chore(deps): update lockfile deps (hold back rattler)

[jdx]

Summary

• Updates all lockfile dependencies to latest compatible versions
• Holds back rattler crates due to rattler_virtual_packages 2.3.12+ requiring rattler_conda_types 0.44 while other rattler crates still pin 0.43.4
• Eliminates zip 7 and lzma-rust2 0.15.x from the dep tree, resolving the crc version conflict in chore(deps): lock file maintenance #8416

Test plan

• cargo check passes locally
• All pre-commit lints pass
• CI passes

🤖 Generated with Claude Code

---

Note

Medium Risk
Large dependency refresh affecting networking/crypto/tooling crates (e.g. hyper, rustls, tokio, gix, zip) could introduce subtle runtime or build regressions across platforms. No application logic changes, but the breadth of transitive updates raises compatibility risk.

Overview
Updates Cargo.lock to newer compatible versions across the dependency tree, including notable bumps to core runtime and networking/crypto libraries (e.g. tokio, hyper, rustls, AWS Smithy crates, and gix) and introduces/removes several transitive crates as a result.

Adjusts cargo-deny policy in deny.toml by removing an advisory ignore entry and tightening license configuration (drops OpenSSL from the allowlist and removes the custom ring license clarification).

^{Reviewed by Cursor Bugbot for commit 79691a4. Bugbot is set up for automated code reviews on this repo. Configure here.}

[gemini-code-assist]

Note

Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	cargo/​chrono@​0.4.43 ⏵ 0.4.44
	cargo/​clap@​4.5.56 ⏵ 4.6.0
	cargo/​console@​0.16.2 ⏵ 0.16.3

View full report

[greptile-apps]

Greptile Summary

Refreshes Cargo.lock to pick up latest compatible crate releases while pinning rattler_virtual_packages at 2.3.10 and rattler_conda_types at 0.43.4 to avoid an upstream cross-crate version incompatibility (2.3.12+ requires rattler_conda_types 0.44 while other rattler crates still pin 0.43.4). The deny.toml removes two now-obsolete suppressions: the RUSTSEC-2026-0049 advisory ignore (the advisory was likely retracted or amended in the RustSec DB — confirmed safe since cargo deny check runs against a fresh advisory DB in CI and passes) and the ring license clarification (ring 0.17.14 no longer requires manual [[licenses.clarify]] intervention with current cargo-deny). Note that rustls 0.21.12 and rustls-webpki 0.101.7 remain in the graph as a transitive dependency of aws-smithy-http-client 1.1.9, but this is an upstream constraint that cannot be resolved at the mise level.

Confidence Score: 5/5

Safe to merge — lockfile-only update with well-reasoned hold-backs and CI-verified deny.toml cleanup.

All deny.toml changes are justified cleanup of obsolete suppressions (verified by CI running cargo deny check against a fresh advisory DB). The rattler hold-backs are correctly documented and prevent a known cross-crate version conflict. No direct code changes introduce new risk.

No files require special attention; reviewers may want to re-evaluate the rattler pin when rattler_conda_types 0.44 is broadly adopted across the rattler ecosystem.

Important Files Changed

Filename	Overview
Cargo.lock	Lockfile refreshed to latest compatible versions; zip 7 eliminated, lzma-rust2 bumped 0.15.x → 0.16.2, rattler crates pinned at compatible versions (rattler_virtual_packages 2.3.10, rattler_conda_types 0.43.4)
deny.toml	Removes obsolete RUSTSEC-2026-0049 advisory ignore and ring license clarification/OpenSSL allowance — both are safe cleanup given CI passes with a fresh advisory DB pull

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[Cargo.lock update] --> B{rattler ecosystem}
    A --> C{zip / lzma-rust2}
    A --> D{TLS / crypto stack}
    B --> E[rattler_virtual_packages\nHeld back at 2.3.10]
    B --> F[rattler_conda_types\nHeld at 0.43.4]
    B --> G[Other rattler crates\nUpdated to latest]
    E -- incompatible with --> H[rattler_conda_types 0.44\nnot yet adopted]
    C --> I[zip 7 eliminated\nlzma-rust2 0.15.x eliminated]
    I --> J[Resolves crc version conflict\nfrom issue 8416]
    D --> K[ring 0.17.14 remains\nLicense clarification removed]
    D --> L[rustls 0.21.12 + rustls-webpki 0.101.7\nStill present via aws-smithy-http-client]
    L -- RUSTSEC-2026-0049 ignore --> M[Removed from deny.toml\nAdvisory retracted in RustSec DB]

Loading

_{Reviews (1): Last reviewed commit: "chore(deps): update lockfile deps (hold ..." | Re-trigger Greptile}

[github-actions]

Hyperfine Performance

mise x -- echo

Command	Mean [ms]	Min [ms]	Max [ms]	Relative
mise-2026.4.3 x -- echo	22.1 ± 0.4	21.4	26.4	1.00
mise x -- echo	22.5 ± 0.4	21.7	24.8	1.02 ± 0.03

mise env

Command	Mean [ms]	Min [ms]	Max [ms]	Relative
mise-2026.4.3 env	21.5 ± 0.6	20.7	28.9	1.00
mise env	21.9 ± 0.3	21.3	23.8	1.02 ± 0.03

mise hook-env

Command	Mean [ms]	Min [ms]	Max [ms]	Relative
mise-2026.4.3 hook-env	22.3 ± 0.4	21.6	24.2	1.00
mise hook-env	22.7 ± 0.4	21.9	25.5	1.02 ± 0.02

mise ls

Command	Mean [ms]	Min [ms]	Max [ms]	Relative
mise-2026.4.3 ls	19.5 ± 0.3	18.9	21.1	1.00
mise ls	20.1 ± 0.4	19.3	21.5	1.03 ± 0.03

xtasks/test/perf

Command	mise-2026.4.3	mise	Variance
install (cached)	148ms	149ms	+0%
ls (cached)	78ms	79ms	-1%
bin-paths (cached)	83ms	82ms	+1%
task-ls (cached)	796ms	799ms	+0%