Skip to content

chore(deps): bump the cargo group across 1 directory with 10 updates#22

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/cargo/cargo-c0f63e1cf6
Open

chore(deps): bump the cargo group across 1 directory with 10 updates#22
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/cargo/cargo-c0f63e1cf6

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 27, 2026

Copy link
Copy Markdown

Bumps the cargo group with 10 updates in the / directory:

Package From To
tokio 1.50.0 1.52.3
axum 0.8.8 0.8.9
hyper 1.8.1 1.10.1
reqwest 0.12.28 0.13.4
serde_json 1.0.149 1.0.150
clap 4.6.0 4.6.1
sha2 0.10.9 0.11.0
libsql 0.6.0 0.9.30
http 1.4.0 1.4.2
anyhow 1.0.102 1.0.103

Updates tokio from 1.50.0 to 1.52.3

Release notes

Sourced from tokio's releases.

Tokio v1.52.3

1.52.3 (May 8th, 2026)

Fixed

  • sync: fix underflow in mpsc channel len() (#8062)
  • sync: notify receivers in mpsc OwnedPermit::release() method (#8075)
  • sync: require that an RwLock has max_readers != 0 (#8076)
  • sync: return Empty from try_recv() when mpsc is closed with outstanding permits (#8074)

#8062: tokio-rs/tokio#8062 #8074: tokio-rs/tokio#8074 #8075: tokio-rs/tokio#8075 #8076: tokio-rs/tokio#8076

Tokio v1.52.2

1.52.2 (May 4th, 2026)

This release reverts the LIFO slot stealing change introduced in 1.51.0 (#7431), due to [its performance impact]#8065. (#8100)

#7431: tokio-rs/tokio#7431 #8065: tokio-rs/tokio#8065 #8100: tokio-rs/tokio#8100

Tokio v1.52.1

1.52.1 (April 16th, 2026)

Fixed

  • runtime: revert #7757 to fix [a regression]#8056 that causes spawn_blocking to hang (#8057)

#7757: tokio-rs/tokio#7757 #8056: tokio-rs/tokio#8056 #8057: tokio-rs/tokio#8057

Tokio v1.52.0

1.52.0 (April 14th, 2026)

Added

  • io: AioSource::register_borrowed for I/O safety support (#7992)
  • net: add try_io function to unix::pipe sender and receiver types (#8030)

Added (unstable)

  • runtime: Builder::enable_eager_driver_handoff setting enable eager hand off of the I/O and time drivers before polling tasks (#8010)
  • taskdump: add trace_with() for customized task dumps (#8025)
  • taskdump: allow impl FnMut() in trace_with instead of just fn() (#8040)
  • fs: support io_uring in AsyncRead for File (#7907)

... (truncated)

Commits

Updates axum from 0.8.8 to 0.8.9

Release notes

Sourced from axum's releases.

axum-v0.8.9

  • added: WebSocketUpgrade::{requested_protocols, set_selected_protocol} for more flexible subprotocol selection (#3597)
  • changed: Update minimum rust version to 1.80 (#3620)
  • fixed: Set connect endpoint on correct field in MethodRouter (#3656)
  • fixed: Return specific error message when multipart body limit is exceeded (#3611)

#3597: tokio-rs/axum#3597 #3620: tokio-rs/axum#3620 #3656: tokio-rs/axum#3656 #3611: tokio-rs/axum#3611

Commits

Updates hyper from 1.8.1 to 1.10.1

Release notes

Sourced from hyper's releases.

v1.10.1

What's Changed

Full Changelog: hyperium/hyper@v1.10.0...v1.10.1

v1.10.0

Features

Bug Fixes

  • http1:
  • http2:
    • do not reserve capacity before body data is available (#4061) (99f24345, closes #4003)
    • reading trailers shouldn't propagate NO_ERROR from early response (#3998) (e5ad96b1)

Refactors, chores, et al

New Contributors

... (truncated)

Changelog

Sourced from hyper's changelog.

v1.10.1 (2026-05-29)

Bug Fixes

  • http1: fix busy loop when peer half-closes and open body (#4086) (c6cb906f, closes #4085)

v1.10.0 (2026-05-27)

Bug Fixes

  • http1:
  • http2:
    • do not reserve capacity before body data is available (#4061) (99f24345, closes #4003)
    • reading trailers shouldn't propagate NO_ERROR from early response (#3998) (e5ad96b1)

Features

v1.9.0 (2026-03-31)

Bug Fixes

  • ffi: validate null pointers before dereferencing in request/response functions (#4038 (28e73ccd)
  • http1:
  • http2:
    • cancel sending client request body on response future drop (#4042) (5b17a69e, closes #4040)
    • non-utf8 char in Connection header may cause panic when calling to_str (#4019) (c36ca8a5)

Features

  • client:
  • error: add 'Error::is_parse_version_h2' method (393c77c7)

... (truncated)

Commits

Updates reqwest from 0.12.28 to 0.13.4

Release notes

Sourced from reqwest's releases.

v0.13.4

tl;dr

  • Add ClientBuilder::tls_sslkeylogfile(bool) option to allow using the related environment variable.
  • Add ClientBuilder::http2_keep_alive_* options for the blocking client.
  • Add TLS 1.3 support when using native-tls backend.
  • Fix redirect handling to strip sensitive headers when the scheme changes.
  • Fix HTTP/3 happy-eyeball connection creation.
  • Upgrade hickory-resolver to 0.26.

What's Changed

New Contributors

Full Changelog: seanmonstar/reqwest@v0.13.3...v0.13.4

v0.13.3

tl;dr

  • Fix CertificateRevocationList parsing of PEM values.
  • Fix logging in resolver to only show host, not full URL.
  • Fix hickory-dns to fallback to a default if /etc/resolv.conf fails.
  • Fix HTTP/3 to handle STOP_SENDING as not an error.
  • Fix HTTP/3 pool to remove timed out QUIC connections.
  • Fix HTTP/3 connection establishment picking IPv4 and IPv6.
  • Upgrade rustls-platform-verifier.
  • (wasm) Only use wasm-bindgen on unknown-* targets.

What's Changed

... (truncated)

Changelog

Sourced from reqwest's changelog.

v0.13.4

  • Add ClientBuilder::tls_sslkeylogfile(bool) option to allow using the related environment variable.
  • Add ClientBuilder::http2_keep_alive_* options for the blocking client.
  • Add TLS 1.3 support when using native-tls backend.
  • Fix redirect handling to strip sensitive headers when the scheme changes.
  • Fix HTTP/3 happy-eyeball connection creation.
  • Upgrade hickory-resolver to 0.26.

v0.13.3

  • Fix CertificateRevocationList parsing of PEM values.
  • Fix logging in resolver to only show host, not full URL.
  • Fix hickory-dns to fallback to a default if /etc/resolv.conf fails.
  • Fix HTTP/3 to handle STOP_SENDING as not an error.
  • Fix HTTP/3 pool to remove timed out QUIC connections.
  • Fix HTTP/3 connection establishment picking IPv4 and IPv6.
  • Upgrade rustls-platform-verifier.
  • (wasm) Only use wasm-bindgen on unknown-* targets.

v0.13.2

  • Fix HTTP/2 and native-tls ALPN feature combinations.
  • Fix HTTP/3 to send h3 ALPN.
  • (wasm) fix RequestBuilder::json() from override previously set content-type.

v0.13.1

  • Fixes compiling with rustls on Android targets.

v0.13.0

  • Breaking changes:
    • rustls is now the default TLS backend, instead of native-tls.
    • rustls crypto provider defaults to aws-lc instead of ring. (rustls-no-provider exists if you want a different crypto provider)
    • rustls-tls has been renamed to rustls.
    • rustls roots features removed, rustls-platform-verifier is used by default.
      • To use different roots, call tls_certs_only(your_roots).
    • native-tls now includes ALPN. To disable, use native-tls-no-alpn.
    • query and form are now crate features, disabled by default.
    • Long-deprecated methods and crate features have been removed (such as trust-dns, which was renamed hickory-dns a while ago).
  • Many TLS-related methods renamed to improve autocompletion and discovery, but previous name left in place with a "soft" deprecation. (just documented, no warnings)
    • For example, prefer tls_backend_rustls() over use_rustls_tls().
Commits
  • 11489b3 v0.13.4
  • d31ffbb feat: Expose HTTP2 keep alive configurations in blocking client (#3043)
  • 79ed0d7 feat: support TLS 1.3 as min version under native-tls 🎉 (#2975)
  • fb7bf6a fix: remove unwrap in hickory initialization (#3041)
  • 3da616f fix: update hickory-resolver to 0.26 and adjust code accordingly (#3040)
  • c77e7b2 fix(http3): use happy eyeballs for h3 connect (#3030)
  • 9cbb65b chore: clean up minimal-versions CI job (#3039)
  • 17a7dc5 chore: upgrade MSRV to 1.85 (#3038)
  • 03db63a fix(redirect): strip sensitive headers on scheme change across redirects (#3034)
  • 4b813a8 feat: add tls_sslkeylogfile builder method (#2923)
  • Additional commits viewable in compare view

Updates serde_json from 1.0.149 to 1.0.150

Release notes

Sourced from serde_json's releases.

v1.0.150

Commits
  • a1ae73a Release 1.0.150
  • 1a360b0 Merge pull request #1324 from puneetdixit200/reject-non-string-enum-keys
  • 2037b63 Reject non-string enum object keys
  • 5d30df6 Resolve manual_assert_eq pedantic clippy lint
  • dc8003a Raise required compiler for preserve_order feature to 1.85
  • a42fa98 Unpin CI miri toolchain
  • 684a60e Pin CI miri to nightly-2026-02-11
  • 7c7da33 Raise required compiler to Rust 1.71
  • acf4850 Simplify Number::is_f64
  • 6b8ceab Resolve unnecessary_map_or clippy lint
  • Additional commits viewable in compare view

Updates clap from 4.6.0 to 4.6.1

Release notes

Sourced from clap's releases.

v4.6.1

[4.6.1] - 2026-04-15

Fixes

  • (derive) Ensure rebuilds happen when an read env variable is changed
Changelog

Sourced from clap's changelog.

[4.6.1] - 2026-04-15

Fixes

  • (derive) Ensure rebuilds happen when an read env variable is changed
Commits
  • 1420275 chore: Release
  • d2c817d docs: Update changelog
  • f88c94e Merge pull request #6341 from epage/sep
  • acbb822 fix(complete): Reduce risk of conflict with actual subcommands
  • a49fadb refactor(complete): Pull out subcommand separator
  • ddc008b Merge pull request #6332 from epage/update
  • 497dc50 chore: Update compatible dependencies
  • dca2326 Merge pull request #6331 from clap-rs/renovate/j178-prek-action-2.x
  • 54bdaa3 chore(deps): Update j178/prek-action action to v2
  • f0d30d9 chore: Release
  • Additional commits viewable in compare view

Updates sha2 from 0.10.9 to 0.11.0

Commits

Updates libsql from 0.6.0 to 0.9.30

Commits
  • 0653c57 0.9.30
  • dda0414 libsql: Fix total_changes accumulation for SQL over HTTP batch execution (#2220)
  • eb0fe77 Pin cargo-chef to 0.1.75 to fix Docker build on rustc 1.85.0
  • 3044eb7 Fix Docker build by using --locked for cargo-chef install (#2222)
  • 46a0527 Fix Docker build by using --locked for cargo-chef install
  • 5835b55 bindings/c: Add support for Intel architecture (#2218)
  • b7cc2b8 libsql: Fix total_changes accumulation for SQL over HTTP batch execution
  • 99e6ad3 libsql-sqlite3: Pin psm version in extension tests (#2221)
  • 79b5ace libsql-sqlite3: Pin psm version in extension tests
  • cd605eb Add support for intel
  • Additional commits viewable in compare view

