chore(deps): bump the cargo group across 1 directory with 10 updates#22
chore(deps): bump the cargo group across 1 directory with 10 updates#22dependabot[bot] wants to merge 1 commit into
Conversation
Bumps the cargo group with 10 updates in the / directory: | Package | From | To | | --- | --- | --- | | [tokio](https://github.com/tokio-rs/tokio) | `1.50.0` | `1.52.3` | | [axum](https://github.com/tokio-rs/axum) | `0.8.8` | `0.8.9` | | [hyper](https://github.com/hyperium/hyper) | `1.8.1` | `1.10.1` | | [reqwest](https://github.com/seanmonstar/reqwest) | `0.12.28` | `0.13.4` | | [serde_json](https://github.com/serde-rs/json) | `1.0.149` | `1.0.150` | | [clap](https://github.com/clap-rs/clap) | `4.6.0` | `4.6.1` | | [sha2](https://github.com/RustCrypto/hashes) | `0.10.9` | `0.11.0` | | [libsql](https://github.com/tursodatabase/libsql) | `0.6.0` | `0.9.30` | | [http](https://github.com/hyperium/http) | `1.4.0` | `1.4.2` | | [anyhow](https://github.com/dtolnay/anyhow) | `1.0.102` | `1.0.103` | Updates `tokio` from 1.50.0 to 1.52.3 - [Release notes](https://github.com/tokio-rs/tokio/releases) - [Commits](tokio-rs/tokio@tokio-1.50.0...tokio-1.52.3) Updates `axum` from 0.8.8 to 0.8.9 - [Release notes](https://github.com/tokio-rs/axum/releases) - [Changelog](https://github.com/tokio-rs/axum/blob/main/CHANGELOG.md) - [Commits](tokio-rs/axum@axum-v0.8.8...axum-v0.8.9) Updates `hyper` from 1.8.1 to 1.10.1 - [Release notes](https://github.com/hyperium/hyper/releases) - [Changelog](https://github.com/hyperium/hyper/blob/master/CHANGELOG.md) - [Commits](hyperium/hyper@v1.8.1...v1.10.1) Updates `reqwest` from 0.12.28 to 0.13.4 - [Release notes](https://github.com/seanmonstar/reqwest/releases) - [Changelog](https://github.com/seanmonstar/reqwest/blob/master/CHANGELOG.md) - [Commits](seanmonstar/reqwest@v0.12.28...v0.13.4) Updates `serde_json` from 1.0.149 to 1.0.150 - [Release notes](https://github.com/serde-rs/json/releases) - [Commits](serde-rs/json@v1.0.149...v1.0.150) Updates `clap` from 4.6.0 to 4.6.1 - [Release notes](https://github.com/clap-rs/clap/releases) - [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md) - [Commits](clap-rs/clap@clap_complete-v4.6.0...clap_complete-v4.6.1) Updates `sha2` from 0.10.9 to 0.11.0 - [Commits](RustCrypto/hashes@sha2-v0.10.9...sha2-v0.11.0) Updates `libsql` from 0.6.0 to 0.9.30 - [Release notes](https://github.com/tursodatabase/libsql/releases) - [Commits](tursodatabase/libsql@v0.6.0...libsql-0.9.30) Updates `http` from 1.4.0 to 1.4.2 - [Release notes](https://github.com/hyperium/http/releases) - [Changelog](https://github.com/hyperium/http/blob/master/CHANGELOG.md) - [Commits](hyperium/http@v1.4.0...v1.4.2) Updates `anyhow` from 1.0.102 to 1.0.103 - [Release notes](https://github.com/dtolnay/anyhow/releases) - [Commits](dtolnay/anyhow@1.0.102...1.0.103) --- updated-dependencies: - dependency-name: tokio dependency-version: 1.52.3 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: cargo - dependency-name: axum dependency-version: 0.8.9 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: cargo - dependency-name: hyper dependency-version: 1.10.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: cargo - dependency-name: reqwest dependency-version: 0.13.4 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: cargo - dependency-name: serde_json dependency-version: 1.0.150 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: cargo - dependency-name: clap dependency-version: 4.6.1 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: cargo - dependency-name: sha2 dependency-version: 0.11.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: cargo - dependency-name: libsql dependency-version: 0.9.30 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: cargo - dependency-name: http dependency-version: 1.4.2 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: cargo - dependency-name: anyhow dependency-version: 1.0.103 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: cargo ... Signed-off-by: dependabot[bot] <support@github.com>
|
|
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
|
|
Warning Review the following alerts detected in dependencies. According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.
