chore(deps): bump the cargo group across 1 directory with 6 updates

[dependabot]

Bumps the cargo group with 5 updates in the / directory:

Package	From	To
tokio	1.37.0	1.42.1
tracing-subscriber	0.3.18	0.3.20
crossbeam-channel	0.5.12	0.5.15
curve25519-dalek	4.1.2	4.1.3
zerovec	0.10.1	0.10.4

Updates tokio from 1.37.0 to 1.42.1

Release notes

Sourced from tokio's releases.

Tokio v1.42.1

This release fixes a soundness issue in the broadcast channel. The channel accepts values that are Send but !Sync. Previously, the channel called clone() on these values without synchronizing. This release fixes the channel by synchronizing calls to .clone() (Thanks Austin Bonander for finding and reporting the issue).

Fixed

• sync: synchronize clone() call in broadcast channel (#7232)

#7232: tokio-rs/tokio#7232

Tokio v1.42.0

1.42.0 (Dec 3rd, 2024)

Added

• io: add AsyncFd::{try_io, try_io_mut} (#6967)

Fixed

• io: avoid ptr->ref->ptr roundtrip in RegistrationSet (#6929)
• runtime: do not defer yield_now inside block_in_place (#6999)

Changes

• io: simplify io readiness logic (#6966)

Documented

• net: fix docs for tokio::net::unix::{pid_t, gid_t, uid_t} (#6791)
• time: fix a typo in Instant docs (#6982)

#6791: tokio-rs/tokio#6791 #6929: tokio-rs/tokio#6929 #6966: tokio-rs/tokio#6966 #6967: tokio-rs/tokio#6967 #6982: tokio-rs/tokio#6982 #6999: tokio-rs/tokio#6999

Tokio v1.41.1

1.41.1 (Nov 7th, 2024)

Fixed

• metrics: fix bug with wrong number of buckets for the histogram (#6957)
• net: display net requirement for net::UdpSocket in docs (#6938)
• net: fix typo in TcpStream internal comment (#6944)

#6957: tokio-rs/tokio#6957 #6938: tokio-rs/tokio#6938 #6944: tokio-rs/tokio#6944

... (truncated)

Commits

• f7fb0bd chore: prepare Tokio v1.42.1
• 9faea74 Merge 'tokio-1.38.x' into 'tokio.1.42.x'
• aa303bc chore: prepare Tokio v1.38.2 release
• 7b6ccb5 chore: backport CI fixes
• 4b174ce sync: fix cloning value when receiving from broadcast channel
• bb9d570 chore: prepare Tokio v1.42.0 (#7005)
• af9c683 tests: fix typo in build test instructions (#7004)
• 4bc5a1a ci: allow Unicode-3.0 license for unicode-ident (#7006)
• f8948ea runtime: do not defer yield_now inside block_in_place (#6999)
• bce9780 time: use array::from_fn instead of manually creating array (#7000)
• Additional commits viewable in compare view

Updates tracing-subscriber from 0.3.18 to 0.3.20

Release notes

Sourced from tracing-subscriber's releases.

tracing-subscriber 0.3.20

Security Fix: ANSI Escape Sequence Injection (CVE-TBD)

Impact

Previous versions of tracing-subscriber were vulnerable to ANSI escape sequence injection attacks. Untrusted user input containing ANSI escape sequences could be injected into terminal output when logged, potentially allowing attackers to:

• Manipulate terminal title bars
• Clear screens or modify terminal display
• Potentially mislead users through terminal manipulation

In isolation, impact is minimal, however security issues have been found in terminal emulators that enabled an attacker to use ANSI escape sequences via logs to exploit vulnerabilities in the terminal emulator.

Solution

Version 0.3.20 fixes this vulnerability by escaping ANSI control characters in when writing events to destinations that may be printed to the terminal.

Affected Versions

All versions of tracing-subscriber prior to 0.3.20 are affected by this vulnerability.

Recommendations

Immediate Action Required: We recommend upgrading to tracing-subscriber 0.3.20 immediately, especially if your application:

• Logs user-provided input (form data, HTTP headers, query parameters, etc.)
• Runs in environments where terminal output is displayed to users

Migration

This is a patch release with no breaking API changes. Simply update your Cargo.toml:

[dependencies]
tracing-subscriber = "0.3.20"

Acknowledgments

We would like to thank zefr0x who responsibly reported the issue at security@tokio.rs.

If you believe you have found a security vulnerability in any tokio-rs project, please email us at security@tokio.rs.

tracing-subscriber 0.3.19

[ [crates.io][crate-0.3.19] ] | [ [docs.rs][docs-0.3.19] ]

This release updates the tracing dependency to [v0.1.41][tracing-0.1.41] and the tracing-serde dependency to [v0.2.0][tracing-serde-0.2.0].

Added

... (truncated)

Commits

• 4c52ca5 fmt: fix ANSI escape sequence injection vulnerability (#3368)
• f71cebe subscriber: impl Clone for EnvFilter (#3360)
• 3a1f571 Fix CI (#3361)
• e63ef57 chore: prepare tracing-attributes 0.1.30 (#3316)
• 6e59a13 attributes: fix tracing::instrument regression around shadowing (#3311)
• e4df761 tracing: update core to 0.1.34 and attributes to 0.1.29 (#3305)
• 643f392 chore: prepare tracing-attributes 0.1.29 (#3304)
• d08e7a6 chore: prepare tracing-core 0.1.34 (#3302)
• 6e70c57 tracing-subscriber: count numbers of enters in Timings (#2944)
• c01d4fd fix docs and enable CI on main branch (#3295)
• Additional commits viewable in compare view

Updates crossbeam-channel from 0.5.12 to 0.5.15

Release notes

Sourced from crossbeam-channel's releases.

crossbeam-channel 0.5.15

• Fix regression introduced in 0.5.12 that can lead to a double free when dropping unbounded channel. (#1187)

crossbeam-channel 0.5.14

• Fix stack overflow when sending large value to unbounded channel. (#1146, #1147)
• Add Select::new_biased function. (#1150)
• Remove inefficient spinning. (#1154)
• Suppress buggy clippy::zero_repeat_side_effects lint in macro generated code. (#1123)

crossbeam-channel 0.5.13

• Add select_biased! macro. (#1040)

Commits

• d35ffde Prepare for the next release
• 6ec74ec crossbeam-channel: prevent double free on Drop (#1187)
• ccd83ac Prepare for the next release
• 54988eb Calculate layout in const context
• 761d0b6 Port #1146 & #1147 to deque::Injector and queue::SegQueue
• 8144fbb Remove optimistic spinning from Context::wait_until
• a92f6c4 Bump peter-evans/create-pull-request from 5 to 7 (#1153)
• 66d41a9 channel: Add new_biased constructor for biased channel selection (#1150)
• d0d0a80 CachePadded: Use 128-byte alignment on arm64ec
• f757eef Add comment about fixed rustc bug
• Additional commits viewable in compare view

Updates curve25519-dalek from 4.1.2 to 4.1.3

Commits

• 5312a03 curve: Bump version to 4.1.3 (#660)
• b4f9e4d SECURITY: fix timing variability in backend/serial/u32/scalar.rs (#661)
• 415892a SECURITY: fix timing variability in backend/serial/u64/scalar.rs (#659)
• 56bf398 Updates license field to valid SPDX format (#647)
• 9252fa5 Mitigate check-cfg until MSRV 1.77 (#652)
• 1efe6a9 Fix a minor typo in signing.rs (#649)
• cc3421a Indicate that the rand_core feature is required (#641)
• 858c4ca Address new nightly clippy unnecessary qualifications (#639)
• 31ccb67 Remove platforms in favor using CARGO_CFG_TARGET_POINTER_WIDTH (#636)
• 19c7f4a Fix new nightly redundant import lint warns (#638)
• Additional commits viewable in compare view

Updates zerovec from 0.10.1 to 0.10.4

Changelog

Sourced from zerovec's changelog.

Changelog

Unreleased

• Components
  • General
  • icu_calendar
    • Fix und-SA-u-ca-islamic (unicode-org#6736)
• Data model and providers
  • ...
• FFI
  • icu_capi
    • All C++ enums now default to a valid value; which is the Default impl where there is one, and some semi-logical value otherwise. This has changed defaults in some cases and may cause a behavioral change for people relying on C++ default constructors. (unicode-org#6692)
• Utils
  • yoke
    • Add four map_with_cart methods to yoke::Yoke, similar to Yoke::map_project but additionally providing a reference to the cart. (unicode-org#6781)
    • Add Yoke::with_mut_return, similar to Yoke::with_mut but with a callback that may return any 'static type. (unicode-org#6827)

icu4x 2.0.x

Several crates have had patch releases in the 2.0 stream:

• icu_calendar
  • (2.0.1) Fix chinese day-of-year (unicode-org#6567)
  • (2.0.2) Respect -u-fw keyword in WeekInformation (unicode-org#6615)
  • (2.0.3) Fix extended year for Roc/Ethiopic (unicode-org#6721)
  • (2.0.3) Fix treatment of None era code for Gregorian (unicode-org#6794)
  • (2.0.4) Fix a sign error in RataDie::until, add RataDie::since (unicode-org#6861)
• icu_properties, icu_properties_data
  • (2.0.1) Fix a visibility bug in compiled data (unicode-org#6580)
• icu_provider_baked
  • (2.0.1) Fix an issue where a single-locale data generation would skip fallback (unicode-org#6582)
• icu_capi
  • (2.0.1) Rename string-methods on DecomposingNormalizer to match those on ComposingNormalizer (unicode-org#6594)
  • (2.0.1) Add DataProvider constructors in JS and Dart (unicode-org#6596)
  • (2.0.1) Fix TimeZoneVariant constructor (unicode-org#6610)
  • (2.0.2) Add Locale::set_unicode_extension (unicode-org#6636)
• icu_datetime_data, icu_time_data, icu_provider_source
  • (2.0.1) Update to tzdb 2025b
• calendrical_calculations
  • (0.2.1) Fix a sign error in RataDie::until, add RataDie::since (unicode-org#6861)
  • (0.2.2) Make iso_year_from_fixed, day_before_year public (unicode-org#6871)
  • (0.2.2) Optimise some calculations for iso (unicode-org#6883)
  • (0.2.2) Add Easter holiday to iso and julian (unicode-org#6899)
• ixdtf
  • (0.6.0) Add UTF16 handling (unicode-org#6577)
  • (0.6.0) Add TimeZoneParser::parse_identifier for TimeZoneRecord (unicode-org#6584)

... (truncated)

Commits

• See full diff in compare view

Updates zerovec-derive from 0.10.1 to 0.10.3

Changelog

Sourced from zerovec-derive's changelog.

Changelog

Unreleased

• Components
  • General
  • icu_calendar
    • Fix und-SA-u-ca-islamic (unicode-org#6736)
• Data model and providers
  • ...
• FFI
  • icu_capi
    • All C++ enums now default to a valid value; which is the Default impl where there is one, and some semi-logical value otherwise. This has changed defaults in some cases and may cause a behavioral change for people relying on C++ default constructors. (unicode-org#6692)
• Utils
  • yoke
    • Add four map_with_cart methods to yoke::Yoke, similar to Yoke::map_project but additionally providing a reference to the cart. (unicode-org#6781)
    • Add Yoke::with_mut_return, similar to Yoke::with_mut but with a callback that may return any 'static type. (unicode-org#6827)

icu4x 2.0.x

Several crates have had patch releases in the 2.0 stream:

• icu_calendar
  • (2.0.1) Fix chinese day-of-year (unicode-org#6567)
  • (2.0.2) Respect -u-fw keyword in WeekInformation (unicode-org#6615)
  • (2.0.3) Fix extended year for Roc/Ethiopic (unicode-org#6721)
  • (2.0.3) Fix treatment of None era code for Gregorian (unicode-org#6794)
  • (2.0.4) Fix a sign error in RataDie::until, add RataDie::since (unicode-org#6861)
• icu_properties, icu_properties_data
  • (2.0.1) Fix a visibility bug in compiled data (unicode-org#6580)
• icu_provider_baked
  • (2.0.1) Fix an issue where a single-locale data generation would skip fallback (unicode-org#6582)
• icu_capi
  • (2.0.1) Rename string-methods on DecomposingNormalizer to match those on ComposingNormalizer (unicode-org#6594)
  • (2.0.1) Add DataProvider constructors in JS and Dart (unicode-org#6596)
  • (2.0.1) Fix TimeZoneVariant constructor (unicode-org#6610)
  • (2.0.2) Add Locale::set_unicode_extension (unicode-org#6636)
• icu_datetime_data, icu_time_data, icu_provider_source
  • (2.0.1) Update to tzdb 2025b
• calendrical_calculations
  • (0.2.1) Fix a sign error in RataDie::until, add RataDie::since (unicode-org#6861)
  • (0.2.2) Make iso_year_from_fixed, day_before_year public (unicode-org#6871)
  • (0.2.2) Optimise some calculations for iso (unicode-org#6883)
  • (0.2.2) Add Easter holiday to iso and julian (unicode-org#6899)
• ixdtf
  • (0.6.0) Add UTF16 handling (unicode-org#6577)
  • (0.6.0) Add TimeZoneParser::parse_identifier for TimeZoneRecord (unicode-org#6584)

... (truncated)

Commits

• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.