chore: update dependencies

.circleci/config.yml

@@ -1,8 +1,8 @@
 version: 2.1
 
 orbs:
-  python: circleci/python@1.3.4
-  docker: circleci/docker@2.5.0
+  python: circleci/python@3.2.0
+  docker: circleci/docker@2.8.2
 
 commands:
   build-and-publish-image:
@@ -65,13 +65,13 @@ jobs:
       - run:
          name: Check format with Black
          command: |
-            pip install "black==22.3.0"
+            pip install "black==25.1.0"
             python -m black --check .
 
   golang-build-and-test:
     docker:
       # specify the version
-      - image: cimg/go:1.23
+      - image: cimg/go:1.24
         auth:
           username: ${DOCKER_LOGIN}
           password: ${DOCKER_PASSWORD}
@@ -106,7 +106,7 @@ jobs:
 
   rust-create-cascade-build-and-test:
     docker:
-      - image: cimg/rust:1.82.0
+      - image: cimg/rust:1.89.0
     environment:
       RUSTFLAGS: '-D warnings'
     working_directory: ~/crlite/rust-create-cascade

.github/dependabot.yml

@@ -0,0 +1,22 @@
+# https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/optimizing-pr-creation-version-updates
+
+version: 2
+updates:
+  - package-ecosystem: cargo
+    directories:
+      - rust-create-cascade
+      - rust-query-crlite
+    schedule:
+      interval: weekly
+  - package-ecosystem: docker
+    directory: containers
+    schedule:
+      interval: weekly
+  - package-ecosystem: gomod
+    directory: go
+    schedule:
+      interval: weekly
+  - package-ecosystem: pip
+    directory: /
+    schedule:
+      interval: weekly

containers/Dockerfile

@@ -1,4 +1,4 @@
-FROM golang:1.24.5-bookworm AS go-builder
+FROM golang:1.24.6-bookworm AS go-builder
 RUN mkdir /build
 ADD go /build/
 WORKDIR /build
@@ -20,7 +20,7 @@ WORKDIR /build/rust-query-crlite
 RUN cargo build --release --target-dir /build
 
 
-FROM python:3.12.2-slim-bookworm
+FROM python:3.13.6-slim-bookworm
 RUN apt update \
     && apt install -y ca-certificates \
     && apt -y upgrade \

go/go.mod

@@ -3,12 +3,12 @@ module github.com/mozilla/crlite/go
 require (
 	filippo.io/sunlight v0.5.2
 	filippo.io/torchwood v0.5.1-0.20250713221105-b067ac9d4cf6
-	github.com/bluele/gcache v0.0.0-20190518031135-bc40bd653833
+	github.com/bluele/gcache v0.0.2
 	github.com/go-redis/redis v6.15.9+incompatible
-	github.com/golang/glog v1.2.4
+	github.com/golang/glog v1.2.5
 	github.com/google/certificate-transparency-go v1.3.2
 	github.com/google/renameio v1.0.1
-	github.com/hashicorp/go-metrics v0.5.3
+	github.com/hashicorp/go-metrics v0.5.4
 	github.com/jpillora/backoff v1.0.0
 	gopkg.in/ini.v1 v1.67.0
 )
@@ -28,4 +28,4 @@ require (
 
 go 1.24.4
 
-toolchain go1.24.5
+toolchain go1.24.6

moz_kinto_publisher/main.py

@@ -751,9 +751,9 @@ def publish_crlite_record(
     #   await FilterExpressions.eval(expression, context)
     # See https://remote-settings.readthedocs.io/en/latest/target-filters.html
     # for the expression syntax and the definition of env.
-    attributes[
-        "filter_expression"
-    ] = f"env.version|versionCompare('{channel.supported_version}.!') >= 0 && '{channel.slug}' == 'security.pki.crlite_channel'|preferenceValue('none')"
+    attributes["filter_expression"] = (
+        f"env.version|versionCompare('{channel.supported_version}.!') >= 0 && '{channel.slug}' == 'security.pki.crlite_channel'|preferenceValue('none')"
+    )
 
     record = rw_client.create_record(
         collection=settings.KINTO_CRLITE_COLLECTION,

rust-create-cascade/Cargo.toml

@@ -3,16 +3,16 @@ name = "rust-create-cascade"
 version = "0.1.0"
 
 [dependencies]
-base64 = "0.13"
-bincode = "1.3"
-clap = { version = "3.0", features = ["derive"] }
+base64 = "0.22"
+bincode = { version = "2.0", features = ["serde"] }
+clap = { version = "4.5", features = ["derive"] }
 hex = "0.4"
 log = "0.4"
-rand="0.7"
+rand="0.9"
 rayon = "1.5"
 rust_cascade = { version = "1.5.0" , features = ["builder"] }
 statsd = "0.16.0"
-stderrlog = "0.5"
+stderrlog = "0.6"
 tempfile = "3.10.1"
 clubcard = { version = "0.3", features = ["builder"] }
 clubcard-crlite = { version = "0.3", features = ["builder"] }

rust-create-cascade/src/cascade_helper.rs

@@ -14,8 +14,7 @@ use std::fs::File;
 use std::io::prelude::Write;
 use std::path::Path;
 
-use rand::rngs::OsRng;
-use rand::RngCore;
+use rand::{rngs::OsRng, TryRngCore};
 
 impl FilterBuilder for CascadeBuilder {
     type ExcludeSetType = ExcludeSet;
@@ -114,7 +113,7 @@ pub fn create_cascade(
 
     let mut salt = vec![0u8; salt_len];
     if salt_len > 0 {
-        OsRng.fill_bytes(&mut salt);
+        let _ = OsRng.try_fill_bytes(&mut salt);
     }
 
     let mut builder = CascadeBuilder::new(hash_alg, salt, revoked, not_revoked);

rust-create-cascade/src/main.rs

@@ -44,6 +44,7 @@ extern crate statsd;
 extern crate stderrlog;
 extern crate tempfile;
 
+use base64::{Engine as _, engine::general_purpose::URL_SAFE};
 use clap::Parser;
 use log::*;
 use rayon::iter::{IntoParallelRefIterator, ParallelIterator};
@@ -260,7 +261,7 @@ impl Iterator for KnownSerialIterator {
 }
 
 fn decode_issuer(s: &str) -> [u8; 32] {
-    base64::decode_config(s, base64::URL_SAFE)
+    URL_SAFE.decode(s)
         .expect("found invalid issuer id: not url-safe base64.")
         .try_into()
         .expect("found invalid issuer id: not 32 bytes.")
@@ -584,9 +585,9 @@ fn write_revset_and_delta(
 ) {
     let prev_revset: HashSet<Vec<u8>> = match std::fs::read(prev_revset_file)
         .as_deref()
-        .map(bincode::deserialize)
+        .map(|b| bincode::serde::decode_from_slice(b, bincode::config::legacy()))
     {
-        Ok(Ok(prev_revset)) => prev_revset,
+        Ok(Ok((prev_revset, _))) => prev_revset,
         _ => {
             warn!("Could not load previous revset. Stash file will be large.");
             Default::default()
@@ -615,7 +616,7 @@ fn write_revset_and_delta(
         }
     }
 
-    let revset_bytes = bincode::serialize(&revset).unwrap();
+    let revset_bytes = bincode::serde::encode_to_vec(&revset, bincode::config::legacy()).unwrap();
     info!("Revset is {} bytes", revset_bytes.len());
     std::fs::write(output_revset_file, &revset_bytes).expect("can't write revset file");
 
@@ -684,29 +685,29 @@ enum FilterType {
 
 #[derive(Parser)]
 struct Cli {
-    #[clap(long, parse(from_os_str), default_value = "./known/")]
+    #[arg(long, value_parser = clap::value_parser!(PathBuf), default_value = "./known/")]
     known: PathBuf,
-    #[clap(long, parse(from_os_str), default_value = "./revoked/")]
+    #[arg(long, value_parser = clap::value_parser!(PathBuf), default_value = "./revoked/")]
     revoked: PathBuf,
-    #[clap(long, parse(from_os_str), default_value = "./prev_revset.bin")]
+    #[arg(long, value_parser = clap::value_parser!(PathBuf), default_value = "./prev_revset.bin")]
     prev_revset: PathBuf,
-    #[clap(long, parse(from_os_str), default_value = "./ct-logs.json")]
+    #[arg(long, value_parser = clap::value_parser!(PathBuf), default_value = "./ct-logs.json")]
     ct_logs_json: PathBuf,
-    #[clap(long, parse(from_os_str), default_value = ".")]
+    #[arg(long, value_parser = clap::value_parser!(PathBuf), default_value = ".")]
     outdir: PathBuf,
-    #[clap(long, value_enum, default_value = "all")]
+    #[arg(long, value_enum, default_value = "all")]
     reason_set: ReasonSet,
-    #[clap(long, value_enum, default_value = "all")]
+    #[arg(long, value_enum, default_value = "all")]
     delta_reason_set: ReasonSet,
-    #[clap(long)]
+    #[arg(long)]
     statsd_host: Option<String>,
-    #[clap(long)]
+    #[arg(long)]
     murmurhash3: bool,
-    #[clap(long, value_enum, default_value = "cascade")]
+    #[arg(long, value_enum, default_value = "cascade")]
     filter_type: FilterType,
-    #[clap(long)]
+    #[arg(long)]
     clobber: bool,
-    #[clap(short = 'v', parse(from_occurrences))]
+    #[arg(short = 'v', value_parser = clap::value_parser!(usize))]
     verbose: usize,
 }
 
@@ -1006,9 +1007,9 @@ mod tests {
         decode_issuer, decode_serial, write_revset_and_delta, write_stash, CheckableFilter, Reason,
         ReasonSet,
     };
+    use base64::{Engine as _, engine::general_purpose::URL_SAFE};
     use clubcard_crlite::CRLiteClubcard;
-    use rand::rngs::OsRng;
-    use rand::RngCore;
+    use rand::{rngs::OsRng, TryRngCore};
     use rust_cascade::{Cascade, HashAlgorithm};
     use std::collections::HashSet;
     use std::convert::TryInto;
@@ -1044,19 +1045,19 @@ mod tests {
 
         fn add_issuer(&self) -> String {
             let mut issuer_bytes = vec![0u8; 32];
-            OsRng.fill_bytes(&mut issuer_bytes);
+            OsRng.try_fill_bytes(&mut issuer_bytes).expect("could not fill issuer_bytes");
 
-            let issuer_str = base64::encode_config(issuer_bytes, base64::URL_SAFE);
+            let issuer_str = URL_SAFE.encode(issuer_bytes);
             std::fs::File::create(self.known_dir().join(&issuer_str))
-                .expect("could not create issuer file");
+                .expect(&format!("could not create issuer file {issuer_str}"));
             std::fs::File::create(self.revoked_dir().join(&issuer_str))
                 .expect("could not create issuer file");
             issuer_str
         }
 
         fn add_serial(&self, issuer: &str) -> String {
             let mut serial_bytes = vec![0u8; 20];
-            OsRng.fill_bytes(&mut serial_bytes);
+            let _ = OsRng.try_fill_bytes(&mut serial_bytes);
 
             let mut known_file = std::fs::OpenOptions::new()
                 .append(true)
@@ -1071,7 +1072,7 @@ mod tests {
 
         fn add_revoked_serial(&self, issuer: &str, reason: Reason) -> String {
             let mut serial_bytes = vec![0u8; 20];
-            OsRng.fill_bytes(&mut serial_bytes);
+            let _ = OsRng.try_fill_bytes(&mut serial_bytes);
 
             let mut known_file = std::fs::OpenOptions::new()
                 .append(true)
@@ -1202,7 +1203,7 @@ mod tests {
         std::fs::rename(&revset_file, &prev_revset_file).expect("could not move revset file");
         let first_revset_bytes = std::fs::read(&prev_revset_file).expect("could not read revset");
         let first_revset: HashSet<Vec<u8>> =
-            bincode::deserialize(&first_revset_bytes).expect("could not parse revset");
+            bincode::serde::decode_from_slice(&first_revset_bytes, bincode::config::legacy()).expect("could not parse revset").0;
 
         // Add a revoked serial after writing the first revset and stash
         let serial = env.add_revoked_serial(&issuer, Reason::Unspecified);
@@ -1221,7 +1222,7 @@ mod tests {
 
         let second_revset_bytes = std::fs::read(&revset_file).expect("could not read revset");
         let second_revset: HashSet<Vec<u8>> =
-            bincode::deserialize(&second_revset_bytes).expect("could not parse revset");
+            bincode::serde::decode_from_slice(&second_revset_bytes, bincode::config::legacy()).expect("could not parse revset").0;
 
         let serial_bytes = decode_serial(&serial);
         let issuer_bytes = decode_issuer(&issuer);
@@ -1255,7 +1256,7 @@ mod tests {
 
         let third_revset_bytes = std::fs::read(&revset_file).expect("could not read revset");
         let third_revset: HashSet<Vec<u8>> =
-            bincode::deserialize(&third_revset_bytes).expect("could not parse revset");
+            bincode::serde::decode_from_slice(&third_revset_bytes, bincode::config::legacy()).expect("could not parse revset").0;
 
         // The newly revoked serial should not be in the third revset as it has
         // an unspecified reason code

rust-query-crlite/Cargo.toml

@@ -4,22 +4,22 @@ version = "0.1.0"
 edition = "2021"
 
 [dependencies]
-base64 = "0.21"
-bincode = "1.3"
+base64 = "0.22"
+bincode = { version = "2.0", features = ["serde"] }
 byteorder = "1.2.7"
 clap = { version = "4.5", features = ["derive"] }
 clubcard = "0.3"
 clubcard-crlite = "0.3"
-der-parser = "9.0"
+der-parser = "10.0"
 hex = "0.4"
 log = "0.4"
 num-bigint = "0.4"
-pem = "1.0"
-reqwest = { version = "0.11", features = ["blocking", "json", "rustls-tls"] }
+pem = "3.0"
+reqwest = { version = "0.12", features = ["blocking", "json", "rustls-tls"] }
 rust_cascade = "1.4.0"
 rustls = { version = "0.21", features = ["dangerous_configuration"] }
 serde = { version = "1.0", features = ["derive"] }
 serde_json = "1.0"
 sha2 = "0.10.2"
-stderrlog = "0.5"
-x509-parser = { version = "0.16.0", features = ["verify"] }
+stderrlog = "0.6"
+x509-parser = { version = "0.17.0", features = ["verify"] }