fix(deps): update all

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
hyper (source)	dependencies	minor	1.8.1 → 1.10.1
hyper-rustls	dependencies	patch	0.27.7 → 0.27.9
libversion-sys	dependencies	digest	6839151 → 93c5691
once_cell	dependencies	patch	1.21.3 → 1.21.4
quick-xml	dependencies	minor	0.39.0 → 0.40.0
rand (source)	dev-dependencies	patch	0.10.0 → 0.10.1
regex	dependencies	patch	1.12.3 → 1.12.4
reqwest	dependencies	patch	0.13.2 → 0.13.4
rustls	dependencies	patch	0.23.36 → 0.23.40
rustls-platform-verifier	dependencies	minor	0.6.2 → 0.7.0
serde_json	dependencies	patch	1.0.149 → 1.0.150
serial_test	dev-dependencies	minor	3.4.0 → 3.5.0
tempfile (source)	dev-dependencies	minor	3.26.0 → 3.27.0
tokio	dependencies	minor	1.49.0 → 1.52.3
uuid	dependencies	minor	1.21.0 → 1.23.3

---

Release Notes

hyperium/hyper (hyper)

v1.10.1

Compare Source

Bug Fixes

• http1: fix busy loop when peer half-closes and open body (#​4086) (c6cb906f, closes #​4085)

v1.10.0

Compare Source

Bug Fixes

• http1:
  • send error when dispatcher is dropped mid-body (#​4069) (b7a679ba, closes #​3995, #​4016)
  • fix reading large bodies on 32-bit systems (#​4056) (b12f6525, closes #​4055)
  • fix rare missed write wakeup on connections v2 (743a3ba0)
• http2:
  • do not reserve capacity before body data is available (#​4061) (99f24345, closes #​4003)
  • reading trailers shouldn't propagate NO_ERROR from early response (#​3998) (e5ad96b1)

Features

• http2:
  • add reset_stream_duration() client option (#​4068) (156a6f6a, closes #​2599)
  • Add 'header_table_size()' method to server builder (#​4062) (6c9182c4)

v1.9.0

Compare Source

Bug Fixes

• ffi: validate null pointers before dereferencing in request/response functions (#​4038 (28e73ccd)
• http1:
  • allow keep-alive for chunked requests with trailers (#​4043) (7211ec25, closes #​4044)
  • use case-insensitive matching for trailer fields (#​4011) (3b344cac, closes #​4010)
  • use httparse config for Servers (#​4002) (bcb8ec57, closes #​3923)
• http2:
  • cancel sending client request body on response future drop (#​4042) (5b17a69e, closes #​4040)
  • non-utf8 char in Connection header may cause panic when calling to_str (#​4019) (c36ca8a5)

Features

• client:
  • expose HTTP/2 current max stream count (#​4026) (d51cb715)
  • add HTTP/2 max_local_error_reset_streams option (#​4021) (57787459)
• error: add 'Error::is_parse_version_h2' method (393c77c7)
• http1: add UpgradeableConnection::into_parts (e21205cf)

v1.8.1 (2025-11-13)

Bug Fixes

• http1: fix consuming extra CPU from previous change (#​3977) (4492f31e)

matklad/once_cell (once_cell)

v1.21.4

Compare Source

• Fix unsoundness in OnceCell::wait under --features=parking_lot, #​295.

  If thread A calls wait, while thread B calls get_or_try_init(f), and, furthermore, f panics,
  the wait incorrectly returns and thread A observes uninitialized memory.

  Kudos to @​meng-xu-cs for a nice find!

tafia/quick-xml (quick-xml)

v0.40.1

Compare Source

Bug Fixes

• #​964: Fix unreachable!() panic in the serde deserializer when a DOCTYPE
  declaration appears between two text runs inside an element (e.g.
  <a>x<!DOCTYPE y>z</a>). The DOCTYPE used to break drain_text's
  consecutive-text merge, so two DeEvent::Text events reached
  read_text and tripped its "Cannot be two consequent Text events"
  invariant. DOCTYPE is now treated as transparent during text drain —
  it still goes through the entity resolver, but the surrounding text
  is merged into one run. Discovered via libFuzzer on a real-world
  SAML deserializer harness.

Misc Changes

v0.40.0

Compare Source

MSRV bumped to 1.79.

Now quick-xml supports the UTF-16 encoded documents. See the new DecodingReader type.

New Features

• #​956: Add DecodingReader, a BufRead adapter that auto-detects encoding
  from BOM or XML declaration and transcodes to UTF-8. Enabled by the encoding feature.

• #​938: Add new enumeration XmlVersion and typified getter BytesDecl::xml_version().

• #​938: Add new error variant IllFormedError::UnknownVersion.

• #​371: Add new error variant EscapeError::TooManyNestedEntities.

• #​371: Improved compliance with the XML attribute value normalization process by adding

  • Attribute::normalized_value()
  • Attribute::normalized_value_with()
  • Attribute::decoded_and_normalized_value()
  • Attribute::decoded_and_normalized_value_with()

  which ought to be used in place of deprecated

  • Attribute::unescape_value()
  • Attribute::unescape_value_with()
  • Attribute::decode_and_unescape_value()
  • Attribute::decode_and_unescape_value_with()

  Deprecated functions now behaves the same as newly added.

Bug Fixes

• #​938: Use correct rules for EOL normalization in Deserializer when parse XML 1.0 documents.
  Previously XML 1.1. rules was applied.

Misc Changes

• #​914: Remove deprecated .prefixes(), .resolve(), .resolve_attribute(), and .resolve_element()
  of NsReader. Use .resolver().<...> methods instead.
• #​938: Now BytesText::xml_content, BytesCData::xml_content and BytesRef::xml_content
  accepts XmlVersion parameter to apply correct EOL normalization rules.
• #​944: read_text() now returns BytesText which allows you to get the content with
  properly normalized EOLs. To get the previous behavior use .read_text().decode()?.
• #​956: Bumped MSRV from 1.59 (Feb 2022) to 1.79 (June 2024)

v0.39.4

Compare Source

Bug Fixes

• #​957: Fix slice-index panic when reading malformed DTD whose unknown markup
  is split across BufReader chunks. As with #​950, the returned
  Event::DocType may contain the malformed DTD; this fix only ensures that
  the parser does not panic.
• #​960: Fix sibling slice-index panic when a single chunk delivers < followed
  by 9+ bytes of unknown markup inside a DTD internal subset. Same disposition
  as #​957 / #​950: parser must not panic; DTD validity reporting is a future
  improvement.

v0.39.3

Compare Source

Bug Fixes

• #​950: Fix subtraction with overflow when parse malformed DTD in some cases.
  Note, that currently we do not check the validity of DTD, so the returned Event::DocType
  may contain the malformed DTD.

rust-random/rand (rand)

v0.10.1

Compare Source

This release includes a fix for a soundness bug; see #​1763.

Changes

• Document panic behavior of make_rng and add #[track_caller] (#​1761)
• Deprecate feature log (#​1763)

rust-lang/regex (regex)

v1.12.4

Compare Source

===================
This release includes a performance optimization for compilation of regexes
with very large character classes.

Improvements:

• #​1308:
  Avoid re-canonicalizing the entire interval set when pushing new class ranges.

seanmonstar/reqwest (reqwest)

v0.13.4

Compare Source

• Add ClientBuilder::tls_sslkeylogfile(bool) option to allow using the related environment variable.
• Add ClientBuilder::http2_keep_alive_* options for the blocking client.
• Add TLS 1.3 support when using native-tls backend.
• Fix redirect handling to strip sensitive headers when the scheme changes.
• Fix HTTP/3 happy-eyeball connection creation.
• Upgrade hickory-resolver to 0.26.

v0.13.3

Compare Source

• Fix CertificateRevocationList parsing of PEM values.
• Fix logging in resolver to only show host, not full URL.
• Fix hickory-dns to fallback to a default if /etc/resolv.conf fails.
• Fix HTTP/3 to handle STOP_SENDING as not an error.
• Fix HTTP/3 pool to remove timed out QUIC connections.
• Fix HTTP/3 connection establishment picking IPv4 and IPv6.
• Upgrade rustls-platform-verifier.
• (wasm) Only use wasm-bindgen on unknown-* targets.

palfrey/serial_test (serial_test)

v3.5.0

Compare Source

What's Changed

• Replace scc/sdd with std::sync::Mutex for Miri strict provenance compatibility by @​justanotheranonymoususer in #​157

New Contributors

• @​justanotheranonymoususer made their first contribution in #​157

Full Changelog: palfrey/serial_test@v3.4.0...v3.5.0

Stebalien/tempfile (tempfile)

v3.27.0

Compare Source

This release adds TempPath::try_from_path and deprecates TempPath::from_path.

Prior to this release, TempPath::from_path made no attempts to convert relative paths into absolute paths. The following code would have deleted the wrong file:

let tmp_path = TempPath::from_path("foo")
std::env::set_current_dir("/some/other/path").unwrap();
drop(tmp_path);

Now:

1. TempPath::from_path will attempt to convert relative paths into absolute paths. However, this isn't always possible as we need to call std::env::current_dir, which can fail. If we fail to convert the relative path to an absolute path, we simply keep the relative path.
2. The TempPath::try_from_path behaves exactly like TempPath::from_path, except that it returns an error if we fail to convert a relative path into an absolute path (or if the passed path is empty).

Neither function attempt to verify the existence of the file in question.

Thanks to @​meng-xu-cs for reporting this issue.

uuid-rs/uuid (uuid)

v1.23.3

Compare Source

What's Changed

• Fix up parser panic on empty input by @​KodrAus in #​886
• Prepare for 1.23.3 release by @​KodrAus in #​887

Full Changelog: uuid-rs/uuid@v1.23.2...v1.23.3

v1.23.2

Compare Source

What's Changed

• Improve error messages for ambiguous formats by @​KodrAus in #​882
• Prepare for 1.23.2 release by @​KodrAus in #​883

Full Changelog: uuid-rs/uuid@v1.23.1...v1.23.2

v1.23.1

Compare Source

What's Changed

• Remove deprecated msrv feature from wasm-bindgen dependency by @​guybedford in #​877
• fix: Timestamp::from_gregorian deprecation note by @​aznashwan in #​878
• Prepare for 1.23.1 release by @​KodrAus in #​879

New Contributors

• @​guybedford made their first contribution in #​877
• @​aznashwan made their first contribution in #​878

Full Changelog: uuid-rs/uuid@v1.23.0...v1.23.1

v1.23.0

Compare Source

What's Changed

• feat: add support for 'hyphenated' format in the serde module by @​FrenchDilettante in #​865
• Fix a number of bugs in time-related code by @​KodrAus in #​872
• Reword invalid char error message by @​KodrAus in #​873
• Impl cleanups by @​KodrAus in #​874
• Use LazyLock to synchronize v1/v6 context initialization by @​KodrAus in #​875
• Prepare for 1.23.0 release by @​KodrAus in #​876

New Contributors

• @​FrenchDilettante made their first contribution in #​865

Special thanks

@​meng-xu-cs raised a series of bugs against the timestamp logic in uuid using automated tooling. The issues themselves were reasonably and responsibly presented and the end result is a better uuid library for everyone. Thanks!

Deprecations

This release includes the following deprecations:

• Context: Renamed to ContextV1
• Timestamp::from_gregorian: Renamed to Timestamp::from_gregorian_time

Change to Version::Max

Version::Max's u8 representation has changed from 0xff to 0x0f to match the value returned by Uuid::get_version_num.

Change to Uuid::get_version for the max UUID

Uuid::get_version will only return Some(Version::Max) if the UUID is actually the max UUID (all bytes are 0xff). Previously it would return Some if only the version field was 0x0f. This change matches the behaviour of the nil UUID, which only returns Some(Version::Nil) if the UUID is the nil UUID (all bytes are 0x00).

Full Changelog: uuid-rs/uuid@v1.22.0...v1.23.0

v1.22.0

Compare Source

What's Changed

• Default to rand 0.10 by @​haxtibal in #​863
• Prepare for 1.22.0 release by @​KodrAus in #​864

New Contributors

• @​haxtibal made their first contribution in #​863

Full Changelog: uuid-rs/uuid@v1.21.0...v1.22.0

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.