Sourced from tracing-subscriber's releases.

tracing-subscriber 0.3.20

Security Fix: ANSI Escape Sequence Injection (CVE-TBD)

Impact

Previous versions of tracing-subscriber were vulnerable to ANSI escape sequence injection attacks. Untrusted user input containing ANSI escape sequences could be injected into terminal output when logged, potentially allowing attackers to:

• Manipulate terminal title bars
• Clear screens or modify terminal display
• Potentially mislead users through terminal manipulation

In isolation, impact is minimal, however security issues have been found in terminal emulators that enabled an attacker to use ANSI escape sequences via logs to exploit vulnerabilities in the terminal emulator.

Solution

Version 0.3.20 fixes this vulnerability by escaping ANSI control characters in when writing events to destinations that may be printed to the terminal.

Affected Versions

All versions of tracing-subscriber prior to 0.3.20 are affected by this vulnerability.

Recommendations

Immediate Action Required: We recommend upgrading to tracing-subscriber 0.3.20 immediately, especially if your application:

• Logs user-provided input (form data, HTTP headers, query parameters, etc.)
• Runs in environments where terminal output is displayed to users

Migration

This is a patch release with no breaking API changes. Simply update your Cargo.toml:

[dependencies]
tracing-subscriber = "0.3.20"

Acknowledgments

We would like to thank zefr0x who responsibly reported the issue at security@tokio.rs.

If you believe you have found a security vulnerability in any tokio-rs project, please email us at security@tokio.rs.

• 4c52ca5 fmt: fix ANSI escape sequence injection vulnerability (#3368)
• f71cebe subscriber: impl Clone for EnvFilter (#3360)
• 3a1f571 Fix CI (#3361)
• e63ef57 chore: prepare tracing-attributes 0.1.30 (#3316)
• 6e59a13 attributes: fix tracing::instrument regression around shadowing (#3311)
• e4df761 tracing: update core to 0.1.34 and attributes to 0.1.29 (#3305)
• 643f392 chore: prepare tracing-attributes 0.1.29 (#3304)
• d08e7a6 chore: prepare tracing-core 0.1.34 (#3302)
• 6e70c57 tracing-subscriber: count numbers of enters in Timings (#2944)
• c01d4fd fix docs and enable CI on main branch (#3295)
• Additional commits viewable in compare view

Sourced from clap's releases.

v4.5.46

[4.5.46] - 2025-08-26

Features

• Expose StyledStr::push_str

Sourced from clap's changelog.

[4.5.46] - 2025-08-26

Features

• Expose StyledStr::push_str

• acf9abb chore: Release
• 9186a18 docs: Update changelog
• 233c316 Merge pull request #5926 from sorairolake/feature/value-parser-factory-for-sa...
• 13931a2 Merge pull request #5923 from Reverier-Xu/master
• 536e29f feat(builder): Add ValueParserFactory for Saturating\<T>
• 45ed71c chore: Avoid using gen for rust 2024 preserved keyword
• 5029bb3 chore: Avoid using gen for rust 2024 preserved keyword
• 8a1d59b chore(deps): Update Rust Stable to v1.85 (#5921)
• 9caee53 docs(changelog): Clarify 5.0.0
• cb2352f Merge pull request #5918 from epage/test
• Additional commits viewable in compare view

• See full diff in compare view

• See full diff in compare view

• See full diff in compare view

• c3a132d chore: release
• d72d812 feat(axum): optional extraction of client.address (former client_ip) from...
• cabaf01 build: switch to megalinter flavor: documentation
• 91c4c78 chore: fix yaml syntax of FUNDING
• 77bf105 chore(deps): update jdx/mise-action action to v3
• 559324f chore(deps): update dependency protoc to v32
• feb7f45 chore(deps): update actions/checkout action to v5
• c0f4fee chore(deps): update rust crate rstest to 0.26
• See full diff in compare view

• See full diff in compare view

• See full diff in compare view

• See full diff in compare view

Sourced from image's changelog.

Version 0.25.7

Features:

• Added an API for external image format implementations to register themselves as decoders for a specific format in image (#2372)
• Added CICP awarenes via moxcms to support color spaces (#2531). The support for transforming is limited for now and will be gradually expanded.
• You can now embed Exif metadata when writing JPEG, PNG and WebP images (#2537, #2539)
• Added functions to extract orientation from Exif metadata and optionally clear it in the Exif chunk (#2484)
• Serde support for more types (#2445)
• PNM encoder now supports writing 16-bit images (#2431)

API improvements:

• save, save_with_format, write_to and write_with_encoder methods on DynamicImage now automatically convert the pixel format when necessary instead of returning an error (#2501)
• Added DynamicImage::has_alpha() convenience method
• Implemented TryFrom<ExtendedColorType> for ColorType (#2444)
• Added const HAS_ALPHA to trait Pixel
• Unified the error for unsupported encoder colors (#2543)
• Added a hooks module to customize builtin behavior, register_format_detection_hook and register_decoding_hook for the determining format of a file and selecting an ImageDecoder implementation respectively. (#2372)

Performance improvements:

• Gaussian blur (#2496) and box blur (#2515) are now faster
• Improve compilation times by avoiding unnecessary instantiation of generic functions (#2468, #2470)

Bug fixes:

• Many improvements to image format decoding: TIFF, WebP, AVIF, PNG, GIF, BMP, TGA
• Fixed GifEncoder::encode() ignoring the speed parameter and always using the slowest speed (#2504)
• .pnm is now recognized as a file extension for the PNM format (#2559)

• a24556b Merge pull request #2581 from image-rs/release-0.25.7
• 9175dbc Fix readme typo (#2580)
• a3d81db Bump version to 0.25.7
• b229f3f Bump to latest tiff, add fax4 test (#2377)
• 950445e Move format support table to only be in docs (#2579)
• ca30099 Merge pull request #2555 from Shnatsel/257-changelog
• 901a75c Merge pull request #2574 from image-rs/png-0.18
• d9a09b8 Drop bitflags workaround
• 7208377 Update image URLs (#2578)
• 806f24f Update some URLs (#2577)
• Additional commits viewable in compare view

Sourced from mimalloc's releases.

Version 0.1.48

Changes

• Mimalloc v3 feature flag. (credits @​gschulze).

• a5a76fd v0.1.48
• 31607bf Merge pull request #144 from gschulze/feature/3.x
• aaa0114 Allow unused macros in generated test code
• 54d6262 Allow unused imports in generated test code
• 1f527f1 Proper feature flag propagation in binding tests
• edee487 Fix clippy lints
• 29c44c2 Add workflows for v3
• af52306 Add support for testing v3 in CI
• d84e46e Fix excludes in Cargo manifest
• 747b5b1 Introduce feature flag to switch between mimalloc major versions
• See full diff in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions