
Bump the cargo group across 1 directory with 3 updates#74

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/cargo/cargo-26dcf048c5

Conversation


@dependabot dependabot Bot commented on behalf of github Jun 4, 2026

Bumps the cargo group with 3 updates in the / directory: serde_yml, tar and rmcp.

Updates serde_yml from 0.0.12 to 0.0.13

Release notes

Sourced from serde_yml's releases.

v0.0.13 — Final release (deprecation shim, RUSTSEC-2025-0068 fixed)

⚠️ Final release — serde_yml is deprecated

This is the final maintenance release of serde_yml. The crate is no longer under active development. 0.0.13 is a thin compatibility shim that lets existing call sites keep compiling while you migrate to one of the maintained alternatives listed below.

If you are reading this because cargo audit flagged your build, upgrading to 0.0.13 resolves RUSTSEC-2025-0068 structurally — see Security below.


TL;DR

  # Cargo.toml
- serde_yml = "0.0"
+ serde_yml = "0.0.13"

Your existing call sites compile unchanged. The compiler now emits a #[deprecated] warning at every use serde_yml::* import pointing at the migration guide. The C-FFI libyml parser is no longer in your dependency graph.

When you're ready to fully migrate, see the migration guide.


Security: RUSTSEC-2025-0068 fixed

RUSTSEC-2025-0068 (also GHSA-hhw4-xg65-fp2x) flagged every serde_yml ≤ 0.0.12 as unsound — the serde_yml::ser::Serializer.emitter field could cause a segmentation fault via the C-FFI libyaml parser.

0.0.13 removes the vulnerable surface entirely:

  • The C-FFI libyml dependency is gone from the graph.
  • serde_yml::ser::Serializer is now a re-export of a pure-Rust unit struct (pub struct Serializer;) with no emitter field — code that referenced .emitter no longer compiles, which is the desired outcome.
  • The backend (noyalib) enforces #![forbid(unsafe_code)] workspace-wide.

Verification:

cargo update -p serde_yml --precise 0.0.13
cargo tree -p serde_yml | grep libyml   # → no output

The RustSec advisory database PR adding patched = ["^0.0.13"] is pending review at rustsec/advisory-db#2915. Until it merges, cargo audit may still warn against 0.0.13 — the 0.0.13 release itself ships .cargo/audit.toml + deny.toml ignore entries so the self-referential warning doesn't block your own CI.


Maintained alternatives

Three crates are realistic destinations. Pick the one that fits.

Crate Migration shape Best fit

... (truncated)

Commits
  • 2bdacd5 ci: commit Cargo.lock for reproducible audits
  • 57983ac ci: ignore RUSTSEC-2025-0068 in cargo-audit / cargo-deny
  • c236ddd style: apply rustfmt (max_width=72)
  • 795e112 ci: include master in push triggers (default branch is master)
  • 5497552 Deprecate serde_yml — 0.0.13 shim forwarding to noyalib (#52)
  • ab3c49e Merge pull request #34 from horacimacias/master
  • c7ba7ac Merge pull request #35 from lucasvr/lucas/anchors
  • 140d00b Merge pull request #38 from nc7s/fix-cstr-pointer-type
  • a19e5c2 Merge pull request #18 from Mingun/remove-duplicated-clone
  • 6ffe205 fix: hard coded CStr pointer type, use ffi::c_char
  • Additional commits viewable in compare view

Updates tar from 0.4.45 to 0.4.46

Release notes

Sourced from tar's releases.

0.4.46

Security

See also GHSA-3cv2-h65g-fgmm

Other changes

New Contributors

Full Changelog: composefs/tar-rs@0.4.45...0.4.46

Commits

Updates rmcp from 0.12.0 to 1.4.0

Release notes

Sourced from rmcp's releases.

rmcp-macros-v1.4.0

Added

  • (macros) auto-generate get_info and default router (#785)

rmcp-v1.4.0

Added

  • add Default and constructors to ServerSseMessage (#794)
  • add meta to elicitation results (#792)
  • (macros) auto-generate get_info and default router (#785)
  • (transport) add which_command for cross-platform executable resolution (#774)
  • (auth) add StoredCredentials::new() constructor (#778)

Fixed

  • (server) remove initialized notification gate to support Streamable HTTP (#788)
  • default session keep_alive to 5 minutes (#780)
  • (http) add host check (#764)
  • exclude local feature from docs.rs build (#782)

Other

  • update Rust toolchain to 1.92 (#797)
  • unify IntoCallToolResult Result impls (#787)

rmcp-macros-v1.3.0

Added

  • add local feature for !Send tool handler support (#740)

Other

  • fix all clippy warnings across workspace (#746)

rmcp-v1.3.0

Added

  • (transport) add Unix domain socket client for streamable HTTP (#749)
  • (auth) implement SEP-2207 OIDC-flavored refresh token guidance (#676)
  • add configuration for transparent session re-init (#760)
  • add local feature for !Send tool handler support (#740)

Fixed

  • prevent CallToolResult and GetTaskPayloadResult from shadowing CustomResult in untagged enums (#771)
  • drain in-flight responses on stdin EOF (#759)
  • remove default type param from StreamableHttpService (#758)
  • use cfg-gated Send+Sync supertraits to avoid semver break (#757)
  • (rmcp) surface JSON-RPC error bodies on HTTP 4xx responses (#748)

... (truncated)

Commits
  • 4628720 chore: release v1.4.0 (#779)
  • 65d2b29 fix(server): remove initialized notification gate to support Streamable HTTP ...
  • a7b5700 fix: pass GIT_TOKEN to release-plz CLI (#798)
  • 8a8c036 chore: update Rust toolchain to 1.92 (#797)
  • 34d0bc6 fix: upgrade rustc in actions (#796)
  • 45a4cc5 feat: add Default and constructors to ServerSseMessage (#794)
  • 5f43283 feat: add meta to elicitation results (#792)
  • be321a4 feat(macros): auto-generate get_info and default router (#785)
  • 5891b45 refactor: unify IntoCallToolResult Result impls (#787)
  • d98248a ci: add --locked to release-plz install (#786)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

You can disable automated security fix PRs for this repo from the Security Alerts page.
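The serde_yml release notes quoted above give a two-command verification (`cargo update --precise 0.0.13`, then `cargo tree -p serde_yml | grep libyml` expecting no output). The script below is an added example, not code from this PR, from Dependabot or from the serde_yml project: it performs the same check against `Cargo.lock` alone, so it can run in a CI step that has no Rust toolchain. It is written in Python for that reason. It parses the standard `[[package]]` tables of a lockfile, confirms that `serde_yml` resolves to 0.0.13 or later (the advisory's `patched = ["^0.0.13"]` bound from the release notes) and that no package named `libyml` is resolved or depended on. The two sample lockfiles are constructed for illustration; the `libyml` version and the dependency lists (including `noyalib` as a dependency of the 0.0.13 shim) are assumptions.

```python
"""Lockfile check for the serde_yml bump (added example; not code from the PR
or the serde_yml project). Confirms serde_yml >= 0.0.13 and that the C-FFI
`libyml` crate is absent from the resolved graph, as the release notes ask."""
import re
from typing import Dict, List, Optional, Tuple

PATCHED_SERDE_YML = (0, 0, 13)  # advisory's patched = ["^0.0.13"], per the release notes
REMOVED_CRATE = "libyml"

# Constructed sample lockfiles (libyml version and dependency lists are made up
# for illustration): one still on 0.0.12, one after the bump.
OLD_LOCK = """\
# This file is automatically @generated by Cargo.
version = 4

[[package]]
name = "libyml"
version = "0.0.5"

[[package]]
name = "serde_yml"
version = "0.0.12"
dependencies = [
 "indexmap",
 "libyml",
 "serde",
]
"""

NEW_LOCK = """\
version = 4

[[package]]
name = "serde_yml"
version = "0.0.13"
dependencies = ["noyalib", "serde"]
"""


def parse_lock(text: str) -> List[Dict[str, object]]:
    """Parse the Cargo.lock subset needed here: [[package]] tables with
    string fields plus the `dependencies = [...]` array (either form)."""
    packages: List[Dict[str, object]] = []
    current: Optional[Dict[str, object]] = None
    in_deps = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "[[package]]":
            current = {"dependencies": []}
            packages.append(current)
            in_deps = False
            continue
        if current is None:  # top-level keys such as `version = 4`
            continue
        if in_deps:
            if line == "]":
                in_deps = False
            else:  # entries read "crate" or "crate 1.2.3"; keep the name only
                current["dependencies"].append(line.strip('",').split()[0])
            continue
        m = re.match(r"^(\w+)\s*=\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "dependencies" and value == "[":
            in_deps = True  # multi-line array follows
        elif key == "dependencies":  # single-line form: ["a", "b"]
            items = [v.strip().strip('"') for v in value.strip("[]").split(",")]
            current["dependencies"] = [i.split()[0] for i in items if i]
        else:
            current[key] = value.strip('"')
    return packages


def parse_version(v: str) -> Tuple[int, ...]:
    """'0.0.13' -> (0, 0, 13); a pre-release suffix such as '-rc1' is dropped."""
    return tuple(int(p) for p in v.split("-")[0].split("."))


def check_lock(text: str) -> Dict[str, object]:
    """Return the resolved serde_yml version plus findings (empty when clean)."""
    pkgs = parse_lock(text)
    by_name = {p["name"]: p for p in pkgs}
    findings: List[str] = []
    serde_yml = by_name.get("serde_yml")
    version = serde_yml["version"] if serde_yml else None
    if version is not None and parse_version(version) < PATCHED_SERDE_YML:
        findings.append(f"serde_yml {version} is below patched 0.0.13 (RUSTSEC-2025-0068)")
    if REMOVED_CRATE in by_name:
        findings.append(f"{REMOVED_CRATE} is still resolved in the lockfile")
    for p in pkgs:
        if REMOVED_CRATE in p["dependencies"]:
            findings.append(f"{p['name']} {p['version']} still depends on {REMOVED_CRATE}")
    return {"serde_yml_version": version, "findings": findings, "ok": not findings}
```

Run `check_lock(open("Cargo.lock").read())` in CI and fail the job when `ok` is false; on the constructed `OLD_LOCK` it reports three findings (old version, `libyml` still resolved, `serde_yml` still depending on it), on `NEW_LOCK` none. Note this only covers the crate-level point the advisory makes; it does not replace `cargo audit`, which, as the release notes say, may still warn about 0.0.13 until the advisory database update merges.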

Bumps the cargo group with 3 updates in the / directory: [serde_yml](https://github.com/sebastienrousseau/serde_yml), [tar](https://github.com/composefs/tar-rs) and [rmcp](https://github.com/modelcontextprotocol/rust-sdk).


Updates `serde_yml` from 0.0.12 to 0.0.13
- [Release notes](https://github.com/sebastienrousseau/serde_yml/releases)
- [Commits](sebastienrousseau/serde_yml@v0.0.12...v0.0.13)

Updates `tar` from 0.4.45 to 0.4.46
- [Release notes](https://github.com/composefs/tar-rs/releases)
- [Commits](composefs/tar-rs@0.4.45...0.4.46)

Updates `rmcp` from 0.12.0 to 1.4.0
- [Release notes](https://github.com/modelcontextprotocol/rust-sdk/releases)
- [Changelog](https://github.com/modelcontextprotocol/rust-sdk/blob/main/release-plz.toml)
- [Commits](modelcontextprotocol/rust-sdk@rmcp-v0.12.0...rmcp-v1.4.0)

---
updated-dependencies:
- dependency-name: serde_yml
  dependency-version: 0.0.13
  dependency-type: direct:production
  dependency-group: cargo
- dependency-name: tar
  dependency-version: 0.4.46
  dependency-type: direct:production
  dependency-group: cargo
- dependency-name: rmcp
  dependency-version: 1.4.0
  dependency-type: direct:production
  dependency-group: cargo
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the labels dependencies (Pull requests that update a dependency file) and rust (Pull requests that update rust code) on Jun 4, 2026