chore(deps): bump the rust-dependencies group with 2 updates

[dependabot]

Bumps the rust-dependencies group with 2 updates: serde_json and russh.

Updates serde_json from 1.0.149 to 1.0.150

Release notes

Sourced from serde_json's releases.

v1.0.150

• Reject non-string enum object keys (#1324, thanks @​puneetdixit200)

Commits

• a1ae73a Release 1.0.150
• 1a360b0 Merge pull request #1324 from puneetdixit200/reject-non-string-enum-keys
• 2037b63 Reject non-string enum object keys
• 5d30df6 Resolve manual_assert_eq pedantic clippy lint
• dc8003a Raise required compiler for preserve_order feature to 1.85
• a42fa98 Unpin CI miri toolchain
• 684a60e Pin CI miri to nightly-2026-02-11
• 7c7da33 Raise required compiler to Rust 1.71
• acf4850 Simplify Number::is_f64
• 6b8ceab Resolve unnecessary_map_or clippy lint
• Additional commits viewable in compare view

Updates russh from 0.60.3 to 0.61.1

Release notes

Sourced from russh's releases.

v0.61.1

Security fixes

GHSA-wwx6-x28x-8259

When compression is negotiated, an attacker can craft a "ZIP bomb" style packet that would bypass the maximum packet size checks. This could allow the attacker to hit the OOM limit and either get the server process killed by the OS, or, prior to russh@0.58.0, aborted. A similar issue existed in the AgentClient as well, which could be triggered by a malformed SSH agent response.

Fixes

• keys/agent: forward full agent signature blob for sk-ecdsa/sk-ed25519 keys (#701) #701 (ztbh)
• accept empty name-list in KEXINIT (RFC 4251 §5) (#710) #710 (Bernardo Meurer)

v0.61.0

Changes

• 32fd46f: Reduce russh write-path copies with direct Bytes sends (#695) (Mika Cohen) #695

  • New APIs allow zero-copy writes into channels:
    • Channel::data_bytes
    • Channel::extended_data_bytes
    • ChannelWriteHalf::data_bytes
    • ChannelWriteHalf::extended_data_bytes

• deps: migrate to stable versions pkcs5 / pkcs8 / ed25519 and loosen prerelease pins (extends #697) (#702) #702 (escapecode)

• 72b250a: migrate to upstream ssh-key crate and update RustCrypto crates (#709) (Eugene) #709

Security fixes

Part of the hardening efforts by @​mjc

GHSA-hpv4-5h6f-wqr3

• When a client changed their username between authentication requests, russh server implementation would not correctly reset its internal state (allowed methods and "partial success" state), which could lead to incorrect responses to the client.
  • Note that you still need to handle the case where the client sends a subsequent authentication request with a different username and reset any accumulated authentication state your application might have

GHSA-g9g7-5cgw-6v28

• When a client sent a keyboard-interactive authentication request, the prompt counter was used to directly allocate memory without verifying it, which can lead to denial of service.

GHSA-76r6-x97p-67vr

• russh server did not enfore the SSH protocol header validation strictly enough, allowing a client to hold the connection open indefinitely, wasting resources.

GHSA-4r3c-5hpg-58qr

• "Name list" fields such as algorithm lists were only bounded by the packet size. While the SSH protocol does not impose a limit, in practice it could allow a client to waste resources by spamming huge KEXINIT messages via multiple connections.

Fixes

• 4186cf2: Refactor block-cipher packet-length probing to avoid unsafe state duplication (#706) (Mika Cohen) #706
• reject trailing KEX and channel-open payloads (Mika Cohen)
• reject trailing encrypted message payloads (Mika Cohen)

Commits

• a2ffd0f v0.61.1
• 2692a6f Merge commit from fork
• 93bc2c9 add ztbh as a contributor for code (#712)
• 7f585b5 fix: accept empty name-list in KEXINIT (RFC 4251 §5) (#710)
• 0e1b6fb fix(keys/agent): forward full agent signature blob for sk-ecdsa/sk-ed25519 ke...
• 264a885 Add GitArena to adopters (#698)
• 04c0acf Add Calagopus to adopters (#711)
• 1947d6b v0.61.0
• 22295fa Merge commit from fork
• 311f6cf Merge commit from fork
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[cloudflare-workers-and-pages]

Deploying with    Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status	Name	Latest Commit	Preview URL	Updated (UTC)
✅ Deployment successful! View logs	bashkit	9d17398	Commit Preview URL Branch Preview URL	May 25 2026, 03:50 PM