ttl Files

Security & maintenance release

This is a patch release covering security advisories, the hickory-resolver 0.26 upgrade, CI quality improvements, and a community contribution. No user-facing API changes.

Security

• hickory-proto via hickory-resolver 0.26.1 — RUSTSEC-2026-0119 (O(n²) DNS name compression CPU exhaustion). RUSTSEC-2026-0118 (NSEC3 unbounded loop) also no longer applies; ttl does not validate DNSSEC.
• rustls-webpki 0.103.13 — cumulative fixes for RUSTSEC-2026-0049/0098/0099/0104.
• aws-lc-sys 0.39.0 — RUSTSEC-2026-0044/0045/0046/0047/0048 (CRL/AES-CCM/X.509/PKCS7).
• quinn-proto 0.11.14 — RUSTSEC-2026-0037 (Quinn endpoint DoS — not exploitable in ttl, which only acts as a TLS client).

Added

• Pre-commit hooks (.pre-commit-config.yaml) for cargo fmt / clippy / test. Setup documented in CONTRIBUTING.md (recommends prek).
• CI: cargo clippy --all-targets -- -D warnings now runs on macOS and FreeBSD in addition to Linux.
• README: NetBSD pkgsrc install instructions; replay controls listed in the keybindings table.

Changed

• hickory-resolver upgraded 0.25 → 0.26 (transparent API migration).
• toml upgraded 0.9 → 1.x (no code changes required).
• CI: softprops/action-gh-release upgraded v2 → v3 (Node.js 24 runtime).

Fixed

• DNS resolver fallback (#71): restored Google DNS fallback when the system resolver builder constructs but its build() step fails.
• macOS clippy warnings (#72): unused imports, is_dgram variable, and three needless_return lints in src/probe/socket.rs. Contributed by @SSakutaro.
• FreeBSD/NetBSD: dead-code warnings on DGRAM ICMP socket helpers cfg-gated.
• clippy 1.95: collapsible_match and unnecessary_sort_by.
• FreeBSD CI: install ca_root_nss before fetching crates to avoid SSL verification failures from the FreeBSD VM image.

Dependencies

• libc 0.2.182 → 0.2.186, tokio 1.49 → 1.50, socket2 0.6.2 → 0.6.3, clap 4.5 → 4.6, clap_complete 4.5 → 4.6, proptest 1.10 → 1.11, chrono 0.4.43 → 0.4.44

Full changelog: https://github.com/lance0/ttl/blob/v0.19.1/CHANGELOG.md