From 1ebfc9158fc8d45b3e26aed52d202471cc93e715 Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Sun, 8 Feb 2026 23:49:52 +0000 Subject: [PATCH] Update Rust crate time to v0.3.47 [SECURITY] (#48514) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This PR contains the following updates: | Package | Type | Update | Change | |---|---|---|---| | [time](https://time-rs.github.io) ([source](https://redirect.github.com/time-rs/time)) | workspace.dependencies | patch | `0.3.44` → `0.3.47` | --- > [!WARNING] > Some dependencies could not be looked up. Check the Dependency Dashboard for more information. ### GitHub Vulnerability Alerts #### [CVE-2026-25727](https://redirect.github.com/time-rs/time/security/advisories/GHSA-r6v5-fh4h-64xc) ### Impact When user-provided input is provided to any type that parses with the RFC 2822 format, a Denial of Service attack via stack exhaustion is possible. The attack relies on formally deprecated and rarely-used features that are part of the RFC 2822 format used in a malicious manner. Ordinary, non-malicious input will never encounter this scenario. ### Patches A limit to the depth of recursion was added in v0.3.47. From this version, an error will be returned rather than exhausting the stack. ### Workarounds Limiting the length of user input is the simplest way to avoid stack exhaustion, as the amount of the stack consumed would be at most a factor of the length of the input. --- ### Release Notes
time-rs/time (time) ### [`v0.3.47`](https://redirect.github.com/time-rs/time/blob/HEAD/CHANGELOG.md#0347-2026-02-05) [Compare Source](https://redirect.github.com/time-rs/time/compare/v0.3.46...v0.3.47) ##### Security - The possibility of a stack exhaustion denial of service attack when parsing RFC 2822 has been eliminated. Previously, it was possible to craft input that would cause unbounded recursion. Now, the depth of the recursion is tracked, causing an error to be returned if it exceeds a reasonable limit. This attack vector requires parsing user-provided input, with any type, using the RFC 2822 format. ##### Compatibility - Attempting to format a value with a well-known format (i.e. RFC 3339, RFC 2822, or ISO 8601) will error at compile time if the type being formatted does not provide sufficient information. This would previously fail at runtime. Similarly, attempting to format a value with ISO 8601 that is only configured for parsing (i.e. `Iso8601::PARSING`) will error at compile time. ##### Added - Builder methods for format description modifiers, eliminating the need for verbose initialization when done manually. - `date!(2026-W01-2)` is now supported. Previously, a space was required between `W` and `01`. - `[end]` now has a `trailing_input` modifier which can either be `prohibit` (the default) or `discard`. When it is `discard`, all remaining input is ignored. Note that if there are components after `[end]`, they will still attempt to be parsed, likely resulting in an error. ##### Changed - More performance gains when parsing. ##### Fixed - If manually formatting a value, the number of bytes written was one short for some components. This has been fixed such that the number of bytes written is always correct. - The possibility of integer overflow when parsing an owned format description has been effectively eliminated. This would previously wrap when overflow checks were disabled. Instead of storing the depth as `u8`, it is stored as `u32`. This would require multiple gigabytes of nested input to overflow, at which point we've got other problems and trivial mitigations are available by downstream users. ### [`v0.3.46`](https://redirect.github.com/time-rs/time/blob/HEAD/CHANGELOG.md#0346-2026-01-23) [Compare Source](https://redirect.github.com/time-rs/time/compare/v0.3.45...v0.3.46) ##### Added - All possible panics are now documented for the relevant methods. - The need to use `#[serde(default)]` when using custom `serde` formats is documented. This applies only when deserializing an `Option`. - `Duration::nanoseconds_i128` has been made public, mirroring `std::time::Duration::from_nanos_u128`. - Various methods for truncating components have been added, avoiding the need to call the fallible `replace` methods multiple times. For `PrimitiveDateTime`, `UtcDateTime`, and `OffsetDateTime`: - `truncate_to_day` For `Time`, `PrimitiveDateTime`, `UtcDateTime`, and `OffsetDateTime`: - `truncate_to_hour` - `truncate_to_minute` - `truncate_to_second` - `truncate_to_millisecond` - `truncate_to_microsecond` ##### Changed - The minimum supported Rust version is now 1.88.0. - Significant performance gains in numerous locations. No public APIs were changed or removed as part of this. - The size of `error::ComponentRange`, along with types that contain it, has been significantly reduced. ##### Fixed - The `PartialOrd` and `Ord` implementations of `UtcOffset` now return the expected result. ### [`v0.3.45`](https://redirect.github.com/time-rs/time/blob/HEAD/CHANGELOG.md#0345-2026-01-13) [Compare Source](https://redirect.github.com/time-rs/time/compare/v0.3.44...v0.3.45) ##### Added - `time::format_description::StaticFormatDescription` type alias for `&'static [BorrowedFormatItem<'static>]`. This is the type returned by the `time::macros::format_description!` macro. ##### Changed - The minimum supported Rust version is now 1.83.0. - All floating point methods on `Duration` are now `const fn`. - All setters on `Parsed` are now `const fn`. - The `serde` dependency has been replaced with `serde_core`, This reduces compile times by not including unused parts of `serde`. - `Date::from_julian_day` uses a new algorithm, resulting in an approximately 16% performance improvement. This method is used internally by numerous other methods. - `util::is_leap_year` uses a new algorithm, resulting in an approximately 8% performance improvement.
--- ### Configuration 📅 **Schedule**: Branch creation - "" in timezone America/New_York, Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- Release Notes: - N/A Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- Cargo.lock | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 8682919045556be302e4c7fc0be2848ffade85d5..c3c8af9c756c308d100d8ef3174dfe053c159aaa 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -10770,9 +10770,9 @@ dependencies = [ [[package]] name = "num-conv" -version = "0.1.0" +version = "0.2.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "51d515d32fb182ee37cda2ccdcb92950d6a3c2893aa280e540671c2cd0f3b1d9" +checksum = "cf97ec579c3c42f953ef76dbf8d55ac91fb219dde70e49aa4a6b7d74e9919050" [[package]] name = "num-derive" @@ -17081,9 +17081,9 @@ dependencies = [ [[package]] name = "time" -version = "0.3.44" +version = "0.3.47" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "91e7d9e3bb61134e77bde20dd4825b97c010155709965fedf0f49bb138e52a9d" +checksum = "743bd48c283afc0388f9b8827b976905fb217ad9e647fae3a379a9283c4def2c" dependencies = [ "deranged", "itoa", @@ -17091,22 +17091,22 @@ dependencies = [ "num-conv", "num_threads", "powerfmt", - "serde", + "serde_core", "time-core", "time-macros", ] [[package]] name = "time-core" -version = "0.1.6" +version = "0.1.8" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "40868e7c1d2f0b8d73e4a8c7f0ff63af4f6d19be117e90bd73eb1d62cf831c6b" +checksum = "7694e1cfe791f8d31026952abf09c69ca6f6fa4e1a1229e18988f06a04a12dca" [[package]] name = "time-macros" -version = "0.2.24" +version = "0.2.27" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "30cfb0125f12d9c277f35663a0a33f8c30190f4e4574868a330595412d34ebf3" +checksum = "2e70e4c5a0e0a8a4823ad65dfe1a6930e4f4d756dcd9dd7939022b5e8c501215" dependencies = [ "num-conv", "time-core",