---
title: v0.12.1
date: 2026-06-08
description: 'Maintenance release: dependency updates, a transitive security patch, and CI fixes. No behavior changes.'
tags:
- fix
- security
---

## Maintenance and Security

A small maintenance release. There are no user-facing behavior changes — sites build and deploy exactly as before.

### Security

- Updated the transitive `rand` dependency to `0.9.3`, resolving [GHSA-cq8v-f236-94qc](https://github.com/advisories/GHSA-cq8v-f236-94qc) (a low-severity soundness advisory in `rand`).

### Dependencies

- Bumped `rustls-webpki` and the rest of the Rust dependency group to their latest patch releases.
- Refreshed pinned GitHub Actions to current versions.

### Internals

- Fixed two `clippy::unnecessary_sort_by` lints in the build pipeline (`sort_by` → `sort_by_key`). Sort order is unchanged.
- Updated `deny.toml` to acknowledge `RUSTSEC-2026-0105` (`core2` is unmaintained and pulled in transitively by the `rav1e` AVIF encoder, with no safe upgrade available), and bumped `cargo-deny-action` so the supply-chain audit job runs cleanly again.