Bump the major group across 1 directory with 8 updates

[dependabot]

Bumps the major group with 8 updates in the / directory:

Package	From	To
rand	0.8.5	0.9.4
ctor	0.5.0	0.10.1
sha2	0.10.9	0.11.0
itertools	0.13.0	0.14.0
darling	0.20.10	0.23.0
macro-string	0.1.4	0.2.0
thiserror	1.0.63	2.0.18
wasmparser	0.116.1	0.221.3

Updates rand from 0.8.5 to 0.9.4

Changelog

Sourced from rand's changelog.

[0.9.4] — 2026-04-13

Fixes

• Fix doc build (#1766)

#1766: rust-random/rand#1766

[0.9.3] — 2026-04-11

This release back-ports a fix from v0.10. See also #1763.

Changes

• Deprecate feature log (#1764)
• Replace usages of doc_auto_cfg (#1764)

#1763: rust-random/rand#1763

[0.9.2] — 2025-07-20

Deprecated

• Deprecate rand::rngs::mock module and StepRng generator (#1634)

Additions

• Enable WeightedIndex<usize> (de)serialization (#1646)

[0.9.1] - 2025-04-17

Security and unsafe

• Revise "not a crypto library" policy again (#1565)
• Remove zerocopy dependency from rand (#1579)

Fixes

• Fix feature simd_support for recent nightly rust (#1586)

Changes

• Allow fn rand::seq::index::sample_weighted and fn IndexedRandom::choose_multiple_weighted to return fewer than amount results (#1623), reverting an undocumented change (#1382) to the previous release.

Additions

• Add rand::distr::Alphabetic distribution. (#1587)
• Re-export rand_core (#1604)

[0.9.0] - 2025-01-27

Security and unsafe

• Policy: "rand is not a crypto library" (#1514)
• Remove fork-protection from ReseedingRng and ThreadRng. Instead, it is recommended to call ThreadRng::reseed on fork. (#1379)
• Use zerocopy to replace some unsafe code (#1349, #1393, #1446, #1502)

Dependencies

• Bump the MSRV to 1.63.0 (#1207, #1246, #1269, #1341, #1416, #1536); note that 1.60.0 may work for dependents when using --ignore-rust-version
• Update to rand_core v0.9.0 (#1558)

Features

• Support std feature without getrandom or rand_chacha (#1354)
• Enable feature small_rng by default (#1455)

... (truncated)

Commits

• ba4c4c6 Prepare v0.9.4: fix doc build (#1766)
• 4b8b686 Document new error-handling behaviour for ReseedingRng
• 6c25c6d Prepare v0.9.4: fix doc build
• 1aeee9f Prepare v0.9.3: deprecate feature log (#1764)
• 98473ee Prepare rand 0.9.2 (#1648)
• 031a1f5 examples/print-next.rs (#1647)
• 6cb75ee Make UniformUsize serializable (#1646)
• 0c955c5 Add some tests for BlockRng, BlockRng64 and Xoshiro RNGs (#1639)
• 204084a Fix: Remove accidental editor swap file (#1636)
• 86262ac Deprecate rand::rngs::mock module and StepRng (#1634)
• Additional commits viewable in compare view

Updates ctor from 0.5.0 to 0.10.1

Changelog

Sourced from ctor's changelog.

ctor [0.10.1] - 2026-04-22

dtor [0.8.1] - 2026-04-22

link-section [0.2.1] - 2026-04-22

Added

• Included licenses in all files.
• Bumped proc-macro dependency versions.
• dtor crate exports native module with at_binary_exit and at_library_exit functions.

Fixed

• Fix MSRV in ctor docs.
• Various hardening fixes under Miri.
• Adding priority to ctors accidentally enabled the anonymous flag.

Changed

• link-section crate no longer offers const section pointers.
• ctor exports all dtor macros from dtor crate rather than reimplementing them.

