd Reserve capacity in BytesMut::put (#794)
• ef7f257 Specialize BytesMut::put::<Bytes> (#793)
• 8b4f54d Ignore BytesMut::freeze doctest on wasm (#790)
• 16132ad Fix latest clippy warnings (#787)
• Additional commits viewable in compare view

Updates tokio from 1.37.0 to 1.42.1

Release notes

Sourced from tokio's releases.

Tokio v1.42.1

This release fixes a soundness issue in the broadcast channel. The channel accepts values that are Send but !Sync. Previously, the channel called clone() on these values without synchronizing. This release fixes the channel by synchronizing calls to .clone() (Thanks Austin Bonander for finding and reporting the issue).

Fixed

• sync: synchronize clone() call in broadcast channel (#7232)

#7232: tokio-rs/tokio#7232

Tokio v1.42.0

1.42.0 (Dec 3rd, 2024)

Added

• io: add AsyncFd::{try_io, try_io_mut} (#6967)

Fixed

• io: avoid ptr->ref->ptr roundtrip in RegistrationSet (#6929)
• runtime: do not defer yield_now inside block_in_place (#6999)

Changes

• io: simplify io readiness logic (#6966)

Documented

• net: fix docs for tokio::net::unix::{pid_t, gid_t, uid_t} (#6791)
• time: fix a typo in Instant docs (#6982)

#6791: tokio-rs/tokio#6791 #6929: tokio-rs/tokio#6929 #6966: tokio-rs/tokio#6966 #6967: tokio-rs/tokio#6967 #6982: tokio-rs/tokio#6982 #6999: tokio-rs/tokio#6999

Tokio v1.41.1

1.41.1 (Nov 7th, 2024)

Fixed

• metrics: fix bug with wrong number of buckets for the histogram (#6957)
• net: display net requirement for net::UdpSocket in docs (#6938)
• net: fix typo in TcpStream internal comment (#6944)

#6957: tokio-rs/tokio#6957 #6938: tokio-rs/tokio#6938 #6944: tokio-rs/tokio#6944

... (truncated)

Commits

• f7fb0bd chore: prepare Tokio v1.42.1
• 9faea74 Merge 'tokio-1.38.x' into 'tokio.1.42.x'
• aa303bc chore: prepare Tokio v1.38.2 release
• 7b6ccb5 chore: backport CI fixes
• 4b174ce sync: fix cloning value when receiving from broadcast channel
• bb9d570 chore: prepare Tokio v1.42.0 (#7005)
• af9c683 tests: fix typo in build test instructions (#7004)
• 4bc5a1a ci: allow Unicode-3.0 license for unicode-ident (#7006)
• f8948ea runtime: do not defer yield_now inside block_in_place (#6999)
• bce9780 time: use array::from_fn instead of manually creating array (#7000)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[github-actions]

⚠️ Deprecation Warning: The deny-licenses option is deprecated for possible removal in the next major release. For more information, see issue 997.

Dependency Review

The following issues were found:

• ❌ 1 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ✅ 0 package(s) with unknown licenses.

See the Details below.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA f2a34cc.

Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

Vulnerabilities

flyteidl/Cargo.lock

Name	Version	Vulnerability	Severity
tokio	1.42.1	Tokio broadcast channel calls clone in parallel, but does not require `Sync`	low

OpenSSF Scorecard

Package	Version	Score	Details
cargo/tokio	1.42.1	🟢 6.9	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 17 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 10 all changesets reviewed CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy 🟢 10 security policy file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Packaging ⚠️ -1 packaging workflow not detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 License 🟢 10 license file detected Fuzzing 🟢 10 project is fuzzed Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
cargo/bytes	1.11.1	🟢 5.6	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Security-Policy 🟢 9 security policy file detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Maintained 🟢 6 5 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 6 Binary-Artifacts 🟢 10 no binaries found in the repo Packaging ⚠️ -1 packaging workflow not detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
cargo/hermit-abi	0.3.9	Unknown	Unknown
cargo/mio	1.0.2	🟢 6.5	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 10 14 commit(s) and 8 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Security-Policy ⚠️ 0 security policy file not detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0

Scanned Files

• flyteidl/Cargo.lock