• a4757e3 [1.96] Bump cargo-util-schemas to 0.14.0 and cargo to 0.97.1 (#17046)
• d2a3284 [1.96] Bump cargo-util-schemas to 0.14.0 and cargo to 0.97.1
• 30a34c6 [1.96] Fix CVE-2026-5222 and CVE-2026-5223 (#17030)
• 312d557 CVE-2026-5223: prohibit unpacking symlinks and other unexpected entries
• 3c51f26 CVE-2026-5222: avoid stripping .git suffix when for non git registries
• bfa14ef Revert "feat: add frame-pointers profile option (#16742)" (#16998)
• c4c8f35 docs(semver-check): update diagnostics to Rust 1.95 (#16895)
• 11cbd64 Revert "feat: add frame-pointers profile option (#16742)"
• 9fb1715 [beta-1.96] Always take a shared lock on .cargo-lock (#16887)
• 964fcdb fix: Always take a shared lock on .cargo-lock
• Additional commits viewable in compare view

Sourced from reqwest's releases.

v0.13.4

tl;dr

• Add ClientBuilder::tls_sslkeylogfile(bool) option to allow using the related environment variable.
• Add ClientBuilder::http2_keep_alive_* options for the blocking client.
• Add TLS 1.3 support when using native-tls backend.
• Fix redirect handling to strip sensitive headers when the scheme changes.
• Fix HTTP/3 happy-eyeball connection creation.
• Upgrade hickory-resolver to 0.26.

What's Changed

• fix(tls): improve rustls-no-provider panic message and add module docs by @​smythg4 in seanmonstar/reqwest#3021
• fix: do not lose the url in error when decoding json by @​Dushistov in seanmonstar/reqwest#3026
• Add tls_sslkeylogfile builder method by @​passcod in seanmonstar/reqwest#2923
• fix(redirect): strip sensitive headers on scheme change across redirects by @​SAY-5 in seanmonstar/reqwest#3034
• chore: upgrade MSRV to 1.85 by @​seanmonstar in seanmonstar/reqwest#3038
• chore: clean up minimal-versions CI job by @​seanmonstar in seanmonstar/reqwest#3039
• fix(http3): use happy eyeballs for h3 connect by @​lyuzichong in seanmonstar/reqwest#3030
• fix: update hickory-resolver to 0.26 and adjust code accordingly by @​seanmonstar in seanmonstar/reqwest#3040
• fix: remove unwrap in hickory initialization by @​mat813 in seanmonstar/reqwest#3041
• feat(https): support TLS 1.3 as min version under native-tls 🎉 by @​AverageHelper in seanmonstar/reqwest#2975
• Expose keep alive configurations in blocking client by @​aeb-dev in seanmonstar/reqwest#3043
• Prepare v0.13.4 by @​seanmonstar in seanmonstar/reqwest#3046

New Contributors

• @​smythg4 made their first contribution in seanmonstar/reqwest#3021
• @​Dushistov made their first contribution in seanmonstar/reqwest#3026
• @​SAY-5 made their first contribution in seanmonstar/reqwest#3034
• @​mat813 made their first contribution in seanmonstar/reqwest#3041
• @​AverageHelper made their first contribution in seanmonstar/reqwest#2975
• @​aeb-dev made their first contribution in seanmonstar/reqwest#3043

Full Changelog: seanmonstar/reqwest@v0.13.3...v0.13.4

Sourced from reqwest's changelog.

v0.13.4

• Add ClientBuilder::tls_sslkeylogfile(bool) option to allow using the related environment variable.
• Add ClientBuilder::http2_keep_alive_* options for the blocking client.
• Add TLS 1.3 support when using native-tls backend.
• Fix redirect handling to strip sensitive headers when the scheme changes.
• Fix HTTP/3 happy-eyeball connection creation.
• Upgrade hickory-resolver to 0.26.

• 11489b3 v0.13.4
• d31ffbb feat: Expose HTTP2 keep alive configurations in blocking client (#3043)
• 79ed0d7 feat: support TLS 1.3 as min version under native-tls 🎉 (#2975)
• fb7bf6a fix: remove unwrap in hickory initialization (#3041)
• 3da616f fix: update hickory-resolver to 0.26 and adjust code accordingly (#3040)
• c77e7b2 fix(http3): use happy eyeballs for h3 connect (#3030)
• 9cbb65b chore: clean up minimal-versions CI job (#3039)
• 17a7dc5 chore: upgrade MSRV to 1.85 (#3038)
• 03db63a fix(redirect): strip sensitive headers on scheme change across redirects (#3034)
• 4b813a8 feat: add tls_sslkeylogfile builder method (#2923)
• Additional commits viewable in compare view

Sourced from serde_json's releases.

v1.0.150

• Reject non-string enum object keys (#1324, thanks @​puneetdixit200)

• a1ae73a Release 1.0.150
• 1a360b0 Merge pull request #1324 from puneetdixit200/reject-non-string-enum-keys
• 2037b63 Reject non-string enum object keys
• 5d30df6 Resolve manual_assert_eq pedantic clippy lint
• dc8003a Raise required compiler for preserve_order feature to 1.85
• a42fa98 Unpin CI miri toolchain
• 684a60e Pin CI miri to nightly-2026-02-11
• 7c7da33 Raise required compiler to Rust 1.71
• acf4850 Simplify Number::is_f64
• 6b8ceab Resolve unnecessary_map_or clippy lint
• Additional commits viewable in compare view

Sourced from serde_with's releases.

serde_with v3.21.0

Security

• GHSA-7gcf-g7xr-8hxj: KeyValueMap serialization panics on empty sequence or map entries Bad or attacker controlled values could cause a panic while allocating too large values. Fixed in #966 by setting a maximum allocation size during the creation of collections like Vec or sets.

  Thanks to @​7thParkk for reporting the issue.

Added

• Add NoneAsZero adapter that maps Option<NonZero*> to a plain integer, encoding None as 0 by @​SAY-5 (#486)

Changed

• Re-enable link-to-definition on docs.rs (#964)

Fixed

• Fix some doc links to point to the correct types (#963)
• Re-enable unused_qualifications and fix the resulting findings by @​lms0806 (#962)

serde_with v3.20.0

Added

• Add support for base58 encoding, similar to the existing base64 setup by @​mitinarseny (#943)

Fixed

• Extend base64 with schemars support by @​mitinarseny (#9949)

• 0f4ca67 Update changelog for 3.21.0 (#967)
• 7654841 Update changelog for 3.21.0
• c8a1d82 Protect all collection creations against capacity overflow by using `size_hin...
• 6ad5fa5 Properly feature gate the vec_with_capacity_cautious function
• ef7d141 Protect all collection creations against capacity overflow by using `size_hin...
• a348da3 Add serde_as deserialize_as explain (#958)
• 2e5bc20 Bump the github-actions group with 3 updates (#965)
• 927a3d6 Bump the github-actions group with 3 updates
• 62d14ec Enable link-to-definition on docs.rs again, after the upstream issue was reso...
• 4584d94 Enable link-to-definition on docs.rs again, after the upstream issue was reso...
• Additional commits viewable in compare view

Sourced from shlex's changelog.

2.0.1

• Fixes a compile error when building the documentation.

2.0.0

• Breaking: Items that were marked as deprecated in 1.x have been removed: join, quote, bytes::join, and bytes::quote.
• Breaking: The DerefMut impl for Shlex has been removed since it was unsound. New unsafe APIs have been added in its place: Shlex::from_bytes, Shlex::as_bytes_mut.

• See full diff in compare view

Sourced from tar's releases.

0.4.46

Security

• archive: Fix another PAX header desync (GHSA-3cv2-h65g-fgmm) by @​cgwalters in composefs/tar-rs#454

See also GHSA-3cv2-h65g-fgmm

Other changes

• ci: Fix and re-enable reverse dependency testing by @​cgwalters in composefs/tar-rs#444
• Update astral-tokio-tar requirement from 0.5 to 0.6 by @​dependabot[bot] in composefs/tar-rs#446
• Update some links by @​atouchet in composefs/tar-rs#445
• Add support of absolute paths by @​zxvfc in composefs/tar-rs#426
• docs: Expand notes on concurrent mutations and following symlinks by @​cgwalters in composefs/tar-rs#453
• Update repo links by @​cgwalters in composefs/tar-rs#451
• ci: Add crates.io trusted publishing workflow by @​cgwalters in composefs/tar-rs#456
• Release 0.4.46 by @​cgwalters in composefs/tar-rs#455

New Contributors

• @​dependabot[bot] made their first contribution in composefs/tar-rs#446
• @​atouchet made their first contribution in composefs/tar-rs#445
• @​zxvfc made their first contribution in composefs/tar-rs#426

Full Changelog: composefs/tar-rs@0.4.45...0.4.46

• fc459c1 Release 0.4.46
• 43e05a8 ci: Add crates.io trusted publishing workflow
• bba5666 Update repo links
• cd94c46 docs: Document TOCTOU / concurrent-mutation threat model
• 1b4997c builder: Expand docs for follow_symlinks and append_dir_all
• bab14dd archive: Fix another PAX header desync (GHSA-3cv2-h65g-fgmm)
• 2349b49 Add support of absolute paths
• 39d0311 Update some links
• 59d803e Update astral-tokio-tar requirement from 0.5 to 0.6
• 8296b9a ci: Fix and re-enable reverse dependency testing (#444)
• See full diff in compare view

Sourced from which's releases.

8.0.3

What's Changed

• feat: use catch-all cfg for is_valid_executable on unsupported targets by @​pmikolajczyk41 in harryfei/which-rs#124

New Contributors

• @​pmikolajczyk41 made their first contribution in harryfei/which-rs#124

Full Changelog: harryfei/which-rs@8.0.2...8.0.3

Sourced from which's changelog.

8.0.3

• Add fallback implementation of is_valid_executable allowing which-rs to compile on targets which are not Unix, Windows, WASI, or Redox. Thanks @​pmikolajczyk41 for your contribution to which!

• 9b1ec59 bump version number, update changelog
• 6ddf6cf Implement is_valid_executable for other configurations (#124)
• See full diff in compare view

Sourced from tokio's releases.

Tokio v1.52.3

1.52.3 (May 8th, 2026)

Fixed

• sync: fix underflow in mpsc channel len() (#8062)
• sync: notify receivers in mpsc OwnedPermit::release() method (#8075)
• sync: require that an RwLock has max_readers != 0 (#8076)
• sync: return Empty from try_recv() when mpsc is closed with outstanding permits (#8074)

#8062: tokio-rs/tokio#8062 #8074: tokio-rs/tokio#8074 #8075: tokio-rs/tokio#8075 #8076: tokio-rs/tokio#8076

• d875691 chore: prepare Tokio v1.52.3 (#8130)
• e1aebb0 Merge 'tokio-1.51.3' into 'tokio-1.52.x' (#8129)
• fd63094 chore: prepare Tokio v1.51.3 (#8127)
• 8c600d0 Merge 'tokio-1.47.5' into 'tokio-1.51.x' (#8123)
• 11bfc13 chore: prepare Tokio v1.47.5 (#8122)
• f085b62 sync: notify receivers in mpsc OwnedPermit::release() method (#8075)
• 30d25cc sync: require that an RwLock has max_readers != 0 (#8076)
• 9fccf53 sync: return Empty from try_recv() when mpsc is closed with outstanding p...
• ebf61b4 sync: fix underflow in mpsc channel len() (#8062)
• See full diff in compare view

• c8c9355 chore: Release
• af74def docs: Update changelog
• c96f222 Merge pull request #6368 from truffle-dev/fix/fish-env-escaping
• 49a05cd fix(complete): Two-pass quote fish env-completer
• e791004 test(complete): Snapshot fish env quoting cases
• 87ec1ad chore: Release
• 78f2529 docs: Update changelog
• b61f270 Merge pull request #6369 from Metbcy/fix/zsh-completion-ordering
• 74c6666 fix(complete): Keep zsh candidate order
• d142d8f Merge pull request #6360 from epage/string
• Additional commits viewable in compare view

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions