[cargo] "Weird server reply (Invalid status line)" from proxy when downloading sparse index entries

[LilDojd]

Is there an existing issue for this?

• I have searched the existing issues

Package ecosystem
cargo

Package manager version
N/A

Language version
N/A

Manifest location and content before the Dependabot update
Workspace root /Cargo.toml: https://github.com/LilDojd/late-sh/blob/main/Cargo.toml

dependabot.yml content
https://github.com/LilDojd/late-sh/blob/main/.github/dependabot.yml

Updated dependency
Any — the failing package is non-deterministic across runs. Observed: serde_spanned, futures-util, futures-task, crossterm_winapi, regex, allocator-api2, reqwest, crossterm.

What you expected to see, versus what you actually saw

Expected: Dependabot opens a group update PR for Cargo dependencies.

Actual: Every run fails with dependency_file_not_resolvable. The root cause is curl error [8] Weird server reply (Invalid status line) when cargo attempts to download sparse registry index entries through Dependabot's proxy during lockfile resolution:

Updating crates.io index
error: failed to get `serde_spanned` as a dependency of package `toml v1.1.2`

Caused by:
  download of se/rd/serde_spanned failed

Caused by:
  failed to download from `https://index.crates.io/se/rd/serde_spanned`

Caused by:
  [8] Weird server reply (Invalid status line)

Reproduced on two unrelated repositories on the same day:

• https://github.com/LilDojd/late-sh/actions
• https://github.com/LilDojd/helix/actions (fork of helix-editor/helix)

Native package manager behavior
cargo update runs successfully locally with no errors.

Images of the diff or a link to the PR, issue, or logs

• https://github.com/LilDojd/late-sh/actions/runs/24510383568 (late-sh, failure)
• https://github.com/LilDojd/helix/actions/runs/24510709426 (helix fork, failure, more verbose logs showing full cause chain)

Smallest manifest that reproduces the issue
Any large Cargo workspace appears sufficient to trigger this. The helix workspace (https://github.com/LilDojd/helix/blob/master/Cargo.toml) reproduces it with a minimal dependabot.yml:

version: 2
updates:
  - package-ecosystem: "cargo"
    directory: "/"
    schedule:
      interval: "weekly"
    groups:
      rust-dependencies:
        update-types:
          - "minor"
          - "patch"

Note

LLM disclosure: This issue was drafted with AI assistance. I have personally verified the failure on two separate repositories and confirmed the logs and links are accurate.

[LilDojd]

Hmm, maybe it is upstream. Debugging with dependabot cli and earlier proxy and updater images yielded same errors

[skeet70]

Some more reproductions:

• https://github.com/IronCoreLabs/ironoxide-cli/actions/runs/24536593575/job/71732928348
• https://github.com/IronCoreLabs/ironcore-alloy/actions/runs/24536703866/job/71733299091
• https://github.com/IronCoreLabs/ironcore-ai-bench/actions/runs/24536986255/job/71734239585
• https://github.com/IronCoreLabs/ironhide/actions/runs/24537096613/job/71734596805
• https://github.com/IronCoreLabs/ironoxide-swig-bindings/actions/runs/24537150251/job/71734771223

re-run's haven't been bypassing the problem.

[jameswald]

This is impacting all of our rust repositories too. It started failing 2 days ago on April 15.

[solimike]

And for me too.

For example: https://github.com/solimike/rppal-mcp23s17/actions/runs/24579361286/job/71872892613

[object88]

I am having this problem as well. This shows up in my security console as:

And I am getting this in the logs:

updater | 2026/04/18 08:02:50 ERROR <job_1328599508> Error processing tokio (Dependabot::SharedHelpers::HelperSubprocessFailed)
2026/04/18 08:02:50 ERROR <job_1328599508> Updating crates.io index
error: failed to get `crossterm` as a dependency of package `ksh v0.0.1 (dependabot_tmp_dir)`

Caused by:
  download of cr/os/crossterm failed

Caused by:
  failed to download from `[https://index.crates.io/cr/os/crossterm`](https://index.crates.io/cr/os/crossterm%60)

Caused by:
  [8] Weird server reply (Invalid status line)

And

updater | 2026/04/18 08:02:54 INFO <job_1328599508> Handled error whilst updating clap: dependency_file_not_resolvable {message: "Updating crates.io index\nerror: failed to get `hyper-util` as a dependency of package `ksh v0.0.1 (dependabot_tmp_dir)`\n\nCaused by:\n  download of hy/pe/hyper-util failed\n\nCaused by:\n  failed to download from `[https://index.crates.io/hy/pe/hyper-util`\n\nCaused](https://index.crates.io/hy/pe/hyper-util%60/n/nCaused) by:\n  [8] Weird server reply (Invalid status line)"}

And

updater | 2026/04/18 08:02:55 INFO Results:
Dependabot encountered '2' error(s) during execution, please check the logs for more details.
+----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
|                                                                                                                                                                                Dependencies failed to update                                                                                                                                                                                 |
+------------+--------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Dependency | Error Type                     | Error Details                                                                                                                                                                                                                                                                                                                                  |
+------------+--------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| tokio      | unknown_error                  | null                                                                                                                                                                                                                                                                                                                                           |
| clap       | dependency_file_not_resolvable | {                                                                                                                                                                                                                                                                                                                                              |
|            |                                |   "message": "Updating crates.io index\nerror: failed to get `hyper-util` as a dependency of package `ksh v0.0.1 (dependabot_tmp_dir)`\n\nCaused by:\n  download of hy/pe/hyper-util failed\n\nCaused by:\n  failed to download from `[https://index.crates.io/hy/pe/hyper-util`\n\nCaused](https://index.crates.io/hy/pe/hyper-util%60/n/nCaused) by:\n  [8] Weird server reply (Invalid status line)" |
|            |                                | }                                                                                                                                                                                                                                                                                                                                              |
+------------+--------------------------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
Failure running container 3b5ffb447243cacf5bdb27d291959b32caf51b9af3940170aba166521120099f: Error: Command failed with exit code 1: /bin/sh -c $DEPENDABOT_HOME/dependabot-updater/bin/run update_files

My first failure was at Apr 16, 1:15 AM PDT. My last successful run was at Apr 15, 1:15 AM PDT.

Perhaps coincidently, between the last successful run and the first failure, I changed my Dependabot configuration to add cooldown:

version: 2
updates:
  - package-ecosystem: "cargo"
    commit-message:
      include: "scope"
      prefix: "chore"
    directories:
      - "/"
    schedule:
      interval: "cron"
      cronjob: "0 8 * * *"
    # Added below here on the afternoon of April 15th
    cooldown:
      default-days: 5
      semver-major-days: 30

On further consideration, I don't think that the cooldown is related, because I have another repo that has had the same problem, same timeframe, and no cooldown in the Dependabot configuration.