chore(deps): bump the cargo group across 2 directories with 26 updates

[dependabot]

Bumps the cargo group with 11 updates in the /rust directory:

Package	From	To
bumpalo	3.7.0	3.20.2
h2	0.3.4	0.3.27
keccak	0.1.0	0.1.6
mio	0.7.13	0.7.14
num-bigint	0.4.1	0.4.3
openssl	0.10.36	0.10.76
regex	1.5.4	1.5.5
tar	0.4.37	0.4.45
time	0.1.44	0.1.45
tokio	1.10.1	1.16.1
zeroize_derive	1.1.0	1.4.3

Bumps the cargo group with 6 updates in the /rust/auction/program directory:

Package	From	To
borsh	0.8.2	0.9.3
bumpalo	3.6.1	3.20.2
idna	0.2.2	0.2.3
time	0.1.44	0.1.45
zeroize_derive	1.0.1	1.4.3
thread_local	1.1.3	1.1.9

Updates bumpalo from 3.7.0 to 3.20.2

Changelog

Sourced from bumpalo's changelog.

3.20.2

Released 2026-02-19.

Fixed

• Restored Send and Sync implementations for Box<T> for T: ?Sized types as well.

---

3.20.1

Released 2026-02-18.

Fixed

• Restored Send and Sync implementations for Box<T> when T: Send and T: Sync respectively.

---

3.20.0

Released 2026-02-18.

Added

• Added the bumpalo::collections::Vec::pop_if method.

Fixed

• Fixed a bug in the bumpalo::collections::String::retain method in the face of panics.
• Made bumpalo::collections::Box<T> covariant with T (just like std::boxed::Box<T>).

---

3.19.1

Released 2025-12-16.

Changed

• Annotated bumpalo::collections::String::from_str_in as #[inline].

Fixed

• Fixed compilation failures with the latest nightly Rust when enabling the

... (truncated)

Commits

• 1aad072 Bump to version 3.20.2 (#312)
• 2fb1d6a Add more tests for send and sync behavior, support unsized types (#311)
• 7c8d1f3 Bump to 3.20.1 (#310)
• e06b36b Restore Send and Sync for Box (#309)
• cb7f033 Bump to 3.20.0 (#307)
• d97d31c Make box covariant (#304)
• f9256f7 Pin quickcheck (#306)
• a006efb Fix String::retain panic safety yielding invalid UTF-8 (#302)
• 96ba386 Add pop_if() to Vec (#301)
• 8c2172a Bump to version 3.19.1 (#300)
• Additional commits viewable in compare view

Updates h2 from 0.3.4 to 0.3.27

Release notes

Sourced from h2's releases.

v0.3.26

What's Changed

• Limit number of CONTINUATION frames for misbehaving connections.

See https://seanmonstar.com/blog/hyper-http2-continuation-flood/ for more info.

v0.3.25

What's Changed

• perf: optimize header list size calculations by @​Noah-Kennedy in hyperium/h2#750

Full Changelog: hyperium/h2@v0.3.24...v0.3.25

v0.3.24

Fixed

• Limit error resets for misbehaving connections.

v0.3.23

What's Changed

• cherry-pick fix: streams awaiting capacity lockout in hyperium/h2#734

v0.3.22

What's Changed

• Add header_table_size(usize) option to client and server builders.
• Improve throughput when vectored IO is not available.
• Update indexmap to 2.

New Contributors

• @​tottoto made their first contribution in hyperium/h2#714
• @​xiaoyawei made their first contribution in hyperium/h2#712
• @​Protryon made their first contribution in hyperium/h2#719
• @​4JX made their first contribution in hyperium/h2#638
• @​vuittont60 made their first contribution in hyperium/h2#724

v0.3.21

What's Changed

• Fix opening of new streams over peer's max concurrent limit.
• Fix RecvStream to return data even if it has received a CANCEL stream error.
• Update MSRV to 1.63.

New Contributors

• @​DDtKey made their first contribution in hyperium/h2#703
• @​jwilm made their first contribution in hyperium/h2#707

v0.3.20

Bug Fixes

... (truncated)

Changelog

Sourced from h2's changelog.

0.3.27 (July 11, 2025)

• Fix notifying wakers when detecting local stream errors.

0.3.26 (April 3, 2024)

• Limit number of CONTINUATION frames for misbehaving connections.

0.3.25 (March 15, 2024)

• Improve performance decoding many headers.

0.3.24 (January 17, 2024)

• Limit error resets for misbehaving connections.

0.3.23 (January 10, 2024)

• Backport fix from 0.4.1 for stream capacity assignment.

0.3.22 (November 15, 2023)

• Add header_table_size(usize) option to client and server builders.
• Improve throughput when vectored IO is not available.
• Update indexmap to 2.

0.3.21 (August 21, 2023)

• Fix opening of new streams over peer's max concurrent limit.
• Fix RecvStream to return data even if it has received a CANCEL stream error.
• Update MSRV to 1.63.

0.3.20 (June 26, 2023)

• Fix panic if a server received a request with a :status pseudo header in the 1xx range.
• Fix panic if a reset stream had pending push promises that were more than allowed.
• Fix potential flow control overflow by subtraction, instead returning a connection error.

0.3.19 (May 12, 2023)

• Fix counting reset streams when triggered by a GOAWAY.
• Send too_many_resets in opaque debug data of GOAWAY when too many resets received.

0.3.18 (April 17, 2023)

• Fix panic because of opposite check in is_remote_local().

0.3.17 (April 13, 2023)

• Add Error::is_library() method to check if the originated inside h2.

... (truncated)

Commits

• f6237ac v0.3.27
• f61332e refactor: change local reset counter to use type system more
• 3f1a8e3 style: fix anonymous lifetime syntax
• 778aa7e fix: notify_recv after send_reset() in reset_on_recv_stream_err() to ensure l...
• be10b77 ci: pin more deps for MSRV job (#817)
• c0d9feb ci: pin deps for MSRV
• 5ccd9cf lints: fix unexpected cfgs warnings
• e6e3e9c fix: return a WriteZero error if frames cannot be written (#783)
• 357127e v0.3.26
• 1a357aa fix: limit number of CONTINUATION frames allowed
• Additional commits viewable in compare view

Updates keccak from 0.1.0 to 0.1.6

Commits

• a8936d9 keccak v0.1.6
• 40c50c1 keccak v0.1.5 (#69)
• 2dc13bf keccak: enable asm backend for p1600 (#68)
• a3a4e01 Revert "Update Cargo.lock" (#67)
• 3a9a29e Update Cargo.lock
• 9e4f6bc keccak: don't test simd feature in minimal-versions workflow (#66)
• 329d4cd Replace cross tests with MIRI (#63)
• 48cc4ac build(deps): bump actions/checkout from 3 to 4 (#61)
• 651a34e keccak: replace CI tests on MIPS with PPC32 (#62)
• 4730c6f benches: remove criterion deps workaround (#60)
• Additional commits viewable in compare view

Updates mio from 0.7.13 to 0.7.14

Changelog

Sourced from mio's changelog.

0.7.14

Fixes

• Remove use unsound internal macro (#1519).

Added

• sys::unix::SocketAddr::as_abstract_namespace() (#1520).

Commits

• 064af84 Release v0.7.14
• 9507bdf Update outdated comment
• 7a17b67 Avoid cast pointers to usize in windows::NamedPipe
• 53288fb Replace offset constants with methods in Windows NamedPipe
• 5224c00 Reorder NamedPipe fields
• b01ecbd Remove unsound offset_of macro
• 1e1b06f Add sys::unix::SocketAddr::as_abstract_namespace()
• See full diff in compare view

Updates num-bigint from 0.4.1 to 0.4.3

Changelog

Sourced from num-bigint's changelog.

Release 0.4.3 (2021-11-02)

• GHSA-v935-pqmr-g8v9: Fix unexpected panics in multiplication.

Contributors: @​arvidn, @​cuviper, @​guidovranken

Release 0.4.2 (2021-09-03)

• Use explicit Integer::div_ceil to avoid the new unstable method.

Contributors: @​catenacyber, @​cuviper

Commits

• e77ffac Merge #228
• 056e0d4 Release 0.4.3
• 8008707 Fix an undersized buffer panic in multiplication
• 0940e50 Fix a mac3 panic when an operand is all-zero
• 1fc2537 Add 0.3.3 release notes
• 8ee0b9a Merge #219
• 1469ed6 Fix div_ceil with rand and serde too
• 22940ca Release 0.4.2
• de57106 Adjust shadowed names around div_ceil
• a8fc78c rust: use explicitily Integer::div_ceil
• See full diff in compare view

Updates openssl from 0.10.36 to 0.10.76

Release notes

Sourced from openssl's releases.

openssl-v0.10.76

What's Changed

• feat: New methods EVP_PKEY_new_raw_*_key_ex and EVP_PKEY_is_a by @​FinnRG in rust-openssl/rust-openssl#2521
• Fix invalid value parsing of OCSP revocation reason by @​danpashin in rust-openssl/rust-openssl#2523
• Bump actions/checkout from 5 to 6 by @​dependabot[bot] in rust-openssl/rust-openssl#2524
• Bump aws-lc-sys from 0.27 to 0.34 by @​goffrie in rust-openssl/rust-openssl#2526
• Expose X509_NAME_dup on all versions of OpenSSL by @​alex in rust-openssl/rust-openssl#2529
• Unconditionally expose some *_dup() functions by @​botovq in rust-openssl/rust-openssl#2530
• reintroduce dir_name support for subject_alt_names by @​mqqz in rust-openssl/rust-openssl#2528
• Fix cipher comparison with NID instead of pointers by @​lwestlund in rust-openssl/rust-openssl#2531
• Remove ASN1_STRING_data for LibreSSL 4.3.0 by @​botovq in rust-openssl/rust-openssl#2534
• drop openssl 1.0.2 by @​alex in rust-openssl/rust-openssl#2545
• Bump actions/cache from 4 to 5 by @​dependabot[bot] in rust-openssl/rust-openssl#2542
• Add Debug implementation for EcdsaSig{,Ref} by @​buytenh in rust-openssl/rust-openssl#2540
• Add HKDF support by @​Zenkibou in rust-openssl/rust-openssl#2543
• Enhance Debug implementation for Nid by @​buytenh in rust-openssl/rust-openssl#2547
• Remove X509_VERIFY_PARAM_ID for LibreSSL 4.3.0 by @​botovq in rust-openssl/rust-openssl#2549
• Add UpperHex implementation for BigNum{,Ref} by @​buytenh in rust-openssl/rust-openssl#2550
• Add Debug implementation for EcGroup{,Ref} by @​buytenh in rust-openssl/rust-openssl#2548
• test against openssl 3.6.0 in ci by @​alex in rust-openssl/rust-openssl#2546
• Remove more OpenSSL 1.0.2 complications by @​botovq in rust-openssl/rust-openssl#2559
• Still more OpenSSL 1.0.2 complications by @​botovq in rust-openssl/rust-openssl#2560
• Remove more dead config branches by @​botovq in rust-openssl/rust-openssl#2561
• Let AWS-LC use the BoringSSL path for BIO_METHOD by @​botovq in rust-openssl/rust-openssl#2562
• Two small LibreSSL tweaks by @​botovq in rust-openssl/rust-openssl#2563
• Upgrade ctest to 0.5 by @​alex in rust-openssl/rust-openssl#2569
• add more brainpool curve NID constants by @​butteronarchbtw in rust-openssl/rust-openssl#2567
• fix min-version CI by @​alex in rust-openssl/rust-openssl#2573
• Fix use-after-free of error strings on BoringSSL/aws-lc by @​alex in rust-openssl/rust-openssl#2572
• Pin quote to 1.0.44 for min-version CI by @​alex in rust-openssl/rust-openssl#2579
• Constify from_raw by @​DarkaMaul in rust-openssl/rust-openssl#2580
• Support pregenerated Rust bindings from AWS-LC installations by @​justsmth in rust-openssl/rust-openssl#2578
• Bump aws-lc-sys to 0.38 by @​goffrie in rust-openssl/rust-openssl#2581
• Release openssl v0.10.76 and openssl-sys v0.9.112 by @​weihanglo in rust-openssl/rust-openssl#2582

New Contributors

• @​FinnRG made their first contribution in rust-openssl/rust-openssl#2521
• @​danpashin made their first contribution in rust-openssl/rust-openssl#2523
• @​mqqz made their first contribution in rust-openssl/rust-openssl#2528
• @​lwestlund made their first contribution in rust-openssl/rust-openssl#2531
• @​buytenh made their first contribution in rust-openssl/rust-openssl#2540
• @​Zenkibou made their first contribution in rust-openssl/rust-openssl#2543
• @​butteronarchbtw made their first contribution in rust-openssl/rust-openssl#2567
• @​DarkaMaul made their first contribution in rust-openssl/rust-openssl#2580
• @​weihanglo made their first contribution in rust-openssl/rust-openssl#2582

Full Changelog: rust-openssl/rust-openssl@openssl-v0.10.75...openssl-v0.10.76

openssl-v0.10.75

What's Changed

... (truncated)

Commits

• 6b94124 Release openssl v0.10.76 and openssl-sys v0.9.112 (#2582)
• 30c3f2d Bump aws-lc-sys to 0.38 (#2581)
• efc55bf Support pregenerated Rust bindings from AWS-LC installations (#2578)
• 80cd420 Constify from_raw (#2580)
• e64c352 Pin quote to 1.0.44 for min-version CI (#2579)
• c38b028 Fix use-after-free of error strings on BoringSSL/aws-lc (#2572)
• 9cd9a14 fix min-version CI (#2573)
• 87bf0e2 Merge pull request #2567 from butteronarchbtw/brainpool-nid-constants
• 61906a9 add libressl variants
• e922826 add corresponding rust constants
• Additional commits viewable in compare view

Updates regex from 1.5.4 to 1.5.5

Changelog

Sourced from regex's changelog.

1.5.5 (2022-03-08)

This releases fixes a security bug in the regex compiler. This bug permits a vector for a denial-of-service attack in cases where the regex being compiled is untrusted. There are no known problems where the regex is itself trusted, including in cases of untrusted haystacks.

• SECURITY #GHSA-m5pq-gvj9-9vr8: Fixes a bug in the regex compiler where empty sub-expressions subverted the existing mitigations in place to enforce a size limit on compiled regexes. The Rust Security Response WG published an advisory about this: https://groups.google.com/g/rustlang-security-announcements/c/NcNNL1Jq7Yw

Commits

• d130381 1.5.5
• ae70b41 security: fix denial-of-service bug in compiler
• b92ffd5 cargo: use SPDX license format
• f6e52da syntax: fix 'unused' warnings
• 5197f21 fuzz: do not use inherits in Cargo.toml
• 3662851 doc: fix typo
• 63ee669 syntax/doc: fix 'their' typo
• d6bc7a4 readme: remove broken badge
• bd74660 fuzz: try to fix build issue
• bd0a142 readme: fix badges
• Additional commits viewable in compare view

Updates tar from 0.4.37 to 0.4.45

Commits

• 096e3d1 Bump to 0.4.45 (#443)
• 17b1fd8 archive: Prevent symlink-directory collision chmod attack (#442)
• de1a587 archive: Unconditionally honor PAX size (#441)
• 6071cbe ci: Consolidate workflows (#439)
• ad1fde9 build-sys: Promote unused_code to an error
• c8cb250 tests: Squash a warning
• 638c495 ci: Add xtask infra + reverse dependency testing (#435)
• 32a9bbb tests: Add RandomReader to exercise partial-read resilience (#436)
• 9c5df0b Fix GNU long-name extension stream corruption on validation error (#434)
• 88b1e3b Fix docs typo in header.rs (#431)
• Additional commits viewable in compare view

Updates time from 0.1.44 to 0.1.45

Commits

• See full diff in compare view

Updates tokio from 1.10.1 to 1.16.1

Release notes

Sourced from tokio's releases.

Tokio v1.16.1

1.16.1 (January 28, 2022)

This release fixes a bug in #4428 with the change #4437.

#4428: tokio-rs/tokio#4428 #4437: tokio-rs/tokio#4437

Tokio v1.16.0

Fixes a soundness bug in io::Take (#4428). The unsoundness is exposed when leaking memory in the given AsyncRead implementation and then overwriting the supplied buffer:

impl AsyncRead for Buggy {
    fn poll_read(
        self: Pin<&mut Self>,
        cx: &mut Context<'_>,
        buf: &mut ReadBuf<'_>
    ) -> Poll<Result<()>> {
      let new_buf = vec![0; 5].leak();
      *buf = ReadBuf::new(new_buf);
      buf.put_slice(b"hello");
      Poll::Ready(Ok(()))
    }
}

Also, this release includes improvements to the multi-threaded scheduler that can increase throughput by up to 20% in some cases (#4383).

Fixed

• io: soundness don't expose uninitialized memory when using io::Take in edge case (#4428)
• fs: ensure File::write results in a write syscall when the runtime shuts down (#4316)
• process: drop pipe after child exits in wait_with_output (#4315)
• rt: improve error message when spawning a thread fails (#4398)
• rt: reduce false-positive thread wakups in the multi-threaded scheduler (#4383)
• sync: don't inherit Send from parking_lot::*Guard (#4359)

Added

• net: TcpSocket::linger() and set_linger() (#4324)
• net: impl UnwindSafe for socket types (#4384)
• rt: impl UnwindSafe for JoinHandle (#4418)
• sync: watch::Receiver::has_changed() (#4342)
• sync: oneshot::Receiver::blocking_recv() (#4334)
• sync: RwLock blocking operations (#4425)

Unstable

... (truncated)

Commits

• 91b9850 chore: prepare Tokio v1.16.1 release (#4438)
• 3c46705 io: fix take pointer check (#4437)
• afd2189 chore: prepare Tokio v1.16 release (#4431)
• 986b88b chore: update year in LICENSE files (#4429)
• 257053e util: add spawn_pinned (#3370)
• 5af9e0d sync: add blocking lock methods to RwLock (#4425)
• 8f77ee8 net: add generic trait to combine UnixListener and TcpListener (#4385)
• 2747043 tests: enable running wasm32-unknown-unknown tests (#4421)
• 2a5071f feat: implement Framed::map_codec (#4427)
• 621790e io: fix take when using evil reader (#4428)
• Additional commits viewable in compare view

Updates zeroize_derive from 1.1.0 to 1.4.3

Changelog

Sourced from zeroize_derive's changelog.

1.4.3 (2021-11-04)

Added

• Implement Zeroize for NonZeroX

Changed

• Moved to RustCrypto/utils repository

1.4.2 (2021-09-21)

Added

• Derive Default on Zeroizing

1.4.1 (2021-07-20)

Added

• Implement Zeroize for [MaybeUninit<Z>]

1.4.0 (2021-07-18)

NOTE: This release includes an MSRV bump to Rust 1.51. Please use zeroize = "1.3.0" if you would like to support older Rust versions.

Added

• Use const generics to impl Zeroize for [Z; N]; MSRV 1.51
• Zeroizing::clone_from now zeroizes the destination before cloning

1.3.0 (2021-04-19)

Added

• impl Zeroize for Box<[Z]>
• Clear residual space within Option

Changed

• Ensure Option is None when zeroized
• Bump MSRV to 1.47

1.2.0 (2020-12-09)

Added

• Zeroize support for x86(-64) SIMD registers

Changed

• Simplify String::zeroize
• MSRV 1.44+

1.1.1 (2020-09-15)

• Add doc_cfg
• zeroize entire capacity of String
• zeroize entire capacity of Vec

Commits

• 8a65644 zeroize_derive v1.4.3
• 4b06984 zeroize_derive: Inject where clauses; skip unused (#882)
• e3af7c3 zeroize_derive v1.4.1 (#880)
• 74770c8 Do not automatically inject bounds (#879)
• 54d5f70 zeroize v1.6.0 (#876)
• e03bf4e zeroize_derive v1.4.0 (#875)
• 30b2c55 fiat-constify/zeroize_derive: bump syn to v2 (#858)
• 569eb92 zeroize: 2021 edition upgrade; MSRV 1.56 (#869)
• d7b383d zeroize: impl Zeroize for str and Box\<str> (#842)
• 91c2c21 doc: remove extraneous words (#838)
• Additional commits viewable in compare view

Updates borsh from 0.8.2 to 0.9.3

Changelog

Sourced from borsh's changelog.

[0.9.3] - 2022-02-03

• Fix no_std compatibility.
• Reduce code bloat in derived BorshSerialize impl for enums.

[0.9.2] - 2022-01-25

• Upgrade hashbrown from 0.9 to 0.11. This can breakage in the rare case that you use borsh schema together with no-std support and rely on a specific version hashbrown of SchemaContainer. This is considered to be obscure enough to not warrant a semver bump.

[0.9.1] - 2021-07-14

• Eliminated unsafe code from both ser and de of u8 (#26)
• Implemented ser/de for reference count types (#27)
• Added serialization helpers to improve api ergonomics (#34)
• Implemented schema for arrays and fix box bounds (#36)
• Implemented (de)ser for PhantomData (#37)
• Implemented const-generics under feature (#38)
• Added an example of direct BorshSerialize::serialize usage with vector and slice buffers (#29)

[0.9.0] - 2021-03-18

• BREAKING CHANGE: is_u8 optimization helper is now unsafe since it may cause undefined behavior if it returns true for the type that is not safe to Copy (#21)
• Extended the schema impls to support longer arrays to match the de/serialization impls (#22)

Commits

• eeb969c ci: publish macros crates even without changes (#80)
• 5ff9c6f fix no_std compatability (#79)
• f341871 Tweak enum serialization to generate better LLVM IR and more compact code (#77)
• 36e63e7 conditionally push and create release only if a tag is created (#74)
• 5c89866 fix(infra): checkout: set fetch-depth to pull tags (#72)
• c88de8b escape git_tag_message body (#73)
• 5c10694 ensure to contain git body in git_tag_message (#70)
• d1edc1e fix(infra): env variables (#69)
• 41ca49e add git author name (#68)
• ef2cf84 feat(infra): introduce automated publishing (#67)
• Additional commits viewable in compare view

Updates bumpalo from 3.6.1 to 3.20.2

Changelog

Sourced from bumpalo's changelog.

3.20.2

Released 2026-02-19.

Fixed

• Restored Send and Sync implementations for Box<T> for T: ?Sized types as well.

---

3.20.1

Released 2026-02-18.

Fixed

• Restored Send and Sync implementations for Box<T> when T: Send and T: Sync respectively.

---

3.20.0

Released 2026-02-18.

Added

• Added the bumpalo::collections::Vec::pop_if method.

Fixed

• Fixed a bug in the bumpalo::collections::String::retain method in the face of panics.
• Made bumpalo::collections::Box<T> covariant with T (just like std::boxed::Box<T>).

---

3.19.1

Released 2025-12-16.

Changed

• Annotated bumpalo::collections::String::from_str_in as #[inline].

Fixed

• Fixed compilation failures with the latest nightly Rust when enabling the

... (truncated)

Commits

• 1aad072 Bump to version 3.20.2 (#312)
• 2fb1d6a Add more tests for send and sync behavior, support unsized types (#311)
• 7c8d1f3 Bump to 3.20.1 (#310)
• e06b36b Restore Send and Sync for Box (#309)
• cb7f033 Bump to 3.20.0 (#307)
• d97d31c Make box covariant (#304)
• f9256f7 Pin quickcheck (#306)
• a006efb Fix String::retain panic safety yielding invalid UTF-8 (#302)
• 96ba386 Add pop_if() to Vec (#301)
• 8c2172a Bump to version 3.19.1 (#300)
• Additional commits viewable in compare view

Updates bzip2 from 0.3.3 to 0.4.4

Release notes

Sourced from bzip2's releases.

Version 0.5.2 (and 0.1.13 for bzip2-sys)

Some minor fixes this time

• better wasm support (and we test wasm on CI)
• make bz_internal_error an extern fn by @​folkertdev in trifectatechfoundation/bzip2-rs#135 fixes a soundness issue. This is technically a semver-breaking change, but major versions for -sys crates create a lot of churn. We don't expect users to run into this

What's Changed

• fix: libc wasm types by @​baszalmstra in trifectatechfoundation/bzip2-rs#131
• update LICENSE-MIT by @​rootdiae in trifectatechfoundation/bzip2-rs#130
• run CI for wasm32-wasip2 by @​folkertdev in trifectatechfoundation/bzip2-rs#132
• remove libc dependency of bzip2-sys by @​folkertdev in trifectatechfoundation/bzip2-rs#133
• make bz_internal_error an extern fn by @​folkertdev in trifectatechfoundation/bzip2-rs#135

New Contributors

• @​baszalmstra made their first contribution in trifectatechfoundation/bzip2-rs#131
• @​rootdiae made their first contribution in trifectatechfoundation/bzip2-rs#130

Full Changelog: trifectatechfoundation/bzip2-rs@v0.5.1...v0.5.2

Version 0.5.1 (and 0.1.12 for bzip2-sys)

Highlights

Most changes relate to libbz2-rs-sys: we no longer enable the static feature, and now including different versions, that use either the C or the rust -sys crate, all work together in the same build.

What's Changed

• write::BzDecoder: Fix infinite loop on drop when no data is read or written by @​chenxiaolong in trifectatechfoundation/bzip2-rs#118
• don't enable the static feature when using libbz2-rs-sys by @​folkertdev in trifectatechfoundation/bzip2-rs#122
• update libbz2-rs-sys version that we use by @​folkertdev in trifectatechfoundation/bzip2-rs#123
• use core::ffi::{c_int, c_uint} in favor of libc by @​folkertdev in trifectatechfoundation/bzip2-rs#126
• Add finisher drop implementation to BzEncoder by @​jonasbb in trifectatechfoundation/bzip2-rs#121
• Update rand requirement from 0.8 to 0.9 by @​dependabot in trifectatechfoundation/bzip2-rs#127
• Disable bzip2-sys build script if rust backend is enabled by @​NobodyXu in trifectatechfoundation/bzip2-rs#125
• deprecate Compression::new by @​folkertdev in trifectatechfoundation/bzip2-rs#124
• build the docs on CI by @​folkertdev in trifectatechfoundation/bzip2-rs#128
• bump version to 0.5.1 and 0.1.12 by @​folkertdev in trifectatechfoundation/bzip2-rs#129

New Contributors

• @​chenxiaolong made their first contribution in trifectatechfoundation/bzip2-rs#118
• @​jonasbb made their first contribution in trifectatechfoundation/bzip2-rs#121
• @​dependabot made their first contribution in trifectatechfoundation/bzip2-rs#127
• @​NobodyXu made their first contribution in trifectatechfoundation/bzip2-rs#125

Full Changelog: trifectatechfoundation/bzip2-rs@v0.5.0...v0.5.1

Commits

• 3032f37 Bump to 0.4.4
• 90c9c18 Patched an infinite loop bug in src/mem.rs, impl Decompress::decompress() (#86)
• 016e181 Bump versions
• 2158f5a *: introduce static features (

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	cargo/​thiserror@​1.0.24 ⏵ 1.0.69	-19
	cargo/​solana-sdk@​1.6.4 ⏵ 1.13.7	+3		+8
	cargo/​solana-program@​1.6.4 ⏵ 1.13.7	+7		+8
	cargo/​borsh@​0.8.2 ⏵ 0.9.3			-3
	cargo/​spl-token@​3.5.0
	cargo/​solana-program-test@​1.6.4 ⏵ 1.13.7

View full report

[socket-security]

Caution

MetaMask internal reviewing guidelines:

• Do not ignore-all
• Each alert has instructions on how to review if you don't know what it means. If lost, ask your Security Liaison or the supply-chain group
• Copy-paste ignore lines for specific packages or a group of one kind with a note on what research you did to deem it safe.
  @SocketSecurity ignore npm/PACKAGE@VERSION

Action	Severity	Alert  (click "▶" to expand/collapse)
Block		High CVE: Quinn affected by unauthenticated remote DoS via panic in QUIC transport parameter parsing in cargo quinn-proto CVE: GHSA-6xvm-j4wr-6v98 Quinn affected by unauthenticated remote DoS via panic in QUIC transport parameter parsing (HIGH) Affected versions: < 0.11.14 Patched version: 0.11.14 From: ? → cargo/solana-program-test@1.13.7 → cargo/quinn-proto@0.8.4 ℹ Read more on: This package | This alert | What is a CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known high severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore cargo/quinn-proto@0.8.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Native binaries present: cargo ahash Location: Package overview From: ? → cargo/borsh@0.9.3 → cargo/solana-program-test@1.13.7 → cargo/ahash@0.7.8 ℹ Read more on: This package | This alert | Why is native code a concern? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Verify that the inclusion of native code is expected and necessary for this package's functionality. If it is unnecessary or unexpected, consider using alternative packages without native code to mitigate potential risks. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore cargo/ahash@0.7.8. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		System shell access: cargo brotli Location: Package overview From: ? → cargo/solana-program-test@1.13.7 → cargo/brotli@3.5.0 ℹ Read more on: This package | This alert | What is shell access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore cargo/brotli@3.5.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Native binaries present: cargo cc Location: Package overview From: ? → cargo/solana-program-test@1.13.7 → cargo/solana-program@1.13.7 → cargo/cc@1.2.57 ℹ Read more on: This package | This alert | Why is native code a concern? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Verify that the inclusion of native code is expected and necessary for this package's functionality. If it is unnecessary or unexpected, consider using alternative packages without native code to mitigate potential risks. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore cargo/cc@1.2.57. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		System shell access: cargo deranged Location: Package overview From: ? → cargo/solana-program-test@1.13.7 → cargo/deranged@0.5.8 ℹ Read more on: This package | This alert | What is shell access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore cargo/deranged@0.5.8. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Native binaries present: cargo im Location: Package overview From: ? → cargo/solana-program-test@1.13.7 → cargo/solana-sdk@1.13.7 → cargo/solana-program@1.13.7 → cargo/im@15.1.0 ℹ Read more on: This package | This alert | Why is native code a concern? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Verify that the inclusion of native code is expected and necessary for this package's functionality. If it is unnecessary or unexpected, consider using alternative packages without native code to mitigate potential risks. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore cargo/im@15.1.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: cargo js-sys Location: Package overview From: ? → cargo/solana-program-test@1.13.7 → cargo/solana-sdk@1.13.7 → cargo/solana-program@1.13.7 → cargo/js-sys@0.3.91 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore cargo/js-sys@0.3.91. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		System shell access: cargo js-sys Location: Package overview From: ? → cargo/solana-program-test@1.13.7 → cargo/solana-sdk@1.13.7 → cargo/solana-program@1.13.7 → cargo/js-sys@0.3.91 ℹ Read more on: This package | This alert | What is shell access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore cargo/js-sys@0.3.91. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Native binaries present: cargo lz4-sys Location: Package overview From: ? → cargo/solana-program-test@1.13.7 → cargo/lz4-sys@1.11.1%2Blz4-1.10.0 ℹ Read more on: This package | This alert | Why is native code a concern? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Verify that the inclusion of native code is expected and necessary for this package's functionality. If it is unnecessary or unexpected, consider using alternative packages without native code to mitigate potential risks. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore cargo/lz4-sys@1.11.1%2Blz4-1.10.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		System shell access: cargo lz4-sys Location: Package overview From: ? → cargo/solana-program-test@1.13.7 → cargo/lz4-sys@1.11.1%2Blz4-1.10.0 ℹ Read more on: This package | This alert | What is shell access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore cargo/lz4-sys@1.11.1%2Blz4-1.10.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: cargo nix Location: Package overview From: ? → cargo/solana-program-test@1.13.7 → cargo/nix@0.23.2 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore cargo/nix@0.23.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Native binaries present: cargo num-complex Location: Package overview From: ? → cargo/solana-program-test@1.13.7 → cargo/num-complex@0.2.4 ℹ Read more on: This package | This alert | Why is native code a concern? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Verify that the inclusion of native code is expected and necessary for this package's functionality. If it is unnecessary or unexpected, consider using alternative packages without native code to mitigate potential risks. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore cargo/num-complex@0.2.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		System shell access: cargo num-complex Location: Package overview From: ? → cargo/solana-program-test@1.13.7 → cargo/num-complex@0.2.4 ℹ Read more on: This package | This alert | What is shell access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore cargo/num-complex@0.2.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: cargo num-complex Location: Package overview From: ? → cargo/solana-program-test@1.13.7 → cargo/num-complex@0.2.4 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore cargo/num-complex@0.2.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: cargo num-rational Location: Package overview From: ? → cargo/solana-program-test@1.13.7 → cargo/num-rational@0.2.4 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore cargo/num-rational@0.2.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		System shell access: cargo num-rational Location: Package overview From: ? → cargo/solana-program-test@1.13.7 → cargo/num-rational@0.2.4 ℹ Read more on: This package | This alert | What is shell access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore cargo/num-rational@0.2.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Native binaries present: cargo oid-registry Location: Package overview From: ? → cargo/solana-program-test@1.13.7 → cargo/oid-registry@0.6.1 ℹ Read more on: This package | This alert | Why is native code a concern? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Verify that the inclusion of native code is expected and necessary for this package's functionality. If it is unnecessary or unexpected, consider using alternative packages without native code to mitigate potential risks. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore cargo/oid-registry@0.6.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: cargo quinn-proto Location: Package overview From: ? → cargo/solana-program-test@1.13.7 → cargo/quinn-proto@0.8.4 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore cargo/quinn-proto@0.8.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Native binaries present: cargo quote Location: Package overview From: ? → cargo/bincode@1.3.3 → cargo/borsh@0.9.3 → cargo/thiserror@1.0.69 → cargo/num-derive@0.3.3 → cargo/spl-token@3.5.0 → cargo/solana-program-test@1.13.7 → cargo/solana-sdk@1.13.7 → cargo/solana-program@1.13.7 → cargo/quote@1.0.45 ℹ Read more on: This package | This alert | Why is native code a concern? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Verify that the inclusion of native code is expected and necessary for this package's functionality. If it is unnecessary or unexpected, consider using alternative packages without native code to mitigate potential risks. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore cargo/quote@1.0.45. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: cargo r-efi Location: Package overview From: ? → cargo/solana-program-test@1.13.7 → cargo/solana-program@1.13.7 → cargo/r-efi@5.3.0 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore cargo/r-efi@5.3.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		System shell access: cargo r-efi Location: Package overview From: ? → cargo/solana-program-test@1.13.7 → cargo/solana-program@1.13.7 → cargo/r-efi@5.3.0 ℹ Read more on: This package | This alert | What is shell access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore cargo/r-efi@5.3.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: cargo rayon Location: Package overview From: ? → cargo/solana-program-test@1.13.7 → cargo/solana-sdk@1.13.7 → cargo/solana-program@1.13.7 → cargo/rayon@1.11.0 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore cargo/rayon@1.11.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		System shell access: cargo rayon Location: Package overview From: ? → cargo/solana-program-test@1.13.7 → cargo/solana-sdk@1.13.7 → cargo/solana-program@1.13.7 → cargo/rayon@1.11.0 ℹ Read more on: This package | This alert | What is shell access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should avoid accessing the shell which can reduce portability, and make it easier for malicious shell access to be introduced. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore cargo/rayon@1.11.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: cargo rcgen Location: Package overview From: ? → cargo/solana-program-test@1.13.7 → cargo/rcgen@0.9.3 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore cargo/rcgen@0.9.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Native binaries present: cargo rustix Location: Package overview From: ? → cargo/solana-program-test@1.13.7 → cargo/rustix@1.1.4 ℹ Read more on: This package | This alert | Why is native code a concern? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Verify that the inclusion of native code is expected and necessary for this package's functionality. If it is unnecessary or unexpected, consider using alternative packages without native code to mitigate potential risks. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore cargo/rustix@1.1.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: cargo rustls-native-certs Location: Package overview From: ? → cargo/solana-program-test@1.13.7 → cargo/rustls-native-certs@0.6.3 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore cargo/rustls-native-certs@0.6.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Native binaries present: cargo rustls Location: Package overview From: ? → cargo/solana-program-test@1.13.7 → cargo/rustls@0.20.9 ℹ Read more on: This package | This alert | Why is native code a concern? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Verify that the inclusion of native code is expected and necessary for this package's functionality. If it is unnecessary or unexpected, consider using alternative packages without native code to mitigate potential risks. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore cargo/rustls@0.20.9. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Network access: cargo security-framework Location: Package overview From: ? → cargo/solana-program-test@1.13.7 → cargo/security-framework@2.11.1 ℹ Read more on: This package | This alert | What is network access? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should remove all network access that is functionally unnecessary. Consumers should audit network access to ensure legitimate use. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore cargo/security-framework@2.11.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
See 62 more rows in the dashboard

View full report