build(deps): Bump http from 5.3.1 to 6.0.2

[dependabot]

Bumps http from 5.3.1 to 6.0.2.

Release notes

Sourced from http's releases.

v6.0.2

What's Changed

• Fix RBS syntax error by @​hakanensari in httprb/http#837

Full Changelog: httprb/http@v6.0.1...v6.0.2

v6.0.1

Full Changelog: httprb/http@v6.0.0...v6.0.1

v6.0.0

What's Changed

• Fixed incorrect link in CHANGES.md by @​daniel-sabourin in httprb/http#738
• Add Connection#finished_request? by @​c960657 in httprb/http#743
• Bump llhttp-ffi (0.5.0) by @​bryanp in httprb/http#744
• Let the instrumenter log exceptions too by @​foca in httprb/http#746
• Run CI against Ruby 3.2 by @​koheisg in httprb/http#742
• Update README.md by @​sandstrom in httprb/http#751
• Downcase Content-Type charset name by @​paul in httprb/http#753
• Add base64 to runtime dependency by @​koic in httprb/http#759
• DummyServer::Servlet#not_found requires two arguments by @​c960657 in httprb/http#761
• fix: close sockets on connection initialize timeout by @​rpeng in httprb/http#762
• Prevent CRLF injection due to broken URL normalizer by @​c960657 in httprb/http#765
• Do more conservative URL normalization by @​c960657 in httprb/http#758
• Handle responses in the reverse order from the requests by @​souk4711 in httprb/http#766
• Add support for the PURGE HTTP method. by @​renchap in httprb/http#757
• Start 6.0.0 version by @​ixti in httprb/http#768
• SECURITY.md: use private vulnerability reporting feature by @​tarcieri in httprb/http#772
• Goodbye Hash rockets... by @​ixti in httprb/http#769
• Fixes comment typo in errors.rb by @​ajsharma in httprb/http#781
• Update base64 dependency version by @​SleepingInsomniac in httprb/http#780
• Add .retriable feature to Http - Rebased by @​tomprats in httprb/http#775
• Bump rubocop to v1.61 by @​tarcieri in httprb/http#788
• Drop depenency on base64 by @​Earlopain in httprb/http#778
• Add more granularity to ConnectionError through more specific error classes by @​omkarmoghe in httprb/http#783
• Cache header normalization to reduce object allocation by @​alexcwatt in httprb/http#789
• New feature: RaiseError by @​c960657 in httprb/http#792
• Correct typo in comments for retriable method by @​hakanensari in httprb/http#794
• Remove circular require by @​hakanensari in httprb/http#795
• Native llhttp for MRI by @​sebyx07 in httprb/http#800
• feat: introduce better error for wrong mime type by @​TheBlackArroVV in httprb/http#805
• chore: Cleanup and update gemspec by @​ixti in httprb/http#806
• fix: Simplify response and headers inspection by @​ixti in httprb/http#810
• feat: Add bin/console for development convenience by @​ixti in httprb/http#811
• Add ruby 3.4 support by @​ixti in httprb/http#808
• Introduce HTTP::Session for thread-safe request building by @​sferik in httprb/http#829
• Remove Headers::Mixin and [] / []= delegators from Request and Response by @​sferik in httprb/http#831
• Refactor cookie API by @​sferik in httprb/http#830
• Instrumentation hooks by @​sferik in httprb/http#832
• Add HTTP.base_uri by @​sferik in httprb/http#833

... (truncated)

Changelog

Sourced from http's changelog.

[6.0.2] - 2026-03-20

Fixed

• Fix RBS syntax error.

Changed

• Improve gem push workflow security and reliability.

[6.0.1] - 2026-03-16

Changed

• Exclude test files from gem package, reducing gem size by 50% (from 175 KB to 87 KB).

[6.0.0] - 2026-03-16

Changed

• Merged http-form_data gem into the main http gem. The HTTP::FormData module (including Part, File, Multipart, Urlencoded, and CompositeIO) is now shipped directly with http instead of being a separate dependency. The public API is unchanged.

Fixed

• Inflater no longer raises Zlib::BufError when a response declares Content-Encoding: gzip (or deflate) but the body is not valid compressed data. This commonly occurred when following redirects with auto_inflate enabled, because the redirect response had a Content-Encoding header but a non-compressed body. (#621)
• Persistent connections now auto-flush unread response bodies before sending the next request, instead of raising StateError. Bodies up to 1 MiB are drained transparently; larger bodies cause the connection to close and reopen. This prevents the silent body clobbering described in #371, where an unread response body would return "" after a subsequent request. (#371)
• Response#content_length now handles duplicate Content-Length headers per RFC 7230 Section 3.3.2. When all values are identical, they are collapsed into a single valid value. When values conflict, nil is returned instead of raising TypeError. (#566)
• HTTP 1xx informational responses (e.g. 100 Continue) are now transparently skipped, returning the final response. This was a regression introduced when the parser was migrated from http-parser to llhttp. (#667)
• Redirect loop detection now considers cookies, so a redirect back to the same URL with different cookies is no longer falsely detected as an endless loop. Fixes cookie-dependent redirect flows where a server sets a cookie on one hop and expects it on the next. (#544)
• Per-operation timeouts (HTTP.timeout(read: n, write: n, connect: n)) no longer default unspecified values to 0.25 seconds. Omitted timeouts now mean

... (truncated)

Commits

• d0886c9 Release v6.0.2
• 042606b Improve gem push workflow security and reliability
• 8e8eca9 Fix RBS syntax error
• 866cb87 Release v6.0.1
• 1ae2a60 Add mutant to default rake task and pass --since main flag
• c39f85f Reduce gem package size by excluding non-essential files
• 26f26c4 Switch gem release to OIDC API key role with JRuby support
• 5d1ff43 Release v6.0.0
• 1dbc20d Merge form_data into http
• e68bddc Override release task to skip gem push (handled by CI)
• Additional commits viewable in compare view