
Bump the cargo group across 1 directory with 14 updates#2275

Merged
Eliah Kagan (EliahKagan) merged 1 commit intomainfrom
dependabot/cargo/cargo-92eaa62a2e
Nov 28, 2025

Conversation


@dependabot dependabot bot commented on behalf of github Nov 28, 2025

Bumps the cargo group with 13 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| tracing-forest | 0.1.6 | 0.2.0 |
| winnow | 0.7.13 | 0.7.14 |
| bytesize | 2.3.0 | 2.3.1 |
| tracing-core | 0.1.34 | 0.1.35 |
| insta | 1.44.1 | 1.44.3 |
| zip | 5.1.1 | 6.0.0 |
| crc | 3.3.0 | 3.4.0 |
| cc | 1.2.47 | 1.2.48 |
| http | 1.3.1 | 1.4.0 |
| rustls-pki-types | 1.13.0 | 1.13.1 |
| tower-http | 0.6.6 | 0.6.7 |
| tracing-attributes | 0.1.30 | 0.1.31 |
| zerocopy | 0.8.28 | 0.8.30 |

Updates tracing-forest from 0.1.6 to 0.2.0

Commits

Updates winnow from 0.7.13 to 0.7.14

Changelog

Sourced from winnow's changelog.

[0.7.14] - 2025-11-26

Features

  • Add combinator::expression parser for parsing expressions with precedence (a pratt parser)
Commits
  • faa6214 chore: Release
  • 5b3b7a9 docs: Update changelog
  • fca75c5 Merge pull request #804 from ssmendon/ssmendon-pratt-pr
  • 9aef8d2 feat: Add a Pratt parser
  • 716ff2e Merge pull request #846 from clint-white/fix-typos-in-docs
  • 3040b97 docs(tutorial): Add missing word
  • 1b50ab4 docs(ref): Fix typo: add missing period
  • c56d4fb Merge pull request #841 from winnow-rs/renovate/actions-checkout-5.x
  • ffb90ad chore(deps): Update actions/checkout action to v5
  • de4f84b Merge pull request #842 from winnow-rs/renovate/actions-setup-python-6.x
  • Additional commits viewable in compare view

Updates bytesize from 2.3.0 to 2.3.1

Release notes

Sourced from bytesize's releases.

bytesize: v2.3.1

  • Fix unit truncation in error strings.
Changelog

Sourced from bytesize's changelog.

2.3.1

  • Fix unit truncation in error strings.
Commits

Updates tracing-core from 0.1.34 to 0.1.35

Release notes

Sourced from tracing-core's releases.

tracing-core 0.1.35

Added

  • Switch to unconditional no_std (#3323)
  • Improve code generation at trace points significantly (#3398)

Fixed

  • Add missing dyn keyword in Visit documentation code sample (#3387)

Documented

  • Add favicon for extra pretty docs (#3351)

#3323: tokio-rs/tracing#3323 #3351: tokio-rs/tracing#3351 #3387: tokio-rs/tracing#3387 #3398: tokio-rs/tracing#3398

Commits
  • d92b4c0 chore: prepare tracing-core 0.1.35 (#3414)
  • 9751b6e chore: run tracing-subscriber tests with all features (#3412)
  • efa0169 mock: add doctests for on_register_dispatch negative cases (#3416)
  • a093858 docs: fix link in FmtSpan docs (#3411)
  • 976fa55 mock: add test case for layer not calling on_register_dispatch (#3415)
  • 8bc008c fix(subscriber): make Layered propagate on_register_dispatch (#3379)
  • adbd8a4 appender: fix max_files integer underflow when set to zero (#3348)
  • 2a8b040 chore: add Hayden (@​hds) to codeowners (#3410)
  • cf5c2bd subscriber: remove clone_span on enter (#3289)
  • c287c84 subscriber: change registry exit to decrement local span ref only (#3331)
  • Additional commits viewable in compare view

Updates insta from 1.44.1 to 1.44.3

Release notes

Sourced from insta's releases.

1.44.3

Release Notes

  • Fix a regression in 1.44.2 where merge conflict detection was too aggressive, incorrectly flagging snapshot content containing ====== or similar patterns as conflicts. #832
  • Fix a regression in 1.42.2 where inline snapshot updates would corrupt the file when code preceded the macro (e.g., let output = assert_snapshot!(...)). #833

Install cargo-insta 1.44.3

Install prebuilt binaries via shell script

curl --proto '=https' --tlsv1.2 -LsSf https://github.com/mitsuhiko/insta/releases/download/1.44.3/cargo-insta-installer.sh | sh

Install prebuilt binaries via powershell script

powershell -ExecutionPolicy Bypass -c "irm https://github.com/mitsuhiko/insta/releases/download/1.44.3/cargo-insta-installer.ps1 | iex"

Download cargo-insta 1.44.3

| File | Platform | Checksum |
| --- | --- | --- |
| cargo-insta-aarch64-apple-darwin.tar.xz | Apple Silicon macOS | checksum |
| cargo-insta-x86_64-apple-darwin.tar.xz | Intel macOS | checksum |
| cargo-insta-x86_64-pc-windows-msvc.zip | x64 Windows | checksum |
| cargo-insta-x86_64-unknown-linux-gnu.tar.xz | x64 Linux | checksum |
| cargo-insta-x86_64-unknown-linux-musl.tar.xz | x64 MUSL Linux | checksum |

1.44.2

Release Notes

  • Fix a rare backward compatibility issue where inline snapshots using an uncommon legacy format (single-line content stored in multiline raw strings) could fail to match after 1.44.0. #830
  • Handle merge conflicts in snapshot files gracefully. When a snapshot file contains git merge conflict markers, insta now detects them and treats the snapshot as missing, allowing tests to continue and create a new pending snapshot for review. #829
  • Skip nextest_doctest tests when cargo-nextest is not installed. #826
  • Fix functional tests failing under nextest due to inherited NEXTEST_RUN_ID environment variable. #824

Install cargo-insta 1.44.2

Install prebuilt binaries via shell script

curl --proto '=https' --tlsv1.2 -LsSf https://github.com/mitsuhiko/insta/releases/download/1.44.2/cargo-insta-installer.sh | sh

Install prebuilt binaries via powershell script

powershell -ExecutionPolicy Bypass -c "irm https://github.com/mitsuhiko/insta/releases/download/1.44.2/cargo-insta-installer.ps1 | iex"

... (truncated)

Changelog

Sourced from insta's changelog.

1.44.3

  • Fix a regression in 1.44.2 where merge conflict detection was too aggressive, incorrectly flagging snapshot content containing ====== or similar patterns as conflicts. #832
  • Fix a regression in 1.42.2 where inline snapshot updates would corrupt the file when code preceded the macro (e.g., let output = assert_snapshot!(...)). #833

1.44.2

  • Fix a rare backward compatibility issue where inline snapshots using an uncommon legacy format (single-line content stored in multiline raw strings) could fail to match after 1.44.0. #830
  • Handle merge conflicts in snapshot files gracefully. When a snapshot file contains git merge conflict markers, insta now detects them and treats the snapshot as missing, allowing tests to continue and create a new pending snapshot for review. #829
  • Skip nextest_doctest tests when cargo-nextest is not installed. #826
  • Fix functional tests failing under nextest due to inherited NEXTEST_RUN_ID environment variable. #824
Commits
  • dcbb11f Prepare release 1.44.3 (#838)
  • 3b9ec12 Refine test name & description (#837)
  • ee4e1ea Handle unparsable snapshot files gracefully (#836)
  • 778f733 Fix for code before macros, such as let foo = assert_snapshot! (#835)
  • 6cb41af Prepare release 1.44.2 (#831)
  • 8838b2f Handle merge conflicts in snapshot files gracefully (#829)
  • e55ce99 Fix backward compatibility for legacy inline snapshot format (#830)
  • d44dd42 Skip nextest_doctest tests when cargo-nextest is not installed (#826)
  • a711baf Fix functional tests failing under nextest (#824)
  • See full diff in compare view

Updates zip from 5.1.1 to 6.0.0

Release notes

Sourced from zip's releases.

v6.0.0

🐛 Bug Fixes

  • panic when reading empty extended-timestamp field (#404) (#422)
  • Restore original file timestamp when unzipping with chrono (#46)

⚙️ Miscellaneous Tasks

  • Configure Amazon Q rules (#421)
Changelog

Sourced from zip's changelog.

6.0.0 - 2025-10-09

🚀 Features

  • Add by_index_with_options(), which can be used to ignore encryption in a file's metadata (#439) and may be used for other file-specific overrides in the future.

⚙️ Miscellaneous Tasks

  • [breaking] FileOptions::add_extra_data is now generic and accepts any AsRef<[u8]>. (#435)
Commits
  • abfc23d feat: Upgrade [Extended]FileOptions::add_extra_data() data from Box<[u8]> to ...
  • eb1b586 docs: Update zip_writer documentation example (#431)
  • 26e6e08 feat: Add by_index_with_options() for ignoring encryption (#439)
  • 165415d chore(deps): update nt-time requirement from 0.10.6 to 0.12.1 (#429)
  • 1d5d4ed chore(deps): update lzma-rust2 requirement from 0.13 to 0.14 (#432)
  • 72cce40 chore(deps): update nt-time requirement from 0.10.6 to 0.12.1 (#428)
  • 2ef4d3e chore(deps): update nt-time requirement from 0.10.6 to 0.12.1 (#427)
  • 9cf28cb test(ci): Fix: rename can't be skipped
  • 5987cdd test(ci): Fix: need recursive rename
  • 74f8a3c test(ci): Need to rename more files during fuzz runs
  • Additional commits viewable in compare view

Updates crc from 3.3.0 to 3.4.0

Commits

Updates cc from 1.2.47 to 1.2.48

Release notes

Sourced from cc's releases.

cc-v1.2.48

Other

  • Regenerate target info (#1620)
Changelog

Sourced from cc's changelog.

1.2.48 - 2025-11-28

Other

  • Regenerate target info (#1620)
Commits

Updates http from 1.3.1 to 1.4.0

Release notes

Sourced from http's releases.

v1.4.0

Highlights

  • Add StatusCode::EARLY_HINTS constant for 103 Early Hints.
  • Make StatusCode::from_u16 now a const fn.
  • Make Authority::from_static now a const fn.
  • Make PathAndQuery::from_static now a const fn.
  • MSRV increased to 1.57 (allows legible const fn panic messages).

What's Changed

New Contributors

Full Changelog: hyperium/http@v1.3.1...v1.4.0

Changelog

Sourced from http's changelog.

1.4.0 (November 24, 2025)

  • Add StatusCode::EARLY_HINTS constant for 103 Early Hints.
  • Make StatusCode::from_u16 now a const fn.
  • Make Authority::from_static now a const fn.
  • Make PathAndQuery::from_static now a const fn.
  • MSRV increased to 1.57 (allows legible const fn panic messages).
Commits
  • b9625d8 v1.4.0
  • 50b009c refactor(header): inline FNV hasher to reduce dependencies (#796)
  • b370d36 feat(uri): make Authority/PathAndQuery::from_static const (#786)
  • 0d74251 chore(ci): update to actions/checkout@v5 (#800)
  • a760767 docs: remove unnecessary extern crate sentence (#799)
  • fb1d457 refactor(header): use better panic message in const HeaderName and HeaderValu...
  • 20dbd6e feat(status): Add 103 EARLY_HINTS status code (#758)
  • e7a7337 chore: bump MSRV to 1.57
  • 1888e28 tests: downgrade rand back to 0.8 for now
  • 918bbc3 chore: minor improvement for docs (#790)
  • Additional commits viewable in compare view

Updates rustls-pki-types from 1.13.0 to 1.13.1

Release notes

Sourced from rustls-pki-types's releases.

1.13.1

What's Changed

Commits

Updates tower-http from 0.6.6 to 0.6.7

Release notes

Sourced from tower-http's releases.

tower-http-0.6.7

Added

  • TimeoutLayer::with_status_code(status) to define the status code returned when timeout is reached. (#599)

Deprecated

  • auth::require_authorization is too basic for real-world. (#591)
  • TimeoutLayer::new() should be replaced with TimeoutLayer::with_status_code(). (Previously was StatusCode::REQUEST_TIMEOUT) (#599)

Fixed

  • on_eos is now called even for successful responses. (#580)
  • ServeDir: call fallback when filename is invalid (#586)
  • decompression will not fail when body is empty (#618)

#580: tower-rs/tower-http#580 #586: tower-rs/tower-http#586 #591: tower-rs/tower-http#591 #599: tower-rs/tower-http#599 #618: tower-rs/tower-http#618

New Contributors

Full Changelog: tower-rs/tower-http@tower-http-0.6.6...tower-http-0.6.7

Commits
  • 3bf1ba7 v0.6.7
  • 723ca9a fix(decompression): Suppress EOF errors caused by decompressing empty body (#...
  • 8ab9f82 chore(ci): use newer cargo-public-api-crates job (#619)
  • 7cfdf76 doc: Replace doc_auto_cfg with doc_cfg (#609)
  • 50beeaf Add support for custom status code in TimeoutLayer (#599)
  • 35740de deps: Remove unnecessary dev-dependencies (#606)
  • a7eefae ci: Re-enable ci on default branch (#605)
  • 12a5b33 tests: Update to brotli 8 (#603)
  • 0195198 ci: Update to actions/checkout v5 (#604)
  • c757491 examples: Update to axum 0.8 (#602)
  • Additional commits viewable in compare view

Updates tracing-attributes from 0.1.30 to 0.1.31

Release notes

Sourced from tracing-attributes's releases.

tracing-attributes 0.1.31

Added

  • Support constant expressions as instrument field names (#3158)

#3158: tokio-rs/tracing#3158

Commits

Updates zerocopy from 0.8.28 to 0.8.30

Release notes

Sourced from zerocopy's releases.

v0.8.30

UPGRADING NOTE: In #2804, we invert the order of --cfgs passed by our build.rs script. This will be transparent to cargo users, but if you vendor zerocopy and build it by invoking rustc directly, you will need to update your --cfgs. Assuming you're on a relatively recent toolchain, you should simply stop passing any --cfgs when building zerocopy. For more details, see #2259.

What's Changed

Full Changelog: google/zerocopy@v0.8.29...v0.8.30

v0.8.29

What's Changed

Full Changelog: google/zerocopy@v0.8.28...v0.8.29

Commits

Updates zerocopy-derive from 0.8.28 to 0.8.30

Release notes

Sourced from zerocopy-derive's releases.

v0.8.30

UPGRADING NOTE: In #2804, we invert the order of --cfgs passed by our build.rs script. This will be transparent to cargo users, but if you vendor zerocopy and build it by invoking rustc directly, you will need to update your --cfgs. Assuming you're on a relatively recent toolchain, you should simply stop passing any --cfgs when building zerocopy. For more details, see #2259.

What's Changed

Full Changelog: google/zerocopy@v0.8.29...v0.8.30

v0.8.29

What's Changed

Full Changelog: google/zerocopy@v0.8.28...v0.8.29

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the cargo group with 13 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [tracing-forest](https://github.com/QnnOkabayashi/tracing-forest) | `0.1.6` | `0.2.0` |
| [winnow](https://github.com/winnow-rs/winnow) | `0.7.13` | `0.7.14` |
| [bytesize](https://github.com/bytesize-rs/bytesize) | `2.3.0` | `2.3.1` |
| [tracing-core](https://github.com/tokio-rs/tracing) | `0.1.34` | `0.1.35` |
| [insta](https://github.com/mitsuhiko/insta) | `1.44.1` | `1.44.3` |
| [zip](https://github.com/zip-rs/zip2) | `5.1.1` | `6.0.0` |
| [crc](https://github.com/mrhooray/crc-rs) | `3.3.0` | `3.4.0` |
| [cc](https://github.com/rust-lang/cc-rs) | `1.2.47` | `1.2.48` |
| [http](https://github.com/hyperium/http) | `1.3.1` | `1.4.0` |
| [rustls-pki-types](https://github.com/rustls/pki-types) | `1.13.0` | `1.13.1` |
| [tower-http](https://github.com/tower-rs/tower-http) | `0.6.6` | `0.6.7` |
| [tracing-attributes](https://github.com/tokio-rs/tracing) | `0.1.30` | `0.1.31` |
| [zerocopy](https://github.com/google/zerocopy) | `0.8.28` | `0.8.30` |



Updates `tracing-forest` from 0.1.6 to 0.2.0
- [Commits](https://github.com/QnnOkabayashi/tracing-forest/commits)

Updates `winnow` from 0.7.13 to 0.7.14
- [Changelog](https://github.com/winnow-rs/winnow/blob/main/CHANGELOG.md)
- [Commits](winnow-rs/winnow@v0.7.13...v0.7.14)

Updates `bytesize` from 2.3.0 to 2.3.1
- [Release notes](https://github.com/bytesize-rs/bytesize/releases)
- [Changelog](https://github.com/bytesize-rs/bytesize/blob/master/CHANGELOG.md)
- [Commits](bytesize-rs/bytesize@bytesize-v2.3.0...bytesize-v2.3.1)

Updates `tracing-core` from 0.1.34 to 0.1.35
- [Release notes](https://github.com/tokio-rs/tracing/releases)
- [Commits](tokio-rs/tracing@tracing-core-0.1.34...tracing-core-0.1.35)

Updates `insta` from 1.44.1 to 1.44.3
- [Release notes](https://github.com/mitsuhiko/insta/releases)
- [Changelog](https://github.com/mitsuhiko/insta/blob/master/CHANGELOG.md)
- [Commits](mitsuhiko/insta@1.44.1...1.44.3)

Updates `zip` from 5.1.1 to 6.0.0
- [Release notes](https://github.com/zip-rs/zip2/releases)
- [Changelog](https://github.com/zip-rs/zip2/blob/master/CHANGELOG.md)
- [Commits](zip-rs/zip2@v5.1.1...v6.0.0)

Updates `crc` from 3.3.0 to 3.4.0
- [Commits](mrhooray/crc-rs@3.3.0...3.4.0)

Updates `cc` from 1.2.47 to 1.2.48
- [Release notes](https://github.com/rust-lang/cc-rs/releases)
- [Changelog](https://github.com/rust-lang/cc-rs/blob/main/CHANGELOG.md)
- [Commits](rust-lang/cc-rs@cc-v1.2.47...cc-v1.2.48)

Updates `http` from 1.3.1 to 1.4.0
- [Release notes](https://github.com/hyperium/http/releases)
- [Changelog](https://github.com/hyperium/http/blob/master/CHANGELOG.md)
- [Commits](hyperium/http@v1.3.1...v1.4.0)

Updates `rustls-pki-types` from 1.13.0 to 1.13.1
- [Release notes](https://github.com/rustls/pki-types/releases)
- [Commits](rustls/pki-types@v/1.13.0...v/1.13.1)

Updates `tower-http` from 0.6.6 to 0.6.7
- [Release notes](https://github.com/tower-rs/tower-http/releases)
- [Commits](tower-rs/tower-http@tower-http-0.6.6...tower-http-0.6.7)

Updates `tracing-attributes` from 0.1.30 to 0.1.31
- [Release notes](https://github.com/tokio-rs/tracing/releases)
- [Commits](tokio-rs/tracing@tracing-attributes-0.1.30...tracing-attributes-0.1.31)

Updates `zerocopy` from 0.8.28 to 0.8.30
- [Release notes](https://github.com/google/zerocopy/releases)
- [Changelog](https://github.com/google/zerocopy/blob/main/CHANGELOG.md)
- [Commits](google/zerocopy@v0.8.28...v0.8.30)

Updates `zerocopy-derive` from 0.8.28 to 0.8.30
- [Release notes](https://github.com/google/zerocopy/releases)
- [Changelog](https://github.com/google/zerocopy/blob/main/CHANGELOG.md)
- [Commits](google/zerocopy@v0.8.28...v0.8.30)

---
updated-dependencies:
- dependency-name: tracing-forest
  dependency-version: 0.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: cargo
- dependency-name: winnow
  dependency-version: 0.7.14
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: cargo
- dependency-name: bytesize
  dependency-version: 2.3.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: cargo
- dependency-name: tracing-core
  dependency-version: 0.1.35
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: cargo
- dependency-name: insta
  dependency-version: 1.44.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: cargo
- dependency-name: zip
  dependency-version: 6.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: cargo
- dependency-name: crc
  dependency-version: 3.4.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: cargo
- dependency-name: cc
  dependency-version: 1.2.48
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: cargo
- dependency-name: http
  dependency-version: 1.4.0
  dependency-type: indirect
  update-type: version-update:semver-minor
  dependency-group: cargo
- dependency-name: rustls-pki-types
  dependency-version: 1.13.1
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: cargo
- dependency-name: tower-http
  dependency-version: 0.6.7
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: cargo
- dependency-name: tracing-attributes
  dependency-version: 0.1.31
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: cargo
- dependency-name: zerocopy
  dependency-version: 0.8.30
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: cargo
- dependency-name: zerocopy-derive
  dependency-version: 0.8.30
  dependency-type: indirect
  update-type: version-update:semver-patch
  dependency-group: cargo
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file rust Pull requests that update Rust code labels Nov 28, 2025

@EliahKagan Eliah Kagan (EliahKagan) left a comment


This looks fine to me. (It does have the same tracing-forest and windows-sys oddities as in #2270.)

@EliahKagan Eliah Kagan (EliahKagan) merged commit 93dd630 into main Nov 28, 2025
28 checks passed
@EliahKagan Eliah Kagan (EliahKagan) deleted the dependabot/cargo/cargo-92eaa62a2e branch November 28, 2025 18:22

Eliah Kagan (EliahKagan) commented Nov 28, 2025

Fascinatingly, when run again, Dependabot would upgrade some tracing-forest-related packages, though it still only claims to be updating tracing-forest itself, and it also would upgrade the windows-sys packages that were downgraded before. This can be seen in the test PR EliahKagan#123.

  • Ordinarily I don't "top off" Dependabot updates with more updates.
  • But in this case it seems like a clear improvement on what we already have.
  • But I think Dependabot will automatically open a PR at the beginning of December, which is very near.

So my inclination is to do as usual and not manually trigger it here to get the extra updates at this time. However, I'd be pleased to do so if preferred.

@Byron

I just trust your judgement there, and am glad you are on top of all this.
In a way, I see my fears of this bot confirmed, as even once you figure out the configuration, there are still cases where it acts strangely, and then it might take more time than it's worth.

Maybe it's something to rethink, especially in the current environment. Would it be possible to rely on cargo deny to be informed about security related updates, and do all other updates with delay and at certain times? I could do the dep updates once per month as I prepare the report, for example.

@EliahKagan

> Maybe it's something to rethink, especially in the current environment.

Yes, my original rationale for returning to using Dependabot version updates for our cargo dependencies (#1948) is less persuasive, in the face of the various difficulties we've encountered.

However, there is a newly emerged rationale that I think justifies its continued use--and even expanded use, such as in prodash--at least so long as it can be configured suitably and the rate of problems does not too much further increase. This is the cooldown feature, which I've enabled in #2337. As noted there, I think this is already a good thing to have but I expect its benefit to increase once rust-lang/cargo#15973 is completed.

There's actually a further small benefit of Dependabot over most ways of manually updating dependencies--which I am inclined to think makes it worthwhile even separately from cooldown. Although Dependabot uses branches in the target repository (by default named with a dependabot/ prefix), Dependabot PRs are treated mostly as though they come from forks: their CI jobs don't have write access to the target repository, and they cannot access the target repository's non-Dependabot secrets. (It is possible to configure Dependabot-specific secrets.) Even for repositories that don't use GitHub Actions secrets, the former benefit is real: it adds some amount of buffer--between when dependency updates are proposed and tested, and when they are adopted--during which a supply chain attack is less harmful.

Renovatebot can be used via Forking Renovate, which confers analogous protections by actually operating from a fork. So this is not a reason to prefer Dependabot over Renovatebot (so long as one would use the Forking Renovate integration rather than the Renovate integration for Renovatebot). But I see it as a small reason to prefer Dependabot over local operations, for routine dependency upgrades. This is only a small benefit, because it doesn't inherently prevent a malicious dependency from being merged in. But it offers some protection as proposed dependencies are tested and as they are being reviewed.

> Would it be possible to rely on cargo deny to be informed about security related updates

Regardless of what else we do, we should continue to use cargo deny, because it is possible for vulnerabilities--and other conditions we want to know about, such as informational advisories about soundness and maintenance--to have RUSTSEC advisories in the absence of any GHSA advisory. Most RUSTSEC advisories are eventually imported into GHSA, but it's best not to have to wait for that.

I don't recommend that we rely solely on cargo deny for this, because the opposite problem exists: often advisories exist in GHSA before they make it into RUSTSEC.

But this is independent of Dependabot version updates. So long as we keep both Dependabot alerts and Dependabot security updates, we'll have the full advantage as far as it relates to responding to the availability of new versions that fix bugs for which an advisory exists.

Thus it is instead for the above reasons that I recommend we continue to use Dependabot version updates, and that if this becomes more difficult or frustrating then we look at Renovatebot (via the Forking Renovate integration) as an alternative, rather than immediately falling back to manual updating. Like Dependabot, Renovatebot supports cooldown periods, configured via its MinimumReleaseAge key. I've been experimenting with Renovatebot in my pfdirs repository, with the view that it may someday be useful for us to use it in one or more of the repositories in GitoxideLabs.
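The cooldown feature discussed in the comment above, shown as an added illustration of a `.github/dependabot.yml` cargo entry (this is not the repository's own configuration, which the thread does not reproduce): one grouped update for the `cargo` group plus a cooldown, with the day counts chosen here as assumptions.

```yaml
# Added example of a Dependabot version-updates entry with cooldown.
# Not the repository's real dependabot.yml; day counts are assumptions.
version: 2
updates:
  - package-ecosystem: "cargo"
    directory: "/"
    schedule:
      interval: "monthly"
    # Collect all crate bumps into a single PR, like the "cargo" group in this thread.
    groups:
      cargo:
        patterns:
          - "*"
    # Cooldown: a release must be at least this many days old before Dependabot
    # proposes it, giving maintainers and the registry time to notice and yank a
    # malicious release before it is ever offered for review.
    cooldown:
      default-days: 7
      semver-major-days: 30
      semver-minor-days: 14
      semver-patch-days: 7
```

Dependabot alerts and security updates are repository settings rather than entries in this file, which is why the comment treats them as independent of version updates.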

@Byron

Thanks a lot, let's keep using dependabot for its features and overall positive balance.

> However, there is a newly emerged rationale that I think justifies its continued use--and even expanded use, such as in prodash--at least so long as it can be configured suitably and the rate of problems does not too much further increase. This is the cooldown feature, which I've enabled in #2337. As noted there, I think this is already a good thing to have but I expect its benefit to increase once rust-lang/cargo#15973 is completed.

Yes, I agree that cooldown is a killer feature that isn't easily replaced.

In any case, I am glad that you are maintaining it, and that you keep experimenting with alternative solutions as time permits so we can keep using the best possible tool for the job.
