build(deps): bump the cargo-dependencies group across 1 directory with 12 updates

[dependabot]

Bumps the cargo-dependencies group with 12 updates in the / directory:

Package	From	To
reqwest	0.13.3	0.13.4
tower-http	0.6.10	0.6.11
tar	0.4.45	0.4.46
histogram	1.3.1	1.4.1
log	0.4.29	0.4.30
metriken-query	0.10.4	0.10.6
serde_json	1.0.149	1.0.150
autocfg	1.5.0	1.5.1
bumpalo	3.20.2	3.20.3
crypto-common	0.2.1	0.2.2
either	1.15.0	1.16.0
num-conv	0.2.1	0.2.2

Updates reqwest from 0.13.3 to 0.13.4

Release notes

Sourced from reqwest's releases.

v0.13.4

tl;dr

• Add ClientBuilder::tls_sslkeylogfile(bool) option to allow using the related environment variable.
• Add ClientBuilder::http2_keep_alive_* options for the blocking client.
• Add TLS 1.3 support when using native-tls backend.
• Fix redirect handling to strip sensitive headers when the scheme changes.
• Fix HTTP/3 happy-eyeball connection creation.
• Upgrade hickory-resolver to 0.26.

What's Changed

• fix(tls): improve rustls-no-provider panic message and add module docs by @​smythg4 in seanmonstar/reqwest#3021
• fix: do not lose the url in error when decoding json by @​Dushistov in seanmonstar/reqwest#3026
• Add tls_sslkeylogfile builder method by @​passcod in seanmonstar/reqwest#2923
• fix(redirect): strip sensitive headers on scheme change across redirects by @​SAY-5 in seanmonstar/reqwest#3034
• chore: upgrade MSRV to 1.85 by @​seanmonstar in seanmonstar/reqwest#3038
• chore: clean up minimal-versions CI job by @​seanmonstar in seanmonstar/reqwest#3039
• fix(http3): use happy eyeballs for h3 connect by @​lyuzichong in seanmonstar/reqwest#3030
• fix: update hickory-resolver to 0.26 and adjust code accordingly by @​seanmonstar in seanmonstar/reqwest#3040
• fix: remove unwrap in hickory initialization by @​mat813 in seanmonstar/reqwest#3041
• feat(https): support TLS 1.3 as min version under native-tls 🎉 by @​AverageHelper in seanmonstar/reqwest#2975
• Expose keep alive configurations in blocking client by @​aeb-dev in seanmonstar/reqwest#3043
• Prepare v0.13.4 by @​seanmonstar in seanmonstar/reqwest#3046

New Contributors

• @​smythg4 made their first contribution in seanmonstar/reqwest#3021
• @​Dushistov made their first contribution in seanmonstar/reqwest#3026
• @​SAY-5 made their first contribution in seanmonstar/reqwest#3034
• @​mat813 made their first contribution in seanmonstar/reqwest#3041
• @​AverageHelper made their first contribution in seanmonstar/reqwest#2975
• @​aeb-dev made their first contribution in seanmonstar/reqwest#3043

Full Changelog: seanmonstar/reqwest@v0.13.3...v0.13.4

Changelog

Sourced from reqwest's changelog.

v0.13.4

• Add ClientBuilder::tls_sslkeylogfile(bool) option to allow using the related environment variable.
• Add ClientBuilder::http2_keep_alive_* options for the blocking client.
• Add TLS 1.3 support when using native-tls backend.
• Fix redirect handling to strip sensitive headers when the scheme changes.
• Fix HTTP/3 happy-eyeball connection creation.
• Upgrade hickory-resolver to 0.26.

Commits

• 11489b3 v0.13.4
• d31ffbb feat: Expose HTTP2 keep alive configurations in blocking client (#3043)
• 79ed0d7 feat: support TLS 1.3 as min version under native-tls 🎉 (#2975)
• fb7bf6a fix: remove unwrap in hickory initialization (#3041)
• 3da616f fix: update hickory-resolver to 0.26 and adjust code accordingly (#3040)
• c77e7b2 fix(http3): use happy eyeballs for h3 connect (#3030)
• 9cbb65b chore: clean up minimal-versions CI job (#3039)
• 17a7dc5 chore: upgrade MSRV to 1.85 (#3038)
• 03db63a fix(redirect): strip sensitive headers on scheme change across redirects (#3034)
• 4b813a8 feat: add tls_sslkeylogfile builder method (#2923)
• Additional commits viewable in compare view

Updates tower-http from 0.6.10 to 0.6.11

Release notes

Sourced from tower-http's releases.

tower-http-0.6.11

Added

• set-header: add SetMultipleResponseHeadersLayer and SetMultipleResponseHeader for setting multiple response headers at once. Supports overriding, appending, and if_not_present modes. Header values can be fixed or computed dynamically via closures (#672)

  use http::{Response, header::{self, HeaderValue}};
  use http_body::Body as _;
  use tower_http::set_header::response::SetMultipleResponseHeadersLayer;
  let layer = SetMultipleResponseHeadersLayer::overriding(vec![
  (header::X_FRAME_OPTIONS, HeaderValue::from_static("DENY")).into(),
  (header::CONTENT_LENGTH, |res: &Response<MyBody>| {
  res.body().size_hint().exact()
  .map(|size| HeaderValue::from_str(&size.to_string()).unwrap())
  }).into(),
  ]);

• set-header: add SetMultipleRequestHeadersLayer and SetMultipleRequestHeaders for setting multiple request headers at once, mirroring the response-side API (#677)

• classify: add From<i32> and From<NonZeroI32> impls for GrpcCode. Unrecognized status codes map to GrpcCode::Unknown (#506)

Changed

• compression: compress application/grpc-web responses. Previously all application/grpc* content types were excluded from compression; now only application/grpc (non-web) is excluded (#408)

Fixed

• fs: fix ServeDir returning 500 instead of 405 for non-GET/HEAD requests when call_fallback_on_method_not_allowed is enabled but no fallback service is configured (#587)
• fs: remove duplicate cfg attribute on is_reserved_dos_name (#675)

#408: tower-rs/tower-http#408 #506: tower-rs/tower-http#506 #587: tower-rs/tower-http#587 #672: tower-rs/tower-http#672 #675: tower-rs/tower-http#675 #677: tower-rs/tower-http#677

All PRs

• ci: fix flaky encoding test, add nightly stress test job by @​jlizen in tower-rs/tower-http#670

... (truncated)

Commits

• 1d082ef v0.6.11
• 9c3117d feat: set multiple request header (#677)
• 667e7c7 Remove duplicate cfg attribute for is_reserved_dos_name (#675)
• 7551a9b feat(set_header): refactor and improve multiple header middleware (#672)
• 991e9ee add From<i32> impl for GrpcCode (#506)
• 3962dba Do compress grpc-web responses (#408)
• f0b3bb6 Fix serve_dir method not allowed handling when no fallback is configured (#587)
• d1a571b ci: use static timeout in stress-test workflow (#671)
• 309555a ci: fix flaky encoding test, add nightly stress test job (#670)
• See full diff in compare view

Updates tar from 0.4.45 to 0.4.46

Release notes

Sourced from tar's releases.

0.4.46

Security

• archive: Fix another PAX header desync (GHSA-3cv2-h65g-fgmm) by @​cgwalters in composefs/tar-rs#454

See also GHSA-3cv2-h65g-fgmm

Other changes

• ci: Fix and re-enable reverse dependency testing by @​cgwalters in composefs/tar-rs#444
• Update astral-tokio-tar requirement from 0.5 to 0.6 by @​dependabot[bot] in composefs/tar-rs#446
• Update some links by @​atouchet in composefs/tar-rs#445
• Add support of absolute paths by @​zxvfc in composefs/tar-rs#426
• docs: Expand notes on concurrent mutations and following symlinks by @​cgwalters in composefs/tar-rs#453
• Update repo links by @​cgwalters in composefs/tar-rs#451
• ci: Add crates.io trusted publishing workflow by @​cgwalters in composefs/tar-rs#456
• Release 0.4.46 by @​cgwalters in composefs/tar-rs#455

New Contributors

• @​dependabot[bot] made their first contribution in composefs/tar-rs#446
• @​atouchet made their first contribution in composefs/tar-rs#445
• @​zxvfc made their first contribution in composefs/tar-rs#426

Full Changelog: composefs/tar-rs@0.4.45...0.4.46

Commits

• fc459c1 Release 0.4.46
• 43e05a8 ci: Add crates.io trusted publishing workflow
• bba5666 Update repo links
• cd94c46 docs: Document TOCTOU / concurrent-mutation threat model
• 1b4997c builder: Expand docs for follow_symlinks and append_dir_all
• bab14dd archive: Fix another PAX header desync (GHSA-3cv2-h65g-fgmm)
• 2349b49 Add support of absolute paths
• 39d0311 Update some links
• 59d803e Update astral-tokio-tar requirement from 0.5 to 0.6
• 8296b9a ci: Fix and re-enable reverse dependency testing (#444)
• See full diff in compare view

Updates histogram from 1.3.1 to 1.4.1

Release notes

Sourced from histogram's releases.

v1.4.1

What's Changed

• Add mean() to borrowed CumulativeRO Ref views by @​thinkingfish in iopsystems/histogram#21
• release: v1.4.1 by @​thinkingfish in iopsystems/histogram#22

Full Changelog: iopsystems/histogram@v1.4.0...v1.4.1

Changelog

Sourced from histogram's changelog.

