Skip to content

chore(deps): update lz4_flex requirement from 0.13.0 to 0.14.0#577

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/cargo/lz4_flex-0.14.0
Open

chore(deps): update lz4_flex requirement from 0.13.0 to 0.14.0#577
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/cargo/lz4_flex-0.14.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 14, 2026

Copy link
Copy Markdown

Updates the requirements on lz4_flex to permit the latest version.

Changelog

Sourced from lz4_flex's changelog.

0.14.0 (2026-07-14)

Features

  • Add alloc feature to allow no_std operation without an allocator. The std feature now implies alloc. Without alloc only the _into variants of the block API are available, e.g. compress_into; the compression hash table is placed on the stack or can be provided via compress_into_with_table.
Note: Users with `default-features = false` need to additionally enable the `alloc`
feature to keep the APIs returning `Vec`, e.g. `compress` and `decompress`.

0.13.1 (2026-05-09)

Fixes

  • Fix compression with short dictionaries (less than 4 bytes), avoiding a panic/out-of-bounds read #222
Compression with dictionaries shorter than the minimum match length of 4 now falls
back to compression without a dictionary instead of panicking or reading past
the dictionary. 

This is a security fix for unsafe compression with untrusted dictionaries.
Users on 0.13.0 should upgrade to 0.13.1.

  • Fix panic in From<io::Error> implementation for frame::Error #221 (thanks @​phoerious)

0.13.0 (2026-03-15)

Features

Fixes

Invalid match offsets (offset == 0) during decompression were not properly
handled, which could lead to invalid memory reads. This is a security fix
that was also backported to 0.12.1 and 0.11.6.
  • Fix get_maximum_output_size overflow on 32-bit targets #205 (thanks @​dglittle)
Cast input_len to u64 before multiplying by 110, avoiding overflow on
32-bit targets (e.g. wasm32) where input_len * 110 overflows usize
when input_len > ~39MB.

0.12.2 (2026-05-09)

Fixes

  • Fix compression with short dictionaries (less than 4 bytes), avoiding a panic/out-of-bounds read #222
Compression with dictionaries shorter than the minimum match length of 4 now falls
back to compression without a dictionary instead of panicking or reading past
the dictionary. 
</tr></table> 

... (truncated)

Commits
  • 1bffdcb Merge pull request #229 from PSeitz/release/0.14.0-changelog
  • a5973e4 Update CHANGELOG for 0.14.0 release, bump version to 0.14.0
  • 43cdb22 Merge pull request #228 from PSeitz/0.14.x
  • 08fd47e add release skill
  • a6c6135 Merge pull request #225 from fbrozovic/alloc-feature
  • ca019ec Add alloc feature to support no_std without an allocator
  • 19194f9 Merge pull request #223 from PSeitz/0.13.x
  • 5a1962c update CHANGELOG
  • ce548ab fix: handle short compression dictionaries
  • 1756d13 Fix panic in From<io::Error> implementation for frame::Error
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Updates the requirements on [lz4_flex](https://github.com/pseitz/lz4_flex) to permit the latest version.
- [Release notes](https://github.com/pseitz/lz4_flex/releases)
- [Changelog](https://github.com/PSeitz/lz4_flex/blob/main/CHANGELOG.md)
- [Commits](PSeitz/lz4_flex@0.13.0...0.14.0)

---
updated-dependencies:
- dependency-name: lz4_flex
  dependency-version: 0.14.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file rust Pull requests that update rust code labels Jul 14, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file rust Pull requests that update rust code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants