
tame-index / gix dependencies outdated (does dependabot ignore them?)

Open decathorpe opened this issue 1 year ago • 3 comments

We're working on updating gix to the latest version (0.70.0) in Fedora Linux, among other things to avoid the latest RUSTSEC advisory for it: https://rustsec.org/advisories/RUSTSEC-2025-0001.html

I see tame-index update PRs being filed by dependabot in the past, but not recently. I see no reason why it shouldn't file PRs for these two crates, but it looks like it just doesn't.

The Cargo.toml file in the rustsec crate just says to "keep gix in sync with tame-index", but they're both currently quite outdated:

  • tame-index: used ^0.14, latest is 0.17.0 (using gix 0.70)
  • gix: used ^0.66, latest is 0.70

For example, this is leading to quite a number of dependency mismatches in projects like cargo-deny that depend on both gix, tame-index, and the rustsec crate (I see that this has been an issue in the past too - https://github.com/rustsec/rustsec/issues/1065 ).

decathorpe, Jan 22 '25 23:01

(side note: I've tried porting rustsec to a newer version of gix / tame-index myself, but got stuck due to API removals in gix: https://github.com/GitoxideLabs/gitoxide/discussions/1797 - otherwise I'd have submitted a PR with my changes instead of filing an issue)

decathorpe, Jan 22 '25 23:01

gix has made several accidental semver-breaking changes in the past, so we chose to be conservative with updating gix. This also helped keep MSRV sufficiently conservative to enable packaging in Linux distributions that do not track the latest Rust very closely.

This seems like a reasonable time to upgrade and bump MSRV. I don't think the issue actually affects us, but it would be nice to get it off people's vulnerability dashboards.

Shnatsel, Jan 22 '25 23:01

Note that I've asked for help in the GitOxide discussion forum wrt/ adapting to the removed APIs: https://github.com/GitoxideLabs/gitoxide/discussions/1797

If / when that is successful, I can submit a PR for the gix 0.70 / tame-index 0.17 update here 🙇🏼

decathorpe, Jan 23 '25 11:01