Bump rust-lang/crates-io-auth-action from 1.0.4 to 1.0.5#377
Conversation
Bumps [rust-lang/crates-io-auth-action](https://github.com/rust-lang/crates-io-auth-action) from 1.0.4 to 1.0.5. - [Release notes](https://github.com/rust-lang/crates-io-auth-action/releases) - [Commits](rust-lang/crates-io-auth-action@v1.0.4...v1.0.5) --- updated-dependencies: - dependency-name: rust-lang/crates-io-auth-action dependency-version: 1.0.5 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
🤖 Cursor Dependency AnalysisSupply-Chain Malware ReviewReviewing how the action is used and what changed upstream between 1.0.4 and 1.0.5. This is a low-risk patch bump from the official Upstream change analysis (v1.0.4 → v1.0.5)
Malware scanner (status: warn) — false positives, not compromise
Checklist highlights
Recommendation: Approve and merge. Optional sanity check: run the Compatibility AnalysisI'll inspect how this action is used in the repo and compare it with the upstream v1.0.4→v1.0.5 changes. Compatibility & adoption analysis —
|
| Risk | Severity | Notes |
|---|---|---|
Bundled runtime drift in dist/chunk1.js |
Low | Only @actions/core patch bump; entrypoint logic unchanged |
| Auth path not exercised in PR CI | Pre-existing | Step is gated on RELEASE == 'true'; bump won't be validated until next release publish |
| Trusted publishing config on crates.io | Pre-existing | Required for release publish; unrelated to this patch |
Malware scan warn |
Informational | Heuristic hits on bundled JS; upstream is official rust-lang repo, patch-only tooling change |
No breaking API changes, no new permissions, no new inputs required.
4) Recommendation: merge
Patch bump with no contract or source changes. Safe to adopt. The only validation gap (auth runs only on release) existed before this PR; confirm on the next release publish that OIDC token exchange succeeds.
Malware Scan Summary
- Status: warn
- Warn only mode:
true - Changed upstream files scanned:
9 - Resolution strategy:
tag_range - Changed node/vendor paths:
0 - Changed lockfiles:
2 - Resolved upstream range:
bbd81622f20ce9e2dd9622e3218b975523e45bbe..c6f97d42243bad5fab37ca0427f495c86d5b1a18 - Resolved refs: from=
bbd81622f20ce9e2dd9622e3218b975523e45bbeto=c6f97d42243bad5fab37ca0427f495c86d5b1a18 - Unicode findings (post-allowlist):
0 - Confusable findings (post-allowlist):
0 - IOC findings (post-allowlist):
0 - Heuristic findings (post-allowlist):
198
Top findings
dist/chunk1.js:967codepoint_decoder ::if ((this.code = key.charCodeAt(index)) > 127) throw new TypeError("key must be ascii string");dist/chunk1.js:981codepoint_decoder ::const code = key.charCodeAt(index);dist/chunk1.js:1387codepoint_decoder ::for (let i = 0; i < characters.length; ++i) if (!isTokenCharCode(characters.charCodeAt(i))) return false;dist/chunk1.js:2681codepoint_decoder ::for (let i = "A".charCodeAt(0); i <= "Z".charCodeAt(0); i++) {dist/chunk1.js:3271codepoint_decoder ::if (data.charCodeAt(dataLength - 1) === 61) {dist/chunk1.js:3273codepoint_decoder ::if (data.charCodeAt(dataLength - 1) === 61) --dataLength;dist/chunk1.js:3373codepoint_decoder ::if (leading) while (lead < str.length && predicate(str.charCodeAt(lead))) lead++;dist/chunk1.js:3374codepoint_decoder ::if (trailing) while (trail > 0 && predicate(str.charCodeAt(trail))) trail--;dist/chunk1.js:3665codepoint_decoder ::for (let index = 0; index < x.length; index++) if (x.charCodeAt(index) > 255) throw new TypeError(Cannot convert argument to a ByteString because the character at index ${index} has a value of ${x.charCodeAt(index)} which is greater than 255.);dist/chunk1.js:3805codepoint_decoder ::const code = url.charCodeAt(i);dist/chunk1.js:3833codepoint_decoder ::const c = statusText.charCodeAt(i);dist/chunk1.js:4363codepoint_decoder ::if (data.charCodeAt(position.position) !== 61) return "failure";dist/chunk1.js:4367codepoint_decoder ::const code = char.charCodeAt(0);dist/chunk1.js:4372codepoint_decoder ::if (data.charCodeAt(position.position) !== 45) return "failure";dist/chunk1.js:4376codepoint_decoder ::const code = char.charCodeAt(0);dist/chunk1.js:4472codepoint_decoder ::if (position.position < input.length) if (input.charCodeAt(position.position) === 34) {dist/chunk1.js:4476codepoint_decoder ::assert$22(input.charCodeAt(position.position) === 44);dist/chunk1.js:4799codepoint_decoder ::for (let i = 0; i < chars.length; ++i) if ((chars.charCodeAt(i) & -128) !== 0) return false;dist/chunk1.js:4810codepoint_decoder ::const cp = boundary.charCodeAt(i);dist/chunk1.js:9950codepoint_decoder ::while (j > i && isHTTPWhiteSpaceCharCode(potentialValue.charCodeAt(j - 1))) --j;
Bumps rust-lang/crates-io-auth-action from 1.0.4 to 1.0.5.
Release notes
Sourced from rust-lang/crates-io-auth-action's releases.
Commits
c6f97d4Merge pull request #259 from rust-lang/renovate/lock-file-maintenanceb929a92package dist9d23f3bchore(deps): lock file maintenance2b6b194Merge pull request #263 from rust-lang/ci-links-accept-403-as-failure1a7afc2ci(links): accept 403 as success701b15cMerge pull request #260 from rust-lang/renovate/tsdown-0.x-lockfilecf898e1package dist1a6a621chore(deps): update dependency tsdown to v0.22.29f93ac2Merge pull request #261 from rust-lang/renovate/github-actions5463451chore(deps): update github actions to v6.0.3Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)Note
Low Risk
Patch-level GitHub Action bump with unchanged inputs/outputs; no application or security logic changes.
Overview
Updates the Rust bindings workflow’s crates.io publish step to use
rust-lang/crates-io-auth-action@v1.0.5instead ofv1.0.4. The step still runs only on release (env.RELEASE == 'true') and feedssteps.auth.outputs.tokenintoCARGO_REGISTRY_TOKENforcargo publish; no other workflow logic changes.Reviewed by Cursor Bugbot for commit a61a3f1. Bugbot is set up for automated code reviews on this repo. Configure here.