Skip to content

chore(deps)(deps): bump rpassword from 7.4.0 to 7.5.0#2

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/cargo/rpassword-7.5.0
Open

chore(deps)(deps): bump rpassword from 7.4.0 to 7.5.0#2
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/cargo/rpassword-7.5.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 3, 2026

Copy link
Copy Markdown

Bumps rpassword from 7.4.0 to 7.5.0.

Release notes

Sourced from rpassword's releases.

v7.5.0

This release comes with lots of stuff. It should be fully backward compatible.

New features

  • Support for masking or partially masking a password as it's being typed. Thank you, @​chipsenkbeil, for your contribution.
  • New API. The documentation has been vastly improved to support this, see https://docs.rs/rpassword/. To sum up, you can now call read_password_with_config(config) and there is a ConfigBuilder that allows you to configure how passwords should be read. This makes the library much more flexible and means new options will be added without breaking existing code.

Fixes

  • Fix for CVE-2025-64170 which affects rpassword on versions v7.4.0 and below. Thank you, @​squell and @​DevLaTron, for reporting this.
  • Better support for multibyte characters and more reliable handling of control characters and terminal escape sequences. Thank you again, @​chipsenkbeil, for your contribution.

Deprecations

  • _from_bufread functions have been deprecated. You are encouraged to migrate to _with_config functions. See UPGRADE.md as well as the documentation which has examples that you can most likely drop into your code without other changes.

Misc

  • Update of the windows-sys dependency.
  • Update Rust edition from 2018 to 2024.
  • Better cross-platform testing, through more unit tests and a CI that runs Linux, Windows and Wasm.

Feedback is very much welcome.

Commits
  • 2d9873e release v7.5.0
  • e67e3b4 removes commented out code
  • fdde958 remove .idea from .gitignore
  • d531c59 allow reading from any Read and writing to any Write
  • 205dfb2 differentiate Input and Output targets
  • 6aa333a make PasswordFeedback internal though ConfigBuilder
  • aadeef2 allow more flexible input/output
  • ff7be55 add support for Ctrl-W
  • c56fefa format rust files with cargo fmt
  • c6f4f19 handle character encodings more reliably
  • Additional commits viewable in compare view

@dependabot @github

dependabot Bot commented on behalf of github Jul 3, 2026

Copy link
Copy Markdown
Author

Labels

The following labels could not be found: dependencies, rust. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Security Scan - Code

Severity: HIGH, CRITICAL

No vulnerabilities found

View scan results

Report Summary

┌─────────────────────────────────────────────┬────────────┬─────────────────┬───────────────────┐
│                   Target                    │    Type    │ Vulnerabilities │ Misconfigurations │
├─────────────────────────────────────────────┼────────────┼─────────────────┼───────────────────┤
│ Cargo.lock                                  │   cargo    │        0        │         -         │
├─────────────────────────────────────────────┼────────────┼─────────────────┼───────────────────┤
│ crates/testing/fuzz-targets/Cargo.lock      │   cargo    │        0        │         -         │
├─────────────────────────────────────────────┼────────────┼─────────────────┼───────────────────┤
│ crates/testing/fuzz-targets/fuzz/Cargo.lock │   cargo    │        0        │         -         │
├─────────────────────────────────────────────┼────────────┼─────────────────┼───────────────────┤
│ etc/state-sum/Cargo.lock                    │   cargo    │        0        │         -         │
├─────────────────────────────────────────────┼────────────┼─────────────────┼───────────────────┤
│ etc/tps/package-lock.json                   │    npm     │        0        │         -         │
├─────────────────────────────────────────────┼────────────┼─────────────────┼───────────────────┤
│ rayls-contracts/package-lock.json           │    npm     │        0        │         -         │
├─────────────────────────────────────────────┼────────────┼─────────────────┼───────────────────┤
│ etc/chaos-network/Dockerfile                │ dockerfile │        -        │         0         │
├─────────────────────────────────────────────┼────────────┼─────────────────┼───────────────────┤
│ etc/docker-network/Dockerfile               │ dockerfile │        -        │         0         │
├─────────────────────────────────────────────┼────────────┼─────────────────┼───────────────────┤
│ etc/docker-replay/Dockerfile                │ dockerfile │        -        │         0         │
└─────────────────────────────────────────────┴────────────┴─────────────────┴───────────────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)

Bumps [rpassword](https://github.com/conradkleinespel/rpassword) from 7.4.0 to 7.5.0.
- [Release notes](https://github.com/conradkleinespel/rpassword/releases)
- [Commits](conradkleinespel/rpassword@v7.4.0...v7.5.0)

---
updated-dependencies:
- dependency-name: rpassword
  dependency-version: 7.5.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@bdimitrov-netzine bdimitrov-netzine force-pushed the dependabot/cargo/rpassword-7.5.0 branch from 1fbd971 to 5416d55 Compare July 9, 2026 14:57
@github-actions

github-actions Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Claude finished @bdimitrov-netzine's task in 1m 9s —— View job


PR Review: bump rpassword 7.4.0 → 7.5.0

  • Gather context (CLAUDE.md, changed files, code using rpassword)
  • Review the dependency bump and its implications
  • Assess security impact (CVE-2025-64170)
  • Post final review

Summary

This is a security-critical dependency bump that resolves CVE-2025-64170 in rpassword, affecting all versions ≤ 7.4.0. The change is low-risk, fully backward compatible, and the CI security scan confirms 0 vulnerabilities post-upgrade. Recommend merging.


Findings

Version discrepancy (minor)

The PR title says "bump to 7.5.0" but the actual resolved version in Cargo.lock is 7.5.4:

-version = "7.4.0"
+version = "7.5.4"

Dependabot opened the PR for 7.5.0, and subsequent patch releases landed before merge. The lock file reflects the correct latest-stable version — this is fine but worth noting for the audit trail.

Cargo.toml workspace pin not updated

Cargo.toml:107 still reads:

rpassword = "7.4.0"

Because Cargo uses caret requirements by default (^7.4.0 = >=7.4.0, <8.0.0), the lockfile correctly resolves to 7.5.4. However, updating the manifest to reflect the new minimum (rpassword = "7.5") would be cleaner hygiene and make the intent explicit.
Fix this →

API usage is safe

All call sites use rpassword::prompt_password(), which is the stable, non-deprecated API:

  • bin/rayls-network/src/main.rs:45,46,89
  • crates/infrastructure/network-cli/src/keytool/rotate_passphrase.rs:56,57

The deprecated functions (_from_bufread variants) are not used, so no migration is needed.

Pre-existing typo (out of scope but worth noting)

bin/rayls-network/src/main.rs:45: "ecrypt" → should be "encrypt".


Security Assessment

Item Status
CVE-2025-64170 fixed ✅ Resolved by upgrading to ≥7.5.0
Security scan (HIGH/CRITICAL) ✅ 0 findings
windows-sys dependency Updated 0.59.0 → 0.61.2 (no issues)
API backward compatibility prompt_password() is stable
Breaking changes None

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants