769d8d8 to e8c114c
🧾 cargo-vet automated audit summary
Summary
Dependabot bump of sentry-tracing 0.46.1 → 0.47.0. The change is Cargo.lock + one line in Cargo.toml.
One thing to flag: the comment in Cargo.toml says # Should match sentry version, but sentry is still pinned at =0.46.0 while sentry-tracing is now =0.47.0. The lock file now carries both sentry-core 0.46.1 and sentry-core 0.47.0 simultaneously — that's the expected consequence of bumping only the tracing sub-crate. If this version split is intentional (e.g. deferring the reqwest 0.13 migration that came with sentry 0.47.0), the comment should be updated to say so. If not, sentry should be bumped to =0.47.0 here to collapse the duplicate and keep the comment accurate.
Otherwise, the bump is clean — Cargo.lock changes are consistent with the dependency graph updates for deranged, num-conv, time, time-core, time-macros, and the new sentry-types 0.47.0.
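The duplicate-version condition described in the review above can be checked mechanically. This is an added example, not code from the pull request or the project: the function names and the sample lock text are constructed for illustration, and the parser only handles the `name`/`version` lines of `[[package]]` entries.

```rust
use std::collections::{BTreeMap, BTreeSet};

/// Extract the quoted value from a `key = "value"` line of Cargo.lock.
fn quoted_value<'a>(line: &'a str, key: &str) -> Option<&'a str> {
    let rest = line.trim().strip_prefix(key)?.trim_start().strip_prefix('=')?;
    rest.trim().strip_prefix('"')?.strip_suffix('"')
}

/// Map each crate name to the set of versions locked for it.
fn locked_versions(lock: &str) -> BTreeMap<String, BTreeSet<String>> {
    let mut out: BTreeMap<String, BTreeSet<String>> = BTreeMap::new();
    let mut name: Option<&str> = None;
    for line in lock.lines() {
        if line.trim() == "[[package]]" {
            name = None; // new entry: forget the previous crate name
        } else if let Some(n) = quoted_value(line, "name") {
            name = Some(n);
        } else if let (Some(n), Some(v)) = (name, quoted_value(line, "version")) {
            out.entry(n.to_string()).or_default().insert(v.to_string());
        }
    }
    out
}

/// Crates locked at more than one version (versions sorted as strings).
fn duplicates(lock: &str) -> Vec<(String, Vec<String>)> {
    locked_versions(lock)
        .into_iter()
        .filter(|(_, versions)| versions.len() > 1)
        .map(|(name, versions)| (name, versions.into_iter().collect()))
        .collect()
}

// Constructed sample shaped like the lock file state the review describes.
const SAMPLE_LOCK: &str = r#"
[[package]]
name = "sentry-core"
version = "0.46.1"
[[package]]
name = "sentry-core"
version = "0.47.0"
[[package]]
name = "sentry-tracing"
version = "0.47.0"
"#;

fn main() {
    duplicates(SAMPLE_LOCK).iter().for_each(|(n, v)| println!("{}: {}", n, v.join(", ")));
}
```

Run in CI against the real `Cargo.lock`, a non-empty result for a crate family that is meant to move in lockstep is the signal to either bump the sibling crate or document the split.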
Follow-up
The new diff is purely supply-chain/imports.lock — cargo-vet publisher/audit entries for sentry-core, sentry-tracing, sentry-types 0.47.0, plus Mozilla audits for deranged, num-conv, time, time-core, time-macros. All entries are from trusted publishers (getsentry-bot, Mozilla) with safe-to-deploy criteria. Nothing to flag here.
My previous note about the # Should match sentry version comment in Cargo.toml (with sentry still at =0.46.0) still stands — worth addressing if this split is unintentional.
Automated changes by create-pull-request GitHub action