Bump bytes from 1.7.2 to 1.11.1 in /test/substreams_acme

[dependabot]

Bumps bytes from 1.7.2 to 1.11.1.

Release notes

Sourced from bytes's releases.

Bytes v1.11.1

1.11.1 (February 3rd, 2026)

• Fix integer overflow in BytesMut::reserve

Bytes v1.11.0

1.11.0 (November 14th, 2025)

• Bump MSRV to 1.57 (#788)

Fixed

• fix: BytesMut only reuse if src has remaining (#803)
• Specialize BytesMut::put::<Bytes> (#793)
• Reserve capacity in BytesMut::put (#794)
• Change BytesMut::remaining_mut to use isize::MAX instead of usize::MAX (#795)

Internal changes

• Guarantee address in slice() for empty slices. (#780)
• Rename Vtable::to_* -> Vtable::into_* (#776)
• Fix latest clippy warnings (#787)
• Ignore BytesMut::freeze doctest on wasm (#790)
• Move drop_fn of from_owner into vtable (#801)

Bytes v1.10.1

1.10.1 (March 5th, 2025)

Fixed

• Fix memory leak when using to_vec with Bytes::from_owner (#773)

#773: tokio-rs/bytes#773

Bytes v1.10.0

1.10.0 (February 3rd, 2025)

Added

• Add feature to support platforms without atomic CAS (#467)
• try_get_* methods for Buf trait (#753)
• Implement Buf::chunks_vectored for Take (#617)
• Implement Buf::chunks_vectored for VecDeque<u8> (#708)

Fixed

• Remove incorrect guarantee for chunks_vectored (#754)
• Ensure that tests pass under panic=abort (#749)

... (truncated)

Changelog

Sourced from bytes's changelog.

1.11.1 (February 3rd, 2026)

• Fix integer overflow in BytesMut::reserve

1.11.0 (November 14th, 2025)

• Bump MSRV to 1.57 (#788)

Fixed

• fix: BytesMut only reuse if src has remaining (#803)
• Specialize BytesMut::put::<Bytes> (#793)
• Reserve capacity in BytesMut::put (#794)
• Change BytesMut::remaining_mut to use isize::MAX instead of usize::MAX (#795)

Internal changes

• Guarantee address in slice() for empty slices. (#780)
• Rename Vtable::to_* -> Vtable::into_* (#776)
• Fix latest clippy warnings (#787)
• Ignore BytesMut::freeze doctest on wasm (#790)
• Move drop_fn of from_owner into vtable (#801)

1.10.1 (March 5th, 2025)

Fixed

• Fix memory leak when using to_vec with Bytes::from_owner (#773)

1.10.0 (February 3rd, 2025)

Added

• Add feature to support platforms without atomic CAS (#467)
• try_get_* methods for Buf trait (#753)
• Implement Buf::chunks_vectored for Take (#617)
• Implement Buf::chunks_vectored for VecDeque<u8> (#708)

Fixed

• Remove incorrect guarantee for chunks_vectored (#754)
• Ensure that tests pass under panic=abort (#749)

1.9.0 (November 27, 2024)

Added

• Add Bytes::from_owner to enable externally-allocated memory (#742)

Documented

... (truncated)

Commits

• 417dccd Release bytes v1.11.1 (#820)
• d0293b0 Merge commit from fork
• a7952fb chore: prepare bytes v1.11.0 (#804)
• 60cbb77 fix: BytesMut only reuse if src has remaining (#803)
• 7ce330f Move drop_fn of from_owner into vtable (#801)
• 4b53a29 Tweak BytesMut::remaining_mut (#795)
• 016fdbd Reserve capacity in BytesMut::put (#794)
• ef7f257 Specialize BytesMut::put::<Bytes> (#793)
• 8b4f54d Ignore BytesMut::freeze doctest on wasm (#790)
• 16132ad Fix latest clippy warnings (#787)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[sduchesneau]

🔍 Vulnerabilities of ghcr.io/streamingfast/firehose-core:f5d8a0f-amd64

📦 Image Reference ghcr.io/streamingfast/firehose-core:f5d8a0f-amd64

digest	sha256:b352c6ec5b63c0c829cd7f505b0b117fdbc18512d142be7e911166f1b3b5a86e
vulnerabilities
platform	linux/amd64
size	200 MB
packages	505

📦 Base Image ubuntu:24.04

also known as	84bda043709f9066841484e9b8e440aa0d6d04ab49d09e367ef0fb68ace864cf latest noble noble-20260410
digest	sha256:cdb5fd928fced577cfecf12c8966e830fcdf42ee481fb0b91904eeddc2fe5eff
vulnerabilities

golang.org/x/crypto 0.50.0 (golang) pkg:golang/golang.org/x/crypto@0.50.0 Affected range <0.52.0 Fixed version 0.52.0 EPSS Score 0.040% EPSS Percentile 12th percentile Description Previously, CVE-2024-45337 fixed an authorization bypass for misused ssh server configurations; if any other type of callback is passed other than public key, then the source-address validation would be skipped. Affected range <0.52.0 Fixed version 0.52.0 EPSS Score 0.030% EPSS Percentile 9th percentile Description Previously, a revoked 'SignatureKey' belonging to a CA was not correctly checked for revocation. Now, both the 'key' and 'key.SignatureKey' are checked for @Revoked. Affected range <0.52.0 Fixed version 0.52.0 EPSS Score 0.042% EPSS Percentile 13th percentile Description When writing data larger than 4GB in a single Write call on an SSH channel, an integer overflow in the internal payload size calculation caused the write loop to spin indefinitely, sending empty packets without making progress. The size comparison now uses int64 to prevent truncation. Affected range <0.52.0 Fixed version 0.52.0 EPSS Score 0.033% EPSS Percentile 10th percentile Description The in-memory keyring returned by NewKeyring() silently accepted keys with the ConfirmBeforeUse constraint but never enforced it. The key would sign without any confirmation prompt, with no indication to the caller that the constraint was not in effect. NewKeyring() now returns an error when unsupported constraints are requested. Affected range <0.52.0 Fixed version 0.52.0 EPSS Score 0.030% EPSS Percentile 9th percentile Description When adding a key to a remote agent constraint extensions such as restrict-destination-v00@openssh.com were not serialized in the request. Destination restrictions were silently stripped when forwarding keys, allowing unrestricted use of the key on the remote host. The client now serializes all constraint extensions. Additionally, the in-memory keyring returned by NewKeyring() now rejects keys with unsupported constraint extensions instead of silently ignoring them. Affected range <0.52.0 Fixed version 0.52.0 EPSS Score 0.022% EPSS Percentile 7th percentile Description The Verify() method for FIDO/U2F security key types (sk-ecdsa-sha2-nistp256@openssh.com, sk-ssh-ed25519@openssh.com) did not check the User Presence flag. Signatures generated without physical touch were accepted, allowing unattended use of a hardware security key. To restore the previous behavior, return a "no-touch-required" extension in Permissions.Extensions from PublicKeyCallback. Affected range <0.52.0 Fixed version 0.52.0 EPSS Score 0.042% EPSS Percentile 13th percentile Description A malicious SSH peer could send unsolicited global request responses to fill an internal buffer, blocking the connection's read loop. The blocked goroutine could not be released by calling Close(), resulting in a resource leak per connection. Unsolicited global responses are now discarded. Affected range <0.52.0 Fixed version 0.52.0 EPSS Score 0.042% EPSS Percentile 13th percentile Description An incorrectly placed cast from bytes to int allowed for server-side panic in the AES-GCM packet decoder for well-crafted inputs. Affected range <0.52.0 Fixed version 0.52.0 EPSS Score 0.074% EPSS Percentile 22nd percentile Description The RSA and DSA public key parsers did not enforce size limits on key parameters. A crafted public key with an excessively large modulus or DSA parameter could cause several minutes of CPU consumption during signature verification. This could be triggered by unauthenticated clients during public key authentication. RSA moduli are now limited to 8192 bits, and DSA parameters are validated per FIPS 186-2.

golang.org/x/net 0.53.0 (golang) pkg:golang/golang.org/x/net@0.53.0 Affected range <0.55.0 Fixed version 0.55.0 EPSS Score 0.045% EPSS Percentile 14th percentile Description The ToASCII and ToUnicode functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For example, ToUnicode("xn--example-.com") incorrectly returns the name "example.com" rather than an error. This behavior can lead to privilege escalation in programs using the idna package. For example, a program which performs privilege checks on the ASCII hostname may reject "example.com" but permit "xn--example-.com". If that program subsequently converts the ASCII hostname to Unicode, it will inadvertently permits access to the Unicode name "example.com".