chore(deps): bump the cargo group across 1 directory with 4 updates #147

Closed
dependabot[bot] wants to merge 1 commit into main from dependabot/cargo/cargo-629d2f1126

@dependabot dependabot bot commented on behalf of github Apr 14, 2026

Bumps the cargo group with 3 updates in the / directory: soroban-sdk, rand and tar.

Updates soroban-sdk from 25.1.0 to 25.3.0

Release notes

Sourced from soroban-sdk's releases.

25.3.0

What's Changed

Full Changelog: stellar/rs-soroban-sdk@v25.2.0...v25.3.0

25.2.0

What's Changed

New Experimental Features

  • Spec shaking for smaller contract binaries: The SDK now supports automatic removal of unused type and event definitions from the contractspecv0 section of compiled WASM files. By embedding markers that survive dead code elimination, only types and events actually used at contract boundaries (function parameters, return values, and events) are retained. This reduces contract binary size and enables imported contract types to be automatically re-exported when used. Requires Stellar CLI v25.2.0+. Behind a feature flag experimental_spec_shaking_v2 during the v25 release. (#1672)

Improvements

  • Compile-time validation for BigInt conversions: BigInt::from<BytesN> now catches length mismatches at compile time instead of panicking at runtime, giving you earlier and clearer error messages. (#1725)

  • Remove unnecessary clones in iterators: Iterator implementations no longer perform redundant clones, reducing overhead when iterating over SDK collection types. (#1734)

Bug Fixes

  • Fix BytesN::is_empty: BytesN::is_empty previously always returned false. It now correctly returns true for BytesN<0>. (#1733)

Documentation

  • Document the alloc feature: The alloc module is now publicly documented in rustdoc, covering how the bump-pointer allocator works, that dealloc is a no-op, and how to use a custom allocator instead. (#1726)

All Changes

Full Changelog: stellar/rs-soroban-sdk@v25.1.1...v25.2.0

25.1.1

What's Changed

Bugs Fixed

All Changes

... (truncated)

Commits
  • dcbea44 Bump version to 25.3.0 (#1751)
  • 082424b Fix Fr scalar field to reduce modulo r on construction (#1750)
  • 3e529a6 Bump version to 25.2.0 (#1749)
  • 80529be Implement spec shaking using dead code elimination and data section of wasm (...
  • 78ede6a Bump deny action (#1742)
  • 914d7f6 Document alloc feature (#1726)
  • fadfa56 Add commentary to alloc module about use of static_mut_refs and light code re...
  • 070b0d6 Use compile-time assert in BigInt::from (#1725)
  • ee06e71 Fix BytesN::is_empty to check const length (#1733)
  • 87d2d43 Remove unnecessary clone in iterators (#1734)
  • Additional commits viewable in compare view

Updates rand from 0.8.5 to 0.9.3

Changelog

Sourced from rand's changelog.

[0.9.3] — 2026-02-11

This release back-ports a fix from v0.10. See also #1763.

Changes

  • Deprecate feature log (#1764)
  • Replace usages of doc_auto_cfg (#1764)

#1763: rust-random/rand#1763

[0.9.2] — 2025-07-20

Deprecated

  • Deprecate rand::rngs::mock module and StepRng generator (#1634)

Additions

  • Enable WeightedIndex<usize> (de)serialization (#1646)

[0.9.1] - 2025-04-17

Security and unsafe

  • Revise "not a crypto library" policy again (#1565)
  • Remove zerocopy dependency from rand (#1579)

Fixes

  • Fix feature simd_support for recent nightly rust (#1586)

Changes

  • Allow fn rand::seq::index::sample_weighted and fn IndexedRandom::choose_multiple_weighted to return fewer than amount results (#1623), reverting an undocumented change (#1382) to the previous release.

Additions

  • Add rand::distr::Alphabetic distribution. (#1587)
  • Re-export rand_core (#1604)

[0.9.0] - 2025-01-27

Security and unsafe

  • Policy: "rand is not a crypto library" (#1514)
  • Remove fork-protection from ReseedingRng and ThreadRng. Instead, it is recommended to call ThreadRng::reseed on fork. (#1379)
  • Use zerocopy to replace some unsafe code (#1349, #1393, #1446, #1502)

Dependencies

  • Bump the MSRV to 1.63.0 (#1207, #1246, #1269, #1341, #1416, #1536); note that 1.60.0 may work for dependents when using --ignore-rust-version
  • Update to rand_core v0.9.0 (#1558)

Features

  • Support std feature without getrandom or rand_chacha (#1354)
  • Enable feature small_rng by default (#1455)
  • Remove implicit feature rand_chacha; use std_rng instead. (#1473)
  • Rename feature serde1 to serde (#1477)
  • Rename feature getrandom to os_rng (#1537)
  • Add feature thread_rng (#1547)

API changes: rand_core traits

... (truncated)

Commits

Updates soroban-sdk-macros from 25.1.0 to 25.3.1

Release notes

Sourced from soroban-sdk-macros's releases.

25.3.1

What's Changed

New Features

  • MuxedAddress now implements ScVal conversion traits and SorobanArbitrary, allowing it to be used as a field in #[contracttype] structs. (#1782)

Improvements

  • Compiler error for reserved type names in contract types: #[contracttype] definitions whose names collide with SDK built-in type names (e.g. Address, Bytes, Symbol) now produce a clear compile-time error instead of silently mapping to the built-in type in the contract spec. (#1788)
  • Using #[contractevent(data_format = "single-value")] with more than one data field now produces a clear compile-time error. (#1794)
  • #[contractimpl] macro now correctly resolves associated types in function return values (not just inputs), and emits clear compiler errors when it cannot resolve an associated type. (#1780)
  • LedgerSnapshot::write_file now writes to a temporary file before atomically replacing the destination, preventing corrupted snapshot files if serialization fails. (#1796)
  • Replaces regular subtraction with saturating_sub when computing max_ttl to guard against potential underflow from misconfiguration. (#1792)

Bug Fixes

  • Generated try_ client methods were always calling mock_all_auths() and ignoring the allow_non_root_auth flag, causing non-root auth to silently fail. They now correctly call mock_all_auths_allowing_non_root_auth() when the flag is set. (#1761)
  • Doc comment truncation could split multi-byte UTF-8 codepoints, producing invalid UTF-8 in the contract's spec XDR. Truncation now always occurs at a valid character boundary. (#1769)
  • The build.rs target check was evaluating against the host target instead of the compilation target, so the Rust version check never fired during cross-compilation. This could silently produce Wasm binaries with unsupported features. The error message now also recommends wasm32v1-none as the preferred target. (#1771)
  • Added checks in register_contract_with_source and register_stellar_asset_contract_v2 to prevent potential auth manager overrides. (#1803)

Documentation

  • Added documentation for the ToXdr and FromXdr traits. (#1767)
  • Improved documentation for Val conversion behavior in SDK collection types. (#1774)
  • Added documentation for the SHA-256 hash verification options available in contractimport! and contractfile! macros. (#1790)
  • Documented how #[contractimpl] determines the exported function names in the contract spec. (#1809)
  • Updated the Pausable trait doc examples to include access control patterns. (#1764)
  • Expanded documentation on how to use mock auth in test scenarios. (#1798)
  • Improved documentation for Poseidon hash functions. (#1816)

All Changes

... (truncated)

Commits
  • e50d95a Bump version to 25.3.1 (#1821)
  • 3198ec0 improve poseidon, poseidon2_permutation docs (#1816)
  • 7f894f4 Skip privacy-pools in soroban-examples CI (#1811)
  • c32bb7e Document #[contractimpl] export name behaviour (#1809)
  • 857c058 Fix panic safety in register_contract_with_source and register_stellar_asset_...
  • 022d7c5 Fix misc typos and doc links (#1804)
  • b92b36b Document contractimport! and contractfile! SHA-256 verification options (...
  • a589139 Add compiler error when reserved type names are used as contract types (#1788)
  • 8503832 Write to a temp file first during snapshot write_file (#1796)
  • 02431df Expand docs for mock auth usage in tests (#1798)
  • Additional commits viewable in compare view

Updates tar from 0.4.44 to 0.4.45

Commits
  • 096e3d1 Bump to 0.4.45 (#443)
  • 17b1fd8 archive: Prevent symlink-directory collision chmod attack (#442)
  • de1a587 archive: Unconditionally honor PAX size (#441)
  • 6071cbe ci: Consolidate workflows (#439)
  • ad1fde9 build-sys: Promote unused_code to an error
  • c8cb250 tests: Squash a warning
  • 638c495 ci: Add xtask infra + reverse dependency testing (#435)
  • 32a9bbb tests: Add RandomReader to exercise partial-read resilience (#436)
  • 9c5df0b Fix GNU long-name extension stream corruption on validation error (#434)
  • 88b1e3b Fix docs typo in header.rs (#431)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.



Bumps the cargo group with 3 updates in the / directory: [soroban-sdk](https://github.com/stellar/rs-soroban-sdk), [rand](https://github.com/rust-random/rand) and [tar](https://github.com/alexcrichton/tar-rs).


Updates `soroban-sdk` from 25.1.0 to 25.3.0
- [Release notes](https://github.com/stellar/rs-soroban-sdk/releases)
- [Commits](stellar/rs-soroban-sdk@v25.1.0...v25.3.0)

Updates `rand` from 0.8.5 to 0.9.3
- [Release notes](https://github.com/rust-random/rand/releases)
- [Changelog](https://github.com/rust-random/rand/blob/0.9.3/CHANGELOG.md)
- [Commits](rust-random/rand@0.8.5...0.9.3)

Updates `soroban-sdk-macros` from 25.1.0 to 25.3.1
- [Release notes](https://github.com/stellar/rs-soroban-sdk/releases)
- [Commits](stellar/rs-soroban-sdk@v25.1.0...v25.3.1)

Updates `tar` from 0.4.44 to 0.4.45
- [Commits](alexcrichton/tar-rs@0.4.44...0.4.45)

---
updated-dependencies:
- dependency-name: soroban-sdk
  dependency-version: 25.3.0
  dependency-type: direct:production
  dependency-group: cargo
- dependency-name: rand
  dependency-version: 0.9.3
  dependency-type: direct:production
  dependency-group: cargo
- dependency-name: soroban-sdk-macros
  dependency-version: 25.3.1
  dependency-type: indirect
  dependency-group: cargo
- dependency-name: tar
  dependency-version: 0.4.45
  dependency-type: indirect
  dependency-group: cargo
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added the dependencies and rust labels Apr 14, 2026
@dependabot dependabot bot requested review from Fantoni0 and NiDimi as code owners April 14, 2026 04:16
@maksimryndin (Contributor)

some deps are updated due to security issue here #148

soroban - a separate task #161

dependabot bot commented on behalf of github Apr 16, 2026

This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.

To ignore these dependencies, configure ignore rules in dependabot.yml

@dependabot dependabot bot deleted the dependabot/cargo/cargo-629d2f1126 branch April 16, 2026 23:41