Skip to content

chore(deps): update rust dependencies#27

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/rust-dependencies
Open

chore(deps): update rust dependencies#27
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/rust-dependencies

Conversation

@renovate

@renovate renovate Bot commented Jun 15, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Type Update Change
anyhow workspace.dependencies patch 1.0.1021.0.103
config workspace.dependencies patch 0.15.230.15.25
feed-rs workspace.dependencies minor 2.3.12.4.0
rand (source) workspace.dependencies patch 0.10.10.10.2
rust-embed workspace.dependencies minor 8.11.08.12.0
tower-http workspace.dependencies minor 0.60.7
uuid workspace.dependencies patch 1.23.31.23.5

Release Notes

dtolnay/anyhow (anyhow)

v1.0.103

Compare Source

  • Fix Stacked Borrows violation (UB) in Error::downcast_mut (#​451, #​452)
rust-cli/config-rs (config)

v0.15.25

Compare Source

Fixes
  • (ron) Support u64, and not just i64

v0.15.24

Compare Source

Fixes
  • (json) Support u64, and not just i64
feed-rs/feed-rs (feed-rs)

v2.4.0

Compare Source

What's Changed

Motivated by RUSTSEC-2026-0194 and RUSTSEC-2026-0195, this release upgrades quick-xml and other dependencies.
It also bumps the MSRV to 1.96.1 per freedesktop-sdk's dependencies.

Thanks to @​gebruder for raising the issue and @​adam-symbolica for the fix.

Full Changelog: feed-rs/feed-rs@v2.3.1...v2.4.0

rust-random/rand (rand)

v0.10.2

Compare Source

Fixes
  • Fix possible memory safety violation due to deserialization of UniformChar from bad source (#​1790)
Changes
  • Document required output order of fn partial_shuffle and apply #[must_use] (#​1769)
  • Avoid usage of unsafe in contexts where non-local memory corruption could invalidate contract (#​1791)
tower-rs/tower-http (tower-http)

v0.7.0

Compare Source

Changes since 0.6.11

Added

  • csrf: add cross-site request forgery (CSRF) protection middleware, porting the cross-origin protection scheme introduced in Go 1.25 (#​699)

    use tower::ServiceBuilder;
    use tower_http::csrf::CsrfLayer;
    
    // Rejects cross-origin state-changing requests using `Sec-Fetch-Site`,
    // an `Origin` allow-list, and an `Origin`/`Host` fallback. No per-request
    // token state required.
    let layer = CsrfLayer::new().add_trusted_origin("https://example.com")?;
    
    let service = ServiceBuilder::new().layer(layer).service_fn(handler);
  • timeout: add DeadlineBody for non-resetting body timeouts, applied via the new RequestBodyDeadlineLayer and ResponseBodyDeadlineLayer (#​688)

    Unlike TimeoutBody, which resets its deadline on every frame, DeadlineBody caps the total time of a body transfer. A slow client trickling one byte at a time never trips an idle timeout but will trip a deadline.

    use std::time::Duration;
    use tower::ServiceBuilder;
    use tower_http::timeout::RequestBodyDeadlineLayer;
    
    // Abort the request body transfer after 30s total, regardless of how
    // frequently data arrives.
    let service = ServiceBuilder::new()
        .layer(RequestBodyDeadlineLayer::new(Duration::from_secs(30)))
        .service_fn(handler);
  • fs: add strong ETag support to ServeDir, including If-Match and If-None-Match precondition handling per RFC 9110. 304 Not Modified responses now carry the ETag and Last-Modified validators (#​691)

  • fs: add a Backend trait to make ServeDir work with non-filesystem sources (e.g. embedded assets or object storage). The default TokioBackend preserves existing behavior. Use ServeDir::with_backend() to plug in custom implementations (#​684)

    use tower_http::services::fs::ServeDir;
    
    // `MyBackend` implements `tower_http::services::fs::Backend`.
    // The default `ServeDir::new()` continues to use `TokioBackend` (local FS).
    let service = ServeDir::with_backend("assets", MyBackend::new());
  • fs: add html_as_default_extension option to ServeDir, appending .html when the request path has no extension (#​519)

  • fs: add redirect_path_prefix option to ServeDir, prepending a prefix on trailing-slash redirects so the service can be mounted under a sub-path (#​486)

  • validate-request: add ValidateRequestHeaderLayer::has_header_value() to reject requests when a header does not have an expected value (#​360)

  • body: UnsyncBoxBody::new() constructor and From<ServeFileSystemResponseBody> conversion to avoid double-boxing when combining ServeDir responses with other body types (#​537)

  • limit: implement Default for limit::ResponseBody when the wrapped body also implements Default (#​679)

Changed

  • breaking: compression: the middleware now handles the * wildcard and identity;q=0 in Accept-Encoding per RFC 9110 §12.5.3. Requests that previously fell back to identity (e.g. *;q=0 or identity;q=0 with no other acceptable encoding) now receive a 406 Not Acceptable response. Clients that explicitly reject all encodings without listing an alternative will see different behavior. (#​693)

  • breaking: compression: upgrade the SizeAbove predicate threshold from u16 to u64, allowing minimum sizes above 64 KiB (#​704)

  • breaking: remove the implicit no-op tokio and async-compression features. These were kept as no-op features in 0.6.x for backwards compatibility after the switch to dep: syntax in #​642. Downstream crates that activate tower-http/tokio or tower http/async-compression should remove those feature entries; the underlying dependencies are still pulled in transitively by the features that need them (e.g. compression-gzip, fs, timeout). (#​628)

  • breaking: trace/classify: include the gRPC error message in tracing output. GrpcCode and GrpcFailureClass are now #[non_exhaustive], and GrpcStatus is exported from the classify module (#​422)

  • breaking: follow-redirect: FollowRedirect now forwards request Extensions to redirected requests instead of dropping them. The Standard policy drops extensions on cross-origin redirections (same-origin keeps them). Opt out with FollowRedirectLayer::preserve_extensions(false); keep specific types with FilterCredentials::allow_extension::<T>() or all of them with keep_all_extensions(). (#​706)

    use tower_http::follow_redirect::FollowRedirectLayer;
    
    // 0.7.0 forwards request `Extensions` across redirects by default.
    // Restore the previous behavior (drop all extensions) with:
    let layer = FollowRedirectLayer::new().preserve_extensions(false);
  • breaking: follow-redirect: header and extension filtering is now cumulative. A value a policy drops on one hop is no longer replayed on later hops, so FilterCredentials no longer re-sends Cookie/Authorization to a same-origin target reached after cross-origin hop. Custom Policy::on_request impls now see the previous hop's filtered request, not the original. (#​706)

  • trace: DefaultOnRequest, DefaultOnResponse, DefaultOnFailure, and DefaultOnEos now explicitly parent their tracing events to the request span rather than relying on the ambient span context. This fixes intermittent cases where events could appear without their request span attached (#​690)

  • cors: relax the Vary header defaults (#​674)

  • MSRV bumped from 1.64 to 1.65 (#​684)

Fixed

  • fs: ServeDir and ServeFile now emit a Vary: Accept-Encoding response
    header when precompressed serving is configured, ensuring caches correctly
    distinguish between compressed and uncompressed variants (#​692)
  • breaking: services: reject a trailing slash for file paths. File requests with a trailing slash now return 404 Not Found instead of serving the file (#​678)
  • fs: fix ServeDir stripping the file extension when serving with identity encoding (#​686)
  • compression: forward trailers from the inner body after compression finishes, fixing dropped gRPC status trailers (#​685)
  • trace: fire on_eos when the inner body reports is_end_stream with a precise content-length (#​687)
  • on-early-drop: suppress the early-drop guard when is_end_stream is reported after a data frame (#​687)
  • set-header: make SetMultipleRequestHeaders and SetMultipleResponseHeaders Clone for non-Clone HTTP bodies (#​703)

Thanks

New Contributors
uuid-rs/uuid (uuid)

v1.23.5

Compare Source

What's Changed

New Contributors

Full Changelog: uuid-rs/uuid@v1.23.4...v1.23.5

v1.23.4

Compare Source

What's Changed

New Contributors

Full Changelog: uuid-rs/uuid@v1.23.3...v1.23.4


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot changed the title chore(deps): update rust dependencies to 0.7 chore(deps): update rust dependencies Jun 16, 2026
@renovate renovate Bot force-pushed the renovate/rust-dependencies branch from 8af4aa7 to 08d8075 Compare June 16, 2026 22:06
@renovate renovate Bot force-pushed the renovate/rust-dependencies branch from 08d8075 to 48ee73b Compare June 24, 2026 22:36
@renovate renovate Bot force-pushed the renovate/rust-dependencies branch from 48ee73b to 78841a8 Compare June 25, 2026 21:45
@renovate renovate Bot force-pushed the renovate/rust-dependencies branch from 78841a8 to df8dbc9 Compare June 26, 2026 21:04
@renovate renovate Bot force-pushed the renovate/rust-dependencies branch from df8dbc9 to 544db2c Compare July 2, 2026 10:34
@renovate renovate Bot force-pushed the renovate/rust-dependencies branch from 544db2c to f4968d4 Compare July 7, 2026 08:47
@renovate renovate Bot force-pushed the renovate/rust-dependencies branch from f4968d4 to f160eb6 Compare July 8, 2026 10:07
@renovate renovate Bot force-pushed the renovate/rust-dependencies branch from f160eb6 to 54bb8a5 Compare July 13, 2026 00:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants