Update Rust Dependencies

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
async-trait	dependencies	patch	0.1.88 -> 0.1.89
serde_json	dependencies	patch	1.0.141 -> 1.0.145
thiserror	dependencies	patch	2.0.12 -> 2.0.17
tokio (source)	dependencies	minor	1.47.1 -> 1.48.0
tracing-subscriber (source)	dependencies	patch	0.3.19 -> 0.3.20
uniffi (source)	dependencies	minor	0.29.4 -> 0.30.0
webrtc (source)	dependencies	minor	0.13.0 -> 0.14.0
webrtc-media (source)	dependencies	minor	0.10.0 -> 0.11.0

---

Release Notes

dtolnay/async-trait (async-trait)

v0.1.89

Compare Source

• Improve IDE functionality (#​293, thanks @​Veykril)

serde-rs/json (serde_json)

v1.0.145

Compare Source

• Raise serde version requirement to >=1.0.220

v1.0.144

Compare Source

• Switch serde dependency to serde_core (#​1285)

v1.0.143

Compare Source

• Implement Clone and Debug for serde_json::Map iterators (#​1264, thanks @​xlambein)
• Implement Default for CompactFormatter (#​1268, thanks @​SOF3)
• Implement FromStr for serde_json::Map (#​1271, thanks @​mickvangelderen)

v1.0.142

Compare Source

• impl Default for &Value (#​1265, thanks @​aatifsyed)

dtolnay/thiserror (thiserror)

v2.0.17

Compare Source

• Use differently named __private module per patch release (#​434)

v2.0.16

Compare Source

• Add to "no-std" crates.io category (#​429)

v2.0.15

Compare Source

• Prevent Error::provide API becoming unavailable from a future new compiler lint (#​427)

v2.0.14

Compare Source

• Allow build-script cleanup failure with NFSv3 output directory to be non-fatal (#​426)

v2.0.13

Compare Source

• Documentation improvements

tokio-rs/tokio (tokio)

v1.48.0: Tokio v1.48.0

Compare Source

1.48.0 (October 14th, 2025)

The MSRV is increased to 1.71.

Added

• fs: add File::max_buf_size (#​7594)
• io: export Chain of AsyncReadExt::chain (#​7599)
• net: add SocketAddr::as_abstract_name (#​7491)
• net: add TcpStream::quickack and TcpStream::set_quickack (#​7490)
• net: implement AsRef<Self> for TcpStream and UnixStream (#​7573)
• task: add LocalKey::try_get (#​7666)
• task: implement Ord for task::Id (#​7530)

Changed

• deps: bump windows-sys to version 0.61 (#​7645)
• fs: preserve max_buf_size when cloning a File (#​7593)
• macros: suppress clippy::unwrap_in_result in #[tokio::main] (#​7651)
• net: remove PollEvented noise from Debug formats (#​7675)
• process: upgrade Command::spawn_with to use FnOnce (#​7511)
• sync: remove inner mutex in SetOnce (#​7554)
• sync: use UnsafeCell::get_mut in Mutex::get_mut and RwLock::get_mut (#​7569)
• time: reduce the generated code size of Timeout<T>::poll (#​7535)

Fixed

• macros: fix hygiene issue in join! and try_join! (#​7638)
• net: fix copy/paste errors in udp peek methods (#​7604)
• process: fix error when runtime is shut down on nightly-2025-10-12 (#​7672)
• runtime: use release ordering in wake_by_ref() even if already woken (#​7622)
• sync: close the broadcast::Sender in broadcast::Sender::new() (#​7629)
• sync: fix implementation of unused RwLock::try_* methods (#​7587)

Unstable

• tokio: use cargo features instead of --cfg flags for taskdump and io_uring (#​7655, #​7621)
• fs: support io_uring in fs::write (#​7567)
• fs: support io_uring with File::open() (#​7617)
• fs: support io_uring with OpenOptions (#​7321)
• macros: add local runtime flavor (#​7375, #​7597)

Documented

• io: clarify the zero capacity case of AsyncRead::poll_read (#​7580)
• io: fix typos in the docs of AsyncFd readiness guards (#​7583)
• net: clarify socket gets closed on drop (#​7526)
• net: clarify the behavior of UCred::pid() on Cygwin (#​7611)
• net: clarify the supported platform of set_reuseport() and reuseport() (#​7628)
• net: qualify that SO_REUSEADDR is only set on Unix (#​7533)
• runtime: add guide for choosing between runtime types (#​7635)
• runtime: clarify the behavior of Handle::block_on (#​7665)
• runtime: clarify the edge case of Builder::global_queue_interval() (#​7605)
• sync: clarify bounded channel panic behavior (#​7641)
• sync: clarify the behavior of tokio::sync::watch::Receiver (#​7584)
• sync: document cancel safety on SetOnce::wait (#​7506)
• sync: fix the docs of parking_lot feature flag (#​7663)
• sync: improve the docs of UnboundedSender::send (#​7661)
• sync: improve the docs of sync::watch (#​7601)
• sync: reword allocation failure paragraph in broadcast docs (#​7595)
• task: clarify the behavior of several spawn_local methods (#​7669)
• task: clarify the task ID reuse guarantees (#​7577)
• task: improve the example of poll_proceed (#​7586)

v1.47.2

Compare Source

tokio-rs/tracing (tracing-subscriber)

v0.3.20: tracing-subscriber 0.3.20

Compare Source

Security Fix: ANSI Escape Sequence Injection (CVE-TBD)

Impact

Previous versions of tracing-subscriber were vulnerable to ANSI escape sequence injection attacks. Untrusted user input containing ANSI escape sequences could be injected into terminal output when logged, potentially allowing attackers to:

• Manipulate terminal title bars
• Clear screens or modify terminal display
• Potentially mislead users through terminal manipulation

In isolation, impact is minimal, however security issues have been found in terminal emulators that enabled an attacker to use ANSI escape sequences via logs to exploit vulnerabilities in the terminal emulator.

Solution

Version 0.3.20 fixes this vulnerability by escaping ANSI control characters in when writing events to destinations that may be printed to the terminal.

Affected Versions

All versions of tracing-subscriber prior to 0.3.20 are affected by this vulnerability.

Recommendations

Immediate Action Required: We recommend upgrading to tracing-subscriber 0.3.20 immediately, especially if your application:

• Logs user-provided input (form data, HTTP headers, query parameters, etc.)
• Runs in environments where terminal output is displayed to users

Migration

This is a patch release with no breaking API changes. Simply update your Cargo.toml:

[dependencies]
tracing-subscriber = "0.3.20"

Acknowledgments

We would like to thank zefr0x who responsibly reported the issue at [email protected].

If you believe you have found a security vulnerability in any tokio-rs project, please email us at [email protected].

mozilla/uniffi-rs (uniffi)

v0.30.0

Compare Source

⚠️ Breaking Changes ⚠️

• UDL-based trait interfaces must now be wrapped with the #[uniffi::trait_interface] attribute.
• Python: Trait interface implementations must now inherit from the trait base class.
  This will look like class PyTraitName(RustTraitName):

What's new?

• All user-defined types can now be renamed with the proc-macro name = "NewName" attribute (like already supported for methods and constructors) (#​2661)
• Enums and Records support exporting uniffi traits (ie, Display, Hash, Eq etc) (#​2555)
• Support for exporting the Ord trait, allowing objects to be ordered by Rust (#​2583).
• #[uniffi(default)] literals are now optional - eg, #[uniffi(default)] and #[uniffi(default = 0)] are equivalent.
  Similarly for args; #[uniffi::export(default(arg_name))].
  When no literal is specifed, named types (objects, records, etc) can be used as long as they have suitable default values.
  (#​2543).
  Custom types too (#​2603)
• Custom enum and object types can be used as error type (#​2658)
• Objects can implement external traits (#​2430)
• Fix for external errors when error only used externally (#​2641)
• Kotlin:
  • Switch to JNA direct mapping (#​2229)
  • Support throwing external error (#​2629)
  • The NoPointer placeholder object used to create fake interface instances has been renamed to NoHandle
• Python:
  • Improved how default values are handled in function signatures etc and more canonical use of Python dataclasses, all towards making mypy happier (#​2552)
  • Methods now have typing annotations for return values (#​2625)
  • Fix relative imports (#​2657)
  • Fix shadowing param names with internal variables in Python (#​2628/#​2645)
  • Don't allow objects to be passed as arguments when traits are expected (#​2649)
• Swift:
  • All object protocol conformances are public (#​2671)
  • Initialization functions now have a stable ordering when using external types.
    This makes the generated source files deterministic.

⚠️ Breaking Changes for external bindings authors ⚠️

• uniffi_bindgen::backend has been removed.
• #[uniffi(default)] changes how defaults are represented.
• FfiType::RustArcPtr has been removed and the FFI type for objects/interfaces is now a u64.
  Bindings authors will need to update their code to reflect this:
  • Lowering/lifting now uses u64 values
  • The free function inputs a u64 handle rather than a raw pointer
  • The clone function inputs and returns a u64 handle rather than a raw pointer
• Enums and Records can have methods, so the Method now carries self_type instead of the object name.
  In the templates, for Callable.takes_self() is replaced with Callable.self_type().
• Trait / Callback interface changes
  • VTable fields are now: free, clone, followed by a field for each interface method.
    Note That free is now at the start of the vtable rather than the end.
  • Trait interface changes:
    • Foreign handles must always have the lowest bit set
    • Both Rust and foreign handles can now be passed across the FFI.
      When Lifting/lowering trait interface handles, check if the handle was generated from Rust or the foreign side.
  • See https://github.com/mozilla/uniffi-rs/pulls/2586 examples of how the builtin bindings here changed.

All changes in v0.30.0.

webrtc-rs/webrtc (webrtc)

v0.14.0

Compare Source

What's Changed

• Fix handling of AUD NAL units with size 2 by @​Kleptine in #​670
• fix panics when parsing rtcp packets with invalid block sizes by @​TimeToogo in #​678
• Implement ChaCha20_Poly1305 cipher suite by @​wdouglass in #​675
• Make SRTP AES_256_GCM actually work by @​TimeToogo in #​677
• Fix deadlock in data-channels-flow-control example. by @​recap in #​679
• Handle replay after wrapping in replaydetector by @​anders-avos in #​681
• Revert "Fix deadlock in data-channels-flow-control example. " by @​rainliu in #​682
• stun: simplify MappedAddress Display implement by @​cppcoffee in #​683
• stun: simplify stop_with_error by @​cppcoffee in #​684
• stun: simplify UnknownAttributes Display by @​cppcoffee in #​685
• turn: client binding direct use Option value by @​cppcoffee in #​686
• turn: use ok_or() to simplify get_allocation() call by @​cppcoffee in #​687
• turn: use ok_or() to simplify command_tx by @​cppcoffee in #​689
• turn: introduced DEFAULT_MAX_RETRIES by @​cppcoffee in #​692
• mdns: simplify resource pack function by @​cppcoffee in #​693
• turn: simplify result_ch_rx by @​cppcoffee in #​691
• dtls: refactor cipher suite error handling with ok_or() by @​cppcoffee in #​694
• style: add blank lines between methods in DTLSConn impl by @​cppcoffee in #​695
• refactor: remove unnecessary Cow::Borrowed wrapper in URL query parsing by @​cppcoffee in #​696
• refactor(ice): replace magic numbers with named constants for STUN/TURN ports by @​cppcoffee in #​697
• stun: use format! macro instead of string concatenation in Uri display by @​cppcoffee in #​698
• ice/examples: improve error handling and formatting in ping_pong example by @​cppcoffee in #​699
• refactor: apply clippy fixes across workspace by @​cppcoffee in #​703
• mdns: allow reuse_port on non-Unix platforms when feature is enabled by @​cppcoffee in #​702
• update dependencies rand by @​a-wing in #​707
• util: Simplify timeout error handling in Buffer by @​cppcoffee in #​708
• interceptor: Use futures::future::join_all in stats interceptor by @​cppcoffee in #​710
• dtls: Add packet length validation in CBC decryption by @​cppcoffee in #​711
• stun: simplify URI parsing logic by @​cppcoffee in #​712
• do not used fixed sctp-ports 5000, but consult the negotiated ports by @​KillingSpark in #​706
• interceptor: simplify NACK generator close_rx error handling by @​cppcoffee in #​714
• sctp: Make most chunk handling errors non-fatal by @​anders-avos in #​716
• Add function to export key data from DTLS connection by @​TimeToogo in #​718
• [ice] Fix unhandled overflow panic in listen_udp_in_port_range by @​lucamuscat in #​719
• fmtp: add Unicode case-folding support for parameter compariso by @​cppcoffee in #​721
• Make use of the max-message-size SDP attribute in datachannels by @​lucamuscat in #​722
• stun: simplify XorMappedAddress Display implementation by @​cppcoffee in #​725
• Updated logo background by @​mvel96 in #​730
• stun: simplify connection retrieval by @​cppcoffee in #​731
• Require rand version 0.9.1 or greater, as rand::distr::Alphabetic does not exist in 0.9.0, which is currently allowed by @​lucamuscat in #​732
• Remove unused dependencies by @​lucamuscat in #​733
• sample_builder: fix panic on timestamp wrap by @​ArtemMartus in #​735

New Contributors

• @​Kleptine made their first contribution in #​670
• @​TimeToogo made their first contribution in #​678
• @​wdouglass made their first contribution in #​675
• @​cppcoffee made their first contribution in #​683
• @​lucamuscat made their first contribution in #​719
• @​ArtemMartus made their first contribution in #​735

Full Changelog: webrtc-rs/webrtc@v0.13.0...v0.14.0

webrtc-rs/webrtc (webrtc-media)

v0.11.0

Compare Source

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At 12:00 AM through 04:59 AM and 10:00 PM through 11:59 PM, Monday through Friday ( * 0-4,22-23 * * 1-5 ), Only on Sunday and Saturday ( * * * * 0,6 ) (UTC).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

Ship it!

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}