chore(deps): update rust crate rpassword to v7.5.0 [security]

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
rpassword	workspace.dependencies	minor	7.3.1 → 7.5.0

---

rpassword affected by partial password reveal when input is interrupted

GHSA-2p6r-x3vv-xqm2

More information

Details

rpassword maintainers were made aware of a possible issue with a partial password reveal when input is interrupted.

To quote @​squell:

@​conradkleinespel I've confirmed this problem with SequoiaPGP, which I think uses rpassword, e.g.:

Suppose we use pkill -9 sq in a different terminal right after the password has been typed in:

$ sq key generate --userid "barf" --with-password
Enter password to protect the key: Killed
$ hello^C

Where the password I typed in is "hello".

This has been fixed in version v7.5.0 and above.

Severity

• CVSS Score: 3.8 / 10 (Low)
• Vector String: CVSS:3.1/AV:P/AC:H/PR:H/UI:R/S:U/C:H/I:N/A:N

References

• https://github.com/conradkleinespel/rpassword/security/advisories/GHSA-2p6r-x3vv-xqm2
• https://github.com/conradkleinespel/rpassword/releases/tag/v7.5.0
• https://github.com/advisories/GHSA-2p6r-x3vv-xqm2

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

conradkleinespel/rpassword (rpassword)

v7.5.0

Compare Source

This release comes with lots of stuff. It should be fully backward compatible.

New features

• Support for masking or partially masking a password as it's being typed. Thank you, @​chipsenkbeil, for your contribution.
• New API. The documentation has been vastly improved to support this, see https://docs.rs/rpassword/. To sum up, you can now call read_password_with_config(config) and there is a ConfigBuilder that allows you to configure how passwords should be read. This makes the library much more flexible and means new options will be added without breaking existing code.

Fixes

• Fix for CVE-2025-64170 which affects rpassword on versions v7.4.0 and below. Thank you, @​squell and @​DevLaTron, for reporting this.
• Better support for multibyte characters and more reliable handling of control characters and terminal escape sequences. Thank you again, @​chipsenkbeil, for your contribution.

Deprecations

• _from_bufread functions have been deprecated. You are encouraged to migrate to _with_config functions. See UPGRADE.md as well as the documentation which has examples that you can most likely drop into your code without other changes.

Misc

• Update of the windows-sys dependency.
• Update Rust edition from 2018 to 2024.
• Better cross-platform testing, through more unit tests and a CI that runs Linux, Windows and Wasm.

Feedback is very much welcome.

v7.4.0

Compare Source

Changes and updates in this release:

• Updates windows-sys from 0.52 to 0.59, see cb2244a;
• Improves Chinese character handling, the commit is in the rtoolbox crate, for which the change is visible in conradkleinespel/duck@55eaf6a. Thank you @​Jordan-Haidee for providing a fix in #​97.

I've noticed after publishing the release that the size of the crate on crates.io went from 7KiB to 121KiB. That's due to the addition of an image in the README.md, which I did not anticipate would be distributed to everyone. The fix (7c30111) will be included in the next release.

No functionality changes in this release. It is backwards compatible.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	rpassword@​7.3.1 ⏵ 7.5.0		+1

View full report