Per the dependency policy in RELEASE.md, non-security dependency bumps should land at the first RC of the next minor cycle, not mid-1.7.0-RC cycle.
tokio-serial is exact-pinned (=5.4.5) because upstream historically shipped no changelog, git tags, or GitHub releases, so bumps are reviewed by hand.
5.5.0 (released 2026-06-15) is a good candidate:
SerialFramed refactored to use tokio_util::io::poll_read_buf instead of a custom unsafe read impl
futures replaced with futures-core/futures-sink (public API unchanged)
- New opt-in
serde feature (no effect unless enabled)
- MSRV raised to 1.71.0 (fine; dnp3 requires 1.75)
- No breaking API changes; no
mio-serial/serialport version change
- Upstream now publishes a CHANGELOG.md
Action: bump the pin to =5.5.0 in dnp3/Cargo.toml in its own commit with a note, refresh Cargo.lock, and confirm cargo audit stays green.
Per the dependency policy in
RELEASE.md, non-security dependency bumps should land at the first RC of the next minor cycle, not mid-1.7.0-RC cycle.tokio-serialis exact-pinned (=5.4.5) because upstream historically shipped no changelog, git tags, or GitHub releases, so bumps are reviewed by hand.5.5.0 (released 2026-06-15) is a good candidate:
SerialFramedrefactored to usetokio_util::io::poll_read_bufinstead of a customunsaferead implfuturesreplaced withfutures-core/futures-sink(public API unchanged)serdefeature (no effect unless enabled)mio-serial/serialportversion changeAction: bump the pin to
=5.5.0indnp3/Cargo.tomlin its own commit with a note, refreshCargo.lock, and confirmcargo auditstays green.