chore(deps): bump the dependencies group with 8 updates

[dependabot]

Bumps the dependencies group with 8 updates:

Package	From	To
assert_cmd	2.2.1	2.2.2
clap_complete	4.6.3	4.6.5
http	1.4.0	1.4.1
lettre	0.11.21	0.11.22
redis	1.2.0	1.2.2
reqwest	0.13.3	0.13.4
serde_json	1.0.149	1.0.150
tokio	1.52.1	1.52.3

Updates assert_cmd from 2.2.1 to 2.2.2

Changelog

Sourced from assert_cmd's changelog.

[2.2.2] - 2026-05-11

Fixes

• Ensure #[track_caller] works for better panic messages

Commits

• feece89 chore: Release assert_cmd version 2.2.2
• 367cdf7 docs: Update changelog
• a98cc85 Merge pull request #289 from marcospb19/track_caller
• cd2e167 fix: .success() not reporting panic location
• 45a1c74 chore(deps): Update Prek to v0.3.13 (#293)
• f1d9b5b chore(deps): Update Prek to v0.3.12 (#292)
• 1d34bab Merge pull request #291 from epage/template
• d9a70ad style: Make clippy happy
• 4f5b5af chore: Update from _rust template
• 1e1d586 chore(renovate): Fix the tag
• Additional commits viewable in compare view

Updates clap_complete from 4.6.3 to 4.6.5

Commits

• c8c9355 chore: Release
• af74def docs: Update changelog
• c96f222 Merge pull request #6368 from truffle-dev/fix/fish-env-escaping
• 49a05cd fix(complete): Two-pass quote fish env-completer
• e791004 test(complete): Snapshot fish env quoting cases
• 87ec1ad chore: Release
• 78f2529 docs: Update changelog
• b61f270 Merge pull request #6369 from Metbcy/fix/zsh-completion-ordering
• 74c6666 fix(complete): Keep zsh candidate order
• d142d8f Merge pull request #6360 from epage/string
• Additional commits viewable in compare view

Updates http from 1.4.0 to 1.4.1

Release notes

Sourced from http's releases.

v1.4.1

tl;dr

• Fix PathAndQuery::from_static() and from_shared() to reject inputs that do not start with /.
• Fix Extend for HeaderMap to clamp max size hint and not overflow.
• Fix header::IntoIter that could use-after-free if the generic value type could panic on drop.
• Fix header::{IterMut, ValuesIterMut} to not violate stacked borrows.

What's Changed

• chore(header): fix clippy::assign_op_pattern by @​rxc-amzn in hyperium/http#806
• ci: pin itoa in msrv job by @​seanmonstar in hyperium/http#813
• Remove unnecessary explicit lifetimes by @​jplatte in hyperium/http#815
• chore(ci): update to actions/checkout@v6 by @​tottoto in hyperium/http#819
• tests: update to rand 0.10 by @​tottoto in hyperium/http#818
• refactor: Remove usage of float instruction by @​AurelienFT in hyperium/http#823
• refactor(uri): consolidate PathAndQuery::from_shared and from_static by @​seanmonstar in hyperium/http#825
• fix(uri): reject Path::from_shared/from_static if doesn't start with slash by @​seanmonstar in hyperium/http#826
• Rephrase comment by @​daalfox in hyperium/http#827
• Fix typo in request builder docs by @​vleksis in hyperium/http#831
• fix: clamp Extend size hint so HeaderMap reserve cannot overflow by @​SAY-5 in hyperium/http#833
• fix(headers): fix stacked borrows for IterMut/ValuesIterMut by @​seanmonstar in hyperium/http#837
• fix(header): use a set_len guard in IntoIter drop by @​seanmonstar in hyperium/http#838

New Contributors

• @​rxc-amzn made their first contribution in hyperium/http#806
• @​AurelienFT made their first contribution in hyperium/http#823
• @​daalfox made their first contribution in hyperium/http#827
• @​vleksis made their first contribution in hyperium/http#831
• @​SAY-5 made their first contribution in hyperium/http#833

Full Changelog: hyperium/http@v1.4.0...v1.4.1

Changelog

Sourced from http's changelog.

1.4.1 (May 25, 2026)

• Fix PathAndQuery::from_static() and from_shared() to reject inputs that do not start with /.
• Fix Extend for HeaderMap to clamp max size hint and not overflow.
• Fix header::IntoIter that could use-after-free if the generic value type could panic on drop.
• Fix header::{IterMut, ValuesIterMut} to not violate stacked borrows.

Commits

• a24c968 v1.4.1
• bc3b044 fix(header): use a set_len guard in IntoIter drop (#838)
• 1b968dc fix(header): fix stacked borrows for IterMut/ValuesIterMut (#837)
• 6e2dd42 fix: clamp Extend size hint so HeaderMap reserve cannot overflow (#833)
• 68e0abb docs: fix typo in request builder docs (#831)
• 29dd307 docs(extensions): rephrase internal comment (#827)
• ae48fb5 fix(uri): reject Path::from_shared/from_static if doesn't start with slash (#...
• 1ad200e refactor(uri): consolidate PathAndQuery::from_shared and from_static (#825)
• d59d939 refactor: Remove usage of float instruction (#823)
• ed680c4 tests: update to rand 0.10 (#818)
• Additional commits viewable in compare view

Updates lettre from 0.11.21 to 0.11.22

Release notes

Sourced from lettre's releases.

v0.11.22 - update now if you're using Boring TLS

Security

• Fix inverted TLS hostname verification flag in boring-tls backend that silently disabled hostname verification f5efffc

Bug Fixes

• Cap read_response buffer to prevent unbounded memory growth #1143

Misc

• Upgrade rustls-platform-verifier to v0.7 #1136

Changelog

Sourced from lettre's changelog.

v0.11.22 (2026-05-14)

Security

• Fix inverted TLS hostname verification flag in boring-tls backend that silently disabled hostname verification (f5efffc)

Bug Fixes

• Cap read_response buffer to prevent unbounded memory growth (#1143)

Misc

• Upgrade rustls-platform-verifier to v0.7 (#1136)

#1136: lettre/lettre#1136 #1143: lettre/lettre#1143

Commits

• 9b88c4f Prepare v0.11.22
• f5efffc fix(transport-smtp): negate hostname-verify flag for boring-tls
• f62f304 fix(transport-smtp): cap read_response buffer
• fa402db build(deps): upgrade rustls-platform-verifier to v0.7
• See full diff in compare view

Updates redis from 1.2.0 to 1.2.2

Release notes

Sourced from redis's releases.

redis-1.2.2

What's Changed

• Linter fixes (#2075 by @​StefanPalashev)
• Add TLS certificate-based authentication support (#2044 by @​StefanPalashev)
• add changelog entries for backports (#2077 by @​WaffleLapkin)
• Add support for the HOTKEYS commands (#2061 by @​StefanPalashev)
• add set_concurrency_limit to ConnectionManagerConfig (#2080 by @​jiangzhe)
• add support for setting SO_LINGER on redis sockets (#2086 by @​svix-jbrown)
• Support bb8 pool for sentinel client (#2087 by @​banthony42)
• add ?Sized bound to impl AsyncPushSender for std::sync::Arc (#2091 by @​anatawa12)

redis-1.2.1

Changes & Bug fixes

• commands: Stop double-take-ing for mset (#2043 by @​somechris)
• json: Stop double-wrapping commands in RedisResult (#2042 by @​somechris)
• ValueType: Add missing possible types (#2030 by @​somechris)
• Stream idempotent producers (at-most-once guarantee) (#2032 by @​StefanPalashev)
• Improve streaming auth error handling (#2021 by @​alexcole)
• feat: add Slot type and functions to create Slot / Route with key (#2047 by @​anatawa12)
• Fix async connection handling to avoid TCP deadlocks (#2070 by @​PDXKimani)

CI improvements

• ci: Bump Redis/Valkey versions (#2035 by @​somechris)
• ci: Clarify how databases get selected (#2040 by @​somechris)
• README: Declare "supported" versions (#2034 by @​somechris)
• Add EntraID integration tests for OSS cluster API (#2050 by @​StefanPalashev)
• fix new nightly lint & fmt (#2052 by @​nihohit)
• log sentinel test startup failures. (#2062 by @​nihohit)

Commits

• df42d67 Prepare new version (#2097)
• 53a8b6a Bump openssl from 0.10.79 to 0.10.80 (#2096)
• e29a6c1 feat: add ?Sized bound to impl AsyncPushSender for std::sync::Arc<T> (#2091)
• ffc8d25 Support bb8 pool for sentinel client (#2087)
• c811f34 add support for setting SO_LINGER on redis sockets (#2086)
• 6ee2769 Improve the redis-test documentation and make it more accessible (#2082)
• 867b057 add set_concurrency_limit to ConnectionManagerConfig (#2080)
• 3ae0500 Add support for the HOTKEYS commands (#2061)
• 2ab1c32 add changelog entries for backports (#2077)
• a605370 Bump openssl from 0.10.78 to 0.10.79 (#2076)
• Additional commits viewable in compare view

Updates reqwest from 0.13.3 to 0.13.4

Release notes

Sourced from reqwest's releases.

v0.13.4

tl;dr

• Add ClientBuilder::tls_sslkeylogfile(bool) option to allow using the related environment variable.
• Add ClientBuilder::http2_keep_alive_* options for the blocking client.
• Add TLS 1.3 support when using native-tls backend.
• Fix redirect handling to strip sensitive headers when the scheme changes.
• Fix HTTP/3 happy-eyeball connection creation.
• Upgrade hickory-resolver to 0.26.

What's Changed

• fix(tls): improve rustls-no-provider panic message and add module docs by @​smythg4 in seanmonstar/reqwest#3021
• fix: do not lose the url in error when decoding json by @​Dushistov in seanmonstar/reqwest#3026
• Add tls_sslkeylogfile builder method by @​passcod in seanmonstar/reqwest#2923
• fix(redirect): strip sensitive headers on scheme change across redirects by @​SAY-5 in seanmonstar/reqwest#3034
• chore: upgrade MSRV to 1.85 by @​seanmonstar in seanmonstar/reqwest#3038
• chore: clean up minimal-versions CI job by @​seanmonstar in seanmonstar/reqwest#3039
• fix(http3): use happy eyeballs for h3 connect by @​lyuzichong in seanmonstar/reqwest#3030
• fix: update hickory-resolver to 0.26 and adjust code accordingly by @​seanmonstar in seanmonstar/reqwest#3040
• fix: remove unwrap in hickory initialization by @​mat813 in seanmonstar/reqwest#3041
• feat(https): support TLS 1.3 as min version under native-tls 🎉 by @​AverageHelper in seanmonstar/reqwest#2975
• Expose keep alive configurations in blocking client by @​aeb-dev in seanmonstar/reqwest#3043
• Prepare v0.13.4 by @​seanmonstar in seanmonstar/reqwest#3046

New Contributors

• @​smythg4 made their first contribution in seanmonstar/reqwest#3021
• @​Dushistov made their first contribution in seanmonstar/reqwest#3026
• @​SAY-5 made their first contribution in seanmonstar/reqwest#3034
• @​mat813 made their first contribution in seanmonstar/reqwest#3041
• @​AverageHelper made their first contribution in seanmonstar/reqwest#2975
• @​aeb-dev made their first contribution in seanmonstar/reqwest#3043

Full Changelog: seanmonstar/reqwest@v0.13.3...v0.13.4

Changelog

Sourced from reqwest's changelog.

v0.13.4

• Add ClientBuilder::tls_sslkeylogfile(bool) option to allow using the related environment variable.
• Add ClientBuilder::http2_keep_alive_* options for the blocking client.
• Add TLS 1.3 support when using native-tls backend.
• Fix redirect handling to strip sensitive headers when the scheme changes.
• Fix HTTP/3 happy-eyeball connection creation.
• Upgrade hickory-resolver to 0.26.

Commits

• 11489b3 v0.13.4
• d31ffbb feat: Expose HTTP2 keep alive configurations in blocking client (#3043)
• 79ed0d7 feat: support TLS 1.3 as min version under native-tls 🎉 (#2975)
• fb7bf6a fix: remove unwrap in hickory initialization (#3041)
• 3da616f fix: update hickory-resolver to 0.26 and adjust code accordingly (#3040)
• c77e7b2 fix(http3): use happy eyeballs for h3 connect (#3030)
• 9cbb65b chore: clean up minimal-versions CI job (#3039)
• 17a7dc5 chore: upgrade MSRV to 1.85 (#3038)
• 03db63a fix(redirect): strip sensitive headers on scheme change across redirects (#3034)
• 4b813a8 feat: add tls_sslkeylogfile builder method (#2923)
• Additional commits viewable in compare view

Updates serde_json from 1.0.149 to 1.0.150

Release notes

Sourced from serde_json's releases.

v1.0.150

• Reject non-string enum object keys (#1324, thanks @​puneetdixit200)

Commits

• a1ae73a Release 1.0.150
• 1a360b0 Merge pull request #1324 from puneetdixit200/reject-non-string-enum-keys
• 2037b63 Reject non-string enum object keys
• 5d30df6 Resolve manual_assert_eq pedantic clippy lint
• dc8003a Raise required compiler for preserve_order feature to 1.85
• a42fa98 Unpin CI miri toolchain
• 684a60e Pin CI miri to nightly-2026-02-11
• 7c7da33 Raise required compiler to Rust 1.71
• acf4850 Simplify Number::is_f64
• 6b8ceab Resolve unnecessary_map_or clippy lint
• Additional commits viewable in compare view

Updates tokio from 1.52.1 to 1.52.3

Release notes

Sourced from tokio's releases.

Tokio v1.52.3

1.52.3 (May 8th, 2026)

Fixed

• sync: fix underflow in mpsc channel len() (#8062)
• sync: notify receivers in mpsc OwnedPermit::release() method (#8075)
• sync: require that an RwLock has max_readers != 0 (#8076)
• sync: return Empty from try_recv() when mpsc is closed with outstanding permits (#8074)

#8062: tokio-rs/tokio#8062 #8074: tokio-rs/tokio#8074 #8075: tokio-rs/tokio#8075 #8076: tokio-rs/tokio#8076

Tokio v1.52.2

1.52.2 (May 4th, 2026)

This release reverts the LIFO slot stealing change introduced in 1.51.0 (#7431), due to [its performance impact]#8065. (#8100)

#7431: tokio-rs/tokio#7431 #8065: tokio-rs/tokio#8065 #8100: tokio-rs/tokio#8100

Commits

• d875691 chore: prepare Tokio v1.52.3 (#8130)
• e1aebb0 Merge 'tokio-1.51.3' into 'tokio-1.52.x' (#8129)
• fd63094 chore: prepare Tokio v1.51.3 (#8127)
• 8c600d0 Merge 'tokio-1.47.5' into 'tokio-1.51.x' (#8123)
• 11bfc13 chore: prepare Tokio v1.47.5 (#8122)
• f085b62 sync: notify receivers in mpsc OwnedPermit::release() method (#8075)
• 30d25cc sync: require that an RwLock has max_readers != 0 (#8076)
• 9fccf53 sync: return Empty from try_recv() when mpsc is closed with outstanding p...
• ebf61b4 sync: fix underflow in mpsc channel len() (#8062)
• 4abe9d7 chore: prepare Tokio v1.52.2 (#8115)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[github-actions]

Bencher Report

Branch	dependabot/cargo/dependencies-a3b0012e9b
Testbed	github-ubuntu-latest

Click to view all benchmark results

Benchmark	Latency	Benchmark Result milliseconds (ms) (Result Δ%)	Upper Boundary milliseconds (ms) (Limit %)
empty_router/empty_router	📈 view plot 🚷 view threshold	7.12 ms (+16.19%) Baseline: 6.13 ms	7.77 ms (91.61%)
json_api/json_api	📈 view plot 🚷 view threshold	1.17 ms (+8.21%) Baseline: 1.08 ms	1.33 ms (87.86%)
nested_routers/nested_routers	📈 view plot 🚷 view threshold	1.06 ms (+6.26%) Baseline: 1.00 ms	1.21 ms (87.66%)
single_root_route/single_root_route	📈 view plot 🚷 view threshold	1.03 ms (+7.17%) Baseline: 0.96 ms	1.17 ms (87.75%)
single_root_route_burst/single_root_route_burst	📈 view plot 🚷 view threshold	19.90 ms (+12.85%) Baseline: 17.64 ms	21.13 ms (94.20%)

🐰 View full continuous benchmarking report in Bencher

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

Flag	Coverage Δ
rust	90.26% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.