Updates http from 1.4.0 to 1.4.2

Release notes

Sourced from http's releases.

v1.4.1

tl;dr

  • Fix PathAndQuery::from_static() and from_shared() to reject inputs that do not start with /.
  • Fix Extend for HeaderMap to clamp max size hint and not overflow.
  • Fix header::IntoIter that could use-after-free if the generic value type could panic on drop.
  • Fix header::{IterMut, ValuesIterMut} to not violate stacked borrows.

What's Changed

New Contributors

Full Changelog: hyperium/http@v1.4.0...v1.4.1

Changelog

Sourced from http's changelog.

1.4.2 (June 8, 2026)

  • Fix uri::Builder to allow "*" as the path when scheme and authority are also set, used in HTTP/2 requests.
  • Fix Uri to properly reject DEL characters.

1.4.1 (May 25, 2026)

  • Fix PathAndQuery::from_static() and from_shared() to reject inputs that do not start with /.
  • Fix Extend for HeaderMap to clamp max size hint and not overflow.
  • Fix header::IntoIter that could use-after-free if the generic value type could panic on drop.
  • Fix header::{IterMut, ValuesIterMut} to not violate stacked borrows.
Commits

Updates anyhow from 1.0.102 to 1.0.103

Release notes

Sourced from anyhow's releases.

1.0.103

  • Fix Stacked Borrows violation (UB) in Error::downcast_mut (#451, #452)
Commits
  • 5bdb0e2 Release 1.0.103
  • e621bd3 Merge pull request #452 from dtolnay/downcast
  • 6e8c000 Eliminate pointer->reference->pointer during downcast
  • 67c4abd Add regression test for issue 451
  • 917a169 Update actions/upload-artifact@v6 -> v7
  • d9dc3fa Update actions/checkout@v6 -> v7
  • 841522b Raise minimum tested compiler to rust 1.85
  • See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Summary by cubic

Update core networking and database dependencies to latest minor/patch versions for security and stability, including reqwest 0.13 with rustls by default and libsql 0.9.30 fixes. No app code changes.

  • Dependencies

    • reqwest 0.13.4 (default TLS is rustls; HTTP/3 and redirect handling fixes)
    • hyper 1.10.1 and http 1.4.2 (HTTP/1.x and HTTP/2 fixes)
    • tokio 1.52.3 (runtime reliability fixes)
    • axum 0.8.9 (minor fixes)
    • libsql 0.9.30 (batch total_changes fix)
    • Also: serde_json 1.0.150, clap 4.6.1, sha2 0.11.0, anyhow 1.0.103
  • Migration

    • Requires Rust 1.85+.
    • TLS now uses rustls with platform verifier; re-test outbound HTTPS calls.

Written for commit c8b1713. Summary will update on new commits.

Bumps the cargo group with 10 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [tokio](https://github.com/tokio-rs/tokio) | `1.50.0` | `1.52.3` |
| [axum](https://github.com/tokio-rs/axum) | `0.8.8` | `0.8.9` |
| [hyper](https://github.com/hyperium/hyper) | `1.8.1` | `1.10.1` |
| [reqwest](https://github.com/seanmonstar/reqwest) | `0.12.28` | `0.13.4` |
| [serde_json](https://github.com/serde-rs/json) | `1.0.149` | `1.0.150` |
| [clap](https://github.com/clap-rs/clap) | `4.6.0` | `4.6.1` |
| [sha2](https://github.com/RustCrypto/hashes) | `0.10.9` | `0.11.0` |
| [libsql](https://github.com/tursodatabase/libsql) | `0.6.0` | `0.9.30` |
| [http](https://github.com/hyperium/http) | `1.4.0` | `1.4.2` |
| [anyhow](https://github.com/dtolnay/anyhow) | `1.0.102` | `1.0.103` |



Updates `tokio` from 1.50.0 to 1.52.3
- [Release notes](https://github.com/tokio-rs/tokio/releases)
- [Commits](tokio-rs/tokio@tokio-1.50.0...tokio-1.52.3)

Updates `axum` from 0.8.8 to 0.8.9
- [Release notes](https://github.com/tokio-rs/axum/releases)
- [Changelog](https://github.com/tokio-rs/axum/blob/main/CHANGELOG.md)
- [Commits](tokio-rs/axum@axum-v0.8.8...axum-v0.8.9)

Updates `hyper` from 1.8.1 to 1.10.1
- [Release notes](https://github.com/hyperium/hyper/releases)
- [Changelog](https://github.com/hyperium/hyper/blob/master/CHANGELOG.md)
- [Commits](hyperium/hyper@v1.8.1...v1.10.1)

Updates `reqwest` from 0.12.28 to 0.13.4
- [Release notes](https://github.com/seanmonstar/reqwest/releases)
- [Changelog](https://github.com/seanmonstar/reqwest/blob/master/CHANGELOG.md)
- [Commits](seanmonstar/reqwest@v0.12.28...v0.13.4)

Updates `serde_json` from 1.0.149 to 1.0.150
- [Release notes](https://github.com/serde-rs/json/releases)
- [Commits](serde-rs/json@v1.0.149...v1.0.150)

Updates `clap` from 4.6.0 to 4.6.1
- [Release notes](https://github.com/clap-rs/clap/releases)
- [Changelog](https://github.com/clap-rs/clap/blob/master/CHANGELOG.md)
- [Commits](clap-rs/clap@clap_complete-v4.6.0...clap_complete-v4.6.1)

Updates `sha2` from 0.10.9 to 0.11.0
- [Commits](RustCrypto/hashes@sha2-v0.10.9...sha2-v0.11.0)

Updates `libsql` from 0.6.0 to 0.9.30
- [Release notes](https://github.com/tursodatabase/libsql/releases)
- [Commits](tursodatabase/libsql@v0.6.0...libsql-0.9.30)

Updates `http` from 1.4.0 to 1.4.2
- [Release notes](https://github.com/hyperium/http/releases)
- [Changelog](https://github.com/hyperium/http/blob/master/CHANGELOG.md)
- [Commits](hyperium/http@v1.4.0...v1.4.2)

Updates `anyhow` from 1.0.102 to 1.0.103
- [Release notes](https://github.com/dtolnay/anyhow/releases)
- [Commits](dtolnay/anyhow@1.0.102...1.0.103)

---
updated-dependencies:
- dependency-name: tokio
  dependency-version: 1.52.3
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: cargo
- dependency-name: axum
  dependency-version: 0.8.9
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: cargo
- dependency-name: hyper
  dependency-version: 1.10.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: cargo
- dependency-name: reqwest
  dependency-version: 0.13.4
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: cargo
- dependency-name: serde_json
  dependency-version: 1.0.150
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: cargo
- dependency-name: clap
  dependency-version: 4.6.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: cargo
- dependency-name: sha2
  dependency-version: 0.11.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: cargo
- dependency-name: libsql
  dependency-version: 0.9.30
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: cargo
- dependency-name: http
  dependency-version: 1.4.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: cargo
- dependency-name: anyhow
  dependency-version: 1.0.103
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: cargo
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file rust Pull requests that update rust code labels Jun 27, 2026
@sonarqubecloud

Copy link
Copy Markdown

@socket-security

Copy link
Copy Markdown

@socket-security

Copy link
Copy Markdown

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn High
Obfuscated code: cargo tokio is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: Cargo.lockcargo/tokio@1.52.3

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore cargo/tokio@1.52.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

@codacy-production

Copy link
Copy Markdown

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

View in Codacy

🟢 Metrics 0 complexity · 0 duplication

Metric Results
Complexity 0
Duplication 0

View in Codacy

NEW Get contextual insights on your PRs based on Codacy's metrics, along with PR and Jira context, without leaving GitHub. Enable AI reviewer
TIP This summary will be updated as you push new changes.

@codecov

codecov Bot commented Jun 27, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

@greptile-apps

greptile-apps Bot commented Jun 27, 2026

Copy link
Copy Markdown

Greptile Summary

Routine dependabot dependency bump across 10 Rust crates with several bug-fix-only point releases and two notable major/minor upgrades (reqwest 0.12 → 0.13 and libsql 0.6 → 0.9.30). The existing reqwest usage (basic HTTP methods, .header(), .send(), .status()) does not hit any of the 0.13 breaking changes, and neither the query nor form features (now opt-in) are consumed by this codebase.

  • reqwest 0.12 → 0.13: Switches the default TLS backend from native-tls to rustls/aws-lc, removing hyper-tls and foreign-types from the tree and adding aws-lc-sys + aws-lc-rs. aws-lc-sys compiles native C/C++ code via cmake, which is a new build-time requirement.
  • libsql 0.6 → 0.9.30: All libsql sub-crates are bumped in lockstep; libsql-ffi now also adds a cmake build dependency. The API surface used (Builder, Connection, Database, params!) is unchanged.
  • Bug/correctness fixes: anyhow 1.0.103 fixes a Stacked Borrows UB in Error::downcast_mut; http 1.4.1 fixes a potential use-after-free in header::IntoIter and stacked-borrows violations; hyper 1.10.x fixes a busy-loop and a large-body read bug on 32-bit systems; tokio 1.52.3 patches four mpsc channel correctness bugs.

Confidence Score: 4/5

Safe to merge; the existing reqwest, sha2, and libsql API surface is forward-compatible with the new versions, and several upstream bug fixes are beneficial.

All 10 dependency bumps bring only bug-fix or minor feature additions that do not affect the codebase's current API usage. The one practical concern is that both reqwest 0.13 and libsql-ffi 0.9.30 now require cmake at build time, which was not previously needed; this could silently break builds in minimal CI environments but does not affect runtime correctness.

Cargo.toml and Cargo.lock: verify that all CI runners and Docker build images have cmake available before merging.

Important Files Changed

Filename Overview
Cargo.toml Version constraints updated for reqwest (0.12→0.13), sha2 (0.10→0.11), and libsql (0.6→0.9); basic API usage in the codebase is compatible with all new versions.
Cargo.lock Lock file regenerated to match new constraints; adds aws-lc-rs/aws-lc-sys (cmake build deps from reqwest 0.13), chrono, crc32fast, and jni crates; removes hyper-tls, foreign-types, and foreign-types-shared.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[reqwest 0.12] -->|was| B[native-tls / hyper-tls]
    A2[reqwest 0.13] -->|now| C[rustls 0.23]
    C --> D[aws-lc-rs]
    D --> E[aws-lc-sys\nrequires cmake + C compiler]
    A2 --> F[removes hyper-tls\nforeign-types]

    G[libsql 0.6] -->|was| H[libsql-ffi 0.5\ncc only]
    G2[libsql 0.9.30] -->|now| I[libsql-ffi 0.9.30\ncc + cmake]

    subgraph Bug Fixes
      J[anyhow 1.0.103\nStacked Borrows UB fix]
      K[http 1.4.1-1.4.2\nuse-after-free + stacked borrows fix]
      L[tokio 1.52.3\n4 mpsc channel bugs fixed]
      M[hyper 1.10.x\nbusy-loop + 32-bit body fix]
    end
Loading
%%{init: {'theme': 'base', 'themeVariables': {"darkMode": true, "background": "#0d1117", "primaryColor": "#21262d", "primaryTextColor": "#e6edf3", "primaryBorderColor": "#8b949e", "lineColor": "#8b949e", "textColor": "#e6edf3", "edgeLabelBackground": "#161b22", "actorBkg": "#21262d", "actorBorder": "#8b949e", "actorTextColor": "#e6edf3", "actorLineColor": "#8b949e", "signalColor": "#8b949e", "signalTextColor": "#e6edf3", "noteBkgColor": "#373320", "noteBorderColor": "#d4a72c", "noteTextColor": "#f0e6c0", "labelBoxBkgColor": "#21262d", "labelBoxBorderColor": "#8b949e", "labelTextColor": "#e6edf3", "loopTextColor": "#e6edf3", "activationBkgColor": "#30363d", "activationBorderColor": "#8b949e"}}}%%
flowchart TD
    A[reqwest 0.12] -->|was| B[native-tls / hyper-tls]
    A2[reqwest 0.13] -->|now| C[rustls 0.23]
    C --> D[aws-lc-rs]
    D --> E[aws-lc-sys\nrequires cmake + C compiler]
    A2 --> F[removes hyper-tls\nforeign-types]

    G[libsql 0.6] -->|was| H[libsql-ffi 0.5\ncc only]
    G2[libsql 0.9.30] -->|now| I[libsql-ffi 0.9.30\ncc + cmake]

    subgraph Bug Fixes
      J[anyhow 1.0.103\nStacked Borrows UB fix]
      K[http 1.4.1-1.4.2\nuse-after-free + stacked borrows fix]
      L[tokio 1.52.3\n4 mpsc channel bugs fixed]
      M[hyper 1.10.x\nbusy-loop + 32-bit body fix]
    end
Loading

Fix All in Claude Code

Prompt To Fix All With AI
Fix the following 1 code review issue. Work through them one at a time, proposing concise fixes.

---

### Issue 1 of 1
Cargo.toml:19
**New cmake build dependency via reqwest 0.13**

`reqwest` 0.13 switches the default TLS backend to `rustls` with `aws-lc-rs` as the crypto provider, which pulls in `aws-lc-sys`. That crate compiles native C/C++ code and requires `cmake` (and a compatible C compiler) to be present at build time. `libsql-ffi` 0.9.30 also adds `cmake` as a new build dependency. Any CI runner, Docker image, or developer machine that previously built this project without `cmake` installed will now fail at the compile step. Confirming that all build environments have `cmake` available (or pinning a `rustls-no-provider`/`ring` feature for reqwest) would de-risk this.

Reviews (1): Last reviewed commit: "chore(deps): bump the cargo group across..." | Re-trigger Greptile

Comment thread Cargo.toml
"service"
] }
reqwest = { version = "0.12", features = [ "json" ] }
reqwest = { version = "0.13", features = [ "json" ] }

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P2 New cmake build dependency via reqwest 0.13

reqwest 0.13 switches the default TLS backend to rustls with aws-lc-rs as the crypto provider, which pulls in aws-lc-sys. That crate compiles native C/C++ code and requires cmake (and a compatible C compiler) to be present at build time. libsql-ffi 0.9.30 also adds cmake as a new build dependency. Any CI runner, Docker image, or developer machine that previously built this project without cmake installed will now fail at the compile step. Confirming that all build environments have cmake available (or pinning a rustls-no-provider/ring feature for reqwest) would de-risk this.

Prompt To Fix With AI
This is a comment left during a code review.
Path: Cargo.toml
Line: 19

Comment:
**New cmake build dependency via reqwest 0.13**

`reqwest` 0.13 switches the default TLS backend to `rustls` with `aws-lc-rs` as the crypto provider, which pulls in `aws-lc-sys`. That crate compiles native C/C++ code and requires `cmake` (and a compatible C compiler) to be present at build time. `libsql-ffi` 0.9.30 also adds `cmake` as a new build dependency. Any CI runner, Docker image, or developer machine that previously built this project without `cmake` installed will now fail at the compile step. Confirming that all build environments have `cmake` available (or pinning a `rustls-no-provider`/`ring` feature for reqwest) would de-risk this.

How can I resolve this? If you propose a fix, please make it concise.

Fix in Claude Code

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file rust Pull requests that update rust code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants