Bump the security group across 1 directory with 4 updates

[dependabot]

Bumps the security group with 4 updates in the / directory: git2, actix-http, gix-date and rustls-webpki.

Updates git2 from 0.20.2 to 0.21.0

Changelog

Sourced from git2's changelog.

0.21.0 - 2026-05-18

0.20.4...main

Added

• Added experimental SHA256 repository support behind the new unstable-sha256 Cargo feature, along with *_ext API variants that accept an ObjectFormat. #1206
• Added opts::set_cache_max_size() and opts::get_cached_memory(). #1188
• Added Repository::object_format() and a new ObjectFormat enum. #1204
• Added Repository::set_config(). #1208
• Added merge_file() along with MergeFileInput. #1210
• Added Repository::refdb_compress() for packing loose refs. #1221
• Added public Refdb type, along with Repository::refdb() and Repository::set_refdb(). Repository::refdb_compress() now delegates to Refdb::compress(). #1228
• Added Revspec::into_objects(). #1230
• Added BlameHunk::final_committer(), BlameHunk::orig_committer(), BlameHunk::summary(), and BlameHunk::summary_bytes(). #1231
• Implemented Clone for Reference. #1233
• Added Repository::author_from_env() and Repository::committer_from_env(). #1237
• Added impl From<Utf8Error> for Error. #1239

Changed

• ❗ The ssh, https, and cred Cargo features are no longer enabled by default. Previously default = ["ssh", "https"]; now default = []. Enable them explicitly if you rely on credential helpers or transport support. #1168
• ❗ CredentialHelper and the url dependency are now gated behind the new cred Cargo feature. Enabling ssh or https transitively enables cred. #1168
• ❗ Updated to the 2021 edition. #1173
• ❗ Many string accessors that previously returned Option<&str> now return Result<&str, Error> or Result<Option<&str>, Error>, so callers can distinguish a missing value from a non-UTF-8 one. #1241
• ❗ BlameHunk::final_signature, BlameHunk::final_committer, BlameHunk::orig_signature, and BlameHunk::orig_committer now return Option to avoid segfaults when signature information is missing. #1254
• Bumped requirement to libgit2-sys 0.18.4, which updates libgit2 to 1.9.3.

... (truncated)

Commits

• dffaf27 Merge pull request #1256 from weihanglo/changelog
• 84b9c76 docs: changelog for git2@0.21
• 8c6dc4a Merge pull request #1206 from weihanglo/sha256-git2
• 7bd145e fix: import ObjectFormat in one place
• fc8af6a test(oid): split _ext to test each format separately
• b9bde87 test: oid length sanity check
• 57a68e0 feat(oid): impl Display for ObjectFormat
• 7acee09 chore(ci): test git2 sha256 support
• bdf5b7b fix: init example with --object-format option
• 9fb4e6a refactor(util): drop unsafe from zeroed_raw_oid
• Additional commits viewable in compare view

Updates actix-http from 3.11.1 to 3.13.1

Release notes

Sourced from actix-http's releases.

actix-http: v3.13.1

3.13.1

• Fix HTTP/1 WebSocket upgrade responses being overwritten with Connection: close when the upgraded request payload remains open. #4115

#4115: actix/actix-web#4115

actix-http: v3.13.0

3.13.0

• When configured, gracefully close HTTP/1 connections after early responses to unread request bodies. #3967
• Wake HTTP/1 payload receivers with an incomplete-payload error when the sender is dropped before EOF. #3100
• Update foldhash dependency to 0.2.

#3967: actix/actix-web#3967 #3100: actix/actix-web#3100

actix-http: v3.12.1

Notice: This release contains a security fix. Users are encouraged to update to this version ASAP.

• SECURITY: Reject HTTP/1 requests with ambiguous request framing from Content-Length and Transfer-Encoding headers to prevent request smuggling.
• Encode the HTTP/1 Connection: Upgrade header in Camel-Case when camel-case header formatting is enabled.#3953
• Fix HeaderMap iterators' len() and size_hint() implementations for multi-value headers.
• Update rand dependency to 0.10.
• Update sha1 dependency to 0.11.

#3953: actix/actix-web#3953

actix-http: v3.12.0

• Minimum supported Rust version (MSRV) is now 1.88.
• Increase default HTTP/2 flow control window sizes. #3638
• Expose configuration methods to improve upload throughput. #3638
• Fix truncated body ending without error when connection closed abnormally. #3067
• Add config/method for TCP_NODELAY. #3918
• Do not compress 206 Partial Content responses. #3191
• Fix lingering sockets and client stalls when responding early to dropped chunked request payloads. #2972

#3638: actix/actix-web#3638 #3067: actix/actix-web#3067 #3918: actix/actix-web#3918 #3191: actix/actix-web#3191 #2972: actix/actix-web#2972

actix-http: v3.11.2

• Properly wake Payload receivers when feeding errors or EOF.
• Add ServiceConfigBuilder type to facilitate future configuration extensions.
• Add a configuration option to allow/disallow half closed connections in HTTP/1. This defaults to allow, reverting the change made in 3.11.1.
• Shutdown connections when HTTP Responses are written without reading full Requests.

Commits

• a945e09 fix(http): fix sending responses for upgraded ones on WS (#4117)
• a928601 chore: update rcgen to 0.14 (#4113)
• 696b1fe chore(web): prepare 4.14.0 release (#4114)
• 6c65c46 chore(http): prepare 3.13.0 release (#4112)
• afd2df2 test(multipart,derive): move trybuild tests (#4028)
• 7ded7ee build(deps): bump memchr from 2.8.1 to 2.8.2 (#4107)
• 55cf2e0 build(deps): bump bytesize from 2.3.1 to 2.4.0 (#4104)
• 565b179 build(deps): bump smallvec from 1.15.1 to 1.15.2 (#4106)
• 1605dd0 build(deps): bump taiki-e/install-action from 2.81.7 to 2.81.10 (#4105)
• 5c79f55 build(deps): bump regex from 1.12.3 to 1.12.4 (#4103)
• Additional commits viewable in compare view

Updates gix-date from 0.11.0 to 0.11.1

Changelog

Sourced from gix-date's changelog.

Changelog

All notable changes to this project will be documented in this file.

The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.

0.55.0 (2026-06-22)

0.54.0 (2026-05-26)

New Features

• gix dirwalk as a way to run gix-dir directly This is mostly for testing walks specifically, without needing them as part of gix clean or gix status.
• add gix merge tree --message '' to allow creating commits This is useful for controlling cherry-picks precisely.

Commit Statistics

• 7 commits contributed to the release over the course of 26 calendar days.
• 28 days passed between releases.
• 2 commits were understood as conventional.
• 0 issues like '(#ID)' were seen in commit messages

Commit Details

• Uncategorized
  • Merge pull request #2584 from GitoxideLabs/improvements (1322a36)
  • gix dirwalk as a way to run gix-dir directly (add4cf4)
  • Merge pull request #2568 from GitoxideLabs/dependabot/cargo/cargo-56d6b174d8 (ab2fee1)
  • Update crates to Rust 2024 edition (2cb17b2)
  • Remove rust_2018_idioms lint declarations (e10d5f6)
  • Merge pull request #2557 from GitoxideLabs/cherry-pick (0771cb2)
  • Add gix merge tree --message '' to allow creating commits (6ab327e)

0.53.0 (2026-04-28)

0.52.1 (2026-04-24)

New Features

... (truncated)

Commits

• 21fecdf Release gix-date v0.11.1, gix-actor v0.36.1, gix-trace v0.1.16, gix-features ...
• b1616eb Add report for December 25
• 3cf78c3 Merge pull request #2272 from GitoxideLabs/copilot/add-gix-date-baseline-tests
• fad8219 refactor
• 7dfb2da feat: Add comprehensive data parsing support
• 25099c8 Merge pull request #2294 from GitoxideLabs/copilot/replace-zip-crate-with-rawzip
• fb6386b Address copilot review
• 8c9b4d6 refactor
• 60290f1 Replace zip crate with rawzip in gix-archive
• b77744f Merge pull request #2298 from GitoxideLabs/copilot/replace-libz-rs-sys-with-z...
• Additional commits viewable in compare view

Updates rustls-webpki from 0.103.8 to 0.103.13

Release notes

Sourced from rustls-webpki's releases.

