@dependabot dependabot bot commented on behalf of github Jan 19, 2026

Bumps keyring from 2.3.3 to 3.6.3.

Release notes

Sourced from keyring's releases.

v3.6.3: Likely final release of v3

This release integrates a few important bug fixes (thanks @​vermiculus, @​unkcpz) that have come in since the release of v3.6.2, and is the last release expected for the v3 series. The release of v4 is expected in about a month, and it will bring significant changes:

  • the cross-platform API will become its own crate: keyring-core.
  • each credential store will become its own store.
  • this crate will become an example of how to write a keyring-based application.

PLEASE NOTE: with this release, the main branch has changed significantly. What was on the main branch has moved to be a v4 branch, and the main branch was reverted to v3.6.2 and then had bug fix commits added on. If you have an existing fork of this repository, you should immediately sync your repo by choosing the "discard commits" option, which will take your repo back to v3.6.2 and then pull the newer commits. Then, if you have development work on one of your other branches, you should rebase that work onto the updated main.

v3.6.2: better docs, lighter-weight tests

Thanks to @​unkcpz, this release fully documents all the platform-specific modules in each platform on docs.rs.

The dev dependencies (used for testing) have been switched from using rand to using the lighter-weight module fastrand.

There are no functional code changes in this release, only test changes.

v3.6.1: Update dependencies

Two of the dependencies (openssl and whoami) were discovered to have vulnerabilities which were fixed in minor or patch releases. This crate has been updated to insist that the minor/patch release number of these dependencies is high enough to ensure use of a patched version.

There is no reason to think that the vulnerabilities in these dependencies could have been exercised through this crate. In addition, builds of clients done after the dependencies were patched would have already picked up the non-vulnerable versions. So this change is simply to ensure that future builds cannot use the vulnerable versions.

There are no code changes in this release.

v3.6.0: Add new combination keystore

This release contains a new credential store for Linux: a combination of keyutils (for use by headless processes) and secret service (for persistence of credentials beyond reboot). Thanks very much to @​soywod for the contribution!

v3.5.0: Add debug logging of internal operations

  • Add debug logging of internal operations (thanks to @​soywod).
  • Revert iOS security-framework dependency to v2 (see #225).

v3.4.0: allow simultaneous use of secret-service and keyutils

As pointed out in #214, it is possible to use both the secret-service and the keyutils credential stores at the same time, so this should be an allowed combination of specified features. This release allows that combination, selecting the secret-service as the default keystore but also loading the keyutils keystore.

v3.3.0: Support additional credential store attributes

  • Add support for credential-store attributes other than those used by this crate. This allows the creation of credentials that are more compatible with 3rd-party clients, such as the OS-provided GUIs over credentials. Fixes #208.
  • Make the textual descriptions of entries consistently follow the form user@service (or user@service:target if a target was specified).

v3.2.1: Re-enable access to v1 credentials

The v3.2.0 release, which fixed #204, had an unfortunate side effect: it broke compatibility with credentials that were originally written by a v1.x release (see #207). This bug-fix release restores that compatibility.

With this change, the CLI changes in v3.2.0 have been reverted, because they are no longer necessary.

v3.2.0: Improve secret-service handling of targets

As reported in #201 and now fixed in #204, the secret-service credential store implementation could not disambiguate credentials that were created with different targets unless the collections containing those targets had already been unlocked.

The fix for this issue introduces a compatibility break: secret-service credentials created by the keyring v1 implementation, which were readable using platform-independent code in keyring v2, are no longer readable without using platform-specific code in v3. The necessary platform-specific code is very simple, and it has been added to the CLI (both for documentation purposes and to allow the CLI to access v1 credentials). The comments in issue #204 explain why the decision was made to add this secret-service-specific compatibility break; these include the fact that keyring v2 was released 18 months ago so only those users who haven't changed their password in a very long time would still have a v1 credential in their secret-service store.

The README has been updated to address this compatibility break and to provide recommendations for keyring clients who want to update their code to make sure users with old credentials are not impacted.

v3.1.0: enhance the CLI

... (truncated)

Commits
  • 315cbdf Credits for v3.6.3 release.
  • edee747 Merge pull request #260 from open-source-cooperative/dependabot/cargo/windows...
  • a3470f1 Update windows-sys requirement from 0.59 to 0.60
  • f38b5e9 Cherry pick all contributions since 3.6.2.
  • b9af61d Zero out credential passwords before dealloc.
  • 19ec928 Don't clone returned passwords.
  • 46eebf5 windows: use static value for 'comment' attribute
  • 7b408ed Revert variable renaming
  • 88a3d6c Cosmetic fix: remove blank lines
  • afcc314 Implement default byte -> password conversion methods.
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [keyring](https://github.com/open-source-cooperative/keyring-rs) from 2.3.3 to 3.6.3.
- [Release notes](https://github.com/open-source-cooperative/keyring-rs/releases)
- [Commits](open-source-cooperative/keyring-rs@v2.3.3...v3.6.3)

---
updated-dependencies:
- dependency-name: keyring
  dependency-version: 3.6.3
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>

dependabot bot commented on behalf of github Jan 19, 2026

Labels

The following labels could not be found: dependencies, rust. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.