Commits

• See full diff in compare view

Updates sha2 from 0.10.9 to 0.11.0

Commits

• ffe0939 Release sha2 0.11.0 (#806)
• 8991b65 Use the standard order of the [package] section fields (#807)
• 3d2bc57 sha2: refactor backends (#802)
• faa55fb sha3: bump keccak to v0.2 (#803)
• d3e6489 sha3 v0.11.0-rc.9 (#801)
• bbf6f51 sha2: tweak backend docs (#800)
• 155dbbf sha3: add default value for the DS generic parameter on TurboShake128/256...
• ed514f2 Use published version of keccak v0.2 (#799)
• 702bcd8 Migrate to closure-based keccak (#796)
• 827c043 sha3 v0.11.0-rc.8 (#794)
• Additional commits viewable in compare view

Updates itertools from 0.13.0 to 0.14.0

Changelog

Sourced from itertools's changelog.

0.14.0

Breaking

• Increased MSRV to 1.63.0 (#960)
• Removed generic parameter from cons_tuples (#988)

Added

• Added array_combinations (#991)
• Added k_smallest_relaxed and variants (#925)
• Added next_array and collect_array (#560)
• Implemented DoubleEndedIterator for FilterOk (#948)
• Implemented DoubleEndedIterator for FilterMapOk (#950)

Changed

• Allow Q: ?Sized in Itertools::contains (#971)
• Improved hygiene of chain! (#943)
• Improved into_group_map_by documentation (#1000)
• Improved tree_reduce documentation (#955)
• Improved discoverability of merge_join_by (#966)
• Improved discoverability of take_while_inclusive (#972)
• Improved documentation of find_or_last and find_or_first (#984)
• Prevented exponentially large type sizes in tuple_combinations (#945)
• Added track_caller attr for asser_equal (#976)

Notable Internal Changes

• Fixed clippy lints (#956, #987, #1008)
• Addressed warnings within doctests (#964)
• CI: Run most tests with miri (#961)
• CI: Speed up "cargo-semver-checks" action (#938)
• Changed an instance of default_features in Cargo.toml to default-features (#985)

Commits

• a015a68 Add next_array and collect_array
• a1213e1 Prepare v0.14.0 release
• ff0c942 fix clippy lints
• f80883b Fix into_group_map_by documentation errors
• b793238 Add track_caller for asser_equal
• 5d4056b default_features is deprecated - switch it to default-features
• a447b68 doc for added trait
• d0479b0 "nitpicks"
• 35c78ce IndexMut -> BorrowMut<slice>
• deb53ba refactored to share code
• Additional commits viewable in compare view

Updates darling from 0.20.10 to 0.23.0

Release notes

Sourced from darling's releases.

v0.23.0

• Bump MSRV to 1.88.0; there have been no code changes that caused this, but due to dependency issues CI no longer works on 1.56.0 #357
• Revert dependency version pins which caused problems #385

v0.22.0

YANKED Pinned dependencies made this version cause conflicts with other crates.

• BREAKING: Remove fnv dependency, as runtime performance gain does not justify additional dependency. This was exposed to users of darling::usage, so it may be breaking for them #373
• Add #[darling(default = || expr(val))] support, allowing a closure where a path was previously required #380
• Preserve span information for paths given to darling::util::Callable as literal strings
• Fix some documentation typos

v0.21.3

• Fix: Forward Override::<T>::from_expr to T::from_expr #371

v0.21.2

• Add #[darling(from_expr = ...)] when deriving FromMeta to support overriding the key-value form #369
• Keep parsing the body and type params even if there are errors from parsing attributes. #7
• Support #[darling(with = ...)] on the generics field when deriving FromDeriveInput.
• Return an error, rather than panicking, when doing shape validation on a union. #365

v0.21.1

• Track all alternate field names, and show them in error message if there aren't too many. #325
• Track all alternate values for enum variants, and show them in error messages if there aren't too many. #362

v0.21.0

• Potentially breaking: Emit error when an attribute path is present in both attributes and forward_attrs. #336
• Support parsing attributes which contain keywords #238
• Add SpannedValue::into_inner #342
• Add #[darling(derive_syn_parse)] to also impl syn::parse::Parse when deriving FromMeta #285
• Make impl FromMeta for syn::TypePath support both quote-wrapped and bare values #351
• Add util::PreservedStrExpr #346
• Impl UsesTypeParams and UsesLifetimes for WithOriginal #215
• Update error message emitted by <() as FromMeta>::from_list to allow use of () as a #[darling(flatten)] target #353

v0.20.11

• Support #[darling(with = ...)] on the data field when deriving FromDeriveInput. This allows the use of simpler receiver types, such as a Vec of enum variants.
• Bump version of proc-macro2 to 1.0.86.
• Accept closures for #[darling(with = ...)] on fields in FromDeriveInput, FromMeta, FromField, etc. #309
• Add darling::util::Callable to accept a path or closure as a meta-item expression
• Add #[darling(from_word = ...)] and #[darling(from_none = ...)] to control shorthand and fallback behaviors for structs and enums deriving FromMeta #320
• Add FromMeta impl for syn::ExprRange #329

Changelog

Sourced from darling's changelog.

v0.23.0 (December 3, 2025)

• Bump MSRV to 1.88.0; there have been no code changes that caused this, but due to dependency issues CI no longer works on 1.56.0 #357

v0.22.0 (December 2, 2025)

• BREAKING: Remove fnv dependency, as runtime performance gain does not justify additional dependency. This was exposed to users of darling::usage, so it may be breaking for them #373
• Add #[darling(default = || expr(val))] support, allowing a closure where a path was previously required #380
• Preserve span information for paths given to darling::util::Callable as literal strings
• Fix some documentation typos

v0.21.3 (August 22, 2025)

• Fix: Forward Override::<T>::from_expr to T::from_expr #371

v0.21.2 (August 14, 2025)

• Add #[darling(from_expr = ...)] when deriving FromMeta to support overriding the key-value form #369
• Keep parsing the body and type params even if there are errors from parsing attributes. #7
• Support #[darling(with = ...)] on the generics field when deriving FromDeriveInput.
• Return an error, rather than panicking, when doing shape validation on a union. #365

v0.21.1 (August 4, 2025)

• Track all alternate field names, and show them in error message if there aren't too many. #325
• Track all alternate values for enum variants, and show them in error messages if there aren't too many. #362

v0.21.0 (July 10, 2025)

• Potentially breaking: Emit error when an attribute path is present in both attributes and forward_attrs. #336
• Support parsing attributes which contain keywords #238
• Add SpannedValue::into_inner #342
• Add #[darling(derive_syn_parse)] to also impl syn::parse::Parse when deriving FromMeta #285
• Make impl FromMeta for syn::TypePath support both quote-wrapped and bare values #351
• Add util::PreservedStrExpr #346
• Impl UsesTypeParams and UsesLifetimes for WithOriginal #215
• Update error message emitted by <() as FromMeta>::from_list to allow use of () as a #[darling(flatten)] target #353

v0.20.11 (March 28, 2025)

• Support #[darling(with = ...)] on the data field when deriving FromDeriveInput. This allows the use of simpler receiver types, such as a Vec of enum variants.
• Bump version of proc-macro2 to 1.0.86.
• Accept closures for #[darling(with = ...)] on fields in FromDeriveInput, FromMeta, FromField, etc. #309
• Add darling::util::Callable to accept a path or closure as a meta-item expression
• Add #[darling(from_word = ...)] and #[darling(from_none = ...)] to control shorthand and fallback behaviors for structs and enums deriving FromMeta #320
• Add FromMeta impl for syn::ExprRange #329

Commits

• cfef4e5 Update compiletests to rustc 1.88.0
• 334ee48 Bump version to 0.23.0
• 858b869 Bump MSRV to 1.88.0
• dd9cb44 Bump CI tests to 1.88.0
• 4e57762 Revert "Lock quote version"
• 775a523 Revert "Lock min version of proc-macro2"
• 3947278 Bump version to 0.22.0
• cd33f9b chore: fix some minor issues in the comments
• 2ca795b docs: fix minor typo in top-level doc comment ('its' → 'it’s')
• 878b5ba Lock min version of proc-macro2
• Additional commits viewable in compare view

Updates macro-string from 0.1.4 to 0.2.0

Release notes

Sourced from macro-string's releases.

0.2.0

• Support cloning MacroString (#26)
• Split parsing and eval (#27)
• Provide method to produce correctly spanned error (#28)

Commits

• 82ed150 Release 0.2.0
• 80750cf Merge pull request #28 from dtolnay/error
• 9c09b26 Provide method to produce correctly spanned error
• 894316f Merge pull request #27 from dtolnay/eval
• 377fd57 Split parsing and eval
• f2eea0f Merge pull request #26 from dtolnay/clone
• ed20bf9 Support cloning MacroString
• ff33555 Raise required compiler to Rust 1.71
• 0426310 Update actions/upload-artifact@v5 -> v6
• 3c0b22a Update actions/upload-artifact@v4 -> v5
• Additional commits viewable in compare view

Updates thiserror from 1.0.63 to 2.0.18

Release notes

Sourced from thiserror's releases.

2.0.18

• Make compatible with project-level needless_lifetimes = "forbid" (#443, thanks @​LucaCappelletti94)

2.0.17

• Use differently named __private module per patch release (#434)

2.0.16

• Add to "no-std" crates.io category (#429)

2.0.15

• Prevent Error::provide API becoming unavailable from a future new compiler lint (#427)

2.0.14

• Allow build-script cleanup failure with NFSv3 output directory to be non-fatal (#426)

2.0.13

• Documentation improvements

2.0.12

• Prevent elidable_lifetime_names pedantic clippy lint in generated impl (#413)

2.0.11

• Add feature gate to tests that use std (#409, #410, thanks @​Maytha8)

2.0.10

• Support errors containing a generic type parameter's associated type in a field (#408)

2.0.9

• Work around missing_inline_in_public_items clippy restriction being triggered in macro-generated code (#404)

2.0.8

• Improve support for macro-generated derive(Error) call sites (#399)

2.0.7

• Work around conflict with #[deny(clippy::allow_attributes)] (#397, thanks @​zertosh)

2.0.6

• Suppress deprecation warning on generated From impls (#396)

2.0.5

• Prevent deprecation warning on generated impl for deprecated type (#394)

2.0.4

• Eliminate needless_lifetimes clippy lint in generated From impls (#391, thanks @​matt-phylum)

2.0.3

• Support the same Path field being repeated in both Debug and Display representation in error message (#383)
• Improve error message when a format trait used in error message is not implemented by some field (#384)

2.0.2

... (truncated)

Commits

• dc0f6a2 Release 2.0.18
• 0275292 Touch up PR 443
• 3c33bc6 Merge pull request #443 from LucaCappelletti94/master
• 995939c Reproduce issue 442
• 21653d1 Made clippy lifetime allows conditional
• 45e5388 Update actions/upload-artifact@v5 -> v6
• 386aac1 Update actions/upload-artifact@v4 -> v5
• ec50561 Update actions/checkout@v5 -> v6
• 247eab5 Update name of empty_enum clippy lint
• 91b181f Raise required compiler to Rust 1.68
• Additional commits viewable in compare view

Updates wasmparser from 0.116.1 to 0.221.3

Commits

• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	wasmparser@​0.221.3
	thiserror@​1.0.63 ⏵ 2.0.18
	ctor@​0.10.1
	itertools@​0.14.0
	macro-string@​0.2.0
	rand@​0.9.4
	sha2@​0.11.0
	darling@​0.20.10 ⏵ 0.23.0

View full report

[dependabot]

This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.

To ignore these dependencies, configure ignore rules in dependabot.yml