Bump the major group across 1 directory with 8 updates

[dependabot]

Bumps the major group with 8 updates in the / directory:

Package	From	To
rand	0.8.5	0.9.2
ctor	0.5.0	0.8.0
sha2	0.10.9	0.11.0
itertools	0.13.0	0.14.0
darling	0.20.10	0.23.0
macro-string	0.1.4	0.2.0
thiserror	1.0.63	2.0.18
wasmparser	0.116.1	0.221.3

Updates rand from 0.8.5 to 0.9.2

Changelog

Sourced from rand's changelog.

[0.9.2] - 2025-07-20

Deprecated

• Deprecate rand::rngs::mock module and StepRng generator (#1634)

Additions

• Enable WeightedIndex<usize> (de)serialization (#1646)

[0.9.1] - 2025-04-17

Security and unsafe

• Revise "not a crypto library" policy again (#1565)
• Remove zerocopy dependency from rand (#1579)

Fixes

• Fix feature simd_support for recent nightly rust (#1586)

Changes

• Allow fn rand::seq::index::sample_weighted and fn IndexedRandom::choose_multiple_weighted to return fewer than amount results (#1623), reverting an undocumented change (#1382) to the previous release.

Additions

• Add rand::distr::Alphabetic distribution. (#1587)
• Re-export rand_core (#1604)

#1565: rust-random/rand#1565 #1579: rust-random/rand#1579 #1586: rust-random/rand#1586 #1587: rust-random/rand#1587 #1604: rust-random/rand#1604 #1623: rust-random/rand#1623 #1634: rust-random/rand#1634 #1646: rust-random/rand#1646

[0.9.0] - 2025-01-27

Security and unsafe

• Policy: "rand is not a crypto library" (#1514)
• Remove fork-protection from ReseedingRng and ThreadRng. Instead, it is recommended to call ThreadRng::reseed on fork. (#1379)
• Use zerocopy to replace some unsafe code (#1349, #1393, #1446, #1502)

Dependencies

• Bump the MSRV to 1.63.0 (#1207, #1246, #1269, #1341, #1416, #1536); note that 1.60.0 may work for dependents when using --ignore-rust-version
• Update to rand_core v0.9.0 (#1558)

Features

• Support std feature without getrandom or rand_chacha (#1354)
• Enable feature small_rng by default (#1455)
• Remove implicit feature rand_chacha; use std_rng instead. (#1473)
• Rename feature serde1 to serde (#1477)
• Rename feature getrandom to os_rng (#1537)

... (truncated)

Commits

• d3dd415 Prepare rand_core 0.9.2 (#1605)
• 99fabd2 Prepare rand_core 0.9.2
• c7fe1c4 rand: re-export rand_core (#1604)
• db2b1e0 rand: re-export rand_core
• ee1d96f rand_core: implement reborrow for UnwrapMut (#1595)
• e0eb2ee rand_core: implement reborrow for UnwrapMut
• 975f602 fixup clippy 1.85 warnings
• 775b05b Relax Sized requirements for blanket impls (#1593)
• ec6d5c0 Prepare rand_core v0.9.1 (#1591)
• 6a06056 rand_core: introduce an UnwrapMut wrapper (#1589)
• Additional commits viewable in compare view

Updates ctor from 0.5.0 to 0.8.0

Commits

• See full diff in compare view

Updates sha2 from 0.10.9 to 0.11.0

Commits

• ffe0939 Release sha2 0.11.0 (#806)
• 8991b65 Use the standard order of the [package] section fields (#807)
• 3d2bc57 sha2: refactor backends (#802)
• faa55fb sha3: bump keccak to v0.2 (#803)
• d3e6489 sha3 v0.11.0-rc.9 (#801)
• bbf6f51 sha2: tweak backend docs (#800)
• 155dbbf sha3: add default value for the DS generic parameter on TurboShake128/256...
• ed514f2 Use published version of keccak v0.2 (#799)
• 702bcd8 Migrate to closure-based keccak (#796)
• 827c043 sha3 v0.11.0-rc.8 (#794)
• Additional commits viewable in compare view

Updates itertools from 0.13.0 to 0.14.0

Changelog

Sourced from itertools's changelog.

0.14.0

Breaking

• Increased MSRV to 1.63.0 (#960)
• Removed generic parameter from cons_tuples (#988)

Added

• Added array_combinations (#991)
• Added k_smallest_relaxed and variants (#925)
• Added next_array and collect_array (#560)
• Implemented DoubleEndedIterator for FilterOk (#948)
• Implemented DoubleEndedIterator for FilterMapOk (#950)

Changed

• Allow Q: ?Sized in Itertools::contains (#971)
• Improved hygiene of chain! (#943)
• Improved into_group_map_by documentation (#1000)
• Improved tree_reduce documentation (#955)
• Improved discoverability of merge_join_by (#966)
• Improved discoverability of take_while_inclusive (#972)
• Improved documentation of find_or_last and find_or_first (#984)
• Prevented exponentially large type sizes in tuple_combinations (#945)
• Added track_caller attr for asser_equal (#976)

Notable Internal Changes

• Fixed clippy lints (#956, #987, #1008)
• Addressed warnings within doctests (#964)
• CI: Run most tests with miri (#961)
• CI: Speed up "cargo-semver-checks" action (#938)
• Changed an instance of default_features in Cargo.toml to default-features (#985)

Commits

• a015a68 Add next_array and collect_array
• a1213e1 Prepare v0.14.0 release
• ff0c942 fix clippy lints
• f80883b Fix into_group_map_by documentation errors
• b793238 Add track_caller for asser_equal
• 5d4056b default_features is deprecated - switch it to default-features
• a447b68 doc for added trait
• d0479b0 "nitpicks"
• 35c78ce IndexMut -> BorrowMut<slice>
• deb53ba refactored to share code
• Additional commits viewable in compare view

Updates darling from 0.20.10 to 0.23.0

Release notes

Sourced from darling's releases.

v0.23.0

• Bump MSRV to 1.88.0; there have been no code changes that caused this, but due to dependency issues CI no longer works on 1.56.0 #357
• Revert dependency version pins which caused problems #385

v0.22.0

YANKED Pinned dependencies made this version cause conflicts with other crates.

• BREAKING: Remove fnv dependency, as runtime performance gain does not justify additional dependency. This was exposed to users of darling::usage, so it may be breaking for them #373
• Add #[darling(default = || expr(val))] support, allowing a closure where a path was previously required #380
• Preserve span information for paths given to darling::util::Callable as literal strings
• Fix some documentation typos

v0.21.3

• Fix: Forward Override::<T>::from_expr to T::from_expr #371

v0.21.2

• Add #[darling(from_expr = ...)] when deriving FromMeta to support overriding the key-value form #369
• Keep parsing the body and type params even if there are errors from parsing attributes. #7
• Support #[darling(with = ...)] on the generics field when deriving FromDeriveInput.
• Return an error, rather than panicking, when doing shape validation on a union. #365

v0.21.1

• Track all alternate field names, and show them in error message if there aren't too many. #325
• Track all alternate values for enum variants, and show them in error messages if there aren't too many. #362

v0.21.0

• Potentially breaking: Emit error when an attribute path is present in both attributes and forward_attrs. #336
• Support parsing attributes which contain keywords #238
• Add SpannedValue::into_inner #342
• Add #[darling(derive_syn_parse)] to also impl syn::parse::Parse when deriving FromMeta #285
• Make impl FromMeta for syn::TypePath support both quote-wrapped and bare values #351
• Add util::PreservedStrExpr #346
• Impl UsesTypeParams and UsesLifetimes for WithOriginal #215
• Update error message emitted by <() as FromMeta>::from_list to allow use of () as a #[darling(flatten)] target #353

v0.20.11

• Support #[darling(with = ...)] on the data field when deriving FromDeriveInput. This allows the use of simpler receiver types, such as a Vec of enum variants.
• Bump version of proc-macro2 to 1.0.86.
• Accept closures for #[darling(with = ...)] on fields in FromDeriveInput, FromMeta, FromField, etc. #309
• Add darling::util::Callable to accept a path or closure as a meta-item expression
• Add #[darling(from_word = ...)] and #[darling(from_none = ...)] to control shorthand and fallback behaviors for structs and enums deriving FromMeta #320
• Add FromMeta impl for syn::ExprRange #329

Changelog

Sourced from darling's changelog.

v0.23.0 (December 3, 2025)

• Bump MSRV to 1.88.0; there have been no code changes that caused this, but due to dependency issues CI no longer works on 1.56.0 #357

v0.22.0 (December 2, 2025)

• BREAKING: Remove fnv dependency, as runtime performance gain does not justify additional dependency. This was exposed to users of darling::usage, so it may be breaking for them #373
• Add #[darling(default = || expr(val))] support, allowing a closure where a path was previously required #380
• Preserve span information for paths given to darling::util::Callable as literal strings
• Fix some documentation typos

v0.21.3 (August 22, 2025)

• Fix: Forward Override::<T>::from_expr to T::from_expr #371

v0.21.2 (August 14, 2025)

• Add #[darling(from_expr = ...)] when deriving FromMeta to support overriding the key-value form #369
• Keep parsing the body and type params even if there are errors from parsing attributes. #7
• Support #[darling(with = ...)] on the generics field when deriving FromDeriveInput.
• Return an error, rather than panicking, when doing shape validation on a union. #365

v0.21.1 (August 4, 2025)

• Track all alternate field names, and show them in error message if there aren't too many. #325
• Track all alternate values for enum variants, and show them in error messages if there aren't too many. #362

v0.21.0 (July 10, 2025)

• Potentially breaking: Emit error when an attribute path is present in both attributes and forward_attrs. #336
• Support parsing attributes which contain keywords #238
• Add SpannedValue::into_inner #342
• Add #[darling(derive_syn_parse)] to also impl syn::parse::Parse when deriving FromMeta #285
• Make impl FromMeta for syn::TypePath support both quote-wrapped and bare values #351
• Add util::PreservedStrExpr #346
• Impl UsesTypeParams and UsesLifetimes for WithOriginal #215
• Update error message emitted by <() as FromMeta>::from_list to allow use of () as a #[darling(flatten)] target #353

v0.20.11 (March 28, 2025)

• Support #[darling(with = ...)] on the data field when deriving FromDeriveInput. This allows the use of simpler receiver types, such as a Vec of enum variants.
• Bump version of proc-macro2 to 1.0.86.
• Accept closures for #[darling(with = ...)] on fields in FromDeriveInput, FromMeta, FromField, etc. #309
• Add darling::util::Callable to accept a path or closure as a meta-item expression
• Add #[darling(from_word = ...)] and #[darling(from_none = ...)] to control shorthand and fallback behaviors for structs and enums deriving FromMeta #320
• Add FromMeta impl for syn::ExprRange #329

Commits

• cfef4e5 Update compiletests to rustc 1.88.0
• 334ee48 Bump version to 0.23.0
• 858b869 Bump MSRV to 1.88.0
• dd9cb44 Bump CI tests to 1.88.0
• 4e57762 Revert "Lock quote version"
• 775a523 Revert "Lock min version of proc-macro2"
• 3947278 Bump version to 0.22.0
• cd33f9b chore: fix some minor issues in the comments
• 2ca795b docs: fix minor typo in top-level doc comment ('its' → 'it’s')
• 878b5ba Lock min version of proc-macro2
• Additional commits viewable in compare view

Updates macro-string from 0.1.4 to 0.2.0

Release notes

Sourced from macro-string's releases.

0.2.0

• Support cloning MacroString (#26)
• Split parsing and eval (#27)
• Provide method to produce correctly spanned error (#28)

Commits

• 82ed150 Release 0.2.0
• 80750cf Merge pull request #28 from dtolnay/error
• 9c09b26 Provide method to produce correctly spanned error
• 894316f Merge pull request #27 from dtolnay/eval
• 377fd57 Split parsing and eval
• f2eea0f Merge pull request #26 from dtolnay/clone
• ed20bf9 Support cloning MacroString
• ff33555 Raise required compiler to Rust 1.71
• 0426310 Update actions/upload-artifact@v5 -> v6
• 3c0b22a Update actions/upload-artifact@v4 -> v5
• Additional commits viewable in compare view

Updates thiserror from 1.0.63 to 2.0.18

Release notes

Sourced from thiserror's releases.

2.0.18

• Make compatible with project-level needless_lifetimes = "forbid" (#443, thanks @​LucaCappelletti94)

2.0.17

• Use differently named __private module per patch release (#434)

2.0.16

• Add to "no-std" crates.io category (#429)

2.0.15

• Prevent Error::provide API becoming unavailable from a future new compiler lint (#427)

2.0.14

• Allow build-script cleanup failure with NFSv3 output directory to be non-fatal (#426)

2.0.13

• Documentation improvements

2.0.12

• Prevent elidable_lifetime_names pedantic clippy lint in generated impl (#413)

2.0.11

• Add feature gate to tests that use std (#409, #410, thanks @​Maytha8)

2.0.10

• Support errors containing a generic type parameter's associated type in a field (#408)

2.0.9

• Work around missing_inline_in_public_items clippy restriction being triggered in macro-generated code (#404)

2.0.8

• Improve support for macro-generated derive(Error) call sites (#399)

2.0.7

• Work around conflict with #[deny(clippy::allow_attributes)] (#397, thanks @​zertosh)

2.0.6

• Suppress deprecation warning on generated From impls (#396)

2.0.5

• Prevent deprecation warning on generated impl for deprecated type (#394)

2.0.4

• Eliminate needless_lifetimes clippy lint in generated From impls (#391, thanks @​matt-phylum)

2.0.3

• Support the same Path field being repeated in both Debug and Display representation in error message (#383)
• Improve error message when a format trait used in error message is not implemented by some field (#384)

2.0.2

... (truncated)

Commits

• dc0f6a2 Release 2.0.18
• 0275292 Touch up PR 443
• 3c33bc6 Merge pull request #443 from LucaCappelletti94/master
• 995939c Reproduce issue 442
• 21653d1 Made clippy lifetime allows conditional
• 45e5388 Update actions/upload-artifact@v5 -> v6
• 386aac1 Update actions/upload-artifact@v4 -> v5
• ec50561 Update actions/checkout@v5 -> v6
• 247eab5 Update name of empty_enum clippy lint
• 91b181f Raise required compiler to Rust 1.68
• Additional commits viewable in compare view

Updates wasmparser from 0.116.1 to 0.221.3

Commits

• See full diff in compare view

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	thiserror@​1.0.63 ⏵ 2.0.18
	wasmparser@​0.221.3
	ctor@​0.8.0
	itertools@​0.14.0
	macro-string@​0.2.0
	rand@​0.9.2
	sha2@​0.11.0
	darling@​0.20.10 ⏵ 0.23.0

View full report