
dependabot: bump evtx from 0.8.5 to 0.11.0 #448

Open: dependabot[bot] wants to merge 1 commit into main from dependabot/cargo/evtx-0.11.0
@dependabot dependabot bot commented on behalf of github Jan 12, 2026

Bumps evtx from 0.8.5 to 0.11.0.

Release notes

Sourced from evtx's releases.

v0.11.0

What's Changed

Full Changelog: omerbenamram/evtx@v0.10.0...v0.11.0

v0.10.0

[0.10.0 - 2025-12-31]

Highlights

  • ~3× faster JSON/XML rendering compared to 0.9.0, powered by the new IR + streaming renderers.
    • On samples/security.evtx (single-threaded): JSONL 45.4ms → 16.5ms (~2.76×), XML 33.2ms → 11.3ms (~2.95×).
  • WEVT_TEMPLATE support (optional wevt_templates feature): extract templates from provider binaries and use an offline cache as a fallback when EVTX embedded templates are missing/corrupt.
  • EVTX Web: a WebAssembly-powered viewer (see PR #252).

Breaking changes (API + behavior)

  • Removed the token-tree output API:
    • BinXmlOutput, XmlOutput, JsonOutput, and EvtxRecord::into_output(..) were removed.
    • Use EvtxRecord::into_xml(), EvtxRecord::into_json(), or EvtxRecord::into_json_value() instead.
    • If you need structured access, use the new IR types under evtx::model::ir.
  • EvtxRecord is now IR-based:
    • EvtxRecord::tokens (and evtx::model::{deserialized, raw, xml}) were removed/replaced.
    • Records now carry tree: evtx::model::ir::IrTree (plus binxml_offset/binxml_size).
  • EvtxRecordHeader::record_data_size() now returns Result<u32> and can error on corrupted data_size values.
  • EvtxChunk no longer exposes the old TemplateCache (template_table); chunk parsing/rendering is now driven by the IR + template instantiation cache.
  • Timestamps switched from chrono::DateTime<Utc> to jiff::Timestamp in EvtxRecord, EvtxRecordHeader, and SerializedEvtxRecord.
  • Error type changes (affects match statements):
    • EvtxError::FailedToParseChunk now carries Box<ChunkError>.
    • DeserializationError IO variants were renamed (UnexpectedIoError → IoWithContext, RemoveMe → Io) and new WEVT/IO truncation errors were added.
    • ChunkError::FailedToBuildTemplateCache was removed.
  • JSON indentation behavior changed:
    • ParserSettings::indent(..) is still used for XML, but JSON output is now always compact in the streaming renderer. If you need pretty JSON, reformat the returned value/string yourself.

Added

  • Streaming JSON renderer + new parsing architecture (PR #267).
  • New intermediate representation (IR) for BinXML (PR #278).
  • WEVT_TEMPLATE extraction + offline cache + rendering helpers (PR #274).
  • evtx_dump: support reading EVTX from stdin (PR #271).
  • Re-export RecordId from crate root (PR #272).
  • Fix parsing when chunk header offsets are too large (PR #273).
  • Web-based viewer (WASM) (PR #252).

Fixed

  • When validate_checksums is disabled, fix multiple infinite-loop cases on malformed EVTX files (PR #263, #264).

Performance

  • IR tree replaces the old token vector (Vec<...>) in the hot path, dramatically reducing allocations and improving cache locality.
  • Streaming renderers write JSON/XML directly to a sink (no serde_json::Value construction on the default path).

... (truncated)

Changelog

Sourced from evtx's changelog.

[0.11.0 - 2026-01-03]

Breaking changes (WEVT_TEMPLATE cache)

  • The offline WEVT template cache is now a single .wevtcache file (directory + index.jsonl is no longer supported).
    • evtx_dump extract-wevt-templates --input <provider.{dll,exe,sys}> --output /tmp/wevt_cache.wevtcache --overwrite
    • evtx_dump --wevt-cache /tmp/wevt_cache.wevtcache <log.evtx>
  • WevtCache is now pure in-memory (no internal filesystem I/O). Load cache blobs at your boundary and pass an Arc<WevtCache> into ParserSettings.
  • CLI flag renames:
    • --wevt-cache-index → --wevt-cache
    • apply-wevt-cache --cache-index → apply-wevt-cache --cache

Fixed

  • Fix MAPS parsing for providers whose MAPS offsets are not monotonic (e.g. wevtsvc.dll).
    • Parse maps deterministically (implied first map + offsets array order).
    • Use each VMAP’s declared size field (no “next offset” boundary guessing / sorting).

Added

  • Git-LFS tracked DLL/EXE fixtures under samples/dlls/ + insta snapshot tests for canonical WEVT_TEMPLATE extraction stats (validated against libfwevt via pyfwevt).

Full Changelog: v0.10.0...v0.11.0

Commits
  • fb8842c chore(release): 0.11.0
  • 1a05bb0 ci: fetch LFS files in test workflow
  • ca232dd test(wevt_templates): add DLL fixtures with insta snapshot tests
  • 0793e27 fix(wevt_templates): parse MAPS deterministically using each map's size field
  • f095aad cursorignore
  • cf7dc8f revert
  • e70d3a1 wevt_templates: switch cache to single .wevtcache file
  • bc01924 ci: use shogo82148/actions-upload-release-asset with overwrite
  • 4a87e34 ci: update ubuntu-20.04 to ubuntu-22.04 (deprecated)
  • b4e6751 newer macos
  • Additional commits viewable in compare view

Most Recent Ignore Conditions Applied to This Pull Request
Dependency Name | Ignore Conditions
evtx | [>= 0.8.3.a, < 0.8.4]

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.
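
The 0.10.0 notes above say EvtxRecordHeader::record_data_size() now returns Result<u32> and can error on corrupted data_size values. The following is an added example, not code from the evtx crate or from this pull request, showing why such a size computation has to be fallible when the input is untrusted. The record layout follows public EVTX format documentation; the function, constant and error names are hypothetical, and the sample headers are constructed.

```rust
// Added illustration; not the evtx crate's implementation.
// Assumed record layout (public EVTX format documentation):
// magic "**\0\0" | u32 size | u64 record id | u64 FILETIME | BinXML | u32 size copy
const RECORD_MAGIC: [u8; 4] = [0x2a, 0x2a, 0x00, 0x00];
const HEADER_LEN: u32 = 24; // magic + size + record id + timestamp
const TRAILER_LEN: u32 = 4; // trailing copy of the size field

#[derive(Debug, PartialEq)]
enum HeaderError {
    Truncated,
    BadMagic,
    SizeTooSmall(u32),
    SizeExceedsBuffer { declared: u32, available: usize },
}

/// Returns the BinXML payload length for the record at the start of `buf`,
/// or an error when the declared size cannot be trusted.
fn record_data_size(buf: &[u8]) -> Result<u32, HeaderError> {
    if buf.len() < HEADER_LEN as usize {
        return Err(HeaderError::Truncated);
    }
    if !buf.starts_with(&RECORD_MAGIC) {
        return Err(HeaderError::BadMagic);
    }
    let declared = u32::from_le_bytes([buf[4], buf[5], buf[6], buf[7]]);
    // An unchecked `declared - 28` would wrap to roughly 4 GiB in release builds.
    let payload = declared
        .checked_sub(HEADER_LEN + TRAILER_LEN)
        .ok_or(HeaderError::SizeTooSmall(declared))?;
    if declared as usize > buf.len() {
        return Err(HeaderError::SizeExceedsBuffer { declared, available: buf.len() });
    }
    Ok(payload)
}

/// Constructed sample: a record header declaring `size`, zero-padded to `total` bytes.
fn sample_record(size: u32, total: usize) -> Vec<u8> {
    let mut v = RECORD_MAGIC.to_vec();
    v.extend_from_slice(&size.to_le_bytes());
    v.resize(total.max(8), 0);
    v
}

fn main() {
    for (size, total) in [(64u32, 64usize), (8, 64), (4096, 64)] {
        println!("size={:>4} -> {:?}", size, record_data_size(&sample_record(size, total)));
    }
}
```

Callers that previously used the return value directly as a length now have to handle the error path, which is where a reviewer of this bump should look first.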

@dependabot dependabot bot added the dependencies (Pull requests that update a dependency file) and rust (Pull requests that update rust code) labels Jan 12, 2026
Bumps [evtx](https://github.com/omerbenamram/EVTX) from 0.8.5 to 0.11.0.
- [Release notes](https://github.com/omerbenamram/EVTX/releases)
- [Changelog](https://github.com/omerbenamram/evtx/blob/master/CHANGELOG.md)
- [Commits](omerbenamram/evtx@v0.8.5...v0.11.0)

---
updated-dependencies:
- dependency-name: evtx
  dependency-version: 0.11.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot force-pushed the dependabot/cargo/evtx-0.11.0 branch from d27f723 to b585dd6 January 14, 2026 08:23