0.103.13

• Fix reachable panic in parsing a CRL. This was reported to us as GHSA-82j2-j2ch-gfr8. Users who don't use CRLs are not affected.
• For name constraints on URI names, we incorrectly processed excluded subtrees in a way which inverted the desired meaning. See rustls/webpki#471. This was a case missing in the fix for GHSA-965h-392x-2mh5.

What's Changed

• Actually fail closed for URI matching against excluded subtrees by @​djc in rustls/webpki#473
• Prepare 0.103.13 by @​ctz in rustls/webpki#474

Full Changelog: rustls/webpki@v/0.103.12...v/0.103.13

0.103.12

This release fixes two bugs in name constraint enforcement:

• GHSA-965h-392x-2mh5: name constraints for URI names were ignored and therefore accepted. URI name constraints are now rejected unconditionally. Note this library does not provide an API for asserting URI names, and URI name constraints are otherwise not implemented.
• GHSA-xgp8-3hg3-c2mh: permitted subtree name constraints for DNS names were accepted for certificates asserting a wildcard name. This was incorrect because, given a name constraint of accept.example.com, *.example.com could feasibly allow a name of reject.example.com which is outside the constraint. This is very similar to CVE-2025-61727.

Since name constraints are restrictions on otherwise properly-issued certificates, these bugs are reachable only after signature verification and require misissuance to exploit.

What's Changed

• Prepare 0.103.12 by @​djc in rustls/webpki#470

Full Changelog: rustls/webpki@v/0.103.11...v/0.103.12

0.103.11

In response to #464, we've slightly relaxed requirements for anchor_from_trust_cert() to ignore unknown extensions even if they're marked as critical. This only affects parsing a TrustAnchor from DER, for which most extensions are ignored anyway.

What's Changed

• Backport parsing trust anchors with unknown critical extensions to 0.103 by @​djc in rustls/webpki#466

0.103.10

Correct selection of candidate CRLs by Distribution Point and Issuing Distribution Point. If a certificate had more than one distributionPoint, then only the first distributionPoint would be considered against each CRL's IssuingDistributionPoint distributionPoint, and then the certificate's subsequent distributionPoints would be ignored.

The impact was that correctly provided CRLs would not be consulted to check revocation. With UnknownStatusPolicy::Deny (the default) this would lead to incorrect but safe Error::UnknownRevocationStatus. With UnknownStatusPolicy::Allow this would lead to inappropriate acceptance of revoked certificates.

This vulnerability is thought to be of limited impact. This is because both the certificate and CRL are signed -- an attacker would need to compromise a trusted issuing authority to trigger this bug. An attacker with such capabilities could likely bypass revocation checking through other more impactful means (such as publishing a valid, empty CRL.)

More likely, this bug would be latent in normal use, and an attacker could leverage faulty revocation checking to continue using a revoked credential.

This vulnerability is identified by GHSA-pwjx-qhcg-rvj4. Thank you to @​1seal for the report.

What's Changed

• Freshen up rel-0.103 by @​ctz in rustls/webpki#455
• Prepare 0.103.10 by @​ctz in rustls/webpki#458

Full Changelog: rustls/webpki@v/0.103.9...v/0.103.10

... (truncated)

Commits

• 2879b2c Prepare 0.103.13
• 2c49773 Improve tests for padding of BitStringFlags
• 4e3c0b3 Correct validation of BIT STRING constraints
• 39c91d2 Actually fail closed for URI matching against excluded subtrees
• 27131d4 Bump version to 0.103.12
• 6ecb876 Clean up stuttery enum variant names
• 318b3e6 Ignore wildcard labels when matching name constraints
• 1219622 Rewrite constraint matching to avoid permissive catch-all branch
• 57bc62c Bump version to 0.103.11
• d0fa01e Allow parsing trust anchors with unknown criticial extensions
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
gitarena	Ready	Preview, Comment	Jun 27, 2026 10:13pm