Skip to content

chore(deps)(deps): bump thin-vec from 0.2.14 to 0.2.18#1

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/cargo/thin-vec-0.2.18
Open

chore(deps)(deps): bump thin-vec from 0.2.14 to 0.2.18#1
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/cargo/thin-vec-0.2.18

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 3, 2026

Copy link
Copy Markdown

Bumps thin-vec from 0.2.14 to 0.2.18.

Changelog

Sourced from thin-vec's changelog.

Versions 0.2.17 and 0.2.18 (2026-04-29)

  • Fix compiling some feature combinations in no_std mode

Version 0.2.16 (2026-04-14)

  • Fix reserve() on auto arrays in gecko-ffi mode.
  • Fix two double-drop issues with ThinVec::clear() and ThinVec::into_iter() when the Drop implementation of the item panics.

Version 0.2.15 (2026-04-08)

  • Support AutoTArrays created from Rust in Gecko FFI mode.
  • Add extract_if.
  • Add const new() support behind feature flag.
  • Fix thin_vec macro not being hygienic when recursing
  • Improve extend() performance.
Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot @github

dependabot Bot commented on behalf of github Jul 3, 2026

Copy link
Copy Markdown
Author

Labels

The following labels could not be found: dependencies, rust. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

Bumps [thin-vec](https://github.com/mozilla/thin-vec) from 0.2.14 to 0.2.18.
- [Changelog](https://github.com/mozilla/thin-vec/blob/main/RELEASES.md)
- [Commits](https://github.com/mozilla/thin-vec/commits)

---
updated-dependencies:
- dependency-name: thin-vec
  dependency-version: 0.2.18
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@bdimitrov-netzine bdimitrov-netzine force-pushed the dependabot/cargo/thin-vec-0.2.18 branch from cdd2c7b to 4ebb877 Compare July 7, 2026 11:55
@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Claude finished @bdimitrov-netzine's task in 1m 7s —— View job


PR Review: thin-vec 0.2.14 → 0.2.18

  • Gather context and read changed files
  • Review changelog for security/breaking implications
  • Assess Cargo.lock diff
  • Provide final review

Summary

This is a routine dependency bump. The change is minimal and correct: only Cargo.lock is updated with the new version and its corresponding checksum.

-version = "0.2.14"
+version = "0.2.18"
-checksum = "144f754d318415ac792f9d69fc87abbbfc043ce2ef041c60f16ad828f638717d"
+checksum = "b0f7e269b48f0a7dd0146680fa24b50cc67fc0373f086a5b2f99bd084639b482"

thin-vec is a transitive dependency — there is no direct entry for it in any Cargo.toml in this repository, so no API surface is directly affected.


Changelog Assessment

Version Changes Impact
0.2.15 extract_if, const new() flag, hygiene fix for thin_vec! macro, extend() perf improvement Low — additive
0.2.16 Fix double-drop bugs in ThinVec::clear() and ThinVec::into_iter() when an item's Drop panics; fix reserve() in gecko-ffi mode Notable — memory safety correctness fix
0.2.17/0.2.18 Fix feature-combination compilation in no_std mode Low

The double-drop fixes in 0.2.16 are the most significant change. While panic-in-Drop is an edge case in practice, it previously caused unsound behavior (double-free). Picking up this fix is a correctness improvement.


Assessment

Recommendation: safe to merge.

  • No direct usage of thin-vec in this codebase — only transitive exposure.
  • The update includes bug fixes (including a memory safety correction), no breaking API changes.
  • Checksum is updated correctly in Cargo.lock.
  • CI checks are currently in progress; confirm they pass before merging.

Note on Dependabot Labels

The Dependabot bot flagged that labels dependencies and rust don't exist in this repo. Consider creating them to keep future dependency PRs organized — this doesn't block merging.

@github-actions

github-actions Bot commented Jul 7, 2026

Copy link
Copy Markdown
Contributor

Security Scan - Code

Severity: HIGH, CRITICAL

No vulnerabilities found

View scan results

Report Summary

┌─────────────────────────────────────────────┬────────────┬─────────────────┬───────────────────┐
│                   Target                    │    Type    │ Vulnerabilities │ Misconfigurations │
├─────────────────────────────────────────────┼────────────┼─────────────────┼───────────────────┤
│ Cargo.lock                                  │   cargo    │        0        │         -         │
├─────────────────────────────────────────────┼────────────┼─────────────────┼───────────────────┤
│ crates/testing/fuzz-targets/Cargo.lock      │   cargo    │        0        │         -         │
├─────────────────────────────────────────────┼────────────┼─────────────────┼───────────────────┤
│ crates/testing/fuzz-targets/fuzz/Cargo.lock │   cargo    │        0        │         -         │
├─────────────────────────────────────────────┼────────────┼─────────────────┼───────────────────┤
│ etc/state-sum/Cargo.lock                    │   cargo    │        0        │         -         │
├─────────────────────────────────────────────┼────────────┼─────────────────┼───────────────────┤
│ etc/tps/package-lock.json                   │    npm     │        0        │         -         │
├─────────────────────────────────────────────┼────────────┼─────────────────┼───────────────────┤
│ rayls-contracts/package-lock.json           │    npm     │        0        │         -         │
├─────────────────────────────────────────────┼────────────┼─────────────────┼───────────────────┤
│ etc/chaos-network/Dockerfile                │ dockerfile │        -        │         0         │
├─────────────────────────────────────────────┼────────────┼─────────────────┼───────────────────┤
│ etc/docker-network/Dockerfile               │ dockerfile │        -        │         0         │
├─────────────────────────────────────────────┼────────────┼─────────────────┼───────────────────┤
│ etc/docker-replay/Dockerfile                │ dockerfile │        -        │         0         │
└─────────────────────────────────────────────┴────────────┴─────────────────┴───────────────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants