Skip to content

chore(deps)(deps): bump scraper from 0.24.0 to 0.25.0#363

Merged
AlexMikhalev merged 1 commit intomainfrom
dependabot/cargo/scraper-0.25.0
Dec 31, 2025
Merged

chore(deps)(deps): bump scraper from 0.24.0 to 0.25.0#363
AlexMikhalev merged 1 commit intomainfrom
dependabot/cargo/scraper-0.25.0

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github Dec 8, 2025

Bumps scraper from 0.24.0 to 0.25.0.

Release notes

Sourced from scraper's releases.

v0.25.0

What's Changed

New Contributors

Full Changelog: rust-scraper/scraper@v0.24.0...v0.25.0

Commits
  • 4cb7107 Version 0.25.0
  • 382c092 Add cargo deny to test github action (#287)
  • 29b3d8f Update repo URL (#286)
  • 943ee24 Bump indexmap from 2.12.0 to 2.12.1
  • 4848e3c Avoid panic for missing or invalid selectors
  • 75b88da Avoid panic for unknown flags
  • 85e6967 Add version flag in executable
  • 381a4bd chore(Cargo.toml): bump servo to 0.36.0
  • 3fca4f1 Merge pull request #278 from rust-scraper/dependabot/cargo/indexmap-2.12.0
  • 8e56e7e Bump indexmap from 2.11.4 to 2.12.0
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot
chore(deps)(deps): bump scraper from 0.24.0 to 0.25.0
e220975 
Bumps [scraper](https://github.com/rust-scraper/scraper) from 0.24.0 to 0.25.0.
- [Release notes](https://github.com/rust-scraper/scraper/releases)
- [Commits](rust-scraper/scraper@v0.24.0...v0.25.0)

---
updated-dependencies:
- dependency-name: scraper
  dependency-version: 0.25.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@AlexMikhalev AlexMikhalev merged commit ccd68c7 into main Dec 31, 2025
13 of 17 checks passed
@AlexMikhalev AlexMikhalev deleted the dependabot/cargo/scraper-0.25.0 branch December 31, 2025 12:13
@AlexMikhalev AlexMikhalev mentioned this pull request Apr 6, 2026
Closed
8 tasks
AlexMikhalev added a commit that referenced this pull request Apr 7, 2026
@AlexMikhalev @claude
fix(tinyclaw): switch serenity to native_tls_backend to fix RUSTSEC-2…
09f972a 
…026-0049

The serenity dependency was using default features which include rustls_backend.
This pulled in tokio-tungstenite/rustls-tls-webpki-roots, which transitively
brought in rustls 0.22.4 and rustls-webpki 0.102.8 (vulnerable to
RUSTSEC-2026-0049: CRL Distribution Point matching bypass).

Switching to `default_native_tls` (serenity's native TLS feature alias) replaces
the rustls chain with the OS-native TLS stack via native-tls/tokio-native-tls.

Removed from dependency graph:
- rustls 0.22.4
- rustls-webpki 0.102.8 (RUSTSEC-2026-0049)
- tokio-rustls 0.25.0

All 13 terraphim_tinyclaw tests pass. cargo audit confirms vulnerability resolved.

Refs #363

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
AlexMikhalev added a commit that referenced this pull request Apr 7, 2026
@AlexMikhalev @claude
fix(security): remove serenity to eliminate RUSTSEC-2026-0049 Refs #363
62b504f 
serenity 0.12.5 transitively pulled rustls-webpki 0.102.8 via
tokio-tungstenite 0.21 -> rustls 0.22.4, triggering the CRL
revocation bypass advisory (RUSTSEC-2026-0049).

Changes:
- Remove serenity 0.12 from terraphim_tinyclaw/Cargo.toml; discord
  feature is now an empty stub pending serenity 0.13+ with rustls 0.23
- Stub DiscordChannel::start/send to return clear error messages
- Remove RUSTSEC-2026-0049 from deny.toml ignore list (no longer needed)
- Remove ineffective [patch.crates-io] overrides for tokio-tungstenite
  and rustls-webpki (semver-incompatible, never applied correctly)
- Remove workspace rustls/rustls-webpki version pins added for the patch

Verification:
- cargo audit: 0 errors, RUSTSEC-2026-0049 absent
- rustls-webpki 0.102.8 absent from Cargo.lock
- cargo clippy -p terraphim_tinyclaw: 0 warnings
- cargo test -p terraphim_tinyclaw: all tests pass

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies rust

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@AlexMikhalev