|
Up to standards ✅🟢 Issues
|
| Metric | Results |
|---|---|
| Complexity | 0 |
| Duplication | 0 |
NEW Get contextual insights on your PRs based on Codacy's metrics, along with PR and Jira context, without leaving GitHub. Enable AI reviewer
TIP This summary will be updated as you push new changes.
Codecov Report✅ All modified and coverable lines are covered by tests. 📢 Thoughts on this report? Let us know! |
Greptile SummaryRoutine dependabot dependency bump across 10 Rust crates with several bug-fix-only point releases and two notable major/minor upgrades (
Confidence Score: 4/5Safe to merge; the existing reqwest, sha2, and libsql API surface is forward-compatible with the new versions, and several upstream bug fixes are beneficial. All 10 dependency bumps bring only bug-fix or minor feature additions that do not affect the codebase's current API usage. The one practical concern is that both reqwest 0.13 and libsql-ffi 0.9.30 now require cmake at build time, which was not previously needed; this could silently break builds in minimal CI environments but does not affect runtime correctness. Cargo.toml and Cargo.lock: verify that all CI runners and Docker build images have cmake available before merging. Important Files Changed
Flowchart%%{init: {'theme': 'neutral'}}%%
flowchart TD
A[reqwest 0.12] -->|was| B[native-tls / hyper-tls]
A2[reqwest 0.13] -->|now| C[rustls 0.23]
C --> D[aws-lc-rs]
D --> E[aws-lc-sys\nrequires cmake + C compiler]
A2 --> F[removes hyper-tls\nforeign-types]
G[libsql 0.6] -->|was| H[libsql-ffi 0.5\ncc only]
G2[libsql 0.9.30] -->|now| I[libsql-ffi 0.9.30\ncc + cmake]
subgraph Bug Fixes
J[anyhow 1.0.103\nStacked Borrows UB fix]
K[http 1.4.1-1.4.2\nuse-after-free + stacked borrows fix]
L[tokio 1.52.3\n4 mpsc channel bugs fixed]
M[hyper 1.10.x\nbusy-loop + 32-bit body fix]
end
%%{init: {'theme': 'base', 'themeVariables': {"darkMode": true, "background": "#0d1117", "primaryColor": "#21262d", "primaryTextColor": "#e6edf3", "primaryBorderColor": "#8b949e", "lineColor": "#8b949e", "textColor": "#e6edf3", "edgeLabelBackground": "#161b22", "actorBkg": "#21262d", "actorBorder": "#8b949e", "actorTextColor": "#e6edf3", "actorLineColor": "#8b949e", "signalColor": "#8b949e", "signalTextColor": "#e6edf3", "noteBkgColor": "#373320", "noteBorderColor": "#d4a72c", "noteTextColor": "#f0e6c0", "labelBoxBkgColor": "#21262d", "labelBoxBorderColor": "#8b949e", "labelTextColor": "#e6edf3", "loopTextColor": "#e6edf3", "activationBkgColor": "#30363d", "activationBorderColor": "#8b949e"}}}%%
flowchart TD
A[reqwest 0.12] -->|was| B[native-tls / hyper-tls]
A2[reqwest 0.13] -->|now| C[rustls 0.23]
C --> D[aws-lc-rs]
D --> E[aws-lc-sys\nrequires cmake + C compiler]
A2 --> F[removes hyper-tls\nforeign-types]
G[libsql 0.6] -->|was| H[libsql-ffi 0.5\ncc only]
G2[libsql 0.9.30] -->|now| I[libsql-ffi 0.9.30\ncc + cmake]
subgraph Bug Fixes
J[anyhow 1.0.103\nStacked Borrows UB fix]
K[http 1.4.1-1.4.2\nuse-after-free + stacked borrows fix]
L[tokio 1.52.3\n4 mpsc channel bugs fixed]
M[hyper 1.10.x\nbusy-loop + 32-bit body fix]
end
Prompt To Fix All With AIFix the following 1 code review issue. Work through them one at a time, proposing concise fixes.
---
### Issue 1 of 1
Cargo.toml:19
**New cmake build dependency via reqwest 0.13**
`reqwest` 0.13 switches the default TLS backend to `rustls` with `aws-lc-rs` as the crypto provider, which pulls in `aws-lc-sys`. That crate compiles native C/C++ code and requires `cmake` (and a compatible C compiler) to be present at build time. `libsql-ffi` 0.9.30 also adds `cmake` as a new build dependency. Any CI runner, Docker image, or developer machine that previously built this project without `cmake` installed will now fail at the compile step. Confirming that all build environments have `cmake` available (or pinning a `rustls-no-provider`/`ring` feature for reqwest) would de-risk this.
Reviews (1): Last reviewed commit: "chore(deps): bump the cargo group across..." | Re-trigger Greptile |
| "service" | ||
| ] } | ||
| reqwest = { version = "0.12", features = [ "json" ] } | ||
| reqwest = { version = "0.13", features = [ "json" ] } |
There was a problem hiding this comment.
New cmake build dependency via reqwest 0.13
reqwest 0.13 switches the default TLS backend to rustls with aws-lc-rs as the crypto provider, which pulls in aws-lc-sys. That crate compiles native C/C++ code and requires cmake (and a compatible C compiler) to be present at build time. libsql-ffi 0.9.30 also adds cmake as a new build dependency. Any CI runner, Docker image, or developer machine that previously built this project without cmake installed will now fail at the compile step. Confirming that all build environments have cmake available (or pinning a rustls-no-provider/ring feature for reqwest) would de-risk this.
Prompt To Fix With AI
This is a comment left during a code review.
Path: Cargo.toml
Line: 19
Comment:
**New cmake build dependency via reqwest 0.13**
`reqwest` 0.13 switches the default TLS backend to `rustls` with `aws-lc-rs` as the crypto provider, which pulls in `aws-lc-sys`. That crate compiles native C/C++ code and requires `cmake` (and a compatible C compiler) to be present at build time. `libsql-ffi` 0.9.30 also adds `cmake` as a new build dependency. Any CI runner, Docker image, or developer machine that previously built this project without `cmake` installed will now fail at the compile step. Confirming that all build environments have `cmake` available (or pinning a `rustls-no-provider`/`ring` feature for reqwest) would de-risk this.
How can I resolve this? If you propose a fix, please make it concise.


Bumps the cargo group with 10 updates in the / directory:
1.50.01.52.30.8.80.8.91.8.11.10.10.12.280.13.41.0.1491.0.1504.6.04.6.10.10.90.11.00.6.00.9.301.4.01.4.21.0.1021.0.103Updates
tokiofrom 1.50.0 to 1.52.3Release notes
Sourced from tokio's releases.
... (truncated)
Commits
d875691chore: prepare Tokio v1.52.3 (#8130)e1aebb0Merge 'tokio-1.51.3' into 'tokio-1.52.x' (#8129)fd63094chore: prepare Tokio v1.51.3 (#8127)8c600d0Merge 'tokio-1.47.5' into 'tokio-1.51.x' (#8123)11bfc13chore: prepare Tokio v1.47.5 (#8122)f085b62sync: notify receivers in mpscOwnedPermit::release()method (#8075)30d25ccsync: require that anRwLockhasmax_readers != 0(#8076)9fccf53sync: returnEmptyfromtry_recv()when mpsc is closed with outstanding p...ebf61b4sync: fix underflow in mpsc channellen()(#8062)4abe9d7chore: prepare Tokio v1.52.2 (#8115)Updates
axumfrom 0.8.8 to 0.8.9Release notes
Sourced from axum's releases.
Commits
c59208crevert axum-core changelog changes99068f5Revert "FixIntoResponsefor tuples overriding error response codes (#3603)"23d7098Revert "axum-core 0.5.6"e8a39adaxum-macros 0.5.16e9a249axum-extra 0.12.60ec9041axum 0.8.9c3fcebbaxum-core 0.5.6a8790fcupdate release notes26ba7bbdocs: consolidate state management docs in crate root (#3683)9fc59efUpdate to tokio-tungstenite 0.29 (#3689)Updates
hyperfrom 1.8.1 to 1.10.1Release notes
Sourced from hyper's releases.
... (truncated)
Changelog
Sourced from hyper's changelog.
... (truncated)
Commits
e3bcd37v1.10.1c6cb906fix(http1): fix busy loop when peer half-closes and open body (#4086)54e8511v1.10.079dbab6style(ext): fix manual_assert lint (#4079)cca6bf1style(client): removing wildcard_imports lint allowance (#4080)3cc1158test(client): fix misuse of path_and_query in CONNECT test (#4078)cad38b7chore(lib): start a strict clippy config (#4075)7bb1d03chore(ci): fix security-audit job (#4076)5dbcae7docs(lib): fixup markdown and grammar in doc comments (#4074)08ef365refactor(lib): replace unwraps with expects (#4073)Updates
reqwestfrom 0.12.28 to 0.13.4Release notes
Sourced from reqwest's releases.
... (truncated)
Changelog
Sourced from reqwest's changelog.
Commits
11489b3v0.13.4d31ffbbfeat: Expose HTTP2 keep alive configurations in blocking client (#3043)79ed0d7feat: support TLS 1.3 as min version under native-tls 🎉 (#2975)fb7bf6afix: remove unwrap in hickory initialization (#3041)3da616ffix: update hickory-resolver to 0.26 and adjust code accordingly (#3040)c77e7b2fix(http3): use happy eyeballs for h3 connect (#3030)9cbb65bchore: clean up minimal-versions CI job (#3039)17a7dc5chore: upgrade MSRV to 1.85 (#3038)03db63afix(redirect): strip sensitive headers on scheme change across redirects (#3034)4b813a8feat: add tls_sslkeylogfile builder method (#2923)Updates
serde_jsonfrom 1.0.149 to 1.0.150Release notes
Sourced from serde_json's releases.
Commits
a1ae73aRelease 1.0.1501a360b0Merge pull request #1324 from puneetdixit200/reject-non-string-enum-keys2037b63Reject non-string enum object keys5d30df6Resolve manual_assert_eq pedantic clippy lintdc8003aRaise required compiler for preserve_order feature to 1.85a42fa98Unpin CI miri toolchain684a60ePin CI miri to nightly-2026-02-117c7da33Raise required compiler to Rust 1.71acf4850Simplify Number::is_f646b8ceabResolve unnecessary_map_or clippy lintUpdates
clapfrom 4.6.0 to 4.6.1Release notes
Sourced from clap's releases.
Changelog
Sourced from clap's changelog.
Commits
1420275chore: Released2c817ddocs: Update changelogf88c94eMerge pull request #6341 from epage/sepacbb822fix(complete): Reduce risk of conflict with actual subcommandsa49fadbrefactor(complete): Pull out subcommand separatorddc008bMerge pull request #6332 from epage/update497dc50chore: Update compatible dependenciesdca2326Merge pull request #6331 from clap-rs/renovate/j178-prek-action-2.x54bdaa3chore(deps): Update j178/prek-action action to v2f0d30d9chore: ReleaseUpdates
sha2from 0.10.9 to 0.11.0Commits
ffe0939Release sha2 0.11.0 (#806)8991b65Use the standard order of the[package]section fields (#807)3d2bc57sha2: refactor backends (#802)faa55fbsha3: bumpkeccakto v0.2 (#803)d3e6489sha3 v0.11.0-rc.9 (#801)bbf6f51sha2: tweak backend docs (#800)155dbbfsha3: add default value for theDSgeneric parameter onTurboShake128/256...ed514f2Use published version ofkeccakv0.2 (#799)702bcd8Migrate to closure-basedkeccak(#796)827c043sha3 v0.11.0-rc.8 (#794)Updates
libsqlfrom 0.6.0 to 0.9.30Commits
0653c570.9.30dda0414libsql: Fix total_changes accumulation for SQL over HTTP batch execution (#2220)eb0fe77Pin cargo-chef to 0.1.75 to fix Docker build on rustc 1.85.03044eb7Fix Docker build by using --locked for cargo-chef install (#2222)46a0527Fix Docker build by using --locked for cargo-chef install5835b55bindings/c: Add support for Intel architecture (#2218)b7cc2b8libsql: Fix total_changes accumulation for SQL over HTTP batch execution99e6ad3libsql-sqlite3: Pin psm version in extension tests (#2221)79b5acelibsql-sqlite3: Pin psm version in extension testscd605ebAdd support for intelUpdates
httpfrom 1.4.0 to 1.4.2Release notes
Sourced from http's releases.
Changelog
Sourced from http's changelog.
Commits
82db5b8v1.4.2a9cdbf8fix(uri): reject DEL character (#842)df75ca3fix(uri): allow STAR paths with scheme/auth (#843)ec3f8cefeat(method): impl PartialOrd + Ord (#840)a24c968v1.4.1bc3b044fix(header): use a set_len guard in IntoIter drop (#838)1b968dcfix(header): fix stacked borrows for IterMut/ValuesIterMut (#837)6e2dd42fix: clamp Extend size hint so HeaderMap reserve cannot overflow (#833)68e0abbdocs: fix typo in request builder docs (#831)29dd307docs(extensions): rephrase internal comment (#827)Updates
anyhowfrom 1.0.102 to 1.0.103Release notes
Sourced from anyhow's releases.
Commits
5bdb0e2Release 1.0.103e621bd3Merge pull request #452 from dtolnay/downcast6e8c000Eliminate pointer->reference->pointer during downcast67c4abdAdd regression test for issue 451917a169Update actions/upload-artifact@v6 -> v7d9dc3faUpdate actions/checkout@v6 -> v7841522bRaise minimum tested compiler to rust 1.85Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore <dependency name> major versionwill close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)@dependabot ignore <dependency name> minor versionwill close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)@dependabot ignore <dependency name>will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)@dependabot unignore <dependency name>will remove all of the ignore conditions of the specified dependency@dependabot unignore <dependency name> <ignore condition>will remove the ignore condition of the specified dependency and ignore conditionsSummary by cubic
Update core networking and database dependencies to latest minor/patch versions for security and stability, including
reqwest0.13 withrustlsby default andlibsql0.9.30 fixes. No app code changes.Dependencies
reqwest0.13.4 (default TLS isrustls; HTTP/3 and redirect handling fixes)hyper1.10.1 andhttp1.4.2 (HTTP/1.x and HTTP/2 fixes)tokio1.52.3 (runtime reliability fixes)axum0.8.9 (minor fixes)libsql0.9.30 (batchtotal_changesfix)serde_json1.0.150,clap4.6.1,sha20.11.0,anyhow1.0.103Migration
rustlswith platform verifier; re-test outbound HTTPS calls.Written for commit c8b1713. Summary will update on new commits.