Skip to content

Bump calamine from 0.32.0 to 0.33.0 in /native/xler_native#75

Closed
dependabot[bot] wants to merge 1 commit intomasterfrom
dependabot/cargo/native/xler_native/calamine-0.33.0
Closed

Bump calamine from 0.32.0 to 0.33.0 in /native/xler_native#75
dependabot[bot] wants to merge 1 commit intomasterfrom
dependabot/cargo/native/xler_native/calamine-0.33.0

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot bot commented on behalf of github Feb 5, 2026

Bumps calamine from 0.32.0 to 0.33.0.

Release notes

Sourced from calamine's releases.

v0.33.0 - 2026-02-04

Added

  • Added support for reading data from Pivot Tables, which involves reading data from the internal Pivot Cache. [PR #559].

    [PR #559]: tafia/calamine#559

Changed

  • Update dependencies for release 0.33.0:

    • zip: 4.2.0 -> 7.0.
    • atoi_simd: 0.16 -> 0.17

Fixed

  • Fixed potential memory exhaustion issue in ODS files that could be triggered via repeated empty rows/columns.

    The fix adds limits to prevent memory exhaustion from malicious ODS files that declare billions of repeated cells via table:number-rows-repeated and table:number-columns-repeated attributes.

    The change adds the following protection layers:

    • Add cap for columns per row at MAX_COLUMNS (16,384).
    • Add cap for total row repeats at MAX_ROWS (1,048,576).
    • Add cap for total cells at MAX_CELLS (100 million) in get_range().

    These limits match XLSX's existing row/column limits and prevent a 7KB malicious file from attempting to allocate memory for 17+ billion cells.

    When MAX_CELLS is exceeded, return OdsError::CellLimitExceeded instead of silently returning an empty range. This ensures callers are properly informed of truncation rather than receiving silent data loss.

    [Issue #594], [PR #596].

    [Issue #594]: tafia/calamine#594 [PR #596]: tafia/calamine#596

  • Fixed an issue where XLSX files with tables that had the internal insertRow attribute set returned a Dimensions object where the end row was less than the start row. This caused an assert/panic when trying to create a Range object to return the table range. [Issue #589].

    [Issue #589]: tafia/calamine#589

  • Fixed an issue with XLSX files where worksheet tables used the unusual, but

... (truncated)

Changelog

Sourced from calamine's changelog.

[0.33.0] - 2026-02-04

Added

  • Added support for reading data from Pivot Tables, which involves reading data from the internal Pivot Cache. [PR #559].

    [PR #559]: tafia/calamine#559

Changed

  • Update dependencies for release 0.33.0:

    • zip: 4.2.0 -> 7.0.
    • atoi_simd: 0.16 -> 0.17

Fixed

  • Fixed potential memory exhaustion issue in ODS files that could be triggered via repeated empty rows/columns.

    The fix adds limits to prevent memory exhaustion from malicious ODS files that declare billions of repeated cells via table:number-rows-repeated and table:number-columns-repeated attributes.

    The change adds the following protection layers:

    • Add cap for columns per row at MAX_COLUMNS (16,384).
    • Add cap for total row repeats at MAX_ROWS (1,048,576).
    • Add cap for total cells at MAX_CELLS (100 million) in get_range().

    These limits match XLSX's existing row/column limits and prevent a 7KB malicious file from attempting to allocate memory for 17+ billion cells.

    When MAX_CELLS is exceeded, return OdsError::CellLimitExceeded instead of silently returning an empty range. This ensures callers are properly informed of truncation rather than receiving silent data loss.

    [Issue #594], [PR #596].

    [Issue #594]: tafia/calamine#594 [PR #596]: tafia/calamine#596

  • Fixed an issue where XLSX files with tables that had the internal insertRow attribute set returned a Dimensions object where the end row was less than the start row. This caused an assert/panic when trying to create a Range object to return the table range. [Issue #589].

    [Issue #589]: tafia/calamine#589

... (truncated)

Commits
  • 203258c release: 0.33.0
  • 778bd8b deps: update dependencies for release 0.33.0
  • b17b040 feat: add support for reading PivotTable/PivotCache (#559)
  • a1b5768 ods: fix DoS via repeated rows/columns (issue #594) (#596)
  • 1dc58c6 xlsx: fix table issue when insertRow attribute is set
  • 9111009 xlsx: fix issue with table reference ids
  • e76bcd7 docs: prep changelog for next release
  • See full diff in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot
Bump calamine from 0.32.0 to 0.33.0 in /native/xler_native
4c5e491 
Bumps [calamine](https://github.com/tafia/calamine) from 0.32.0 to 0.33.0.
- [Release notes](https://github.com/tafia/calamine/releases)
- [Changelog](https://github.com/tafia/calamine/blob/master/Changelog.md)
- [Commits](tafia/calamine@v0.32.0...v0.33.0)

---
updated-dependencies:
- dependency-name: calamine
  dependency-version: 0.33.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file rust Pull requests that update Rust code labels Feb 5, 2026
@dependabot @github
Copy link
Copy Markdown
Contributor Author

dependabot bot commented on behalf of github Mar 9, 2026

Superseded by #77.

@dependabot dependabot bot closed this Mar 9, 2026
@dependabot dependabot bot deleted the dependabot/cargo/native/xler_native/calamine-0.33.0 branch March 9, 2026 04:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file rust Pull requests that update Rust code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants