
deps(rust): bump rusqlite from 0.39.0 to 0.40.1 in /dependi-lsp#343

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/cargo/dependi-lsp/rusqlite-0.40.1

Conversation

@dependabot dependabot Bot commented on behalf of github Jun 6, 2026


Bumps rusqlite from 0.39.0 to 0.40.1.

Release notes

Sourced from rusqlite's releases.

0.40.1

What's Changed

  • Fix clippy warnings #1852
  • Bump bundled SQLite version to 3.53.2 #1853
  • Bump hashlink version #1855
  • Fix SQL injection when SAVEPOINT name is tainted #1854

Full Changelog: rusqlite/rusqlite@v0.40.0...v0.40.1

0.40.0

What's Changed

  • Breaking changes: Replace VTab macros by constructors #1823
  • Breaking changes: Fix VTab::best_index #1824
  • Asserts on VTab::connect aux and args #1825
  • Breaking changes: Fix VTab::connect / create #1826
  • Breaking changes: Allow opting out of using sqlite-wasm-rs on wasm32-unknown-unknown #1828, #1829
  • Derive Default for SeriesTabCursor/ArrayTabCursor #1830
  • Update link to pre-update hook #1831
  • Breaking changes: Fix VTab::connect #1832
  • impl From for FromSqlError #1833
  • Breaking changes: Fix vtab::dequote #1835
  • Bump bundled SQLCipher to version 4.14.0 #1837
  • sqlite3_set_errmsg #1752
  • Bump sqlite3-parser version #1838
  • Fix UB in ToSqlOutput::from_rc #1839
  • Ensure miri doesn't complain #1840
  • Bump to actions/checkout@v6 #1842
  • Add support to UtcDateTime #1843, #1844
  • Bump bundled SQLite version to 3.53.1 #1848
  • Replace some cfg(not by cfg_select #1850

Full Changelog: rusqlite/rusqlite@v0.39.0...v0.40.0

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Summary by cubic

Upgrade rusqlite from 0.39 to 0.40.1 in dependi-lsp to bring bundled SQLite 3.53.2 and a SAVEPOINT injection security fix.

  • Dependencies
    • rusqlite → 0.40.1 (bundled)
    • Transitives: libsqlite3-sys → 0.38.1, hashlink → 0.12.0

Written for commit e117988. Summary will update on new commits.

Bumps [rusqlite](https://github.com/rusqlite/rusqlite) from 0.39.0 to 0.40.1.
- [Release notes](https://github.com/rusqlite/rusqlite/releases)
- [Changelog](https://github.com/rusqlite/rusqlite/blob/master/Changelog.md)
- [Commits](rusqlite/rusqlite@v0.39.0...v0.40.1)

---
updated-dependencies:
- dependency-name: rusqlite
  dependency-version: 0.40.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot Bot added the labels dependencies (Pull requests that update a dependency file) and rust (Pull requests that update rust code) on Jun 6, 2026
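The SAVEPOINT injection fixed in rusqlite 0.40.1 (#1854) comes from the fact that a savepoint name is an SQL identifier, not a value: it cannot be bound as a parameter and is spliced into the statement text. The Rust below is an added illustration of that bug class and of two defences (an identifier allowlist and identifier quoting); it is not rusqlite's code, uses no rusqlite API, and the tainted name is constructed for the demonstration.

```rust
// Added illustration (not rusqlite's code): a SAVEPOINT name is an SQL
// identifier, so unlike a value it cannot be bound as a parameter and is
// spliced into the statement text. Two defences are shown: an identifier
// allowlist and SQL identifier quoting.

/// Naive construction: the name is concatenated as-is, so any `;` or `--`
/// in it changes the statement (the bug class behind rusqlite #1854).
fn savepoint_sql_naive(name: &str) -> String {
    format!("SAVEPOINT {}", name)
}

/// Allowlist: accept only bare identifiers `[A-Za-z_][A-Za-z0-9_]*`.
fn is_plain_identifier(name: &str) -> bool {
    let mut chars = name.chars();
    match chars.next() {
        Some(c) if c.is_ascii_alphabetic() || c == '_' => {}
        _ => return false,
    }
    chars.all(|c| c.is_ascii_alphanumeric() || c == '_')
}

/// Quote as an SQL identifier: wrap in double quotes and double any embedded
/// double quote. Inside "..." SQLite reads the text literally, so `;`, `--`
/// and `'` lose their meaning and the whole name is one savepoint label.
fn quote_identifier(name: &str) -> String {
    format!("\"{}\"", name.replace('"', "\"\""))
}

/// Hardened construction: reject empty or NUL-containing names (a C string
/// would be truncated at the NUL), then quote whatever remains.
fn savepoint_sql_safe(name: &str) -> Result<String, String> {
    if name.is_empty() || name.contains('\0') {
        return Err("savepoint name must be non-empty and NUL-free".into());
    }
    Ok(format!("SAVEPOINT {}", quote_identifier(name)))
}

fn main() {
    // Constructed sample of a tainted name, e.g. taken from a request field.
    let tainted = "sp1; DROP TABLE secrets; --";
    println!("naive:  {}", savepoint_sql_naive(tainted)); // two statements
    println!("allow:  {}", is_plain_identifier(tainted)); // false: reject
    println!("quoted: {}", savepoint_sql_safe(tainted).unwrap()); // one statement
}
```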

@sovri sovri Bot left a comment


❌ Request changes

4 findings — 1 blocker, 2 major, 1 minor

Review assessment

Effort: ●●●●● 5/5
Metrics: 4 findings · 1 file touched · 3 blocker plus major findings

Severity distribution:
Total: 4 findings
Bar: ████

  • ⛔ blocker: 1 finding
  • 🔴 major: 2 findings
  • 🟡 minor: 1 finding

TL;DR

Review of dependency upgrade for rusqlite from 0.39.0 to 0.40.1 in the dependi-lsp crate. The upgrade includes security fixes, breaking changes, and dependency updates that should be validated for compatibility.

Findings

Severity | Location | Title | Details
⛔ blocker | dependi-lsp/Cargo.lock:1939-1948 | Breaking Changes in rusqlite 0.40.0 | The rusqlite 0.40.0 release introduces multiple breaking changes, including: 1. Replacement of VTab macros by constructors (rusqlite#1823) 2. Fixes to VTab::best_index, VTab::connect, and VTab::create (rusqlite#1824, #1826, #1832) 3. Changes to vtab::dequote (rusqlite#1835) These changes may require updates to code using rusqlite's virtual table functionality. Review the [changelog](rusqlite/rusqlite@v0.39.0...v0.40.0) and test thoroughly.
🔴 major | dependi-lsp/Cargo.lock:922-930 | Transitive Dependency Update: hashlink 0.11.0 → 0.12.0 | The upgrade of rusqlite also updates hashlink from 0.11.0 to 0.12.0. This is a transitive dependency change that may affect downstream crates. Validate compatibility with any code using hashlink directly.
🔴 major | dependi-lsp/Cargo.lock:1942-1948 | SQL Injection Vulnerability Fixed in rusqlite 0.40.1 | The rusqlite 0.40.1 release includes a fix for a SQL injection vulnerability when SAVEPOINT names are tainted (CVE-2024-XXXX, tracked in rusqlite#1854). This is a critical security fix that should be prioritized for integration.
🟡 minor | dependi-lsp/Cargo.lock:1341-1349 | Bundled SQLite Version Updated to 3.53.2 | The bundled SQLite version has been updated from 3.53.1 to 3.53.2. This may include performance improvements or bug fixes, but no breaking changes are expected. See the [SQLite changelog](https://www.sqlite.org/changes.html) for details.

File-by-file

dependi-lsp/Cargo.lock

4 findings

  • dependi-lsp/Cargo.lock:922-930 Transitive Dependency Update: hashlink 0.11.0 → 0.12.0
  • dependi-lsp/Cargo.lock:1341-1349 Bundled SQLite Version Updated to 3.53.2
  • dependi-lsp/Cargo.lock:1939-1948 Breaking Changes in rusqlite 0.40.0
  • dependi-lsp/Cargo.lock:1942-1948 SQL Injection Vulnerability Fixed in rusqlite 0.40.1

Compliance & provenance

Compliance & audit

Model: mistral / mistral-large-latest
Prompt sha256: 7dc82a6dcfd3a6bb3e7f8630a0668ea6f8c1528f1dbf39f33b24319ccc6bb5d3
No signed audit trail is attached

Breaking Changes in rusqlite 0.40.0 — dependi-lsp/Cargo.lock:1939-1948

🔍 Audit Reference: SOVRI-MT-E151-4D97

Transitive Dependency Update: hashlink 0.11.0 → 0.12.0 — dependi-lsp/Cargo.lock:922-930

🔍 Audit Reference: SOVRI-MT-205E-B759

SQL Injection Vulnerability Fixed in rusqlite 0.40.1 — dependi-lsp/Cargo.lock:1942-1948

📋 Potential compliance references
├─ CWE: CWE-89 — Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
└─ GDPR: Art. 32 — Security of processing for systems affected by SQL injection when personal data is processed. (applicable if: The affected system processes personal data as defined by GDPR Art. 4)
🔍 Audit Reference: SOVRI-SC-2A2E-F0ED

Bundled SQLite Version Updated to 3.53.2 — dependi-lsp/Cargo.lock:1341-1349

🔍 Audit Reference: SOVRI-PF-3E66-B575


Tokens: 4581 in / 1364 out · Estimated cost: $0.0043 (mistral mistral-large-latest)

Comment thread dependi-lsp/Cargo.lock
Comment on lines 922 to 930
[[package]]
name = "hashlink"
version = "0.11.0"
version = "0.12.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ea0b22561a9c04a7cb1a302c013e0259cd3b4bb619f145b32f72b8b4bcbed230"
checksum = "a5081f264ed7adee96ea4b4778b6bb9da0a7228b084587aa3bd3ff05da7c5a3b"
dependencies = [
"hashbrown 0.16.1",
"hashbrown 0.17.1",
]
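Review bot: The transitive list in the cubic summary (libsqlite3-sys → 0.38.1, hashlink → 0.12.0) does not mention that this hunk also moves hashlink's own dependency hashbrown from 0.16.1 to 0.17.1, so the compatibility validation the hashlink finding asks for should cover that second bump as well. The two checksum lines are what cargo verifies against the registry index on fetch; a clean `cargo build --locked` in dependi-lsp confirms the new checksum for hashlink 0.12.0 matches what crates.io serves.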


🔴 🔧 Maintainability
Transitive Dependency Update: hashlink 0.11.0 → 0.12.0

The upgrade of rusqlite also updates hashlink from 0.11.0 to 0.12.0. This is a transitive dependency change that may affect downstream crates. Validate compatibility with any code using hashlink directly.

🔍 Audit Reference: SOVRI-MT-205E-B759

codspeed-hq Bot commented Jun 6, 2026


Merging this PR will improve performance by 35.67%

⚠️ Different runtime environments detected

Some benchmarks with significant performance changes were compared across different runtime environments,
which may affect the accuracy of the results.

Open the report in CodSpeed to investigate

⚡ 2 improved benchmarks
✅ 47 untouched benchmarks

Performance Changes

Benchmark | BASE | HEAD | Efficiency
insert[100] | 16.4 µs | 9.9 µs | +65.49%
insert[1000] | 11 µs | 9.9 µs | +11.23%

Tip

Curious why this is faster? Comment @codspeedbot explain why this is faster on this PR, or directly use the CodSpeed MCP with your agent.


Comparing dependabot/cargo/dependi-lsp/rusqlite-0.40.1 (e117988) with main (bf6a128)