[1.4.1] - 2026-05-19

Added

• Midpoint-based mean() on the borrowed CumulativeROHistogramRef / CumulativeROHistogram32Ref views. The mean is stored on the view (computed once at construction, or carried over from the owned histogram's cached value), so mean() is a cheap field access exposed just like count() — no per-call streaming computation — letting a zero-alloc reducer fold it in directly. Returns None for an empty histogram.

Changed

• CumulativeROHistogramRef / CumulativeROHistogram32Ref no longer implement Eq (they now carry an f64 mean); PartialEq is retained.

[1.4.0] - 2026-05-19

Added

• Midpoint-based mean() on CumulativeROHistogram / CumulativeROHistogram32 — the mean of all observations, estimated from bucket midpoints, computed once at construction time across from_parts, From<&Histogram>, and From<&SparseHistogram>. Returns None for an empty histogram.

Changed

• CumulativeROHistogram / CumulativeROHistogram32 no longer implement Eq (they now store an f64 mean); PartialEq is retained. The borrowed *Ref view types are unaffected.

Commits

• 07e228d release: v1.4.1 (#22)
• 5b08a9c Add mean() to borrowed CumulativeRO Ref views (#21)
• f074613 release: v1.4.0 (#20)
• f4858d0 Add midpoint-based mean to CumulativeRO histogram (#19)
• See full diff in compare view

Updates log from 0.4.29 to 0.4.30

Release notes

Sourced from log's releases.

0.4.30

What's Changed

• Support capturing of std::net types by @​KodrAus in rust-lang/log#724

New Contributors

• @​V0ldek made their first contribution in rust-lang/log#720
• @​woodruffw made their first contribution in rust-lang/log#723

Full Changelog: rust-lang/log@0.4.29...0.4.30

Notable Changes

• MSRV is bumped to 1.71.0 in rust-lang/log#723

Changelog

Sourced from log's changelog.

[0.4.30] - 2026-05-21

What's Changed

• Support capturing of std::net types by @​KodrAus in rust-lang/log#724

New Contributors

• @​V0ldek made their first contribution in rust-lang/log#720
• @​woodruffw made their first contribution in rust-lang/log#723

Full Changelog: rust-lang/log@0.4.29...0.4.30

Notable Changes

• MSRV is bumped to 1.71.0 in rust-lang/log#723

Commits

• 9c55760 Merge pull request #725 from rust-lang/cargo/0.4.30
• d1acb05 update docs on current MSRV and note latest bump in changelog
• 5068293 prepare for 0.4.30 release
• 7ccd873 Merge pull request #724 from rust-lang/feat/net-to-value
• 923dfaa fix up test cfgs
• ecb7de8 gate net value impls on std
• 67bb4f6 run fmt
• 25f49fe rework net type capturing
• 7087dcb feat: impl ToValue for core::net types
• 67bc7e3 Merge pull request #723 from woodruffw-forks/ww/ci
• Additional commits viewable in compare view

Updates metriken-query from 0.10.4 to 0.10.6

Changelog

Sourced from metriken-query's changelog.

metriken-query 0.10.6

• Add histogram_irate(m) — per-step rate of a histogram's cumulative sample count, returned as an instant vector. Lets dashboards derive a fallback event-rate line for histograms that have no standalone counter (scheduler_runqueue_latency, scheduler_offcpu, scheduler_running, tcp_packet_latency). Replaces the sum(irate(histogram_count(m)[5m])) idiom suggested for histogram_count in 0.10.5, which never parsed — PromQL disallows range vectors on function-call results.
• Add an optional by (..) / without (..) aggregation modifier to histogram_irate, histogram_count, and histogram_mean, matching standard PromQL aggregation-operator syntax. With no modifier, every matching series collapses into one {__name__: metric_name} output (today's behaviour); with by/without, one series per distinct projected-label tuple. Lets histogram_mean by (source) (m) return one mean per source in a single query — previously required N filtered queries.

metriken-query 0.10.2

• Restore the matcher-less single-right binary broadcast. Queries shaped like sum(rate(x[..])) / y (where the aggregate strips labels and y carries some) were silently empty in 0.10.0/0.10.1 on single-host parquets — the rezolus viewer's CPU-utilization tiles relied on this fallback. Now matrix_matrix_op materialises the lone unmatched right series into a shared timestamp lookup and broadcasts it across every unmatched left series, mirroring the eager engine's per-left fallback.

metriken-query 0.10.1

• Cache the parquet footer once per load and decode columns one at a time within each row group. Restores load performance on wide files that regressed in 0.9.6's per-column projection rewrite — 5–28× faster than 0.10.0 across the rezolus dashboard fixtures (vllm.parquet 21.0s → 0.74s; sglang-nixl-16c 130s → 6.0s).

metriken-query 0.10.0

Breaking — collapses the PromQL evaluator to streaming-only and narrows the supported surface to the subset rezolus actually uses.

• All eager evaluation removed. evaluate_expr now forwards every expression to the streaming dispatcher; any AST shape the dispatcher doesn't recognise becomes QueryError::Unsupported.
• histogram_heatmap now streams its input — peak transient heap drops ~54% per query versus the eager merge-then-walk path.
• histogram_quantile, histogram_quantiles, counter deriv

... (truncated)

Commits

• See full diff in compare view

Updates serde_json from 1.0.149 to 1.0.150

Release notes

Sourced from serde_json's releases.

v1.0.150

• Reject non-string enum object keys (#1324, thanks @​puneetdixit200)

Commits

• a1ae73a Release 1.0.150
• 1a360b0 Merge pull request #1324 from puneetdixit200/reject-non-string-enum-keys
• 2037b63 Reject non-string enum object keys
• 5d30df6 Resolve manual_assert_eq pedantic clippy lint
• dc8003a Raise required compiler for preserve_order feature to 1.85
• a42fa98 Unpin CI miri toolchain
• 684a60e Pin CI miri to nightly-2026-02-11
• 7c7da33 Raise required compiler to Rust 1.71
• acf4850 Simplify Number::is_f64
• 6b8ceab Resolve unnecessary_map_or clippy lint
• Additional commits viewable in compare view

Updates autocfg from 1.5.0 to 1.5.1

Commits

• 2799b09 Merge pull request #80 from cuviper/noscript
• 8e7f49a ci: extend the tested versions
• 303aa6a Release 1.5.1
• 73483fb Make tests/wrappers work without a script
• See full diff in compare view

Updates bumpalo from 3.20.2 to 3.20.3

Changelog

Sourced from bumpalo's changelog.

3.20.3

Released 2026-05-22.

Fixed

• Fixed the try_alloc_slice_fill_with, alloc_slice_try_fill_with, alloc_slice_fill_with methods to properly rewind the bump pointer on allocation, initialization, and panic failure and avoid wasting bump capacity.
• Fixed a drop bug in bumpalo::collections::vec::DrainFilter (used by retain and retain_mut) when the predicate panics.

---

Commits

• 84654ac Rewind on slice allocation failure (#324)
• 5325624 Fix a couple bugs (#323)
• fcf8370 Fix UB in Allocator::grow_zeroed (#321)
• 657caf8 test: fix test for OOM instead of overflow (#320)
• 1db9be9 fix: fix typo in comment (#318)
• a47f6d6 fix: bump pointer/bump chunk debug assertion (#313)
• 0b12966 Update Cargo.toml with keywords (#303)
• See full diff in compare view

Updates crypto-common from 0.2.1 to 0.2.2

Commits

• 93dee26 Release crypto-common v0.2.2 (#2421)
• f73c4bc crypto-common: add SetIvState trait (#2420)
• 94f108f ci: bump crate-ci/typos from 1.46.1 to 1.46.2 (#2419)
• e4d7d34 elliptic-curve: remove bits feature (#2417)
• d2cf1f9 Update Cargo.lock (#2415)
• 40f6b7b ci: bump crate-ci/typos from 1.46.0 to 1.46.1 (#2409)
• 5debc66 elliptic-curve: fix minimal-versions check (#2414)
• 4e999e3 digest: remove unused file (#2411)
• ff5fd17 elliptic-curve: disable minimal-versions CI job (#2412)
• e4f7a91 elliptic-curve: add SecretKey::from_der (#2408)
• Additional commits viewable in compare view

Updates either from 1.15.0 to 1.16.0

Commits

• 8f4ecd9 Merge pull request #138 from cuviper/release-1.16.0
• c35bb4e Release 1.16.0
• 652486e Fix an unused import
• c26e693 Merge pull request #137 from ronnodas/map-both
• aa7f1d4 Add a single-ident version of map_both!
• a706625 Format the map_both! example
• 85b1b56 Merge pull request #128 from A4-Tacks/for-both-ident-pattern
• 304e814 Merge pull request #127 from A4-Tacks/map-or
• ff9e326 Apply formatting suggestions from code review
• 71c9a91 Merge pull request #126 from A4-Tacks/is-and
• Additional commits viewable in compare view

Updates num-conv from 0.2.1 to 0.2.2

Commits

• b022fe8 Rename extend to widen
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions