Skip to content

chore(deps): bump the prod-deps group across 1 directory with 2 updates#450

Closed
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/cargo/prod-deps-8149162e96
Closed

chore(deps): bump the prod-deps group across 1 directory with 2 updates#450
dependabot[bot] wants to merge 1 commit intomainfrom
dependabot/cargo/prod-deps-8149162e96

Conversation

@dependabot
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Feb 6, 2026
edited
Loading

Bumps the prod-deps group with 2 updates in the / directory: calamine and anyhow.

Updates calamine from 0.32.0 to 0.33.0

Release notes

Sourced from calamine's releases.

v0.33.0 - 2026-02-04

Added

  • Added support for reading data from Pivot Tables, which involves reading data from the internal Pivot Cache. [PR #559].

    [PR #559]: tafia/calamine#559

Changed

  • Update dependencies for release 0.33.0:

    • zip: 4.2.0 -> 7.0.
    • atoi_simd: 0.16 -> 0.17

Fixed

  • Fixed potential memory exhaustion issue in ODS files that could be triggered via repeated empty rows/columns.

    The fix adds limits to prevent memory exhaustion from malicious ODS files that declare billions of repeated cells via table:number-rows-repeated and table:number-columns-repeated attributes.

    The change adds the following protection layers:

    • Add cap for columns per row at MAX_COLUMNS (16,384).
    • Add cap for total row repeats at MAX_ROWS (1,048,576).
    • Add cap for total cells at MAX_CELLS (100 million) in get_range().

    These limits match XLSX's existing row/column limits and prevent a 7KB malicious file from attempting to allocate memory for 17+ billion cells.

    When MAX_CELLS is exceeded, return OdsError::CellLimitExceeded instead of silently returning an empty range. This ensures callers are properly informed of truncation rather than receiving silent data loss.

    [Issue #594], [PR #596].

    [Issue #594]: tafia/calamine#594 [PR #596]: tafia/calamine#596

  • Fixed an issue where XLSX files with tables that had the internal insertRow attribute set returned a Dimensions object where the end row was less than the start row. This caused an assert/panic when trying to create a Range object to return the table range. [Issue #589].

    [Issue #589]: tafia/calamine#589

  • Fixed an issue with XLSX files where worksheet tables used the unusual, but

... (truncated)

Changelog

Sourced from calamine's changelog.

[0.33.0] - 2026-02-04

Added

  • Added support for reading data from Pivot Tables, which involves reading data from the internal Pivot Cache. [PR #559].

    [PR #559]: tafia/calamine#559

Changed

  • Update dependencies for release 0.33.0:

    • zip: 4.2.0 -> 7.0.
    • atoi_simd: 0.16 -> 0.17

Fixed

  • Fixed potential memory exhaustion issue in ODS files that could be triggered via repeated empty rows/columns.

    The fix adds limits to prevent memory exhaustion from malicious ODS files that declare billions of repeated cells via table:number-rows-repeated and table:number-columns-repeated attributes.

    The change adds the following protection layers:

    • Add cap for columns per row at MAX_COLUMNS (16,384).
    • Add cap for total row repeats at MAX_ROWS (1,048,576).
    • Add cap for total cells at MAX_CELLS (100 million) in get_range().

    These limits match XLSX's existing row/column limits and prevent a 7KB malicious file from attempting to allocate memory for 17+ billion cells.

    When MAX_CELLS is exceeded, return OdsError::CellLimitExceeded instead of silently returning an empty range. This ensures callers are properly informed of truncation rather than receiving silent data loss.

    [Issue #594], [PR #596].

    [Issue #594]: tafia/calamine#594 [PR #596]: tafia/calamine#596

  • Fixed an issue where XLSX files with tables that had the internal insertRow attribute set returned a Dimensions object where the end row was less than the start row. This caused an assert/panic when trying to create a Range object to return the table range. [Issue #589].

    [Issue #589]: tafia/calamine#589

... (truncated)

Commits
  • 203258c release: 0.33.0
  • 778bd8b deps: update dependencies for release 0.33.0
  • b17b040 feat: add support for reading PivotTable/PivotCache (#559)
  • a1b5768 ods: fix DoS via repeated rows/columns (issue #594) (#596)
  • 1dc58c6 xlsx: fix table issue when insertRow attribute is set
  • 9111009 xlsx: fix issue with table reference ids
  • e76bcd7 docs: prep changelog for next release
  • See full diff in compare view

Updates anyhow from 1.0.100 to 1.0.101

Release notes

Sourced from anyhow's releases.

1.0.101

Commits
  • 80bfe29 Release 1.0.101
  • dff8c43 Merge pull request #437 from Ibitier/inline-ok-helper
  • 85d9ea9 Add #[inline] to anyhow::Ok helper
  • 54036cc Update ui test suite to nightly-2026-01-21
  • cce0579 Update actions/upload-artifact@v5 -> v6
  • f2c598c Update actions/upload-artifact@v4 -> v5
  • 2c0bda4 Update to 2021 edition
  • 0d82268 Remove rustc version requirement from readme
  • 67df012 Merge pull request #436 from dtolnay/up
  • c898488 Raise required compiler to Rust 1.68
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

@dependabot
chore(deps): bump the prod-deps group across 1 directory with 2 updates
632389d 
Bumps the prod-deps group with 2 updates in the / directory: [calamine](https://github.com/tafia/calamine) and [anyhow](https://github.com/dtolnay/anyhow).


Updates `calamine` from 0.32.0 to 0.33.0
- [Release notes](https://github.com/tafia/calamine/releases)
- [Changelog](https://github.com/tafia/calamine/blob/master/Changelog.md)
- [Commits](tafia/calamine@v0.32.0...v0.33.0)

Updates `anyhow` from 1.0.100 to 1.0.101
- [Release notes](https://github.com/dtolnay/anyhow/releases)
- [Commits](dtolnay/anyhow@1.0.100...1.0.101)

---
updated-dependencies:
- dependency-name: calamine
  dependency-version: 0.33.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: prod-deps
- dependency-name: anyhow
  dependency-version: 1.0.101
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: prod-deps
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added 🦀 rust 🦀 Pull requests that edit Rust code dependencies Pull requests that update a dependency file labels Feb 6, 2026
@dependabot @github
Copy link
Contributor Author

dependabot bot commented on behalf of github Feb 9, 2026

Looks like these dependencies are updatable in another way, so this is no longer needed.

@dependabot dependabot bot closed this Feb 9, 2026
@dependabot dependabot bot deleted the dependabot/cargo/prod-deps-8149162e96 branch February 9, 2026 10:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

🦀 rust 🦀 Pull requests that edit Rust code dependencies Pull requests that update a dependency file

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants