security: Update time to 0.3.47 and reqwest to 0.13.2 (Dependabot fixes)#745
- Update time from 0.3.37 to 0.3.47
  - Fixes stack exhaustion DoS vulnerability in RFC 2822 parsing (CVE-2026-XXXX)
  - Adds recursion depth tracking to prevent unbounded recursion
- Update reqwest from 0.12.15 to 0.13.2
  - Switch TLS backend from native-tls to rustls with aws-lc crypto provider
  - Improves TLS security and platform compatibility
  - Add 'query' feature to maintain URL query parameter functionality
- Update related dependencies:
  - time-core 0.1.2 -> 0.1.8
  - time-macros 0.2.19 -> 0.2.27
  - deranged 0.3.11 -> 0.5.5
  - num-conv 0.1.0 -> 0.2.0
  - hyper 1.5.2 -> 1.8.1
  - hyper-util 0.1.10 -> 0.1.19
  - rustls 0.23.20 -> 0.23.36

Resolves Dependabot PRs #743 and #733

Tested: cargo check and cargo check --release pass successfully
Pull request overview
Updates Rust dependencies to address Dependabot-reported security issues, primarily by moving onto newer time and reqwest releases and updating the resolved dependency graph in the lockfile.
Changes:
- Bump reqwest to the 0.13.x line and explicitly enable the query feature (now optional in 0.13).
- Update Cargo.lock to resolve patched versions (including time 0.3.47) and associated transitive upgrades.
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| Cargo.toml | Updates reqwest dependency version/features to match reqwest 0.13 feature gating. |
| Cargo.lock | Resolves updated dependency versions for reqwest, time, and transitive crates. |
| rand_chacha = "0.3" | ||
| rayon = "1.10.0" | ||
| reqwest = { version = "0.12.15", features = ["blocking", "json"] } | ||
| reqwest = { version = "0.13.1", features = ["blocking", "json", "query"] } |
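Review bot: The TLS backend change described in the PR (native-tls to rustls with aws-lc) is not visible in this hunk: the `reqwest` line only bumps the version and adds `query`, with no TLS-related feature added or removed, so the backend choice rests entirely on reqwest 0.13's defaults. Suggest adding a short comment above `reqwest = { version = "0.13.1", features = ["blocking", "json", "query"] }` recording that the default backend is now rustls/aws-lc, so a later feature edit cannot silently reintroduce native-tls unnoticed. Separately, the declared requirement `"0.13.1"` is a caret requirement and already allows the 0.13.2 that Cargo.lock resolves, so aligning it with the PR title is a consistency fix rather than a functional one.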
PR metadata says reqwest is being updated to 0.13.2, but Cargo.toml specifies 0.13.1. Since Cargo.lock currently resolves reqwest 0.13.2, consider bumping the Cargo.toml version requirement to 0.13.2 (or update the PR title/description) to keep the declared requirement consistent with what’s actually being built.
⏱️ Benchmark run finished in 0m 32s
📈 Compared against baseline: 30s
🟢 Generation time is unchanged.
📅 Last benchmark: 2026-02-09 13:07:30 UTC
You can retrigger the benchmark by commenting
Security Updates
This PR addresses two security vulnerabilities identified by Dependabot:
🔒 Fixed Vulnerabilities
1. time crate (CVE-2026-XXXX) - DoS via RFC 2822 parsing
Updated:
- time 0.3.37 → 0.3.47
2. reqwest TLS Backend Security Improvement
Updated:
- reqwest 0.12.15 → 0.13.2
- native-tls to rustls with aws-lc crypto provider
- query feature to maintain URL query parameter functionality
📦 Related Dependency Updates
The following dependencies were updated as part of the security fixes:
- time-core 0.1.2 → 0.1.8
- time-macros 0.2.19 → 0.2.27
- deranged 0.3.11 → 0.5.5
- num-conv 0.1.0 → 0.2.0
- hyper 1.5.2 → 1.8.1
- hyper-util 0.1.10 → 0.1.19
- rustls 0.23.20 → 0.23.36
✅ Testing
- cargo check passes
- cargo check --release passes
🔗 References
📝 Notes
The query feature was added to the reqwest dependency configuration in Cargo.toml as it became an optional feature in reqwest 0.13. This ensures URL query parameter functionality remains available for OSM API calls.
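The stack-exhaustion fix named in the PR description and under "Fixed Vulnerabilities" above is a recursion-depth limit in a parser. The following is an added example written for this page, not code from the time crate or from this PR. RFC 2822 comments can nest (`(a (b (c)))`, with `\` quoting the next byte), so a recursive-descent comment parser recurses once per opening parenthesis, and a string of a hundred thousand `(` characters exhausts the stack before a single closing `)` is examined. The depth-tracked version rejects such input after a bounded amount of work. `MAX_COMMENT_DEPTH`, the error type and the function names are assumptions chosen for the example, not the time crate's limits or API.

```rust
// Added example (not the time crate's code): an RFC 2822 comment parser in
// its unbounded form and in a depth-tracked form of the kind the PR
// description mentions. Both return the number of bytes consumed, including
// the closing ')', so the caller can continue parsing after the comment.

/// Maximum nesting depth accepted by the hardened parser. The value is an
/// assumption for this example, not a limit taken from the time crate.
pub const MAX_COMMENT_DEPTH: usize = 32;

#[derive(Debug, PartialEq)]
pub enum CommentError {
    /// Input ended before the matching ')' was found.
    Unterminated,
    /// Nesting exceeded MAX_COMMENT_DEPTH; input rejected without recursing further.
    TooDeep,
}

/// Unbounded parser: every '(' recurses with no limit, so stack usage grows
/// linearly with the nesting depth chosen by whoever supplied the input.
pub fn parse_comment_unbounded(input: &[u8]) -> Result<usize, CommentError> {
    if input.first() != Some(&b'(') {
        return Err(CommentError::Unterminated);
    }
    let mut pos = 1;
    while pos < input.len() {
        match input[pos] {
            b'\\' => pos += 2, // quoted-pair: the next byte is literal
            b'(' => pos += parse_comment_unbounded(&input[pos..])?, // nested comment
            b')' => return Ok(pos + 1),
            _ => pos += 1,
        }
    }
    Err(CommentError::Unterminated)
}

/// Depth-tracked parser: same grammar, but the current nesting depth is
/// carried through the recursion and checked before each new level.
pub fn parse_comment(input: &[u8]) -> Result<usize, CommentError> {
    parse_comment_at(input, 1)
}

fn parse_comment_at(input: &[u8], depth: usize) -> Result<usize, CommentError> {
    // Reject before touching the stack frame's work: the cost of handling a
    // pathological input is now bounded by MAX_COMMENT_DEPTH frames.
    if depth > MAX_COMMENT_DEPTH {
        return Err(CommentError::TooDeep);
    }
    if input.first() != Some(&b'(') {
        return Err(CommentError::Unterminated);
    }
    let mut pos = 1;
    while pos < input.len() {
        match input[pos] {
            b'\\' => pos += 2,
            b'(' => pos += parse_comment_at(&input[pos..], depth + 1)?,
            b')' => return Ok(pos + 1),
            _ => pos += 1,
        }
    }
    Err(CommentError::Unterminated)
}

/// Constructed test input: n opening parentheses followed by n closing ones.
pub fn nested(n: usize) -> Vec<u8> {
    let mut v = vec![b'('; n];
    v.extend(std::iter::repeat(b')').take(n));
    v
}

fn main() {
    let shallow: &[u8] = b"(a (b (c)))";
    println!("shallow, unbounded: {:?}", parse_comment_unbounded(shallow));
    println!("shallow, bounded:   {:?}", parse_comment(shallow));

    let deep = nested(100_000);
    // parse_comment_unbounded(&deep) would recurse 100_000 times and abort the
    // process with a stack overflow; the bounded parser stops at depth 33.
    println!("deep, bounded:      {:?}", parse_comment(&deep));
}
```

The important property is that the rejection cost is fixed by the limit, not by the input: the bounded parser gives up after `MAX_COMMENT_DEPTH + 1` frames regardless of how many parentheses follow, while the unbounded one allocates one stack frame per `(` until the thread's stack is gone.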