
Bump clap from 4.5.38 to 4.5.60#1389

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/cargo/clap-4.5.60

Conversation


dependabot[bot] commented on behalf of github, Mar 6, 2026

Bumps clap from 4.5.38 to 4.5.60.

Release notes

Sourced from clap's releases.

v4.5.60

[4.5.60] - 2026-02-19

Fixes

  • (help) Quote empty default values, possible values

v4.5.59

[4.5.59] - 2026-02-16

Fixes

  • Command::ignore_errors no longer masks help/version on subcommands

v4.5.58

[4.5.58] - 2026-02-11

v4.5.57

[4.5.57] - 2026-02-03

Fixes

  • Regression from 4.5.55 where having an argument with .value_terminator("--") caused problems with an argument with .last(true)

v4.5.56

[4.5.56] - 2026-01-29

Fixes

  • On conflict error, don't show conflicting arguments in the usage

v4.5.55

[4.5.55] - 2026-01-27

Fixes

  • Fix inconsistency in precedence between positionals with a value_terminator("--") and escapes (--) where ./foo -- bar means the first arg is empty, rather than escaping future args

v4.5.54

[4.5.54] - 2026-01-02

Fixes

  • (help) Move [default] to its own paragraph when PossibleValue::help is present in --help

v4.5.53

[4.5.53] - 2025-11-19

Features

... (truncated)

Changelog

Sourced from clap's changelog.

[4.5.60] - 2026-02-19

Fixes

  • (help) Quote empty default values, possible values

[4.5.59] - 2026-02-16

Fixes

  • Command::ignore_errors no longer masks help/version on subcommands

[4.5.58] - 2026-02-11

[4.5.57] - 2026-02-03

Fixes

  • Regression from 4.5.55 where having an argument with .value_terminator("--") caused problems with an argument with .last(true)

[4.5.56] - 2026-01-29

Fixes

  • On conflict error, don't show conflicting arguments in the usage

[4.5.55] - 2026-01-27

Fixes

  • Fix inconsistency in precedence between positionals with a value_terminator("--") and escapes (--) where ./foo -- bar means the first arg is empty, rather than escaping future args

[4.5.54] - 2026-01-02

Fixes

  • (help) Move [default] to its own paragraph when PossibleValue::help is present in --help

[4.5.53] - 2025-11-19

Features

  • Add default_values_if, default_values_ifs

[4.5.52] - 2025-11-17

Fixes

  • Don't panic when args_conflicts_with_subcommands conflicts with an ArgGroup

... (truncated)

Commits
  • 33d24d8 chore: Release
  • 9332409 docs: Update changelog
  • b7adce5 Merge pull request #6166 from fabalchemy/fix-dynamic-powershell-completion
  • 009bba4 fix(clap_complete): Improve powershell registration
  • d89d57d chore: Release
  • f18b67e docs: Update changelog
  • 9d218eb Merge pull request #6165 from epage/shirt
  • 126440c fix(help): Correctly calculate padding for short-only args
  • 9e3c05e test(help): Show panic with short, valueless arg
  • c9898d0 test(help): Verify short with value
  • Additional commits viewable in compare view


Note

Medium Risk
Primarily a dependency bump, but it pulls in updated transitive crates (including new windows-sys versions and once_cell_polyfill), which could affect builds and CLI parsing/help output across platforms.

Overview
Updates the workspace dependency on clap from 4.5.38 to 4.5.60.

Refreshes Cargo.lock, upgrading clap’s resolved ecosystem (e.g., clap_*, anstream/anstyle*, proc-macro2/quote/syn) and introducing new transitive packages like once_cell_polyfill, windows-link, and an additional windows-sys version to satisfy updated Windows-related dependencies.

Written by Cursor Bugbot for commit 923c48c. This will update automatically on new commits. Configure here.

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

dependabot[bot] added the labels Changed (Required label for PR that categorizes merge commit message as "Changed" for changelog), dependencies (Pull requests that update a dependency file) and rust (Pull requests that update Rust code), Mar 6, 2026

socket-security Bot commented Mar 6, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff     Package                              Supply Chain Security  Vulnerability  Quality  Maintenance  License
Updated  cargo/proc-macro2@1.0.95 ⏵ 1.0.106   80                     100            93       100          100
Updated  cargo/quote@1.0.40 ⏵ 1.0.45          82 (-18)               100            93       100          100
Updated  cargo/clap@4.5.38 ⏵ 4.6.0            99                     100            93       100          100
Updated  cargo/syn@2.0.101 ⏵ 2.0.117          100 (+1)               100            100      100          100

View full report


coveralls-official Bot commented Mar 6, 2026

Pull Request Test Coverage Report for Build 23897782105

Details

  • 0 of 0 changed or added relevant lines in 0 files are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage remained the same at 80.351%

Totals Coverage Status
Change from base Build 23897714852: 0.0%
Covered Lines: 14689
Relevant Lines: 18281

💛 - Coveralls

dependabot[bot] force-pushed the dependabot/cargo/clap-4.5.60 branch 3 times, most recently from 1ec18d4 to 847a44f, March 16, 2026 10:06

socket-security Bot commented Mar 16, 2026

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. It is recommended to resolve "Warn" alerts too. Learn more about Socket for GitHub.

Action | Severity | Alert
Block  | Medium   | Install-time scripts: cargo quote

Install script: Package overview

Source: undefined

From: crates/chia_py_streamable_macro/Cargo.toml → cargo/quote@1.0.45

ℹ Read more on: This package | This alert | What is an install script?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore cargo/quote@1.0.45. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn   | Medium   | Native binaries present: cargo quote

Location: Package overview

From: crates/chia_py_streamable_macro/Cargo.toml → cargo/quote@1.0.45

ℹ Read more on: This package | This alert | Why is native code a concern?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Verify that the inclusion of native code is expected and necessary for this package's functionality. If it is unnecessary or unexpected, consider using alternative packages without native code to mitigate potential risks.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore cargo/quote@1.0.45. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn   | Low      | Potential code anomaly (AI signal): cargo anstyle-wincon is 100.0% likely to have a medium risk anomaly

Notes: The code appears to be a benign utility for displaying a colorized ANSI grid in a Windows console. While there are minor oddities (duplicate effect mapping and a variety of underline-related effects), these do not indicate malicious behavior. No external resource access beyond standard I/O and environment-based argument parsing is present.

Confidence: 1.00

Severity: 0.60

From: ? → cargo/clap@4.6.0 → cargo/anstyle-wincon@3.0.11

ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore cargo/anstyle-wincon@3.0.11. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report


cursor[bot] left a comment


Cursor Bugbot has reviewed your changes and found 1 potential issue.


Comment thread Cargo.lock
[[package]]
name = "clap"
version = "4.5.38"
version = "4.6.0"
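Review bot: the lockfile entry moves clap from 4.5.38 straight to 4.6.0 while the PR title and Cargo.toml target 4.5.60, so the release notes quoted in the description stop short of what this change actually ships. If the intent is to stay on the reviewed 4.5.x line, re-resolve with `cargo update -p clap --precise 4.5.60` (or pin `clap = "=4.5.60"`) and confirm clap_builder, clap_derive and clap_lex follow; otherwise retitle the PR and add the 4.6.0 notes so reviewers see the minor-version changes.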

Lockfile resolves clap 4.6.0, not intended 4.5.60

Low Severity

The PR states it bumps clap to 4.5.60 and Cargo.toml specifies "4.5.60", but the Cargo.lock resolves to clap 4.6.0 (along with clap_builder 4.6.0, clap_derive 4.6.0, and clap_lex jumping from 0.7.4 to 1.1.0). This happens because Cargo's caret requirement ^4.5.60 permits >=4.5.60, <5.0.0. The release notes in the PR description only cover changes through 4.5.60, so 4.6.0 changes are unreviewed.

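As an added example (not code from this PR, from clap, or from Cargo itself), a minimal Rust model of the caret and exact requirement semantics the comment above relies on; it also covers the 0.x rule, which shows that a direct requirement of 0.7.4 could never have resolved to clap_lex 1.1.0 on its own. `Version`, `Range`, `parse_req` and `satisfies` are names chosen here; pre-release tags, build metadata and partial requirements such as "4.5" are deliberately not modelled.

```rust
// Added example, not from the PR: a minimal model of Cargo's caret ("^")
// and exact ("=") version requirements. It explains why `clap = "4.5.60"`
// in Cargo.toml lets Cargo.lock resolve clap 4.6.0. Pre-release tags,
// build metadata and partial requirements like "4.5" are not modelled.

#[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord)]
pub struct Version { pub major: u64, pub minor: u64, pub patch: u64 }

impl Version {
    /// Parse "MAJOR.MINOR.PATCH" (exactly three numeric components).
    pub fn parse(s: &str) -> Option<Version> {
        let mut it = s.trim().split('.').map(|p| p.parse::<u64>().ok());
        let v = Version { major: it.next()??, minor: it.next()??, patch: it.next()?? };
        if it.next().is_some() { return None; }
        Some(v)
    }
}

/// Half-open range [lo, hi) of versions a requirement permits.
#[derive(Debug, PartialEq, Eq)]
pub struct Range { pub lo: Version, pub hi: Version }

/// Cargo semantics: a bare "4.5.60" means "^4.5.60"; "=4.5.60" pins exactly.
///   ^MAJOR.MINOR.PATCH, MAJOR > 0  -> [v, (MAJOR+1).0.0)   e.g. ^4.5.60 -> <5.0.0
///   ^0.MINOR.PATCH,     MINOR > 0  -> [v, 0.(MINOR+1).0)   e.g. ^0.7.4  -> <0.8.0
///   ^0.0.PATCH                     -> [v, 0.0.(PATCH+1))
pub fn parse_req(req: &str) -> Option<Range> {
    let req = req.trim();
    if let Some(exact) = req.strip_prefix('=') {
        let v = Version::parse(exact)?;
        return Some(Range { lo: v, hi: Version { patch: v.patch + 1, ..v } });
    }
    let v = Version::parse(req.strip_prefix('^').unwrap_or(req))?;
    let hi = match (v.major, v.minor) {
        (m, _) if m > 0 => Version { major: m + 1, minor: 0, patch: 0 },
        (_, n) if n > 0 => Version { major: 0, minor: n + 1, patch: 0 },
        _ => Version { major: 0, minor: 0, patch: v.patch + 1 },
    };
    Some(Range { lo: v, hi })
}

/// True if `candidate` lies inside the range `req` permits.
pub fn satisfies(req: &str, candidate: &str) -> bool {
    match (parse_req(req), Version::parse(candidate)) {
        (Some(r), Some(c)) => r.lo <= c && c < r.hi,
        _ => false,
    }
}
```

`satisfies("4.5.60", "4.6.0")` is true and `satisfies("=4.5.60", "4.6.0")` is false, which is the whole difference between the Cargo.toml line and the resolved lockfile entry in this PR.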

dependabot[bot] force-pushed the dependabot/cargo/clap-4.5.60 branch 2 times, most recently from e268de7 to 0ca8f82, March 24, 2026 23:48
dependabot[bot] force-pushed the dependabot/cargo/clap-4.5.60 branch from 0ca8f82 to 9799619, March 31, 2026 11:19
Bumps [clap](https://github.com/clap-rs/clap) from 4.5.38 to 4.5.60.
- [Release notes](https://github.com/clap-rs/clap/releases)
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)
- [Commits](clap-rs/clap@clap_complete-v4.5.38...clap_complete-v4.5.60)

---
updated-dependencies:
- dependency-name: clap
  dependency-version: 4.5.60
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] force-pushed the dependabot/cargo/clap-4.5.60 branch from 9799619 to 923c48c, April 2, 2026 11:16