deps: bump the production-dependencies group across 1 directory with 7 updates

[dependabot]

Bumps the production-dependencies group with 7 updates in the / directory:

Package	From	To
flate2	1.1.5	1.1.9
clap	4.5.53	4.6.1
tracing	0.1.43	0.1.44
tracing-subscriber	0.3.22	0.3.23
rayon	1.11.0	1.12.0
regex	1.12.2	1.12.3
tree-sitter	0.26.3	0.26.8

Updates flate2 from 1.1.5 to 1.1.9

Release notes

Sourced from flate2's releases.

1.1.8

What's Changed

• Document feature flags using document-features crate by @​Copilot in rust-lang/flate2-rs#519
• Complete the zlib-rs support without the need for C-bindings by @​Byron in rust-lang/flate2-rs#524
• test zlib API for all compatible backends by @​Byron in rust-lang/flate2-rs#525

New Contributors

• @​Copilot made their first contribution in rust-lang/flate2-rs#519

Full Changelog: rust-lang/flate2-rs@1.1.7...1.1.8

1.1.7 - depend on zlib-rs directly and remove libz-rs-sys

What's Changed

• chore: make some documents clearer by @​reddaisyy in rust-lang/flate2-rs#510
• Explain rationale for choosing bufread,read,write modules by @​jongiddy in rust-lang/flate2-rs#512
• use Decompress::reset() instead of recreating in DeflateDecoder by @​amirshukayev in rust-lang/flate2-rs#514
• use zlib_rs api by @​folkertdev in rust-lang/flate2-rs#513

New Contributors

• @​reddaisyy made their first contribution in rust-lang/flate2-rs#510
• @​amirshukayev made their first contribution in rust-lang/flate2-rs#514

Full Changelog: rust-lang/flate2-rs@1.1.5...1.1.6

1.1.6 - YANKED

It caused rust-lang/flate2-rs#515.

What's Changed

• chore: make some documents clearer by @​reddaisyy in rust-lang/flate2-rs#510
• Explain rationale for choosing bufread,read,write modules by @​jongiddy in rust-lang/flate2-rs#512
• use Decompress::reset() instead of recreating in DeflateDecoder by @​amirshukayev in rust-lang/flate2-rs#514
• use zlib_rs api by @​folkertdev in rust-lang/flate2-rs#513

New Contributors

• @​reddaisyy made their first contribution in rust-lang/flate2-rs#510
• @​amirshukayev made their first contribution in rust-lang/flate2-rs#514

Full Changelog: rust-lang/flate2-rs@1.1.5...1.1.6

Commits

• 19ddb18 Merge pull request #529 from folkertdev/update-zlib-rs-0.6.0
• c956e12 upgrade zlib-rs to version 0.6.0
• 21d5eeb Merge pull request #528 from wgyt/wgyt/patch
• 54f8484 update LICENSE-MIT
• f4924fe Merge pull request #527 from jongiddy/crc-tests
• 8b9b7a6 Add tests to check data CRC
• fd17c74 Merge pull request #526 from folkertdev/zlib-rs-crc32
• aef26ac check that zlib-rs no longer compiles crc32fast
• 5ec7647 make crc32fast an optional dependency
• c584e97 use zlib-rs for crc32 (when available)
• Additional commits viewable in compare view

Updates clap from 4.5.53 to 4.6.1

Release notes

Sourced from clap's releases.

v4.6.1

[4.6.1] - 2026-04-15

Fixes

• (derive) Ensure rebuilds happen when an read env variable is changed

v4.5.60

[4.5.60] - 2026-02-19

Fixes

• (help) Quote empty default values, possible values

v4.5.59

[4.5.59] - 2026-02-16

Fixes

• Command::ignore_errors no longer masks help/version on subcommands

v4.5.58

[4.5.58] - 2026-02-11

v4.5.57

[4.5.57] - 2026-02-03

Fixes

• Regression from 4.5.55 where having an argument with .value_terminator("--") caused problems with an argument with .last(true)

v4.5.56

[4.5.56] - 2026-01-29

Fixes

• On conflict error, don't show conflicting arguments in the usage

v4.5.55

[4.5.55] - 2026-01-27

Fixes

• Fix inconsistency in precedence between positionals with a value_terminator("--") and escapes (--) where ./foo -- bar means the first arg is empty, rather than escaping future args

v4.5.54

[4.5.54] - 2026-01-02

Fixes

... (truncated)

Changelog

Sourced from clap's changelog.

[4.6.1] - 2026-04-15

Fixes

• (derive) Ensure rebuilds happen when an read env variable is changed

[4.6.0] - 2026-03-12

Compatibility

• Update MSRV to 1.85

[4.5.61] - 2026-03-12

Internal

• Update dependencies

[4.5.60] - 2026-02-19

Fixes

• (help) Quote empty default values, possible values

[4.5.59] - 2026-02-16

Fixes

• Command::ignore_errors no longer masks help/version on subcommands

[4.5.58] - 2026-02-11

[4.5.57] - 2026-02-03

Fixes

• Regression from 4.5.55 where having an argument with .value_terminator("--") caused problems with an argument with .last(true)

[4.5.56] - 2026-01-29

Fixes

• On conflict error, don't show conflicting arguments in the usage

[4.5.55] - 2026-01-27

Fixes

• Fix inconsistency in precedence between positionals with a value_terminator("--") and escapes (--) where ./foo -- bar means the first arg is empty, rather than escaping future args

... (truncated)

Commits

• 1420275 chore: Release
• d2c817d docs: Update changelog
• f88c94e Merge pull request #6341 from epage/sep
• acbb822 fix(complete): Reduce risk of conflict with actual subcommands
• a49fadb refactor(complete): Pull out subcommand separator
• ddc008b Merge pull request #6332 from epage/update
• 497dc50 chore: Update compatible dependencies
• dca2326 Merge pull request #6331 from clap-rs/renovate/j178-prek-action-2.x
• 54bdaa3 chore(deps): Update j178/prek-action action to v2
• f0d30d9 chore: Release
• Additional commits viewable in compare view

Updates tracing from 0.1.43 to 0.1.44

Release notes

Sourced from tracing's releases.

tracing 0.1.44

Fixed

• Fix record_all panic (#3432)

Changed

• tracing-core: updated to 0.1.36 (#3440)

#3432: tokio-rs/tracing#3432 #3440: tokio-rs/tracing#3440

Commits

• 2d55f6f chore: prepare tracing 0.1.44 (#3439)
• 10a9e83 chore: prepare tracing-core 0.1.36 (#3440)
• ee82cf9 tracing: fix record_all panic (#3432)
• 9978c36 chore: prepare tracing-mock 0.1.0-beta.3 (#3429)
• cc44064 chore: prepare tracing-subscriber 0.3.22 (#3428)
• See full diff in compare view

Updates tracing-subscriber from 0.3.22 to 0.3.23

Release notes

Sourced from tracing-subscriber's releases.

tracing-subscriber 0.3.23

Fixed

• Allow ansi sanitization to be disabled (#3484)

#3484: tokio-rs/tracing#3484

Commits

• 54ede4d chore: prepare tracing-subscriber 0.3.23 (#3490)
• 37558d5 subscriber: allow ansi sanitization to be disabled (#3484)
• efc690f core: add missing const (#3449)
• 0c32367 core: Use const initializers instead of once_cell
• 9feb241 docs: add arcswap reload crate to related (#3442)
• 2d55f6f chore: prepare tracing 0.1.44 (#3439)
• 10a9e83 chore: prepare tracing-core 0.1.36 (#3440)
• ee82cf9 tracing: fix record_all panic (#3432)
• 9978c36 chore: prepare tracing-mock 0.1.0-beta.3 (#3429)
• See full diff in compare view

Updates rayon from 1.11.0 to 1.12.0

Changelog

Sourced from rayon's changelog.

Release rayon 1.12.0 (2026-04-13)

• Fixed a bug in parallel Range<char> when the end is 0xE000, just past the surrogate boundary, which was unsafely producing invalid char values.
• The new method ParallelSlice::par_array_windows works like par_windows but with a constant length, producing &[T; N] items.

Commits

• 7449d7d Merge #1093
• b3d9e3f Release rayon 1.8.0 and rayon-core 1.12.0
• 3fe51e5 Fix clippy::let_and_return
• 082f215 Merge #1087
• ea0c06d core: registry: Factor out "wait till out of work" part of the main loop.
• 75524e2 Merge #1063
• 01d2800 Ignore the multi-threaded test on emscripten/wasm
• 40b59c0 core: Make use_current_thread error rather than panic when already in the pool.
• f4db4d7 core: tests: Add some basic tests for ThreadPoolBuilder::use_current_thread.
• 87274ad core: registry: Add some more documentation for ThreadPoolBuilder::use_curren...
• Additional commits viewable in compare view

Updates regex from 1.12.2 to 1.12.3

Changelog

Sourced from regex's changelog.

1.12.3 (2025-02-03)

This release excludes some unnecessary things from the archive published to crates.io. Specifically, fuzzing data and various shell scripts are now excluded. If you run into problems, please file an issue.

Improvements:

• #1319: Switch from a Cargo exclude list to an include list, and exclude some unnecessary stuff.

Commits

• b028e4f 1.12.3
• 5e195de regex-automata-0.4.14
• a3433f6 regex-syntax-0.8.9
• 0c07fae regex-lite-0.1.9
• 6a81006 cargo: exclude development scripts and fuzzing data
• 4733e28 automata: fix onepass::DFA::try_search_slots panic when too many slots are ...
• See full diff in compare view

Updates tree-sitter from 0.26.3 to 0.26.8

Release notes

Sourced from tree-sitter's releases.

v0.26.8

What's Changed

• fix(generate): allow disabling qjs-rt feature from CLI by @​WillLillis in tree-sitter/tree-sitter#5448
• fix(lib): document invariants that must be upheld for TSInputEdit by @​WillLillis in tree-sitter/tree-sitter#5452
• fix(cli): correct typo in parse command's help text by @​WillLillis in tree-sitter/tree-sitter#5465
• perf(cli): misc. improvements by @​tree-sitter-ci-bot[bot] in tree-sitter/tree-sitter#5476
• Fix wasm loading of languages w/ multiple reserved word sets by @​tree-sitter-ci-bot[bot] in tree-sitter/tree-sitter#5477
• generate: avoid panicking when a supertype only has hidden external token children by @​tree-sitter-ci-bot[bot] in tree-sitter/tree-sitter#5478
• release v0.26.8 by @​clason in tree-sitter/tree-sitter#5479

Full Changelog: tree-sitter/tree-sitter@v0.26.7...v0.26.8

v0.26.7

Notable Changes

• A regression in v0.26.6 with quantified alternations was fixed.
• Release artifacts for the tree-sitter CLI are now published as zip archives (in addition to gzipped executables, which are planned for removal in a future minor release).

What's Changed

• fix: skip missing Makefile in version command by @​tree-sitter-ci-bot[bot] in tree-sitter/tree-sitter#5386
• fix(wasm): pass target triple to clang (#5385) by @​clason in tree-sitter/tree-sitter#5390
• chore(parser): return NULL, not false, for incomplete parse by @​tree-sitter-ci-bot[bot] in tree-sitter/tree-sitter#5398
• fix(loader): link with libc on OpenBSD to compile parser by @​tree-sitter-ci-bot[bot] in tree-sitter/tree-sitter#5399
• refactor(query): remove alternative_is_immediate by @​tree-sitter-ci-bot[bot] in tree-sitter/tree-sitter#5412
• fix(query): don't add copies for quantifier steps outside alternations by @​tree-sitter-ci-bot[bot] in tree-sitter/tree-sitter#5414
• revert allowing dashes in parser name by @​tree-sitter-ci-bot[bot] in tree-sitter/tree-sitter#5433
• ci(release): publish zip archives by @​clason in tree-sitter/tree-sitter#5434
• release v0.26.7 by @​clason in tree-sitter/tree-sitter#5435

Full Changelog: tree-sitter/tree-sitter@v0.26.6...v0.26.7

v0.26.6

What's Changed

• lib: clean up strict aliasing fixes in array.h by @​tree-sitter-ci-bot[bot] in tree-sitter/tree-sitter#5311
• feat: allow - in grammar names by @​tree-sitter-ci-bot[bot] in tree-sitter/tree-sitter#5318
• fix(cli): allow for both debug logs and graphs by @​tree-sitter-ci-bot[bot] in tree-sitter/tree-sitter#5319
• web: add default export to CJS bundle by @​tree-sitter-ci-bot[bot] in tree-sitter/tree-sitter#5323
• fix(query): prevent cross-branch capture contamination in alternations with quantifiers by @​tree-sitter-ci-bot[bot] in tree-sitter/tree-sitter#5320
• ci: speed it up by @​WillLillis in tree-sitter/tree-sitter#5325
• use provided by RedoxOS byte orders implementations by @​tree-sitter-ci-bot[bot] in tree-sitter/tree-sitter#5346
• build(deps): bump wasmtime to v36.0.5 LTS by @​clason in tree-sitter/tree-sitter#5351
• fix(lib): cast NULL in ts_subtree_children macro by @​tree-sitter-ci-bot[bot] in tree-sitter/tree-sitter#5353
• ci: backport release check workflow by @​WillLillis in tree-sitter/tree-sitter#5358
• ci: retrigger crates check on PR updates by @​tree-sitter-ci-bot[bot] in tree-sitter/tree-sitter#5361
• cli: init -u fixes by @​WillLillis in tree-sitter/tree-sitter#5367
• build(deps): bump wasmtime to v36.0.6 by @​clason in tree-sitter/tree-sitter#5370
• 0.26.6 by @​clason in tree-sitter/tree-sitter#5372

... (truncated)

Commits

• cd5b087 release v0.26.8
• c0d1444 generate: avoid panicking when a supertype only has hidden external token chi...
• 0b04fd0 Fix wasm loading of languages w/ multiple reserved word sets (#5475)
• 05cf9a1 perf(cli): minor allocation and write call reductions
• bab4851 perf(cli): buffer stdout in parse and query output
• e28cb5a fix(cli): correct typo in parse command's help text
• 3839f6f fix(lib): document invariants that must be upheld for TSInputEdit
• 001a926 fix(generate): allow disabling qjs-rt feature from CLI
• 6f2e8a6 release v0.26.7
• 0ae6158 ci(release): publish zip archives
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[github-actions]

Dependency Review

The following issues were found:

• ✅ 0 vulnerable package(s)
• ✅ 0 package(s) with incompatible licenses
• ✅ 0 package(s) with invalid SPDX license definitions
• ⚠️ 2 package(s) with unknown licenses.

See the Details below.

License Issues

extractor/Cargo.toml

Package	Version	License	Issue Type
clap	>= 4.6.0, < 5.0.0	Null	Unknown License
rayon	>= 1.12.0, < 2.0.0	Null	Unknown License

OpenSSF Scorecard

Scorecard details

Package	Version	Score	Details
cargo/anstream	1.0.0	🟢 5.8	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Code-Review ⚠️ 0 Found 0/10 approved changesets -- score normalized to 0 Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Packaging ⚠️ -1 packaging workflow not detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Security-Policy ⚠️ 0 security policy file not detected Fuzzing ⚠️ 0 project is not fuzzed License ⚠️ 0 license file not detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md SAST 🟢 10 SAST tool is run on all commits
cargo/anstyle	1.0.14	🟢 5.8	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Code-Review ⚠️ 0 Found 0/10 approved changesets -- score normalized to 0 Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Packaging ⚠️ -1 packaging workflow not detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Security-Policy ⚠️ 0 security policy file not detected Fuzzing ⚠️ 0 project is not fuzzed License ⚠️ 0 license file not detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md SAST 🟢 10 SAST tool is run on all commits
cargo/anstyle-parse	1.0.0	🟢 5.8	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Code-Review ⚠️ 0 Found 0/10 approved changesets -- score normalized to 0 Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Packaging ⚠️ -1 packaging workflow not detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Security-Policy ⚠️ 0 security policy file not detected Fuzzing ⚠️ 0 project is not fuzzed License ⚠️ 0 license file not detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md SAST 🟢 10 SAST tool is run on all commits
cargo/clap	4.6.1	🟢 5.5	Details Check Score Reason Code-Review ⚠️ 1 Found 3/19 approved changesets -- score normalized to 1 Maintained 🟢 10 30 commit(s) and 21 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Security-Policy ⚠️ 0 security policy file not detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
cargo/clap_builder	4.6.0	🟢 5.5	Details Check Score Reason Code-Review ⚠️ 1 Found 3/19 approved changesets -- score normalized to 1 Maintained 🟢 10 30 commit(s) and 21 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Security-Policy ⚠️ 0 security policy file not detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
cargo/clap_derive	4.6.1	🟢 5.5	Details Check Score Reason Code-Review ⚠️ 1 Found 3/19 approved changesets -- score normalized to 1 Maintained 🟢 10 30 commit(s) and 21 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Security-Policy ⚠️ 0 security policy file not detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
cargo/clap_lex	1.1.0	🟢 5.5	Details Check Score Reason Code-Review ⚠️ 1 Found 3/19 approved changesets -- score normalized to 1 Maintained 🟢 10 30 commit(s) and 21 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Security-Policy ⚠️ 0 security policy file not detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
cargo/flate2	1.1.9	🟢 6.7	Details Check Score Reason Maintained 🟢 10 14 commit(s) and 3 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 10 all changesets reviewed Packaging ⚠️ -1 packaging workflow not detected Binary-Artifacts 🟢 10 no binaries found in the repo Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing 🟢 10 project is fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection 🟢 5 branch protection is not maximal on development and all release branches Security-Policy 🟢 10 security policy file detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
cargo/proc-macro2	1.0.106	🟢 5.6	Details Check Score Reason Maintained 🟢 9 10 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 9 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo Code-Review ⚠️ 0 Found 0/23 approved changesets -- score normalized to 0 Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Packaging ⚠️ -1 packaging workflow not detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing 🟢 10 project is fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 3 security policy file detected Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
cargo/quote	1.0.45	🟢 5.1	Details Check Score Reason Code-Review ⚠️ 1 Found 4/23 approved changesets -- score normalized to 1 Maintained 🟢 10 15 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Security-Policy 🟢 3 security policy file detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
cargo/rayon	1.12.0	🟢 4.5	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 Code-Review ⚠️ 2 Found 2/8 approved changesets -- score normalized to 2 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Security-Policy ⚠️ 0 security policy file not detected Packaging ⚠️ -1 packaging workflow not detected Binary-Artifacts 🟢 10 no binaries found in the repo Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
cargo/regex	1.12.3	🟢 6.2	Details Check Score Reason Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Code-Review ⚠️ 0 Found 2/26 approved changesets -- score normalized to 0 Maintained 🟢 10 10 commit(s) and 4 issue activity found in the last 90 days -- score normalized to 10 Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Packaging ⚠️ -1 packaging workflow not detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Binary-Artifacts 🟢 10 no binaries found in the repo Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing 🟢 10 project is fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Security-Policy 🟢 10 security policy file detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
cargo/syn	2.0.117	🟢 5.7	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10 Code-Review ⚠️ 0 Found 2/24 approved changesets -- score normalized to 0 Packaging ⚠️ -1 packaging workflow not detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions 🟢 10 GitHub workflow tokens follow principle of least privilege Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Fuzzing 🟢 10 project is fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches Security-Policy 🟢 3 security policy file detected SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
cargo/tracing	0.1.44	🟢 6.1	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 10 12 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Security-Policy 🟢 9 security policy file detected Packaging ⚠️ -1 packaging workflow not detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
cargo/tracing-core	0.1.36	🟢 6.1	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 10 12 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Security-Policy 🟢 9 security policy file detected Packaging ⚠️ -1 packaging workflow not detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
cargo/tracing-subscriber	0.3.23	🟢 6.1	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 10 12 commit(s) and 1 issue activity found in the last 90 days -- score normalized to 10 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Security-Policy 🟢 9 security policy file detected Packaging ⚠️ -1 packaging workflow not detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Pinned-Dependencies ⚠️ 0 dependency not pinned by hash detected -- score normalized to 0 Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Branch-Protection ⚠️ -1 internal error: error during branchesHandler.setup: internal error: some github tokens can't read classic branch protection rules: https://github.com/ossf/scorecard-action/blob/main/docs/authentication/fine-grained-auth-token.md SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
cargo/tree-sitter	0.26.8	🟢 5.1	Details Check Score Reason Maintained 🟢 10 30 commit(s) and 17 issue activity found in the last 90 days -- score normalized to 10 Code-Review 🟢 10 all changesets reviewed CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions License 🟢 10 license file detected Fuzzing ⚠️ 0 project is not fuzzed Pinned-Dependencies ⚠️ 1 dependency not pinned by hash detected -- score normalized to 1 Security-Policy ⚠️ 0 security policy file not detected Branch-Protection 🟢 4 branch protection is not maximal on development and all release branches Packaging 🟢 10 packaging workflow detected Signed-Releases ⚠️ 0 Project has not signed or included provenance with any releases. SAST ⚠️ 0 SAST tool is not run on all commits -- score normalized to 0
cargo/clap	>= 4.6.0, < 5.0.0	Unknown	Unknown
cargo/rayon	>= 1.12.0, < 2.0.0	Unknown	Unknown

Scanned Files

• Cargo.lock
• extractor/Cargo.toml