
chore(deps): bump the prod-dependencies group with 9 updates #313

Closed

dependabot[bot] wants to merge 1 commit into main from dependabot/cargo/prod-dependencies-aac7dc5b01

Conversation

@dependabot dependabot Bot commented on behalf of github May 9, 2026

Bumps the prod-dependencies group with 9 updates:

| Package | From | To |
| --- | --- | --- |
| normpath | 1.5.0 | 1.5.1 |
| octocrab | 0.49.9 | 0.50.0 |
| opentelemetry | 0.31.0 | 0.32.0 |
| opentelemetry_sdk | 0.31.0 | 0.32.0 |
| opentelemetry-otlp | 0.31.1 | 0.32.0 |
| tokio | 1.52.1 | 1.52.3 |
| tonic | 0.14.5 | 0.14.6 |
| nix | 0.29.0 | 0.31.2 |
| wait-timeout | 0.2.0 | 0.2.1 |

Updates normpath from 1.5.0 to 1.5.1

Release notes

Sourced from normpath's releases.

1.5.1

  • Bumped dependency versions

Updates octocrab from 0.49.9 to 0.50.0

Release notes

Sourced from octocrab's releases.

v0.50.0

Added

  • add create_comment to PullRequestHandler (#880)
  • Add support for exchanging oauth code for access token (#780)
  • add get_app (#757)
  • Add ability to update an existing label (#786)
  • Added converted_from_draft to Event (#859)

Fixed

  • Use PUT not PATCH for pull request reviews (#879)
  • cargo fmt, cargo test, Set MSRV to 1.85.0 (#878)
  • deser generate repo as respository (#812)
  • use new search model on search function
  • revert commit back to correct structure

Other

  • [breaking] remove the either dependency (#883)
  • added issue_field_added to Event enum (#882)
  • update MSRV to 1.95.0
  • don't include unconditional backtrace in Display impl (#824)
  • add a simple test for compare commits
  • remove duplicated GitUser
  • create search models submodule
  • move repository model from commits module
  • move maybe_empty to models module
  • remove Option<> for some fields of PullRequest (#873)

Updates opentelemetry from 0.31.0 to 0.32.0

Release notes

Sourced from opentelemetry's releases.

opentelemetry-otlp 0.31.1

What's Changed

Full Changelog: open-telemetry/opentelemetry-rust@v0.31.0...opentelemetry-otlp-0.31.1

Changelog

Sourced from opentelemetry's changelog.

Release Notes 0.32

OpenTelemetry Rust 0.32 continues to drive the Logs, Metrics, and Distributed Tracing components forward. The Logs and Metrics API and SDK remain stable, with no breaking changes in this release. The OTLP Exporters and the Distributed Tracing API/SDK remain in pre-stable states (Release-Candidate and Beta respectively), and this release introduces a small number of intentional breaking changes in those areas to prepare them for stabilization.

For detailed changelogs of individual crates, please refer to their respective changelog files. This document serves as a summary of the main changes.

Key Changes

Metrics SDK

  1. Bound instruments (experimental): Added Counter::bind() and Histogram::bind() returning pre-bound measurement handles (BoundCounter<T>, BoundHistogram<T>). Bound instruments resolve the attribute-to-aggregator mapping once at bind time and cache the result, eliminating per-call HashMap lookups on the hot path. Benchmarks show ~28x speedup for counter operations and ~9x for histograms. Gated behind the experimental_metrics_bound_instruments feature flag.

  2. Delta collection efficiency: Delta metrics collection now uses in-place eviction instead of draining the HashMap on every collect cycle. Stale attribute sets that received no measurements since the last collection are evicted.

  3. Stable Aggregation API: Aggregation and StreamBuilder::with_aggregation() are now stable and no longer require the spec_unstable_metrics_views feature flag.

Logs

  1. Tracing-span attribute enrichment (experimental): The opentelemetry-appender-tracing crate can now copy attributes from active tracing spans onto each emitted log record. ("Span" here refers to tracing::span!, not an opentelemetry::trace::Span.) Enrichment is disabled by default with zero per-span overhead, and is gated behind the new experimental_span_attributes cargo feature.

  2. spec_unstable_logs_enabled removed: The capability (and the backing specification) is now stable and is enabled by default. The feature flag has been removed.

Distributed Tracing (Beta)

The Distributed Tracing API and SDK remain in beta. This release contains intentional breaking changes to clean up the public surface ahead of

... (truncated)

Commits
  • ec289cb chore: Prepare for release v0.32.0 (#3508)
  • 3ddb386 fix(metrics): reject usize::MAX as cardinality limit (#3506)
  • bad0a1b feat(appender-tracing): re-gate span attribute enrichment behind experimental...
  • f744509 docs: update README status table and remove deprecated crates (#3502)
  • 81d5a06 chore(prometheus): restore crate to workspace (#3500)
  • 5a07ce1 ci: close stale pull requests (#3499)
  • cc87dd9 feat(appender-tracing): stabilize span attribute propagation (#3482)
  • f290595 docs(metrics): document experimental bound instruments (#3495)
  • a79eb76 fix(sdk): suppress telemetry in SimpleSpanProcessor during export (#3494)
  • aa3bda3 chore(zipkin): deprecate opentelemetry-zipkin crate (#3492)
  • Additional commits viewable in compare view

Updates opentelemetry_sdk from 0.31.0 to 0.32.0

Changelog and commits: identical to the Release Notes 0.32 and commit list given under opentelemetry above.

Updates opentelemetry-otlp from 0.31.1 to 0.32.0

Changelog and commits: identical to the Release Notes 0.32 and commit list given under opentelemetry above.

Updates tokio from 1.52.1 to 1.52.3

Release notes

Sourced from tokio's releases.

Tokio v1.52.3

1.52.3 (May 8th, 2026)

Fixed

  • sync: fix underflow in mpsc channel len() (#8062)
  • sync: notify receivers in mpsc OwnedPermit::release() method (#8075)
  • sync: require that an RwLock has max_readers != 0 (#8076)
  • sync: return Empty from try_recv() when mpsc is closed with outstanding permits (#8074)

Tokio v1.52.2

1.52.2 (May 4th, 2026)

This release reverts the LIFO slot stealing change introduced in 1.51.0 (#7431), due to its performance impact (#8065). (#8100)

Updates tonic from 0.14.5 to 0.14.6

Release notes

Sourced from tonic's releases.

tonic-build-v0.14.6

Other

  • update rust edition and version to 2024 and 1.88, respectively (#2525)

tonic-health-v0.14.6

Other

  • update rust edition and version to 2024 and 1.88, respectively (#2525)

tonic-prost-build-v0.14.6

Other

  • Support well known types resolved by prost to their rust counterparts (#2544)
  • update rust edition and version to 2024 and 1.88, respectively (#2525)

tonic-prost-v0.14.6

Other

  • update rust edition and version to 2024 and 1.88, respectively (#2525)

tonic-reflection-v0.14.6

Other

  • fix panic when client drops connection early (#2596)
  • update rust edition and version to 2024 and 1.88, respectively (#2525)

tonic-types-v0.14.6

Other

  • update rust edition and version to 2024 and 1.88, respectively (#2525)

tonic-v0.14.6

Added

  • (transport/channel) expose ServerCertVerifier API (#2612)

Fixed

  • map no trailers ok status to unknown (#2543)

Other

  • add max_frame_size to client Endpoint (#2592)
  • Allow setting the HTTP/2 client header table size (#2582)
  • update rust edition and version to 2024 and 1.88, respectively (#2525)

tonic-web-v0.14.6

Other

... (truncated)

Commits
  • 6cb6056 chore: release v0.14.6 (#2624)
  • efde924 grpc: change helloworld example to pass request as a view (#2632)
  • d47b001 transport: add max_frame_size to client Endpoint (#2592)
  • 02c01c7 Allow setting the HTTP/2 client header table size (#2582)
  • 3185354 examples: add grpc version of helloworld (#2630)
  • f585303 fix(grpc): Fix grpc-google build (#2628)
  • ff7bcbb feat(grpc): Google call credentials (#2610)
  • f93037b feat(tonic-xds): make XdsChannelGrpc Sync (#2627)
  • d834beb grpc: Update Status to be a Result<> and make StatusErr which holds non-OK co...
  • 2392224 grpc: add route_guide example and make minor tweaks to the generated code API...
  • Additional commits viewable in compare view

Updates nix from 0.29.0 to 0.31.2

Changelog

Sourced from nix's changelog.

[0.31.2] - 2026-02-28

Added

  • Add WatchDescriptor::as_raw, to get libc id of WatchDescriptor. (#2718)
  • Added process::pthread_getthreadid_np() on FreeBSD. (#2725)
  • Added timerfd support on FreeBSD (#2728)

Fixed

  • The libc requirement is now 0.2.181, rather than pinned to 0.2.180. (#2744)

[0.31.1] - 2026-01-23

Added

  • termios: Add definition for IUCLC to supported platforms (#2702)
  • termios: Add definition for XCASE for supported platforms (#2703)

[0.31.0] - 2026-01-22

Added

  • Added the UDP GSO/GRO socket options and CMsgs on Android (#2666). This includes the following types:

    • UdpGsoSegment
    • UdpGroSegment
    • ControlMessage::UdpGsoSegments
    • ControlMessageOwned::UdpGroSegments

  • Define errno EWOULDBLOCK as an alias of EAGAIN to match the AIX libc definition. (#2692)

  • Enable module ifaddrs on GNU Hurd (#2697)

  • Add termios OutputFlags::OFILL for Linux, Android, Aix, Cygwin, Fuchsia, Haiku, GNU/Hurd, Nto, Redox, Illumos, Solaris and Apple OSes. (#2701)

  • add sync() for cygwin (#2708)

Changed

... (truncated)

Updates wait-timeout from 0.2.0 to 0.2.1

Commits
  • bda62e3 Bump to 0.2.1
  • eaf4be7 Merge pull request #37 from davidlattimore/fix-init-race
  • c45efd7 Initialize STATE before registering signal handler
  • 2a4f0f2 Merge pull request #28 from Minoru/feature/move-from-travis-to-gha
  • 6fa63fb Drop AppVeyor config and badge
  • 0ef2884 Make the "test" CI job actually run "cargo test"
  • a3616a0 Run cargo fmt
  • 7d93f3e Add simple CI configuration for GitHub Actions
  • 6cc412a Merge pull request #26 from Minoru/bugfix/remove-incorrect-cleanup-commit
  • 5e20b24 Revert "Do not manually remove the child from the map"
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the prod-dependencies group with 9 updates:

| Package | From | To |
| --- | --- | --- |
| [normpath](https://github.com/dylni/normpath) | `1.5.0` | `1.5.1` |
| [octocrab](https://github.com/XAMPPRocky/octocrab) | `0.49.9` | `0.50.0` |
| [opentelemetry](https://github.com/open-telemetry/opentelemetry-rust) | `0.31.0` | `0.32.0` |
| [opentelemetry_sdk](https://github.com/open-telemetry/opentelemetry-rust) | `0.31.0` | `0.32.0` |
| [opentelemetry-otlp](https://github.com/open-telemetry/opentelemetry-rust) | `0.31.1` | `0.32.0` |
| [tokio](https://github.com/tokio-rs/tokio) | `1.52.1` | `1.52.3` |
| [tonic](https://github.com/hyperium/tonic) | `0.14.5` | `0.14.6` |
| [nix](https://github.com/nix-rust/nix) | `0.29.0` | `0.31.2` |
| [wait-timeout](https://github.com/alexcrichton/wait-timeout) | `0.2.0` | `0.2.1` |


Updates `normpath` from 1.5.0 to 1.5.1
- [Release notes](https://github.com/dylni/normpath/releases)
- [Commits](dylni/normpath@1.5.0...1.5.1)

Updates `octocrab` from 0.49.9 to 0.50.0
- [Release notes](https://github.com/XAMPPRocky/octocrab/releases)
- [Changelog](https://github.com/XAMPPRocky/octocrab/blob/main/CHANGELOG.md)
- [Commits](XAMPPRocky/octocrab@v0.49.9...v0.50.0)

Updates `opentelemetry` from 0.31.0 to 0.32.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-rust/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-rust/blob/main/docs/release_0.32.md)
- [Commits](open-telemetry/opentelemetry-rust@opentelemetry-prometheus-0.31.0...opentelemetry-0.32.0)

Updates `opentelemetry_sdk` from 0.31.0 to 0.32.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-rust/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-rust/blob/main/docs/release_0.32.md)
- [Commits](open-telemetry/opentelemetry-rust@v0.31.0...opentelemetry_sdk-0.32.0)

Updates `opentelemetry-otlp` from 0.31.1 to 0.32.0
- [Release notes](https://github.com/open-telemetry/opentelemetry-rust/releases)
- [Changelog](https://github.com/open-telemetry/opentelemetry-rust/blob/main/docs/release_0.32.md)
- [Commits](open-telemetry/opentelemetry-rust@opentelemetry-otlp-0.31.1...opentelemetry-otlp-0.32.0)

Updates `tokio` from 1.52.1 to 1.52.3
- [Release notes](https://github.com/tokio-rs/tokio/releases)
- [Commits](tokio-rs/tokio@tokio-1.52.1...tokio-1.52.3)

Updates `tonic` from 0.14.5 to 0.14.6
- [Release notes](https://github.com/hyperium/tonic/releases)
- [Changelog](https://github.com/hyperium/tonic/blob/master/CHANGELOG.md)
- [Commits](grpc/grpc-rust@v0.14.5...tonic-v0.14.6)

Updates `nix` from 0.29.0 to 0.31.2
- [Changelog](https://github.com/nix-rust/nix/blob/master/CHANGELOG.md)
- [Commits](nix-rust/nix@v0.29.0...v0.31.2)

Updates `wait-timeout` from 0.2.0 to 0.2.1
- [Commits](alexcrichton/wait-timeout@0.2.0...0.2.1)

---
updated-dependencies:
- dependency-name: normpath
  dependency-version: 1.5.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: prod-dependencies
- dependency-name: octocrab
  dependency-version: 0.50.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: prod-dependencies
- dependency-name: opentelemetry
  dependency-version: 0.32.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: prod-dependencies
- dependency-name: opentelemetry_sdk
  dependency-version: 0.32.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: prod-dependencies
- dependency-name: opentelemetry-otlp
  dependency-version: 0.32.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: prod-dependencies
- dependency-name: tokio
  dependency-version: 1.52.3
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: prod-dependencies
- dependency-name: tonic
  dependency-version: 0.14.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: prod-dependencies
- dependency-name: nix
  dependency-version: 0.31.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: prod-dependencies
- dependency-name: wait-timeout
  dependency-version: 0.2.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: prod-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file rust Pull requests that update rust code labels May 9, 2026
@socket-security

Caution

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. It is recommended to resolve "Warn" alerts too. For more information please check in at #security-help. For License Policy Violations please also tag @Aoife in #security-help.

| Action | Severity | Alert |
| --- | --- | --- |
| Block | High | License policy violation: cargo nix under GPL-2.0+ |

License: GPL-2.0+ - The applicable license policy does not permit this license (5) (nix-0.31.2/test/test_kmod/hello_mod/hello.c)

From: Cargo.lock → cargo/nix@0.31.2

ℹ Read more on: This package | This alert | What is a license policy violation?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore cargo/nix@0.31.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

| Action | Severity | Alert |
| --- | --- | --- |
| Block | High | License policy violation: cargo webpki-root-certs under CDLA-Permissive-2.0 |

License: CDLA-Permissive-2.0 - The applicable license policy does not permit this license (5) (webpki-root-certs-1.0.7/Cargo.toml)

License: CDLA-Permissive-2.0 - The applicable license policy does not permit this license (5) (webpki-root-certs-1.0.7/LICENSE)

From: ? → cargo/opentelemetry-otlp@0.32.0 → cargo/webpki-root-certs@1.0.7

ℹ Read more on: This package | This alert | What is a license policy violation?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Find a package that does not violate your license policy or adjust your policy to allow this package's license.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore cargo/webpki-root-certs@1.0.7. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report


dependabot Bot commented on behalf of github May 16, 2026

Looks like these dependencies are updatable in another way, so this is no longer needed.

@dependabot dependabot Bot closed this May 16, 2026
@dependabot dependabot Bot deleted the dependabot/cargo/prod-dependencies-aac7dc5b01 branch May 16, 2026 07:06