chore(deps): update cargo dependencies #14

Merged: Tunglies merged 1 commit into dev from renovate/cargo-dependencies on Sep 27, 2025
renovate bot commented Aug 31, 2025

Coming soon: The Renovate bot (GitHub App) will be renamed to Mend. PRs from Renovate will soon appear from 'Mend'. Learn more here.

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| chrono | dev-dependencies | patch | 0.4.41 -> 0.4.42 |
| serde (source) | dependencies | patch | 1.0.219 -> 1.0.227 |
| serde_json | dependencies | patch | 1.0.143 -> 1.0.145 |
| toml | dependencies | patch | 0.9.5 -> 0.9.7 |
| tracing-subscriber (source) | dev-dependencies | patch | 0.3.19 -> 0.3.20 |

Release Notes

chronotope/chrono (chrono)

v0.4.42: 0.4.42

What's Changed

serde-rs/serde (serde)

v1.0.227

v1.0.226

  • Deduplicate variant matching logic inside generated Deserialize impl for adjacently tagged enums (#​2935, thanks @​Mingun)

v1.0.225

  • Avoid triggering a deprecation warning in derived Serialize and Deserialize impls for a data structure that contains its own deprecations (#​2879, thanks @​rcrisanti)

v1.0.224

  • Remove private types being suggested in rustc diagnostics (#​2979)

v1.0.223

  • Fix serde_core documentation links (#​2978)

v1.0.222

  • Make serialize_with attribute produce code that works if respanned to 2024 edition (#​2950, thanks @​aytey)

v1.0.221

  • Documentation improvements (#​2973)
  • Deprecate serde_if_integer128! macro (#​2975)

v1.0.220

serde-rs/json (serde_json)

v1.0.145

  • Raise serde version requirement to >=1.0.220

v1.0.144

  • Switch serde dependency to serde_core (#1285)

toml-rs/toml (toml)

v0.9.7

v0.9.6

tokio-rs/tracing (tracing-subscriber)

v0.3.20: tracing-subscriber 0.3.20

Security Fix: ANSI Escape Sequence Injection (CVE-TBD)

Impact

Previous versions of tracing-subscriber were vulnerable to ANSI escape sequence injection attacks. Untrusted user input containing ANSI escape sequences could be injected into terminal output when logged, potentially allowing attackers to:

  • Manipulate terminal title bars
  • Clear screens or modify terminal display
  • Potentially mislead users through terminal manipulation

In isolation, impact is minimal; however, security issues have been found in terminal emulators that enabled an attacker to use ANSI escape sequences via logs to exploit vulnerabilities in the terminal emulator.

Solution

Version 0.3.20 fixes this vulnerability by escaping ANSI control characters when writing events to destinations that may be printed to the terminal.

Affected Versions

All versions of tracing-subscriber prior to 0.3.20 are affected by this vulnerability.

Recommendations

Immediate Action Required: We recommend upgrading to tracing-subscriber 0.3.20 immediately, especially if your application:

  • Logs user-provided input (form data, HTTP headers, query parameters, etc.)
  • Runs in environments where terminal output is displayed to users

Migration

This is a patch release with no breaking API changes. Simply update your Cargo.toml:

[dependencies]
tracing-subscriber = "0.3.20"

Acknowledgments

We would like to thank zefr0x who responsibly reported the issue at security@tokio.rs.

If you believe you have found a security vulnerability in any tokio-rs project, please email us at security@tokio.rs.


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
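
The mitigation described in the tracing-subscriber 0.3.20 release notes above, sketched as an added example that is not part of this PR and is not tracing-subscriber's own code: untrusted field values have their control characters rewritten to visible escapes before they reach a terminal. The names `is_terminal_control`, `escape_for_terminal`, `count_terminal_controls` and `SAMPLE` are hypothetical, and leaving tabs untouched is an assumption of this sketch.

```rust
use std::fmt::Write;

// Constructed sample: a header value carrying an OSC "set window title"
// sequence (ESC ] 0 ; ... BEL) followed by a CSI "clear screen" (ESC [ 2 J).
const SAMPLE: &str = "curl/8.0\x1b]0;title\x07\x1b[2J";

/// True for characters a terminal may act on rather than display:
/// C0 controls (including ESC, 0x1b), DEL, and C1 controls (0x80..=0x9f).
/// Tab is left alone; that choice is an assumption of this example.
fn is_terminal_control(c: char) -> bool {
    c.is_control() && c != '\t'
}

/// Return `value` with every terminal control character replaced by a
/// visible `\u{..}` escape, so the terminal prints it instead of obeying it.
fn escape_for_terminal(value: &str) -> String {
    let mut out = String::with_capacity(value.len());
    for c in value.chars() {
        if is_terminal_control(c) {
            // Writing into a String cannot fail, so the result is ignored.
            let _ = write!(out, "\\u{{{:x}}}", c as u32);
        } else {
            out.push(c);
        }
    }
    out
}

/// Count control characters in a value, e.g. to raise a metric or alert
/// when a logged field carries them.
fn count_terminal_controls(value: &str) -> usize {
    value.chars().filter(|c| is_terminal_control(*c)).count()
}

fn main() {
    println!("controls found: {}", count_terminal_controls(SAMPLE));
    println!("user_agent={}", escape_for_terminal(SAMPLE));
}
```

Upgrading to 0.3.20 remains the fix for the formatter itself; a check like this is useful for log sinks the upgrade does not cover or for flagging inputs that carry control characters.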

@renovate renovate bot force-pushed the renovate/cargo-dependencies branch from 4292734 to 15cf580 Compare September 8, 2025 10:04
@renovate renovate bot changed the title chore(deps): update rust crate tracing-subscriber to 0.3.20 chore(deps): update cargo dependencies Sep 8, 2025
@renovate renovate bot force-pushed the renovate/cargo-dependencies branch 7 times, most recently from 3f8635a to de735eb Compare September 18, 2025 22:14
@renovate renovate bot force-pushed the renovate/cargo-dependencies branch 2 times, most recently from 06d3939 to 0d01a87 Compare September 25, 2025 20:05

renovate bot commented Sep 25, 2025

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: Cargo.lock
Command failed: cargo update --config net.git-fetch-with-cli=true --manifest-path Cargo.toml --package chrono@0.4.41 --precise 0.4.42
error: failed to acquire package cache lock

Caused by:
  failed to open: /home/ubuntu/.cargo/.package-cache

Caused by:
  failed to create directory `/home/ubuntu/.cargo`

Caused by:
  File exists (os error 17)

@renovate renovate bot force-pushed the renovate/cargo-dependencies branch from 0d01a87 to bbd2dd8 Compare September 26, 2025 01:01
@Tunglies Tunglies merged commit b795076 into dev Sep 27, 2025
7 of 8 checks passed
@renovate renovate bot deleted the renovate/cargo-dependencies branch September 27, 2025 15:35