Bump the cargo-dependencies group across 1 directory with 7 updates

[dependabot]

Bumps the cargo-dependencies group with 7 updates in the / directory:

Package	From	To
serde_json	1.0.149	1.0.150
sqlx	0.8.6	0.9.0
tower-http	0.6.10	0.6.11
http	1.4.0	1.4.1
aws-lc-rs	1.16.3	1.17.0
garde	0.22.1	0.23.0
mailcrab	1.6.5	1.7.0

Updates serde_json from 1.0.149 to 1.0.150

Release notes

Sourced from serde_json's releases.

v1.0.150

• Reject non-string enum object keys (#1324, thanks @​puneetdixit200)

Commits

• a1ae73a Release 1.0.150
• 1a360b0 Merge pull request #1324 from puneetdixit200/reject-non-string-enum-keys
• 2037b63 Reject non-string enum object keys
• 5d30df6 Resolve manual_assert_eq pedantic clippy lint
• dc8003a Raise required compiler for preserve_order feature to 1.85
• a42fa98 Unpin CI miri toolchain
• 684a60e Pin CI miri to nightly-2026-02-11
• 7c7da33 Raise required compiler to Rust 1.71
• acf4850 Simplify Number::is_f64
• 6b8ceab Resolve unnecessary_map_or clippy lint
• Additional commits viewable in compare view

Updates sqlx from 0.8.6 to 0.9.0

Changelog

Sourced from sqlx's changelog.

0.9.0 - 2026-05-06

Important Announcements

New Github Organization

Shortly after this release is published, the SQLx repository will be transferred to a new GitHub organization: https://github.com/transact-rs/

This is because SQLx has not been owned or maintained by LaunchBadge, LLC. for a few years now, and has since been informally transferred to the collective ownership of its principal authors. Moving the repository to a new organization makes this change more clear, and also allows for potentially inviting outside collaborators.

Cargo.lock Removed from Tracking

The Cargo.lock has been removed from tracking in Git. CI should now always test with the latest versions of all dependencies by default, alongside our pass that checks with cargo generate-lockfile -Z minimal-versions.

This should eliminate the need for any PRs that update dependencies to also update Cargo.lock or contend with an endless stream of merge conflicts against it.

N.B. cargo install --locked sqlx-cli will no longer work. However, cargo install sqlx-cli has always used the latest dependencies by default, ignoring the lockfile, so most users should not be affected. For users requiring reproducible builds, consider maintaining your own lockfile instead; historically, we only ran cargo update sporadically, so relying on SQLx's lockfile offered few guarantees anyway.

See [the manual page for cargo install][man-cargo-install] for details.

Breaking

As per our MSRV policy, the supported Rust version for this release cycle is 1.94.0.

• [#3383]: feat: create sqlx.toml format [[@​abonander]]
  • SQLx and sqlx-cli now support per-crate configuration files (sqlx.toml)
  • New functionality includes, but is not limited to:
    • Rename DATABASE_URL for a crate (for multi-database workspaces)
    • Set global type overrides for the macros (supporting custom types)
    • Rename or relocate the _sqlx_migrations table (for multiple crates using the same database)
    • Set characters to ignore when hashing migrations (e.g. ignore whitespace)
  • More to be implemented in future releases.
  • Enable feature sqlx-toml to use.
    • sqlx-cli has it enabled by default, but sqlx does not.
    • Default features of library crates can be hard to completely turn off because of [feature unification], so it's better to keep the default feature set as limited as possible. [This is something we learned the hard way.][preferred-crates]
  • Guide: see sqlx::_config module in documentation.
  • Reference: [Link]
  • Examples (written for Postgres but can be adapted to other databases; PRs welcome!):
    • Multiple databases using DATABASE_URL renaming and global type overrides: [Link]
    • Multi-tenant database using _sqlx_migrations renaming and multiple schemas: [Link]
    • Force use of chrono when time is enabled (e.g. when using tower-sessions-sqlx-store): [[Link][preferred-crates]]
      • Forcing bigdecimal when rust_decimal is enabled is also shown, but problems with chrono/time are more common.

... (truncated)

Commits

• 75bc048 Release 0.9.0 (#4256)
• 6956cef Prefer to give real data to .bind() in README.md (#4257)
• 45ba990 Add the possibility to skip migrations (#3846)
• 66533fa Ensure Deterministic Migration Order (#4136)
• db47fe3 ci: check direct minimal versions (#4173)
• 9ecb76d Unescape PostgreSQL passfile password (#3993)
• c0a3218 breaking(any+mysql): correctly convert text and blob types to AnyTypeInfo (...
• d82b781 test(sqlite): add regression test for ORDER BY + LIMIT nullability (#4223)
• b77ba16 chore: update to axum 0.8 (#4253)
• c0ec9c0 fix(tls): potential deadlock in StdSocket::poll_ready() (#4251)
• Additional commits viewable in compare view

Updates tower-http from 0.6.10 to 0.6.11

Release notes

Sourced from tower-http's releases.

tower-http-0.6.11

Added

• set-header: add SetMultipleResponseHeadersLayer and SetMultipleResponseHeader for setting multiple response headers at once. Supports overriding, appending, and if_not_present modes. Header values can be fixed or computed dynamically via closures (#672)

  use http::{Response, header::{self, HeaderValue}};
  use http_body::Body as _;
  use tower_http::set_header::response::SetMultipleResponseHeadersLayer;
  let layer = SetMultipleResponseHeadersLayer::overriding(vec![
  (header::X_FRAME_OPTIONS, HeaderValue::from_static("DENY")).into(),
  (header::CONTENT_LENGTH, |res: &Response<MyBody>| {
  res.body().size_hint().exact()
  .map(|size| HeaderValue::from_str(&size.to_string()).unwrap())
  }).into(),
  ]);

• set-header: add SetMultipleRequestHeadersLayer and SetMultipleRequestHeaders for setting multiple request headers at once, mirroring the response-side API (#677)

• classify: add From<i32> and From<NonZeroI32> impls for GrpcCode. Unrecognized status codes map to GrpcCode::Unknown (#506)

Changed

• compression: compress application/grpc-web responses. Previously all application/grpc* content types were excluded from compression; now only application/grpc (non-web) is excluded (#408)

Fixed

• fs: fix ServeDir returning 500 instead of 405 for non-GET/HEAD requests when call_fallback_on_method_not_allowed is enabled but no fallback service is configured (#587)
• fs: remove duplicate cfg attribute on is_reserved_dos_name (#675)

#408: tower-rs/tower-http#408 #506: tower-rs/tower-http#506 #587: tower-rs/tower-http#587 #672: tower-rs/tower-http#672 #675: tower-rs/tower-http#675 #677: tower-rs/tower-http#677

All PRs

• ci: fix flaky encoding test, add nightly stress test job by @​jlizen in tower-rs/tower-http#670

... (truncated)

Commits

• 1d082ef v0.6.11
• 9c3117d feat: set multiple request header (#677)
• 667e7c7 Remove duplicate cfg attribute for is_reserved_dos_name (#675)
• 7551a9b feat(set_header): refactor and improve multiple header middleware (#672)
• 991e9ee add From<i32> impl for GrpcCode (#506)
• 3962dba Do compress grpc-web responses (#408)
• f0b3bb6 Fix serve_dir method not allowed handling when no fallback is configured (#587)
• d1a571b ci: use static timeout in stress-test workflow (#671)
• 309555a ci: fix flaky encoding test, add nightly stress test job (#670)
• See full diff in compare view

Updates http from 1.4.0 to 1.4.1

Release notes

Sourced from http's releases.

v1.4.1

tl;dr

• Fix PathAndQuery::from_static() and from_shared() to reject inputs that do not start with /.
• Fix Extend for HeaderMap to clamp max size hint and not overflow.
• Fix header::IntoIter that could use-after-free if the generic value type could panic on drop.
• Fix header::{IterMut, ValuesIterMut} to not violate stacked borrows.

What's Changed

• chore(header): fix clippy::assign_op_pattern by @​rxc-amzn in hyperium/http#806
• ci: pin itoa in msrv job by @​seanmonstar in hyperium/http#813
• Remove unnecessary explicit lifetimes by @​jplatte in hyperium/http#815
• chore(ci): update to actions/checkout@v6 by @​tottoto in hyperium/http#819
• tests: update to rand 0.10 by @​tottoto in hyperium/http#818
• refactor: Remove usage of float instruction by @​AurelienFT in hyperium/http#823
• refactor(uri): consolidate PathAndQuery::from_shared and from_static by @​seanmonstar in hyperium/http#825
• fix(uri): reject Path::from_shared/from_static if doesn't start with slash by @​seanmonstar in hyperium/http#826
• Rephrase comment by @​daalfox in hyperium/http#827
• Fix typo in request builder docs by @​vleksis in hyperium/http#831
• fix: clamp Extend size hint so HeaderMap reserve cannot overflow by @​SAY-5 in hyperium/http#833
• fix(headers): fix stacked borrows for IterMut/ValuesIterMut by @​seanmonstar in hyperium/http#837
• fix(header): use a set_len guard in IntoIter drop by @​seanmonstar in hyperium/http#838

New Contributors

• @​rxc-amzn made their first contribution in hyperium/http#806
• @​AurelienFT made their first contribution in hyperium/http#823
• @​daalfox made their first contribution in hyperium/http#827
• @​vleksis made their first contribution in hyperium/http#831
• @​SAY-5 made their first contribution in hyperium/http#833

Full Changelog: hyperium/http@v1.4.0...v1.4.1

Changelog

Sourced from http's changelog.

1.4.1 (May 25, 2026)

• Fix PathAndQuery::from_static() and from_shared() to reject inputs that do not start with /.
• Fix Extend for HeaderMap to clamp max size hint and not overflow.
• Fix header::IntoIter that could use-after-free if the generic value type could panic on drop.
• Fix header::{IterMut, ValuesIterMut} to not violate stacked borrows.

Commits

• a24c968 v1.4.1
• bc3b044 fix(header): use a set_len guard in IntoIter drop (#838)
• 1b968dc fix(header): fix stacked borrows for IterMut/ValuesIterMut (#837)
• 6e2dd42 fix: clamp Extend size hint so HeaderMap reserve cannot overflow (#833)
• 68e0abb docs: fix typo in request builder docs (#831)
• 29dd307 docs(extensions): rephrase internal comment (#827)
• ae48fb5 fix(uri): reject Path::from_shared/from_static if doesn't start with slash (#...
• 1ad200e refactor(uri): consolidate PathAndQuery::from_shared and from_static (#825)
• d59d939 refactor: Remove usage of float instruction (#823)
• ed680c4 tests: update to rand 0.10 (#818)
• Additional commits viewable in compare view

Updates aws-lc-rs from 1.16.3 to 1.17.0

Release notes

Sourced from aws-lc-rs's releases.

aws-lc-rs v1.17.0

What's Changed

• Add opt-in legacy DES cipher support behind a legacy-des feature by @​qzh0223 in aws/aws-lc-rs#1109 and aws/aws-lc-rs#1122
  • Provides 2TDEA, 3TDEA, and single DES support. This is gated behind the legacy-des feature flag and intended only for interoperability with legacy systems.
• Add AsDer and ParsedPublicKey conversion for RSA PublicKeyComponents by @​MavenRain in aws/aws-lc-rs#1105
  • PublicKeyComponents<B> now implements AsDer<PublicKeyX509Der> and can be converted to ParsedPublicKey for use with signature verification APIs.
• Add LessSafeKey::open_in_place_separate_tag by @​wpt-oai in aws/aws-lc-rs#1116
  • Enables AEAD decryption when the authentication tag is stored separately from the ciphertext, complementing the existing seal_in_place_separate_tag.
• Add zig compiler support and CI coverage by @​justsmth in aws/aws-lc-rs#1103
  • Resolves long-standing issues with cross-compilation using cargo-zigbuild. The build script now correctly handles zig's compiler flags, and CI coverage has been added to prevent regressions.

Build Improvements

• Fix jitterentropy CFLAGS filtering for HOST_CFLAGS and TARGET_CFLAGS by @​justsmth in aws/aws-lc-rs#1106
  • Fixes build failures (e.g., FreeBSD qdrant) where optimization flags leaked into the jitterentropy compilation, which must be built without optimizations.
• Add ML-DSA x86_64 native assembly to CC builder scripts by @​jakemas in aws/aws-lc-rs#1110
• Fix support for building with MinGW on Windows 7 by @​justsmth in aws/aws-lc-rs#1120
  • Fixes the x86_64-win7-windows-gnu target by addressing MinGW-specific compatibility issues.

Issues Being Closed

• Add API to convert rsa::PublicKeyComponents into signature::ParsedPublicKey and/or DER encoded bytes -- aws/aws-lc-rs#1055
• The CPU Jitter RNG must not be compiled with optimizations (FreeBSD qdrant build failure) -- aws/aws-lc-rs#1097
• Windows 7 support for MinGW (x86_64-win7-windows-gnu target) -- aws/aws-lc-rs#1111
• -Wp,-U breaks cross-builds using zig cc -- aws/aws-lc-rs#993
• Failure to cross-compile for Windows on macOS with cargo-zigbuild -- aws/aws-lc-rs#512
• Zigbuild: Unable to build using cargo-zigbuild for arm targets -- aws/aws-lc-rs#931

Other Merged PRs

• Prepare aws-lc-sys v0.41.0 by @​justsmth in aws/aws-lc-rs#1117
• Bump actions/checkout from 4 to 6 by @​dependabot[bot] in aws/aws-lc-rs#1102
• Bump actions/dependency-review-action from 4 to 5 by @​dependabot[bot] in aws/aws-lc-rs#1118
• Fix nightly clippy warnings by @​justsmth in aws/aws-lc-rs#1112
• Prepare aws-lc-rs v1.17.0 by @​justsmth in aws/aws-lc-rs#1121
• Fix rustfmt by @​justsmth in aws/aws-lc-rs#1123

New Contributors

• @​jakemas made their first contribution in aws/aws-lc-rs#1110
• @​qzh0223 made their first contribution in aws/aws-lc-rs#1109
• @​MavenRain made their first contribution in aws/aws-lc-rs#1105
• @​wpt-oai made their first contribution in aws/aws-lc-rs#1116

Full Changelog: aws/aws-lc-rs@v1.16.3...v1.17.0

Commits

• 2201001 Fix rustfmt (#1123)
• 1ed08ba Add single DES support and rename legacy-3des feature to legacy-des (#1122)
• 889047e Prepare aws-lc-rs v1.17.0 (#1121)
• 4fdf672 fix: support building with MinGW on Windows 7 (#1120)
• 1cbe889 Adds LessSafeKey::open_in_place_separate_tag (#1116)
• ce8bccc Bump actions/dependency-review-action from 4 to 5 (#1118)
• aac6ebd Prepare aws lc sys 0.41.0 (#1117)
• 3cb6cfd Add AsDer and ParsedPublicKey conversion for RSA PublicKeyComponents (#1105)
• 54a222f Fix clippy warnings: inline format args, remove redundant borrows, use assert...
• c9c9bc6 Add opt-in 2TDEA and 3TDEA cipher support behind a legacy-3des feature (#1109)
• Additional commits viewable in compare view

Updates garde from 0.22.1 to 0.23.0

Release notes

Sourced from garde's releases.

v0.23.0

Internationalization (i18n)

Error messages may now be customized.

struct Czech;
impl I18n for Czech {
fn length_lower_than(&self, min: usize) -> Cow<'static, str> {
format!("musí obsahovat alespoň {min} znaků").into()
}
fn email_invalid(&amp;self, _reason: InvalidEmail) -&gt; Cow&lt;'static, str&gt; {
    format!(&quot;email je neplatný&quot;).into()
}
// etc.

}
#[derive(Validate)]
struct User {
#[garde(length(min = 3))]
name: String,
#[garde(email)]
email: String,
}
let user = User {
name: "Jan Novák".to_string(),
email: "invalid-email".to_string(),
};
let result = with_i18n(Czech, || user.validate());

The goal behind this feature is to support localization of error messages, but it can also be used to assign custom error messages in English to all errors produced by garde.

if(cond = <expr>, <rules>...)

Rules may now be nested within an if rule, which only validates if a given condition is true. The condition can refer to self and ctx as with any other rule.

struct Config {
    strict: bool,
}
#[derive(garde::Validate)]
#[garde(context(Config as ctx))]
struct User {
</tr></table>

... (truncated)

Commits

• 62b71b1 0.23.0
• edda2ec support pre-1.0 version bumps
• 8a2ad42 Merge pull request #183 from jprochazk/ci-exclude-ui-on-stable
• f8a75e1 Merge pull request #182 from jprochazk/fix-skip-tuple-variant-binding
• 6c4ff77 exclude pattern_mismatched_types test on stable instead of pinned
• 88694f4 fix(derive): bind all tuple variant fields so skipped fields don't shift bind...
• 7d4a538 Merge pull request #150 from jprochazk/i18n
• 7c33d10 fix wasm test
• 951940f impl
• 51f80cf Merge pull request #178 from jprochazk/toolchain
• Additional commits viewable in compare view

Updates mailcrab from 1.6.5 to 1.7.0

Release notes

Sourced from mailcrab's releases.

v1.7.0

Docker releases: https://hub.docker.com/repository/docker/marlonb/mailcrab/tags Run docker image using: docker run --rm -p 1080:1080 -p 1025:1025 marlonb/mailcrab:v1.7.0

Commits

• f631533 Bump version
• 3a09fb2 Improvements on #139 (#142)
• 9bae2b2 docs: Update Trunk documentation link in README (#141)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!