Bump the cargo group across 1 directory with 11 updates

[dependabot]

Bumps the cargo group with 10 updates in the / directory:

Package	From	To
bumpalo	3.10.0	3.19.0
h2	0.3.13	0.3.27
mio	0.8.4	0.8.11
secp256k1	0.24.0	0.24.3
shlex	1.1.0	1.3.0
snow	0.9.0	0.9.3
time	0.1.44	0.1.45
tokio	1.19.2	1.26.0
wasmtime	0.38.1	0.38.3
webpki	0.22.0	0.22.2

Updates bumpalo from 3.10.0 to 3.19.0

Changelog

Sourced from bumpalo's changelog.

3.19.0

Released 2025-06-24.

Added

• Added bumpalo::collections::Vec::retain_mut, similar to std::vec::Vec::retain_mut.

---

3.18.1

Released 2025-06-05.

Removed

• Removed the allocator-api2 version bump from 3.18.0, as it was not actually semver compatible.

---

3.18.0 (yanked)

Released 2025-06-05.

Added

• Added support for enforcing a minimum alignment on all allocations inside a Bump arena, which can provide speed ups when allocating objects whose alignment is less than or equal to that minimum.
• Added serde serialization support for bumpalo::collections::String.
• Added some missing fallible slice allocation function variants.

Changed

• Replaced extend_from_slice implementation with a formally-verified version that is also faster and more-optimizable for LLVM.
• Updated allocator-api2 support to version 0.3.*.

Fixed

• Fixed a bug where the allocated_bytes metrics helper was accidentally including the size of bumpalo's footer, rather than just reporting the user-allocated bytes.

---

3.17.0

... (truncated)

Commits

• See full diff in compare view

Updates h2 from 0.3.13 to 0.3.27

Release notes

Sourced from h2's releases.

v0.3.26

What's Changed

• Limit number of CONTINUATION frames for misbehaving connections.

See https://seanmonstar.com/blog/hyper-http2-continuation-flood/ for more info.

v0.3.25

What's Changed

• perf: optimize header list size calculations by @​Noah-Kennedy in hyperium/h2#750

Full Changelog: hyperium/h2@v0.3.24...v0.3.25

v0.3.24

Fixed

• Limit error resets for misbehaving connections.

v0.3.23

What's Changed

• cherry-pick fix: streams awaiting capacity lockout in hyperium/h2#734

v0.3.22

What's Changed

• Add header_table_size(usize) option to client and server builders.
• Improve throughput when vectored IO is not available.
• Update indexmap to 2.

New Contributors

• @​tottoto made their first contribution in hyperium/h2#714
• @​xiaoyawei made their first contribution in hyperium/h2#712
• @​Protryon made their first contribution in hyperium/h2#719
• @​4JX made their first contribution in hyperium/h2#638
• @​vuittont60 made their first contribution in hyperium/h2#724

v0.3.21

What's Changed

• Fix opening of new streams over peer's max concurrent limit.
• Fix RecvStream to return data even if it has received a CANCEL stream error.
• Update MSRV to 1.63.

New Contributors

• @​DDtKey made their first contribution in hyperium/h2#703
• @​jwilm made their first contribution in hyperium/h2#707

v0.3.20

Bug Fixes

... (truncated)

Changelog

Sourced from h2's changelog.

0.3.27 (July 11, 2025)

• Fix notifying wakers when detecting local stream errors.

0.3.26 (April 3, 2024)

• Limit number of CONTINUATION frames for misbehaving connections.

0.3.25 (March 15, 2024)

• Improve performance decoding many headers.

0.3.24 (January 17, 2024)

• Limit error resets for misbehaving connections.

0.3.23 (January 10, 2024)

• Backport fix from 0.4.1 for stream capacity assignment.

0.3.22 (November 15, 2023)

• Add header_table_size(usize) option to client and server builders.
• Improve throughput when vectored IO is not available.
• Update indexmap to 2.

0.3.21 (August 21, 2023)

• Fix opening of new streams over peer's max concurrent limit.
• Fix RecvStream to return data even if it has received a CANCEL stream error.
• Update MSRV to 1.63.

0.3.20 (June 26, 2023)

• Fix panic if a server received a request with a :status pseudo header in the 1xx range.
• Fix panic if a reset stream had pending push promises that were more than allowed.
• Fix potential flow control overflow by subtraction, instead returning a connection error.

0.3.19 (May 12, 2023)

• Fix counting reset streams when triggered by a GOAWAY.
• Send too_many_resets in opaque debug data of GOAWAY when too many resets received.

0.3.18 (April 17, 2023)

• Fix panic because of opposite check in is_remote_local().

0.3.17 (April 13, 2023)

• Add Error::is_library() method to check if the originated inside h2.

... (truncated)

Commits

• f6237ac v0.3.27
• f61332e refactor: change local reset counter to use type system more
• 3f1a8e3 style: fix anonymous lifetime syntax
• 778aa7e fix: notify_recv after send_reset() in reset_on_recv_stream_err() to ensure l...
• be10b77 ci: pin more deps for MSRV job (#817)
• c0d9feb ci: pin deps for MSRV
• 5ccd9cf lints: fix unexpected cfgs warnings
• e6e3e9c fix: return a WriteZero error if frames cannot be written (#783)
• 357127e v0.3.26
• 1a357aa fix: limit number of CONTINUATION frames allowed
• Additional commits viewable in compare view

Updates mio from 0.8.4 to 0.8.11

Changelog

Sourced from mio's changelog.

0.8.11

• Fix receiving IOCP events after deregistering a Windows named pipe (tokio-rs/mio#1760, backport pr: tokio-rs/mio#1761).

0.8.10

Added

• Solaris support (tokio-rs/mio#1724).

0.8.9

Added

• ESP-IDF framework support (tokio-rs/mio#1692).
• AIX operating system support (tokio-rs/mio#1704).
• Vita support (tokio-rs/mio#1721).
• {UnixListener,UnixStream}:bind_addr (tokio-rs/mio#1630).
• mio_unsupported_force_poll_poll and mio_unsupported_force_waker_pipe unsupported configuration flags to force a specific poll or waker implementation (tokio-rs/mio#1684, tokio-rs/mio#1685, tokio-rs/mio#1692).

Fixed

• The pipe(2) based waker (swapped file descriptors) (tokio-rs/mio#1722).
• The duplicate waker check to work correctly with cloned Registrys. (tokio-rs/mio#1706).

0.8.8

Fixed

• Fix compilation on WASI (tokio-rs/mio#1676).

0.8.7

Added

• Add/fix support for tvOS and watchOS, Mio should now build for tvOS and

... (truncated)

Commits

• 0328bde Release v0.8.11
• 7084498 Fix warnings
• 90d4fe0 named-pipes: fix receiving IOCP events after deregister
• c710a30 Add v0.8.x to the CI
• c29e21c Release v0.8.10
• f6a20da Add Solaris operating system support (#1724)
• e80c3b2 Release v0.8.9
• 862786b Fix importing of IoSourceState
• 4034872 Add support for vita target
• 8eb4010 Fix receiver and sender fd in pipe based waker
• Additional commits viewable in compare view

Updates secp256k1 from 0.24.0 to 0.24.3

Changelog

Sourced from secp256k1's changelog.

0.32.0 - 2025-10-02

Remove Secp256k1 from public API functions

This one is massive, we came up with an solution to the global context that works in both std and no-std environments. With this release you don't have to create and pass in a context object in all the APIs - BOOM!

• Introduce new global context API with rerandomization #806
• Remove context from the API #844
• Fix rerandomization seed usage #855

(Note, to help with the upgrade path we left the methods on the context in place but deprecated.)

And we also did:

• Remove the bitcoin-hashes feature (and dependency) #837
• Introduce Arbitrary crate and add PublicKey arbitrary impl #826
• Add arbitrary impl for types used in PSBTs #828
• secp256k1-sys: Fix lowmemory feature #799
• Improve RecoveryId conversion functions #800
• Explicitly set RecoveryId value #801
• Rename secret_bytes to to_secret_bytes (in Keypair and ecdh::SharedSecret) #863

Add support for MuSig2

Done as an initial PR #716 then a bunch of follow up PRs:

• #811
• #794
• #797
• #798
• #802
• #803
• #805

0.31.1 - 2025-06-23

• Update deprecation notes with since instead of TBD.

0.31.0 - 2025-04-21

• Update rand to 0.9 #788
• Create keys from owned array values instead of from references #781
• Add from_u8_masked RecoveryId constructor #778
• Update upstream to 0cdc758a56360bf58a851fe91085a327ec97685a (secp256k1-sys 0.6) #764
• Add Keypair::sign_schnorr_no_aux_rand #762
• Replace Message with Into<Message> in ECDSA signing API #755
• Deprecate ElligatorSwiftParty in favor of Party #752

... (truncated)

Commits

• a1fb038 Merge rust-bitcoin/rust-secp256k1256: backport: fix rand-std feature for old...
• 66a8c39 backport: fix rand-std feature for old cargo versions
• 959bd25 Merge rust-bitcoin/rust-secp256k1256: Backport and bump 0.24.2
• 5c6225e Bump version to 0.24.2
• 0a696b2 Add saftey docs for PreallocatedContext trait
• dd194b6 context: introduce unsafe PreallocatedContext trait
• 15a8c20 Merge rust-bitcoin/rust-secp256k1256: Fix broken serde::Deserialize and `F...
• 1f327b4 Bump version number to v0.24.1
• 53c1354 Fix broken serde::Deserialize and FromStr impl of keyPair
• 5e1e012 Merge rust-bitcoin/rust-secp256k1256: secp-sys: change symbol names to `0_6_...
• Additional commits viewable in compare view

Updates shlex from 1.1.0 to 1.3.0

Changelog

Sourced from shlex's changelog.

1.3.0

• Full fix for the high-severity security vulnerability RUSTSEC-2024-0006 a.k.a. GHSA-r7qv-8r2h-pg27:
  • Deprecates quote APIs in favor of try_ equivalents that complain about nul bytes.
  • Also adds a builder API, which allows re-enabling nul bytes without using the deprecated interface, and in the future can allow other things (as discussed in quoting_warning).
  • Adds documentation about various security risks that remain, particularly with interactive shells.
• Adds explicit MSRV of 1.46.0.

1.2.1

• Partial fix for the high-severity security vulnerability RUSTSEC-2024-0006 a.k.a. GHSA-r7qv-8r2h-pg27 without bumping MSRV:
  • The bytes { and \xa0 are now escaped by quoting functions.

1.2.0

• Adds bytes module to support operating directly on byte strings.

Commits

• 4a0724b Address security issues involving quote API
• 4c53044 Minimal fix for the high-severity issue without bumping MSRV
• fde8a71 Version bump
• f44b62e Merge pull request #15 from danielparks/bytes
• 0c786d4 Implement Shlex with bytes::Shlex.
• 879d212 Add support for operating on byte strings
• aa2d6e3 Merge pull request #14 from atouchet/badge
• 18d1dae Fix CI badge
• 6064b48 Merge pull request #11 from adetaylor/fuzz
• 6480b2c Adding fuzzers for unsafe code.
• Additional commits viewable in compare view

Updates snow from 0.9.0 to 0.9.3

Release notes

Sourced from snow's releases.

v0.9.3

This is a quick patch release to use the stable 4.0 version of curve25519-dalek.

v0.9.2

This is a patch release to address a correctness issue for compliance with the Noise specification: the nonce $2^{64} - 1$ is reserved for rekeying, and CipherState and StatelessCipherState did not check that, instead just making sure that there was no integer overflow.

Thanks to @​kjvalencik for reporting the issue and @​complexspaces for contributing the fix PR (#152).

Thanks to @​robyoder as well for fixing broken links and making sure all links were HTTPS (#151).

Full Changelog: mcginty/snow@v0.9.1...v0.9.2

v0.9.1

This is a patch release to fix build breakages due to not pinning curve25519-dalek to a specific pre-release version.

Thanks to @​Kofituo and @​thomaseizinger for bringing it to attention and @​tarcieri for the fix PR (#148).

Commits

• 59804f8 meta: v0.9.3 release
• 396805b dependency: upgrade to curve25519-dalek 4.0 (#161)
• a11d0d9 meta: v0.9.2 release
• 6c8e756 Fix nonce incrementing in stateful transport to match the specification
• 3b33f0a Update curve25519-dalek requirement from =4.0.0-rc.0 to =4.0.0-rc.1
• 386434a Use https everywhere
• 5227051 Fix bad links
• fd56e6c meta: v0.9.1 release
• bc5d783 Bump curve25519-dalek to v4.0.0-rc.0
• See full diff in compare view

Updates time from 0.1.44 to 0.1.45

Commits

• See full diff in compare view

Updates tokio from 1.19.2 to 1.26.0

Release notes

Sourced from tokio's releases.

Tokio v1.26.0

Fixed

• macros: fix empty join! and try_join! ([https://github.com/fix empty join! and try_join! tokio-rs/tokio#5504])
• sync: don't leak tracing spans in mutex guards ([https://github.com/sync: don't leak tracing spans in mutex guards tokio-rs/tokio#5469])
• sync: drop wakers after unlocking the mutex in Notify ([https://github.com/Drop wakers after unlocking the mutex in Notify tokio-rs/tokio#5471])
• sync: drop wakers outside lock in semaphore ([https://github.com/Solve deadlock in Semaphore tokio-rs/tokio#5475])

Added

• fs: add fs::try_exists ([https://github.com/Add fs::try_exists tokio-rs/tokio#4299])
• net: add types for named unix pipes ([https://github.com/net: add types for named Unix pipes tokio-rs/tokio#5351])
• sync: add MappedOwnedMutexGuard ([https://github.com/Add MappedOwnedMutexGuard tokio-rs/tokio#5474])

Changed

• chore: update windows-sys to 0.45 ([https://github.com/chore: update windows-sys to 0.45 tokio-rs/tokio#5386])
• net: use Message Read Mode for named pipes ([https://github.com/Named Pipes: Support Message Read Mode tokio-rs/tokio#5350])
• sync: mark lock guards with #[clippy::has_significant_drop] ([https://github.com/Mark MutexGuard with #[clippy::has_significant_drop] tokio-rs/tokio#5422])
• sync: reduce contention in watch channel ([https://github.com/Reduce contention in watch channel tokio-rs/tokio#5464])
• time: remove cache padding in timer entries ([https://github.com/time: remove cache padding in timer entries tokio-rs/tokio#5468])
• time: Improve Instant::now() perf with test-util ([https://github.com/time: Improve Instant::now() perf with test-util tokio-rs/tokio#5513])

Internal Changes

• io: use poll_fn in copy_bidirectional ([https://github.com/Use poll_fn in copy_bidirectional tokio-rs/tokio#5486])
• net: refactor named pipe builders to not use bitfields ([https://github.com/net: refactor named pipe builders to not use bitfields tokio-rs/tokio#5477])
• rt: remove Arc from Clock ([https://github.com/rt: remove Arc from Clock tokio-rs/tokio#5434])
• sync: make notify_waiters calls atomic ([https://github.com/sync: make notify_waiters calls atomic tokio-rs/tokio#5458])
• time: don't store deadline twice in sleep entries ([https://github.com/remove double store of deadline, saving 128 bytes tokio-rs/tokio#5410])

Unstable

• metrics: add a new metric for budget exhaustion yields ([https://github.com/metrics: add a new metric for budget exhaustion yields tokio-rs/tokio#5517])

Documented

• io: improve AsyncFd example ([https://github.com/io: improve AsyncFd example tokio-rs/tokio#5481])
• runtime: document the nature of the main future ([https://github.com/Document the nature of the main future tokio-rs/tokio#5494])
• runtime: remove extra period in docs ([https://github.com/chore: remove unnecessary dot in comment tokio-rs/tokio#5511])
• signal: updated Documentation for Signals ([https://github.com/Updated Documentation for Signals tokio-rs/tokio#5459])
• sync: add doc aliases for blocking_* methods ([https://github.com/sync: add doc aliases for blocking_* methods tokio-rs/tokio#5448])
• sync: fix docs for Send/Sync bounds in broadcast ([https://github.com/sync: fix docs for Send/Sync bounds in broadcast tokio-rs/tokio#5480])
• sync: document drop behavior for channels ([https://github.com/sync: document drop behavior for channels tokio-rs/tokio#5497])
• task: clarify what happens to spawned work during runtime shutdown ([https://github.com/clarify what happens to spawned work during runtime shutdown tokio-rs/tokio#5394])
• task: clarify process::Command docs ([https://github.com/Clarify process::Command docs (fixing #5406) tokio-rs/tokio#5413])
• task: fix wording with 'unsend' ([https://github.com/fix: fix wording with 'unsend' tokio-rs/tokio#5452])
• time: document immediate completion guarantee for timeouts ([https://github.com/time: document immediate completion guarantee for timeouts tokio-rs/tokio#5509])
• tokio: document supported platforms ([https://github.com/Document supported platforms tokio-rs/tokio#5483])

... (truncated)

Commits

• a377240 chore: prepare for Tokio v1.26.0 release (#5521)
• 52da177 metrics: add a new metric for budget exhaustion yields (#5517)
• ee1c940 time: Improve Instant::now() perf with test-util (#5513)
• 815d89a runtime: remove extra period in docs (#5511)
• 54aaf3d time: document immediate completion guarantee for timeouts (#5509)
• 5a3abe5 net: add types for named unix pipes (#5351)
• d44b1ca io: ignore SplitByUtf8BoundaryIfWindows test on miri (#5507)
• e23c6f3 signal: updated Documentation for Signals (#5459)
• 0a50cb3 net: fix test compilation failure (#5506)
• 2298679 runtime: document the nature of the main future (#5494)
• Additional commits viewable in compare view

Updates wasmtime from 0.38.1 to 0.38.3

Release notes

Sourced from wasmtime's releases.

v38.0.2: Release Wasmtime 38.0.2 (#11903)

38.0.2

Released 2025-10-21.

Changed

• This repository is attempting to start out using GitHub's "Immutable Releases" feature with this release, and this'll be the first release, assuming all goes well, that has this enabled. #11901

Fixed

• Fix compatibility with the Go runtime on Windows for exceptions. #11892

v10.0.2: Release Wasmtime 10.0.2 (#6991)

No release notes provided.

dev

No release notes provided.

Commits

• f136210 Release Wasmtime 0.38.3 (#4492)
• 3969e02 [0.38.0] Backport CI fixes (#4491)
• 486c88b Release Wasmtime 0.38.2 (#4482)
• 6b639dd Merge pull request from GHSA-7f6x-jwh5-m9r4
• 0f04e8d Merge pull request from GHSA-5fhj-g3p3-pq9g
• df193d4 Fix a possible panic with null-containing element segments (#4456)
• See full diff in compare view

Updates wasmtime-jit-debug from 0.38.1 to 0.38.3

Release notes

Sourced from wasmtime-jit-debug's releases.

v38.0.2: Release Wasmtime 38.0.2 (#11903)

38.0.2

Released 2025-10-21.

Changed

• This repository is attempting to start out using GitHub's "Immutable Releases" feature with this release, and this'll be the first release, assuming all goes well, that has this enabled. #11901

Fixed

• Fix compatibility with the Go runtime on Windows for exceptions. #11892

v10.0.2: Release Wasmtime 10.0.2 (#6991)

No release notes provided.

dev

No release notes provided.

Commits

• f136210 Release Wasmtime 0.38.3 (#4492)
• 3969e02 [0.38.0] Backport CI fixes (#4491)
• 486c88b Release Wasmtime 0.38.2 (#4482)
• 6b639dd Merge pull request from GHSA-7f6x-jwh5-m9r4
• 0f04e8d Merge pull request from GHSA-5fhj-g3p3-pq9g
• df193d4 Fix a possible panic with null-containing element segments (#4456)
• See full diff in compare view

Updates webpki from 0.22.0 to 0.22.2

Commits

• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[socket-security]

Caution

MetaMask internal reviewing guidelines:

• Do not ignore-all
• Each alert has instructions on how to review if you don't know what it means. If lost, ask your Security Liaison or the supply-chain group
• Copy-paste ignore lines for specific packages or a group of one kind with a note on what research you did to deem it safe.
  @SocketSecurity ignore npm/PACKAGE@VERSION

Action	Severity	Alert  (click "▶" to expand/collapse)
Block		Native binaries present: cargo curve25519-dalek Location: Package overview From: ? → cargo/[email protected] ℹ Read more on: This package | This alert | Why is native code a concern? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: Verify that the inclusion of native code is expected and necessary for this package's functionality. If it is unnecessary or unexpected, consider using alternative packages without native code to mitigate potential risks. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore cargo/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Native binaries present: cargo tokio Location: Package overview From: ? → cargo/[email protected] → cargo/[email protected] ℹ Read more on: This package | This alert | Why is native code a concern? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: Verify that the inclusion of native code is expected and necessary for this package's functionality. If it is unnecessary or unexpected, consider using alternative packages without native code to mitigate potential risks. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore cargo/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Native binaries present: cargo windows_aarch64_gnullvm Location: Package overview From: ? → cargo/[email protected] → cargo/[email protected] ℹ Read more on: This package | This alert | Why is native code a concern? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: Verify that the inclusion of native code is expected and necessary for this package's functionality. If it is unnecessary or unexpected, consider using alternative packages without native code to mitigate potential risks. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore cargo/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Native binaries present: cargo windows_aarch64_gnullvm Location: Package overview From: ? → cargo/[email protected] → cargo/[email protected] ℹ Read more on: This package | This alert | Why is native code a concern? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: Verify that the inclusion of native code is expected and necessary for this package's functionality. If it is unnecessary or unexpected, consider using alternative packages without native code to mitigate potential risks. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore cargo/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Native binaries present: cargo windows_x86_64_gnullvm Location: Package overview From: ? → cargo/[email protected] → cargo/[email protected] ℹ Read more on: This package | This alert | Why is native code a concern? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: Verify that the inclusion of native code is expected and necessary for this package's functionality. If it is unnecessary or unexpected, consider using alternative packages without native code to mitigate potential risks. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore cargo/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Block		Native binaries present: cargo windows_x86_64_gnullvm Location: Package overview From: ? → cargo/[email protected] → cargo/[email protected] ℹ Read more on: This package | This alert | Why is native code a concern? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: Verify that the inclusion of native code is expected and necessary for this package's functionality. If it is unnecessary or unexpected, consider using alternative packages without native code to mitigate potential risks. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore cargo/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Install-time scripts: cargo curve25519-dalek Install script: Package overview Source: undefined From: ? → cargo/[email protected] ℹ Read more on: This package | This alert | What is an install script? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore cargo/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Install-time scripts: cargo tokio Install script: Package overview Source: undefined From: ? → cargo/[email protected] → cargo/[email protected] ℹ Read more on: This package | This alert | What is an install script? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore cargo/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Install-time scripts: cargo windows_aarch64_gnullvm Install script: Package overview Source: undefined From: ? → cargo/[email protected] → cargo/[email protected] ℹ Read more on: This package | This alert | What is an install script? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore cargo/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Install-time scripts: cargo windows_aarch64_gnullvm Install script: Package overview Source: undefined From: ? → cargo/[email protected] → cargo/[email protected] ℹ Read more on: This package | This alert | What is an install script? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore cargo/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Install-time scripts: cargo windows_x86_64_gnullvm Install script: Package overview Source: undefined From: ? → cargo/[email protected] → cargo/[email protected] ℹ Read more on: This package | This alert | What is an install script? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore cargo/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Install-time scripts: cargo windows_x86_64_gnullvm Install script: Package overview Source: undefined From: ? → cargo/[email protected] → cargo/[email protected] ℹ Read more on: This package | This alert | What is an install script? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore cargo/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): cargo tokio is 100.0% likely to have a medium risk anomaly Notes: This code is not malicious but contains unsafe/misleading patterns that are likely to introduce undefined behavior and concurrency bugs. The unsync_load implementation is incorrect: it reads the inner AtomicU32 by casting its pointer to *const u32 and performing a raw read, which is representation-dependent and can produce torn reads or UB when used concurrently. The manual unsafe impl Send/Sync combined with UnsafeCell is risky if the wrapper's invariants are not strictly maintained. Recommendation: remove unsync_load or implement it using safe atomic load operations with explicit ordering, avoid assuming layout equivalence between AtomicU32 and u32, and avoid reintroducing Send/Sync unsafely unless justified with careful invariants and comments. Confidence: 1.00 Severity: 0.60 From: ? → cargo/[email protected] → cargo/[email protected] ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore cargo/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report