Skip to content

Bump tracing-subscriber from 0.3.19 to 0.3.20#3

Merged
masc2023 merged 4 commits intomainfrom
dependabot/cargo/tracing-subscriber-0.3.20
Feb 11, 2026
Merged

Bump tracing-subscriber from 0.3.19 to 0.3.20#3
masc2023 merged 4 commits intomainfrom
dependabot/cargo/tracing-subscriber-0.3.20

Conversation

@dependabot
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Sep 30, 2025
edited
Loading

Bumps tracing-subscriber from 0.3.19 to 0.3.20.

Release notes

Sourced from tracing-subscriber's releases.

tracing-subscriber 0.3.20

Security Fix: ANSI Escape Sequence Injection (CVE-TBD)

Impact

Previous versions of tracing-subscriber were vulnerable to ANSI escape sequence injection attacks. Untrusted user input containing ANSI escape sequences could be injected into terminal output when logged, potentially allowing attackers to:

  • Manipulate terminal title bars
  • Clear screens or modify terminal display
  • Potentially mislead users through terminal manipulation

In isolation, impact is minimal, however security issues have been found in terminal emulators that enabled an attacker to use ANSI escape sequences via logs to exploit vulnerabilities in the terminal emulator.

Solution

Version 0.3.20 fixes this vulnerability by escaping ANSI control characters in when writing events to destinations that may be printed to the terminal.

Affected Versions

All versions of tracing-subscriber prior to 0.3.20 are affected by this vulnerability.

Recommendations

Immediate Action Required: We recommend upgrading to tracing-subscriber 0.3.20 immediately, especially if your application:

  • Logs user-provided input (form data, HTTP headers, query parameters, etc.)
  • Runs in environments where terminal output is displayed to users

Migration

This is a patch release with no breaking API changes. Simply update your Cargo.toml:

[dependencies]
tracing-subscriber = "0.3.20"

Acknowledgments

We would like to thank zefr0x who responsibly reported the issue at security@tokio.rs.

If you believe you have found a security vulnerability in any tokio-rs project, please email us at security@tokio.rs.

Commits

Dependabot compatibility score

You can trigger a rebase of this PR by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

@dependabot
Bump tracing-subscriber from 0.3.19 to 0.3.20
a0fce9a 
Bumps [tracing-subscriber](https://github.com/tokio-rs/tracing) from 0.3.19 to 0.3.20.
- [Release notes](https://github.com/tokio-rs/tracing/releases)
- [Commits](tokio-rs/tracing@tracing-subscriber-0.3.19...tracing-subscriber-0.3.20)

---
updated-dependencies:
- dependency-name: tracing-subscriber
  dependency-version: 0.3.20
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file rust Pull requests that update rust code labels Sep 30, 2025
@github-actions
Copy link

github-actions bot commented Sep 30, 2025
edited
Loading

License Check Results

🚀 The license check job ran with the Bazel command:

bazel run //:license-check

Status: ⚠️ Needs Review

Click to expand output 
[License Check Output]
2026/02/11 10:56:48 Downloading https://github.com/aspect-build/aspect-cli/releases/download/5.9.36/bazel-5.9.36-linux-x86_64...
2026/02/11 10:56:48 Downloading https://releases.bazel.build/8.3.0/release/bazel-8.3.0-linux-x86_64...
Starting local Bazel server (8.3.0) and connecting to it...
INFO: Invocation ID: eb876562-240b-4160-a934-deeec5aa4069
Computing main repo mapping: 
Computing main repo mapping: 
Computing main repo mapping: 
WARNING: For repository 'aspect_rules_lint', the root module requires module version aspect_rules_lint@1.5.3, but got aspect_rules_lint@2.0.0 in the resolved dependency graph. Please update the version in your MODULE.bazel or set --check_direct_dependencies=off
WARNING: For repository 'rules_python', the root module requires module version rules_python@1.4.1, but got rules_python@1.8.3 in the resolved dependency graph. Please update the version in your MODULE.bazel or set --check_direct_dependencies=off
Loading: 
Loading: 0 packages loaded
Loading: 0 packages loaded
Loading: 0 packages loaded
    currently loading: 
Loading: 0 packages loaded
    currently loading: 
Analyzing: target //:license-check (1 packages loaded, 0 targets configured)
Analyzing: target //:license-check (1 packages loaded, 0 targets configured)

Analyzing: target //:license-check (15 packages loaded, 9 targets configured)

Analyzing: target //:license-check (73 packages loaded, 9 targets configured)

Analyzing: target //:license-check (86 packages loaded, 9 targets configured)

Analyzing: target //:license-check (139 packages loaded, 541 targets configured)

Analyzing: target //:license-check (154 packages loaded, 2052 targets configured)

Analyzing: target //:license-check (159 packages loaded, 2656 targets configured)

Analyzing: target //:license-check (161 packages loaded, 3072 targets configured)

Analyzing: target //:license-check (161 packages loaded, 3072 targets configured)

Analyzing: target //:license-check (161 packages loaded, 3072 targets configured)

Analyzing: target //:license-check (167 packages loaded, 9234 targets configured)

Analyzing: target //:license-check (188 packages loaded, 9306 targets configured)
[13 / 17] JavaToolchainCompileClasses external/rules_java+/toolchains/platformclasspath_classes; 0s disk-cache, processwrapper-sandbox
Analyzing: target //:license-check (192 packages loaded, 9316 targets configured)
[13 / 17] JavaToolchainCompileClasses external/rules_java+/toolchains/platformclasspath_classes; 1s disk-cache, processwrapper-sandbox ... (2 actions running)
INFO: From Generating Dash formatted dependency file ...:
INFO: Successfully converted 250 packages from Cargo.lock to bazel-out/k8-fastbuild/bin/formatted.txt
Analyzing: target //:license-check (192 packages loaded, 9316 targets configured)
[15 / 17] JavaToolchainCompileBootClasspath external/rules_java+/toolchains/platformclasspath.jar; 0s disk-cache, processwrapper-sandbox
Analyzing: target //:license-check (192 packages loaded, 9316 targets configured)
[16 / 17] [Prepa] Building license.check.license_check.jar ()
Analyzing: target //:license-check (192 packages loaded, 9316 targets configured)
[17 / 17] no actions running
Analyzing: target //:license-check (193 packages loaded, 13650 targets configured)
[17 / 17] no actions running
Analyzing: target //:license-check (193 packages loaded, 13650 targets configured)
[17 / 17] no actions running
Analyzing: target //:license-check (193 packages loaded, 13650 targets configured)
[17 / 17] no actions running
Analyzing: target //:license-check (193 packages loaded, 13650 targets configured)
[17 / 17] no actions running
Analyzing: target //:license-check (193 packages loaded, 13650 targets configured)
[17 / 17] no actions running
DEBUG: Rule 'rules_rust++rust+rust_linux_x86_64__x86_64-unknown-linux-gnu__stable_tools' indicated that a canonical reproducible form can be obtained by modifying arguments sha256s = {"rustc-1.93.0-x86_64-unknown-linux-gnu.tar.xz": "00c6e6740ea6a795e33568cd7514855d58408a1180cd820284a7bbf7c46af715", "clippy-1.93.0-x86_64-unknown-linux-gnu.tar.xz": "793108977514b15c0f45ade28ae35c58b05370cb0f22e89bd98fdfa61eabf55d", "cargo-1.93.0-x86_64-unknown-linux-gnu.tar.xz": "c23de3ae709ff33eed5e4ae59d1f9bcd75fa4dbaa9fb92f7b06bfb534b8db880", "llvm-tools-1.93.0-x86_64-unknown-linux-gnu.tar.xz": "86159dfa25c40cc7187ed9740f571b1c1ba3cc2d59a2ab1d12aa37198c96ba40", "rust-std-1.93.0-x86_64-unknown-linux-gnu.tar.xz": "a849a418d0f27e69573e41763c395e924a0b98c16fcdc55599c1c79c27c1c777"}
DEBUG: Repository rules_rust++rust+rust_linux_x86_64__x86_64-unknown-linux-gnu__stable_tools instantiated at:
  <builtin>: in <toplevel>
Repository rule rust_toolchain_tools_repository defined at:
  /home/runner/.bazel/external/rules_rust+/rust/repositories.bzl:567:50: in <toplevel>
Analyzing: target //:license-check (193 packages loaded, 13650 targets configured)
[17 / 17] no actions running
INFO: Analyzed target //:license-check (196 packages loaded, 13756 targets configured).
INFO: Found 1 target...
Target //:license.check.license_check up-to-date:
  bazel-bin/license.check.license_check
  bazel-bin/license.check.license_check.jar
INFO: Elapsed time: 40.490s, Critical Path: 4.39s
INFO: 17 processes: 12 internal, 4 processwrapper-sandbox, 1 worker.
INFO: Build completed successfully, 17 total actions
INFO: Running command line: bazel-bin/license.check.license_check ./formatted.txt <args omitted>
usage: org.eclipse.dash.licenses.cli.Main [-batch <int>] [-cd <url>]
       [-confidence <int>] [-ef <url>] [-excludeSources <sources>] [-help] [-lic
       <url>] [-project <shortname>] [-repo <url>] [-review] [-summary <file>]
       [-timeout <seconds>] [-token <token>]

@github-actions
Copy link

github-actions bot commented Sep 30, 2025

The created documentation from the pull request is available at: docu-html

@masc2023 masc2023 closed this Feb 10, 2026
@dependabot @github
Copy link
Contributor Author

dependabot bot commented on behalf of github Feb 10, 2026

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

@dependabot dependabot bot deleted the dependabot/cargo/tracing-subscriber-0.3.20 branch February 10, 2026 17:47
@masc2023 masc2023 restored the dependabot/cargo/tracing-subscriber-0.3.20 branch February 10, 2026 18:25
@masc2023 masc2023 reopened this Feb 10, 2026
masc2023
masc2023 previously approved these changes Feb 10, 2026
View reviewed changes
@masc2023
Merge branch 'main' into dependabot/cargo/tracing-subscriber-0.3.20
f8789f6 
Signed-off-by: Markus Schu <markus.schu@accenture.com>
@masc2023 masc2023 closed this Feb 11, 2026
@masc2023 masc2023 reopened this Feb 11, 2026
@masc2023 masc2023 merged commit 5e7b632 into main Feb 11, 2026
8 checks passed
@masc2023 masc2023 deleted the dependabot/cargo/tracing-subscriber-0.3.20 branch February 11, 2026 11:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@masc2023 masc2023 masc2023 approved these changes

@johannes-esr johannes-esr Awaiting requested review from johannes-esr

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file rust Pull requests that update rust code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@masc2023