Skip to content

chore(deps): bump the cargo group across 2 directories with 4 updates#41

Merged
rodrigooler merged 1 commit into
mainfrom
dependabot/cargo/proofs/cargo-2c5d6cbc71
Jun 29, 2026
Merged

chore(deps): bump the cargo group across 2 directories with 4 updates#41
rodrigooler merged 1 commit into
mainfrom
dependabot/cargo/proofs/cargo-2c5d6cbc71

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 29, 2026

Copy link
Copy Markdown
Contributor

Bumps the cargo group with 3 updates in the /proofs directory: quinn-proto, rand and rustls-webpki.
Bumps the cargo group with 1 update in the /proofs/risc0-host/risc0-guest directory: rand.

Updates quinn-proto from 0.11.13 to 0.11.15

Release notes

Sourced from quinn-proto's releases.

quinn-proto 0.11.14

@​jxs reported a denial of service issue in quinn-proto 5 days ago:

We coordinated with them to release this version to patch the issue. Unfortunately the maintainers missed these issues during code review and we did not have enough fuzzing coverage -- we regret the oversight and have added an additional fuzzing target.

Organizations that want to participate in coordinated disclosure can contact us privately to discuss terms.

What's Changed

Commits
  • a7499b8 Bump versions for release
  • 7c1970f proto: yield error on too many gaps in assembler
  • fe5ac49 congestion: avoid double-reducing CUBIC fast convergence
  • c1e903b fix(quinn): handle overdue timers without polling the async timer
  • b3b20e1 quinn-udp: allow to use windows-sys 0.61
  • 6f03ca3 quinn-proto: drop Initials silently when saturated
  • 41c8527 quinn: fix ref count logic for ConnectionRef and EndpointRef
  • 73ea1dd Remove RecvStreams from blocked_readers on stop
  • cf16bfd Early return in RecvStream::drop()
  • af2e4e5 Fix the (pre-existing) rightward drift by inverting conditions
  • Additional commits viewable in compare view

Updates rand from 0.8.5 to 0.8.6

Changelog

Sourced from rand's changelog.

[0.8.6] - 2026-04-14

This release back-ports a fix from v0.10. See also #1763.

Changes

  • Deprecate feature log (#1772)

#1763: rust-random/rand#1763 #1772: rust-random/rand#1772

  • Drop the experimental simd_support feature.
Commits
  • 5309f25 0.8.6 (#1772): update for recent nightly rustc and backport #1764
  • 1126d03 When testing rustc 1.36, use compatible dependencies.
  • 143b602 Add Cargo.lock.msrv.
  • 9be86f2 Fix cross build test.
  • 5e0d50d Drop simd_support.
  • 8ff02f0 Upgrade cache action.
  • 4ad0cc3 Don't test for unsupported target architecture.
  • 258e6d0 Address warning.
  • 9f0e676 Mark some internal traits as potentially unused.
  • 6f123c1 Workaround never constructed and never used warning.
  • Additional commits viewable in compare view

Updates risc0-zkvm-platform from 1.2.6 to 2.2.2

Release notes

Sourced from risc0-zkvm-platform's releases.

v2.2.0

Fixes GHSA-f6rc-24x4-ppxp

v2.1.0

Fixes GHSA-g3qg-6746-3mg9

v2.0.2

This release provides several hotfixes for 2.0.X

  • Fix issue with creating segments where the RSA BigInt precompile could cause splitting to fail with self.segment_cycles() < segment_limit
  • Fix issue where we weren't escaping rustc CLI arguments when building guests with docker
  • Fix issue where sys_read would write past the end of the given buffer resulting in heap data-structure corruption causing a StoreAddressMisaligned error later.
  • Add support for getrandom 0.3 for guests
  • Return an error instead of silently ignore if sha-256 is used for the hashfn option in ProverOpts. This became unsupported with 2.0.0.
  • Don't error in the profiler if it gets confused about the guest stack. This previously caused execution to fail with attempted to follow a return with an empty call stack if profiling is enabled

v2.0.1

Contains the following fixes:

  • risc0-build: support for Rust 1.85
  • risc0-build: make docker container tag configurable
  • risc0-circuit-rv32im: Account for missing ControlDone cycle in executor
  • risc0-circuit-keccak: Statically link in liblzma
  • Bump various version numbers to allow yanking of certain 1.4.X crates which are causing 1.2.X compilation issues

v2.0.0

v2.0.0 (2025-03-25)

Security

  • Updated verifier contract to allow segment size of PO2=22. For details on security impacts see risc0/risc0#2849.

🔥 Performance Improvements

  • New v2 circuit with reduced paging costs and other performance improvements
  • prover: enabling segment size of PO2=22 to improve hardware utilization.
  • keccak: drop accumulation of input keccak states in the guest.
  • bigint: replace num-bigint with better-performing ibig for bibc evaluator
  • Implement union predicate to allow parallel keccak proving.
  • Implement precompiles for bn254 arithmetic using the subtrate-bn crate.
  • Implement precompiles for bls12-381 arithmetic using the zkcrypto/bls12-381 crate.
  • Replace numb-bigint and crypto-bigint with malachite on the host.
  • ZKVM-1122: implement dev-mode for union/keccak proofs

Fixes

  • Emulator: validate address range before allocating to_guest vector to avoid unnecessary allocations.
  • Emulator: require addresses used by ecall_sha, ecall_bigint, and ecall_bigint2 to be aligned to ensure that proving and emulation will both fail.
  • stark2snark: fix snarkjs public signals length.
  • ffi: add arguments length checks to generate better error messages.

... (truncated)

Commits

Updates rustls-webpki from 0.103.9 to 0.103.13

Release notes

Sourced from rustls-webpki's releases.

0.103.13

  • Fix reachable panic in parsing a CRL. This was reported to us as GHSA-82j2-j2ch-gfr8. Users who don't use CRLs are not affected.
  • For name constraints on URI names, we incorrectly processed excluded subtrees in a way which inverted the desired meaning. See rustls/webpki#471. This was a case missing in the fix for GHSA-965h-392x-2mh5.

What's Changed

Full Changelog: rustls/webpki@v/0.103.12...v/0.103.13

0.103.12

This release fixes two bugs in name constraint enforcement:

  • GHSA-965h-392x-2mh5: name constraints for URI names were ignored and therefore accepted. URI name constraints are now rejected unconditionally. Note this library does not provide an API for asserting URI names, and URI name constraints are otherwise not implemented.
  • GHSA-xgp8-3hg3-c2mh: permitted subtree name constraints for DNS names were accepted for certificates asserting a wildcard name. This was incorrect because, given a name constraint of accept.example.com, *.example.com could feasibly allow a name of reject.example.com which is outside the constraint. This is very similar to CVE-2025-61727.

Since name constraints are restrictions on otherwise properly-issued certificates, these bugs are reachable only after signature verification and require misissuance to exploit.

What's Changed

Full Changelog: rustls/webpki@v/0.103.11...v/0.103.12

0.103.11

In response to #464, we've slightly relaxed requirements for anchor_from_trust_cert() to ignore unknown extensions even if they're marked as critical. This only affects parsing a TrustAnchor from DER, for which most extensions are ignored anyway.

What's Changed

0.103.10

Correct selection of candidate CRLs by Distribution Point and Issuing Distribution Point. If a certificate had more than one distributionPoint, then only the first distributionPoint would be considered against each CRL's IssuingDistributionPoint distributionPoint, and then the certificate's subsequent distributionPoints would be ignored.

The impact was that correctly provided CRLs would not be consulted to check revocation. With UnknownStatusPolicy::Deny (the default) this would lead to incorrect but safe Error::UnknownRevocationStatus. With UnknownStatusPolicy::Allow this would lead to inappropriate acceptance of revoked certificates.

This vulnerability is thought to be of limited impact. This is because both the certificate and CRL are signed -- an attacker would need to compromise a trusted issuing authority to trigger this bug. An attacker with such capabilities could likely bypass revocation checking through other more impactful means (such as publishing a valid, empty CRL.)

More likely, this bug would be latent in normal use, and an attacker could leverage faulty revocation checking to continue using a revoked credential.

This vulnerability is identified by GHSA-pwjx-qhcg-rvj4. Thank you to @​1seal for the report.

What's Changed

Full Changelog: rustls/webpki@v/0.103.9...v/0.103.10

Commits
  • 2879b2c Prepare 0.103.13
  • 2c49773 Improve tests for padding of BitStringFlags
  • 4e3c0b3 Correct validation of BIT STRING constraints
  • 39c91d2 Actually fail closed for URI matching against excluded subtrees
  • 27131d4 Bump version to 0.103.12
  • 6ecb876 Clean up stuttery enum variant names
  • 318b3e6 Ignore wildcard labels when matching name constraints
  • 1219622 Rewrite constraint matching to avoid permissive catch-all branch
  • 57bc62c Bump version to 0.103.11
  • d0fa01e Allow parsing trust anchors with unknown criticial extensions
  • Additional commits viewable in compare view

Updates rand from 0.8.5 to 0.8.6

Changelog

Sourced from rand's changelog.

[0.8.6] - 2026-04-14

This release back-ports a fix from v0.10. See also #1763.

Changes

  • Deprecate feature log (#1772)

#1763: rust-random/rand#1763 #1772: rust-random/rand#1772

  • Drop the experimental simd_support feature.
Commits
  • 5309f25 0.8.6 (#1772): update for recent nightly rustc and backport #1764
  • 1126d03 When testing rustc 1.36, use compatible dependencies.
  • 143b602 Add Cargo.lock.msrv.
  • 9be86f2 Fix cross build test.
  • 5e0d50d Drop simd_support.
  • 8ff02f0 Upgrade cache action.
  • 4ad0cc3 Don't test for unsupported target architecture.
  • 258e6d0 Address warning.
  • 9f0e676 Mark some internal traits as potentially unused.
  • 6f123c1 Workaround never constructed and never used warning.
  • Additional commits viewable in compare view

Updates risc0-zkvm-platform from 1.2.6 to 2.2.2

Release notes

Sourced from risc0-zkvm-platform's releases.

v2.2.0

Fixes GHSA-f6rc-24x4-ppxp

v2.1.0

Fixes GHSA-g3qg-6746-3mg9

v2.0.2

This release provides several hotfixes for 2.0.X

  • Fix issue with creating segments where the RSA BigInt precompile could cause splitting to fail with self.segment_cycles() < segment_limit
  • Fix issue where we weren't escaping rustc CLI arguments when building guests with docker
  • Fix issue where sys_read would write past the end of the given buffer resulting in heap data-structure corruption causing a StoreAddressMisaligned error later.
  • Add support for getrandom 0.3 for guests
  • Return an error instead of silently ignore if sha-256 is used for the hashfn option in ProverOpts. This became unsupported with 2.0.0.
  • Don't error in the profiler if it gets confused about the guest stack. This previously caused execution to fail with attempted to follow a return with an empty call stack if profiling is enabled

v2.0.1

Contains the following fixes:

  • risc0-build: support for Rust 1.85
  • risc0-build: make docker container tag configurable
  • risc0-circuit-rv32im: Account for missing ControlDone cycle in executor
  • risc0-circuit-keccak: Statically link in liblzma
  • Bump various version numbers to allow yanking of certain 1.4.X crates which are causing 1.2.X compilation issues

v2.0.0

v2.0.0 (2025-03-25)

Security

  • Updated verifier contract to allow segment size of PO2=22. For details on security impacts see risc0/risc0#2849.

🔥 Performance Improvements

  • New v2 circuit with reduced paging costs and other performance improvements
  • prover: enabling segment size of PO2=22 to improve hardware utilization.
  • keccak: drop accumulation of input keccak states in the guest.
  • bigint: replace num-bigint with better-performing ibig for bibc evaluator
  • Implement union predicate to allow parallel keccak proving.
  • Implement precompiles for bn254 arithmetic using the subtrate-bn crate.
  • Implement precompiles for bls12-381 arithmetic using the zkcrypto/bls12-381 crate.
  • Replace numb-bigint and crypto-bigint with malachite on the host.
  • ZKVM-1122: implement dev-mode for union/keccak proofs

Fixes

  • Emulator: validate address range before allocating to_guest vector to avoid unnecessary allocations.
  • Emulator: require addresses used by ecall_sha, ecall_bigint, and ecall_bigint2 to be aligned to ensure that proving and emulation will both fail.
  • stark2snark: fix snarkjs public signals length.
  • ffi: add arguments length checks to generate better error messages.

... (truncated)

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps the cargo group with 3 updates in the /proofs directory: [quinn-proto](https://github.com/quinn-rs/quinn), [rand](https://github.com/rust-random/rand) and [rustls-webpki](https://github.com/rustls/webpki).
Bumps the cargo group with 1 update in the /proofs/risc0-host/risc0-guest directory: [rand](https://github.com/rust-random/rand).


Updates `quinn-proto` from 0.11.13 to 0.11.15
- [Release notes](https://github.com/quinn-rs/quinn/releases)
- [Commits](quinn-rs/quinn@quinn-proto-0.11.13...quinn-proto-0.11.15)

Updates `rand` from 0.8.5 to 0.8.6
- [Release notes](https://github.com/rust-random/rand/releases)
- [Changelog](https://github.com/rust-random/rand/blob/0.8.6/CHANGELOG.md)
- [Commits](rust-random/rand@0.8.5...0.8.6)

Updates `risc0-zkvm-platform` from 1.2.6 to 2.2.2
- [Release notes](https://github.com/risc0/risc0/releases)
- [Changelog](https://github.com/risc0/risc0/blob/main/CHANGELOG.md)
- [Commits](https://github.com/risc0/risc0/commits)

Updates `rustls-webpki` from 0.103.9 to 0.103.13
- [Release notes](https://github.com/rustls/webpki/releases)
- [Commits](rustls/webpki@v/0.103.9...v/0.103.13)

Updates `rand` from 0.8.5 to 0.8.6
- [Release notes](https://github.com/rust-random/rand/releases)
- [Changelog](https://github.com/rust-random/rand/blob/0.8.6/CHANGELOG.md)
- [Commits](rust-random/rand@0.8.5...0.8.6)

Updates `risc0-zkvm-platform` from 1.2.6 to 2.2.2
- [Release notes](https://github.com/risc0/risc0/releases)
- [Changelog](https://github.com/risc0/risc0/blob/main/CHANGELOG.md)
- [Commits](https://github.com/risc0/risc0/commits)

---
updated-dependencies:
- dependency-name: quinn-proto
  dependency-version: 0.11.15
  dependency-type: indirect
  dependency-group: cargo
- dependency-name: rand
  dependency-version: 0.8.6
  dependency-type: indirect
  dependency-group: cargo
- dependency-name: risc0-zkvm-platform
  dependency-version: 2.2.2
  dependency-type: indirect
  dependency-group: cargo
- dependency-name: rustls-webpki
  dependency-version: 0.103.13
  dependency-type: indirect
  dependency-group: cargo
- dependency-name: rand
  dependency-version: 0.8.6
  dependency-type: indirect
  dependency-group: cargo
- dependency-name: risc0-zkvm-platform
  dependency-version: 2.2.2
  dependency-type: indirect
  dependency-group: cargo
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file rust rust labels Jun 29, 2026
@cloudflare-workers-and-pages

cloudflare-workers-and-pages Bot commented Jun 29, 2026

Copy link
Copy Markdown

Deploying raxion with  Cloudflare Pages  Cloudflare Pages

Latest commit: d5e30bd
Status:🚫  Build failed.

View logs

@rodrigooler rodrigooler merged commit 3dc9f11 into main Jun 29, 2026
5 of 6 checks passed
@dependabot dependabot Bot deleted the dependabot/cargo/proofs/cargo-2c5d6cbc71 branch June 29, 2026 04:40
@sonarqubecloud

Copy link
Copy Markdown

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file rust rust

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant