
chore(deps): update rust crate time to v0.3.47 [security]#21

Open
renovate[bot] wants to merge 1 commit intomainfrom
renovate/crate-time-vulnerability

Conversation


@renovate renovate bot commented Feb 5, 2026

This PR contains the following updates:

Package        Type          Update  Change
time (source)  dependencies  patch   0.3.36 -> 0.3.47

GitHub Vulnerability Alerts

CVE-2026-25727

Impact

When user-provided input is provided to any type that parses with the RFC 2822 format, a Denial of Service attack via stack exhaustion is possible. The attack relies on formally deprecated and rarely-used features that are part of the RFC 2822 format used in a malicious manner. Ordinary, non-malicious input will never encounter this scenario.

Patches

A limit to the depth of recursion was added in v0.3.47. From this version, an error will be returned rather than exhausting the stack.

Workarounds

Limiting the length of user input is the simplest way to avoid stack exhaustion, as the amount of the stack consumed would be at most a factor of the length of the input.


Release Notes

time-rs/time (time)

v0.3.47

Compare Source

Security
  • The possibility of a stack exhaustion denial of service attack when parsing RFC 2822 has been
    eliminated. Previously, it was possible to craft input that would cause unbounded recursion. Now,
    the depth of the recursion is tracked, causing an error to be returned if it exceeds a reasonable
    limit.

    This attack vector requires parsing user-provided input, with any type, using the RFC 2822 format.

Compatibility
  • Attempting to format a value with a well-known format (i.e. RFC 3339, RFC 2822, or ISO 8601) will
    error at compile time if the type being formatted does not provide sufficient information. This
    would previously fail at runtime. Similarly, attempting to format a value with ISO 8601 that is
    only configured for parsing (i.e. Iso8601::PARSING) will error at compile time.
Added
  • Builder methods for format description modifiers, eliminating the need for verbose initialization
    when done manually.
  • date!(2026-W01-2) is now supported. Previously, a space was required between W and 01.
  • [end] now has a trailing_input modifier which can either be prohibit (the default) or
    discard. When it is discard, all remaining input is ignored. Note that if there are components
    after [end], they will still attempt to be parsed, likely resulting in an error.
Changed
  • More performance gains when parsing.
Fixed
  • If manually formatting a value, the number of bytes written was one short for some components.
    This has been fixed such that the number of bytes written is always correct.
  • The possibility of integer overflow when parsing an owned format description has been effectively
    eliminated. This would previously wrap when overflow checks were disabled. Instead of storing the
    depth as u8, it is stored as u32. This would require multiple gigabytes of nested input to
    overflow, at which point we've got other problems and trivial mitigations are available by
    downstream users.

v0.3.46

Compare Source

Added
  • All possible panics are now documented for the relevant methods.

  • The need to use #[serde(default)] when using custom serde formats is documented. This applies
    only when deserializing an Option<T>.

  • Duration::nanoseconds_i128 has been made public, mirroring
    std::time::Duration::from_nanos_u128.

  • Various methods for truncating components have been added, avoiding the need to call the fallible
    replace methods multiple times.

    For PrimitiveDateTime, UtcDateTime, and OffsetDateTime:

    • truncate_to_day

    For Time, PrimitiveDateTime, UtcDateTime, and OffsetDateTime:

    • truncate_to_hour
    • truncate_to_minute
    • truncate_to_second
    • truncate_to_millisecond
    • truncate_to_microsecond
Changed
  • The minimum supported Rust version is now 1.88.0.
  • Significant performance gains in numerous locations. No public APIs were changed or removed as
    part of this.
  • The size of error::ComponentRange, along with types that contain it, has been significantly
    reduced.
Fixed
  • The PartialOrd and Ord implementations of UtcOffset now return the expected result.

v0.3.45

Compare Source

Added
  • time::format_description::StaticFormatDescription type alias for &'static [BorrowedFormatItem<'static>]. This is the type returned by the
    time::macros::format_description! macro.
Changed
  • The minimum supported Rust version is now 1.83.0.
  • All floating point methods on Duration are now const fn.
  • All setters on Parsed are now const fn.
  • The serde dependency has been replaced with serde_core. This reduces compile times by not
    including unused parts of serde.
  • Date::from_julian_day uses a new algorithm, resulting in an approximately 16% performance
    improvement. This method is used internally by numerous other methods.
  • util::is_leap_year uses a new algorithm, resulting in an approximately 8% performance
    improvement.

v0.3.44

Compare Source

Fixed
  • Comparisons of PrimitiveDateTime, UtcDateTime, and OffsetDateTime with differing signs (i.e.
    one negative and one positive year) would return the inverse result of what was expected. This was
    introduced in v0.3.42 and has been fixed.
  • Type inference would fail due to feature unification when wasm-bindgen enabled serde_json.
    This has been fixed by explicitly specifying the type in the relevant locations.

v0.3.43

Compare Source

Added
  • Support for rand 0.9
Fixed
  • In the convert module, any use of per with types that were not the same (such as
    Nanosecond::per(Second)) would not compile due to a bug. This has been fixed.

v0.3.42

Compare Source

Added
  • Time::duration_until
  • Time::duration_since
  • per_t method for all types in time::convert. This is similar to the existing per method, but
    can return any of the primitive numeric types that can represent the result. This will cut down on
    as casts while ensuring correctness. Type inference isn't perfect, so you may need to provide a
    type annotation in some situations.
  • impl PartialOrd for Month and impl Ord for Month; this assumes the months are in the same year
  • SystemTimeExt trait, adding methods for checked arithmetic with time::Duration and obtaining
    the difference between two SystemTimes as a time::Duration
  • Permit using UtcDateTime with rand (this was inadvertently omitted previously)
  • impl core::error::Error for all error types (now available when the std feature is disabled)
  • MacOS can now obtain the local UTC offset in multi-threaded programs as the system APIs are
    thread-safe.
  • #[track_caller] has been added to all relevant methods.
Changed
  • The minimum supported Rust version is now 1.81.0.
  • The dependency on itoa has been removed, as the standard library now has similar functionality
    by default.
  • Formatting a component that involves a floating point number is now guaranteed to be
    deterministic, avoiding any subtle differences between platforms or compiler versions.
Fixed
  • Serializing timestamps with nanosecond precision should always emit the correct value.
    Previously, it could be off by one nanosecond due to floating point imprecision.
  • A previously unknown bug in OffsetDateTime::to_offset and UtcDateTime::to_offset has been
    fixed. The bug could result in a value that was invalid. It was unlikely to ever occur in
    real-world code, as it involved passing a UTC offset that has never been used in any location.
Miscellaneous
  • The amount of code generated by macros has been massively reduced, on the order of 65-70% for
    typical use cases of format_description!.
  • Significant performance gains for comparisons of Time, PrimitiveDateTime, UtcDateTime, and
    OffsetDateTime. The first three have gains of approximately 85% (i.e. 6× faster).
  • Nearly all methods are #[inline].

v0.3.41

Compare Source

Fixed
  • Compatibility with the latest release of deranged. This fix is permanent and covers future
    similar changes upstream.

v0.3.40

Compare Source

Added
  • Visibility modifiers may now be added to the mod generated by time::serde::format_description!.

v0.3.39

Compare Source

Fixed
  • Doc tests run successfully with the default feature set.
  • wasm builds work again.

Both of these were regressions in v0.3.38 and are now checked in CI.

v0.3.38

Compare Source

Added
  • The [year] component (in format descriptions) now supports a range modifier, which can be
    either standard or extended. The default is extended for backwards compatibility. This is
    intended as a manner to opt out of the extended range when the large-dates feature is enabled.
    When the large-dates feature is not enabled, the modifier has no effect.

  • UtcDateTime, which is semantically equivalent to an OffsetDateTime with UTC as its offset. The
    advantage is that it is the same size as a PrimitiveDateTime and has improved operability with
    well-known formats.

    As part of this, there were some other additions:

    • utc_datetime! macro, which is similar to the datetime! macro but constructs a UtcDateTime.
    • PrimitiveDateTime::as_utc
    • OffsetDateTime::to_utc
    • OffsetDateTime::checked_to_utc
  • time::serde::timestamp::milliseconds_i64, which is a module to serialize/deserialize timestamps
    as the Unix timestamp. The pre-existing module does this as an i128 where an i64 would
    suffice. This new module should be preferred.

Changed
  • error::Format has had its source() implementation changed to no longer return a boxed value
    from the ComponentRange variant. If you were explicitly expecting this, you will need to update
    your code. The method API remains unchanged.
  • [year repr:century] supports single-digit values.
  • All format_into methods accept ?Sized references.
Miscellaneous
  • Some non-exhaustive enum variants that are no longer used have been modified to be statically
    proven as uninhabited. The relevant fields are doc-hidden and not semver-guaranteed to remain as
    such, though it is unlikely to change.
  • An unnecessary check when parsing RFC 2822 has been removed.
  • Various methods have had their implementations changed, resulting in significant performance
    gains. Among the methods changed are
    • util::is_leap_year
    • util::weeks_in_year
    • Month::length
    • Date::to_calendar_date
    • Date::month
    • Date::day
    • Date::from_julian_day
    • Date::to_julian_day
    • other methods that call into these methods

v0.3.37

Compare Source

Added
  • Time::MAX, equivalent to time!(23:59:59.999999999)
  • [year repr:century] is now supported in format descriptions. When used in conjunction with
    [year repr:last_two], there is sufficient information to parse a date. Note that with the
    large-date feature enabled, there is an ambiguity when parsing the two back-to-back.
  • Parsing of strftime-style format descriptions, located at
    time::format_description::parse_strftime_borrowed and
    time::format_description::parse_strftime_owned
  • time::util::refresh_tz and time::util::refresh_tz_unchecked, which updates information
    obtained via the TZ environment variable. This is equivalent to the tzset syscall on Unix-like
    systems, with and without built-in soundness checks, respectively.
  • Month::length and util::days_in_month, replacing util::days_in_year_month.
  • Expressions are permitted in time::serde::format_description! rather than only paths. This also
    drastically improves diagnostics when an invalid value is provided.
Changed
  • Obtaining the system UTC offset on Unix-like systems should now succeed when multi-threaded.
    However, if the TZ environment variable is altered, the program will not be aware of this until
    time::util::refresh_tz or time::util::refresh_tz_unchecked is called. refresh_tz has the
    same soundness requirements as obtaining the system UTC offset previously did, with the
    requirements still being automatically enforced. refresh_tz_unchecked does not enforce these
    requirements at the expense of being unsafe. Most programs should not need to call either
    function.

    Due to this change, the time::util::local_offset module has been deprecated in its entirety. The
    get_soundness and set_soundness functions are now no-ops.

    Note that while calls should succeed, success is not guaranteed in any situation. Downstream
    users should always be prepared to handle the error case.

Fixed
  • Floating point values are truncated, not rounded, when formatting.
  • RFC3339 allows arbitrary separators between the date and time components.
  • Serialization of negative Durations less than one second is now correct. It previously omitted
    the negative sign.
  • From<js_sys::Date> for OffsetDateTime now ensures sub-millisecond values are not erroneously
    returned.

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR was generated by Mend Renovate. View the repository job log.
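As an added illustration of the two mitigations the advisory above names (an input-length cap before parsing, and a recursion-depth counter that returns an error instead of exhausting the stack), here is a small Rust program. It is not code from the time crate or from this PR; the nested-group grammar, the limits and the error type are hypothetical stand-ins for the RFC 2822 parser.

```rust
// Added example, not the time crate's code. A hypothetical grammar where a
// "group" is '(' followed by characters or nested groups and a closing ')'.
// Without a depth bound, deeply nested input drives the recursion (and the
// stack) as far as the input length allows; the fixes below stop that.

#[derive(Debug, PartialEq)]
pub enum ParseError {
    InputTooLong { len: usize, max: usize }, // workaround: reject oversized input up front
    TooDeep { limit: usize },                // patch-style fix: bounded recursion depth
    Unbalanced,                              // ordinary syntax error
}

pub const MAX_INPUT_LEN: usize = 4096; // hypothetical limit chosen for this example
pub const MAX_DEPTH: usize = 32;       // hypothetical limit chosen for this example

/// Parses one group starting at `pos` (caller guarantees `input[pos] == b'('`).
/// `depth` counts how many groups are currently open; exceeding the limit is an
/// error rather than another recursive call. Returns the index after the ')'.
fn parse_group(input: &[u8], pos: usize, depth: usize) -> Result<usize, ParseError> {
    if depth > MAX_DEPTH {
        return Err(ParseError::TooDeep { limit: MAX_DEPTH });
    }
    let mut i = pos + 1;
    while i < input.len() {
        match input[i] {
            b'(' => i = parse_group(input, i, depth + 1)?, // recurse, one level deeper
            b')' => return Ok(i + 1),
            _ => i += 1,
        }
    }
    Err(ParseError::Unbalanced)
}

/// Applies the length cap, then parses; returns the number of top-level groups.
pub fn parse_bounded(input: &str) -> Result<usize, ParseError> {
    if input.len() > MAX_INPUT_LEN {
        return Err(ParseError::InputTooLong { len: input.len(), max: MAX_INPUT_LEN });
    }
    let bytes = input.as_bytes();
    let (mut i, mut groups) = (0, 0);
    while i < bytes.len() {
        if bytes[i] == b'(' {
            i = parse_group(bytes, i, 1)?;
            groups += 1;
        } else {
            i += 1;
        }
    }
    Ok(groups)
}
```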
