deps(rust): bump the rust-dependencies group across 1 directory with 10 updates

[dependabot]

Bumps the rust-dependencies group with 10 updates in the / directory:

Package	From	To
pyo3	0.24.2	0.27.2
serde_json	1.0.148	1.0.149
bincode	1.3.3	3.0.0
reqwest	0.12.28	0.13.1
thiserror	1.0.69	2.0.17
dashmap	5.5.3	6.1.0
dirs	5.0.1	6.0.0
lz4_flex	0.11.5	0.12.0
tokio-test	0.4.4	0.4.5
criterion	0.5.1	0.8.1

Updates pyo3 from 0.24.2 to 0.27.2

Release notes

Sourced from pyo3's releases.

PyO3 0.27.2

This patch contains very minor fixes for the PyO3 0.27 series:

• Workaround a rustc 1.92+ crash compiling PyO3 with both debug assertions and optimizations enabled.
• Fix runtime crash when subclassing dicts on PyPy and GraalPy.

There are also a number of documentation improvements applied across the codebase.

Thank you to the following contributors for the improvements:

@​davidhewitt @​dependabot[bot] @​MusicalNinjaDad @​pkalivas @​tpoliaw @​Tpt

PyO3 0.27.1

This release fixes a clippy lint regression in PyO3 0.27.0, and exposes the PySendResult type (the return value from Bound<PyIterator>::send).

Thank you to the following contributors for the improvements:

@​alex @​davidhewitt @​reaperhulk @​tpoliaw

PyO3 0.27.0

This release is the first PyO3 release to be tested against Python 3.14.0 final. There are no significant changes to 3.14 support since PyO3 0.26 which was tested against the 3.14 release candidates.

Support for PyPy 3.9 and PyPy 3.10 (both no longer supported upstream) has been dropped.

The FromPyObject trait has been reworked in a similar fashion to the IntoPyObject trait introduced in PyO3 0.23. This has established a performant and flexible implementation of both these traits and no further changes to the traits are anticipated in the future. Thank you for the patience upgrading through these incremental improvements at the core of PyO3.

The .downcast() family of functions are now deprecated in favour of the .cast() family of functions, which are an incremental improvement to API usability and to error messages on failed conversions.

Operations on the PyCapsule type have been changed without deprecation to fix some issues with lifetimes of return values (in .name() and .reference() specifically). The capsule API now also encourages checking of capsule names, which is one of the few defences available to protect the validity of casting data read by the capsule API.

There are also many other incremental improvements, bug fixes and smaller features.

Please consult the migration guide for help upgrading.

Thank you to everyone who contributed code, documentation, design ideas, bug reports, and feedback. The following contributors' commits are included in this release:

@​alex @​altendky @​bazaah @​bschoenmaeckers @​crepererum @​davidhewitt

... (truncated)

Changelog

Sourced from pyo3's changelog.

[0.27.2] - 2025-11-30

Changed

• Disable subclassing PyDict on GraalPy (unsupported for now, may crash at runtime). #5653

Fixed

• Fix crash when compiling on Rust 1.92+ with both debug assertions and optimizations enabled. #5638
• Fix FFI definition of PyDictObject on PyPy. #5653

[0.27.1] - 2025-10-21

Fixed

• Fix clippy:declare_interior_mutable_const warning from #[pyfunction]. #5538
• Expose pyo3::types::PySendResult in public API. #5539

[0.27.0] - 2025-10-19

Packaging

• Extend range of supported versions of hashbrown optional dependency to include version 0.16. #5428
• Bump optional num-bigint dependency minimum version to 0.4.4. #5471
• Test against Python 3.14 final release. #5499
• Drop support for PyPy 3.9 and 3.10. #5516
• Provide a better error message when building an outdated PyO3 for a too-new Python version. #5519

Added

• Add FromPyObjectOwned as convenient trait bound for FromPyObject when the data is not borrowed from Python. #4390
• Add Borrowed::extract, same as PyAnyMethods::extract, but does not restrict the lifetime by deref. #4390
• experimental-inspect: basic support for #[derive(IntoPyObject)] (no struct fields support yet). #5365
• experimental-inspect: support #[pyo3(get, set)] and #[pyclass(get_all, set_all)]. #5370
• Add PyTypeCheck::classinfo_object that returns an object that can be used as parameter in isinstance or issubclass. #5387
• Implement PyTypeInfo on datetime.* types even when the limited API is enabled. #5388
• Implement PyTypeInfo on PyIterator, PyMapping and PySequence. #5402
• Implement PyTypeInfo on PyCode when using the stable ABI. #5403
• Implement PyTypeInfo on PyWeakrefReference when using the stable ABI. #5404
• Add pyo3::sync::RwLockExt trait, analogous to pyo3::sync::MutexExt for readwrite locks. #5435
• Add PyString::from_bytes. #5437
• Implement AsRef<[u8]> for PyBytes. #5445
• Add CastError and CastIntoError. #5468
• Add PyCapsuleMethods::pointer_checked and PyCapsuleMethods::is_valid_checked. #5474
• Add Borrowed::cast, Borrowed::cast_exact and Borrowed::cast_unchecked. #5475
• Add conversions for jiff::civil::ISOWeekDate. #5478
• Add conversions for &Cstr, Cstring and Cow<Cstr>. #5482
• add #[pyclass(skip_from_py_object)] option, to opt-out of the FromPyObject: PyClass + Clone blanket impl. #5488
• Add PyErr::add_note. #5489
• Add FromPyObject impl for Cow<Path> & Cow<OsStr>. #5497

... (truncated)

Commits

• 117102d release: 0.27.2
• 2b1d6c5 fix FFI definition of PyDictObject on PyPy (#5653)
• 032d4d3 ci: add lychee cache (#5616)
• b4f78c0 fix rumdl formatting
• 0497d48 ci: remove old netlify build files (#5631)
• f3d6e05 Avoid introducing generic parameter with implied bounds from an associated ty...
• c8e6597 ci: pin mdbook to 0.4 for now, properly install mdbook-tabs (#5632)
• 30cca7e build(deps): bump actions/checkout from 5.0.0 to 5.0.1 (#5629)
• bb7bb94 Update PyIterator::send docs to match behaviour (#5593)
• 1acadc5 Add radiate to README examples section (#5561)
• Additional commits viewable in compare view

Updates serde_json from 1.0.148 to 1.0.149

Release notes

Sourced from serde_json's releases.

v1.0.149

• Align arbitrary_precision number strings with zmij's formatting (#1306, thanks @​b41sh)

Commits

• 4f6dbfa Release 1.0.149
• f3df680 Touch up PR 1306
• e16730f Merge pull request #1306 from b41sh/fix-float-number-display
• eeb2bcd Align arbitrary_precision number strings with zmij’s formatting
• See full diff in compare view

Updates bincode from 1.3.3 to 3.0.0

Commits

• See full diff in compare view

Updates reqwest from 0.12.28 to 0.13.1

Release notes

Sourced from reqwest's releases.

v0.13.1

What's Changed

• http3: depend on quinn/rustls-aws-lc-rs to avoid ring dependency by @​djc in seanmonstar/reqwest#2917
• fix rustls on android by @​seanmonstar in seanmonstar/reqwest#2918

Full Changelog: seanmonstar/reqwest@v0.13.0...v0.13.1

v0.13.0

Breaking changes

• rustls is now the default TLS backend, instead of native-tls.
• rustls crypto provider defaults to aws-lc instead of ring. (rustls-no-provider exists if you want a different crypto provider)
• rustls-tls has been renamed to rustls.
• rustls roots features removed, rustls-platform-verifier is used by default.
  • To use different roots, call tls_certs_only(your_roots).
• native-tls now includes ALPN. To disable, use native-tls-no-alpn.
• query and form are now crate features, disabled by default.
• Long-deprecated methods and crate features have been removed (such as trust-dns, which was renamed hickory-dns a while ago).
• Many TLS-related methods renamed to improve autocompletion and discovery, but previous name left in place with a "soft" deprecation. (just documented, no warnings)
  • For example, prefer tls_backend_rustls() over use_rustls_tls().

Pull Requests in General

• start 0.13 dev by @​seanmonstar in seanmonstar/reqwest#2894
• Make serde optional by introducing query, form features, and re-working WASM header parsing by @​CathalMullan in seanmonstar/reqwest#2858
• replace ClientBuilder::dns_resolver with dns_resolver2 by @​seanmonstar in seanmonstar/reqwest#2898
• feat: make Rustls the default TLS provider by @​calavera in seanmonstar/reqwest#2897
• feat: consolidate TLS options with rustls-platform-verifier by @​seanmonstar in seanmonstar/reqwest#2891
• remove long-deprecated methods: trust-dns and non-wasm-cors by @​seanmonstar in seanmonstar/reqwest#2899
• rename rustls-tls feature to just rustls by @​seanmonstar in seanmonstar/reqwest#2900
• remove deprecated features trust-dns and macos-system-configuration by @​seanmonstar in seanmonstar/reqwest#2901
• chore: separate rustls and rustls-no-provider features by @​seanmonstar in seanmonstar/reqwest#2903
• rustls: allow windows to use extra roots by @​seanmonstar in seanmonstar/reqwest#2904
• v0.13.0-rc.1 by @​seanmonstar in seanmonstar/reqwest#2905
• Enable ALPN by default in native-tls by @​ducaale in seanmonstar/reqwest#2907
• v0.13.0 by @​seanmonstar in seanmonstar/reqwest#2915

New Contributors

• @​CathalMullan made their first contribution in seanmonstar/reqwest#2858

Full Changelog: seanmonstar/reqwest@v0.12.28...v0.13.0

v0.13.0-rc.1

👀 Discussion here if you give it try, thanks!

Main breaking changes

• rustls is now default instead of native-tls
• rustls provider defaults to aws-lc instead of ring (rustls-no-provider exists if you want to enable a different one)
• rustls-tls renamed to rustls
• rustls roots features removed, platform-verifier is used instead

... (truncated)

Changelog

Sourced from reqwest's changelog.

v0.13.1

• Fixes compiling with rustls on Android targets.

v0.13.0

• Breaking changes:
  • rustls is now the default TLS backend, instead of native-tls.
  • rustls crypto provider defaults to aws-lc instead of ring. (rustls-no-provider exists if you want a different crypto provider)
  • rustls-tls has been renamed to rustls.
  • rustls roots features removed, rustls-platform-verifier is used by default.
    • To use different roots, call tls_certs_only(your_roots).
  • native-tls now includes ALPN. To disable, use native-tls-no-alpn.
  • query and form are now crate features, disabled by default.
  • Long-deprecated methods and crate features have been removed (such as trust-dns, which was renamed hickory-dns a while ago).
• Many TLS-related methods renamed to improve autocompletion and discovery, but previous name left in place with a "soft" deprecation. (just documented, no warnings)
  • For example, prefer tls_backend_rustls() over use_rustls_tls().

Commits

• 10fb98c v0.13.1
• 438098a chore: refer to h2 as dep:h2 (#2919)
• 43aac91 chore(ci): bump actions/checkout from 5 to 6 (#2864)
• 175f5b2 fix rustls on android (#2918)
• 1afe88e Depend on quinn/rustls-aws-lc-rs to avoid ring dependency (#2917)
• 62a80af v0.13.0
• e8d89f4 enable ALPN by default in native-tls (#2907)
• 9a9daa7 v0.13.0-rc.1
• d518e45 rustls: allow windows to use extra roots (#2904)
• 934bc84 chore: separate rustls and rustls-no-provider features (#2903)
• Additional commits viewable in compare view

Updates thiserror from 1.0.69 to 2.0.17

Release notes

Sourced from thiserror's releases.

2.0.17

• Use differently named __private module per patch release (#434)

2.0.16

• Add to "no-std" crates.io category (#429)

2.0.15

• Prevent Error::provide API becoming unavailable from a future new compiler lint (#427)

2.0.14

• Allow build-script cleanup failure with NFSv3 output directory to be non-fatal (#426)

2.0.13

• Documentation improvements

2.0.12

• Prevent elidable_lifetime_names pedantic clippy lint in generated impl (#413)

2.0.11

• Add feature gate to tests that use std (#409, #410, thanks @​Maytha8)

2.0.10

• Support errors containing a generic type parameter's associated type in a field (#408)

2.0.9

• Work around missing_inline_in_public_items clippy restriction being triggered in macro-generated code (#404)

2.0.8

• Improve support for macro-generated derive(Error) call sites (#399)

2.0.7

• Work around conflict with #[deny(clippy::allow_attributes)] (#397, thanks @​zertosh)

2.0.6

• Suppress deprecation warning on generated From impls (#396)

2.0.5

• Prevent deprecation warning on generated impl for deprecated type (#394)

2.0.4

• Eliminate needless_lifetimes clippy lint in generated From impls (#391, thanks @​matt-phylum)

2.0.3

• Support the same Path field being repeated in both Debug and Display representation in error message (#383)
• Improve error message when a format trait used in error message is not implemented by some field (#384)

2.0.2

• Fix hang on invalid input inside #[error(...)] attribute (#382)

2.0.1

... (truncated)

Commits

• 72ae716 Release 2.0.17
• 599fdce Merge pull request #434 from dtolnay/private
• 9ec05f6 Use differently named __private module per patch release
• d2c492b Raise minimum tested compiler to rust 1.76
• fc3ab95 Opt in to generate-macro-expansion when building on docs.rs
• 819fe29 Update ui test suite to nightly-2025-09-12
• 259f48c Enforce trybuild >= 1.0.108
• 470e6a6 Update ui test suite to nightly-2025-08-24
• 544e191 Update actions/checkout@v4 -> v5
• cbc1eba Delete duplicate cap-lints flag from build script
• Additional commits viewable in compare view

Updates dashmap from 5.5.3 to 6.1.0

Release notes

Sourced from dashmap's releases.

v6.1.0

• xacrimon/dashmap#308

v6.0.1

This is a patch release, now the main release for v6 as v6.0.0 was yanked shortly after release.

Thanks to @​JesusGuzmanJr for notifying me about a critical bug that was introduced so that I could resolve it: #304.

PRs for this release: #305 + xacrimon/dashmap@d5c8be6

v6.0.0

This release contains performance optimizations, most notably 10-40% gains on Apple Silicon but also 5-10% gains when measured in Intel Sapphire Rapids. This work was accomplished in:

• #303
• #287

Minor QoL improvements were made in:

• #302
• #300

Special to the following contributors for making this release possible:

• @​conradludgate
• @​arthurprs
• @​joshtriplett
• @​dtzxporter

v6.0.0-rc.1

This release contains performance optimizations, most notably 10-40% gains on Apple Silicon but also 5-10% gains when measured in Intel Sapphire Rapids. This work was accomplished in:

• #303
• #287

Minor QoL improvements were made in:

• #302
• #300

Special to the following contributors for making this release possible:

• @​conradludgate
• @​arthurprs
• @​joshtriplett
• @​dtzxporter

Commits

• f2d248e v6.1.0
• da6ac5e Add typesize::TypeSize implementation for DashMap/DashSet (#308)
• 633aadb v6.0.1
• d5c8be6 add shrink_to_fit test
• 488dbfa fix deadlock in shrink_to_fit (#305)
• 458238c v6.0.0
• 1e3df1a v6.0.0-rc.1
• bdb86b0 Merge branch 'arthurprs-small-optimizations'
• 4cdfc39 fix: merge errors
• 74b34f8 Merge branch 'small-optimizations' of github.com:arthurprs/dashmap into arthu...
• Additional commits viewable in compare view

Updates dirs from 5.0.1 to 6.0.0

Commits

• See full diff in compare view

Updates lz4_flex from 0.11.5 to 0.12.0

Release notes

Sourced from lz4_flex's releases.

0.12.0

What's Changed

• Fix integer overflows when decoding large payloads by @​teh-cmc in PSeitz/lz4_flex#192
• chore(readme): add python binding impl by @​LVivona in PSeitz/lz4_flex#190

New Contributors

• @​teh-cmc made their first contribution in PSeitz/lz4_flex#192
• @​LVivona made their first contribution in PSeitz/lz4_flex#190

Full Changelog: PSeitz/lz4_flex@0.11.5...0.12.0

Changelog

Sourced from lz4_flex's changelog.

0.12.0 (2025-11-11)

• Fix integer overflows when decoding large payloads #192 (thanks @​teh-cmc)

This fixes an u32 integer overflow when decoding large payloads in the block format.
Note: The block format is not suitable for such large payloads, since it
keeps everything in memory. Consider using the frame format for large data.
This change also removes a unsafe fast-path for write_integer to simplify the code.

The performance impact is on incompressible data, which is already fast enough.

Commits

• 975bfa7 bump version to 0.12.0
• 40d8110 update readme
• 642020e bump version to 0.12
• 5295b16 chore(readme): add python binding impl
• c1483c4 fix the issue
• b3c03be implement test demonstrating the issue
• a61ee5f remove unsafe write_integer which AFAICT is not used and broken
• ad71a31 fix illegal doc comment
• f1c070e clippy
• 1496be4 update binggan
• Additional commits viewable in compare view

Updates tokio-test from 0.4.4 to 0.4.5

Commits

• 41d1877 chore: prepare tokio-test 0.4.5 (#7831)
• 60b083b chore: prepare tokio-stream 0.1.18 (#7830)
• 9cc02cc chore: prepare tokio-util 0.7.18 (#7829)
• d2799d7 task: improve the docs of Builder::spawn_local (#7828)
• 4d4870f task: doc that task drops before JoinHandle completion (#7825)
• fdb1509 fs: check for io-uring opcode support (#7815)
• 426a562 rt: remove allow(dead_code) after JoinSet stabilization (#7826)
• e3b89bb chore: prepare Tokio v1.49.0 (#7824)
• 4f577b8 Merge 'tokio-1.47.3' into 'master'
• f320197 chore: prepare Tokio v1.47.3 (#7823)
• Additional commits viewable in compare view

Updates criterion from 0.5.1 to 0.8.1

Release notes

Sourced from criterion's releases.

criterion-plot-v0.8.1

Fixed

• Typo

criterion-v0.8.1

Fixed

• Homepage link

Other

• (deps) bump crate-ci/typos from 1.23.5 to 1.40.0
• (deps) bump jontze/action-mdbook from 3 to 4
• (deps) bump actions/checkout from 4 to 6

criterion-plot-v0.8.0

No release notes provided.

criterion-v0.8.0

BREAKING

• Drop async-std support

Changed

• Bump MSRV to 1.86, stable to 1.91.1

Added

• Add ability to plot throughput on summary page.
• Add support for reporting throughput in elements and bytes - Throughput::ElementsAndBytes allows the text summary to report throughput in both units simultaneously.
• Add alloca-based memory layout randomisation to mitigate memory effects on measurements.
• Add doc comment to benchmark runner in criterion_group macro (removes linter warnings)

Fixed

• Fix plotting NaN bug

Other

• Remove Master API Docs links temporarily while we restore the docs publishing.

criterion-plot-v0.7.0

No release notes provided.

Changelog

Sourced from criterion's changelog.

0.8.1 - 2025-12-07

Fixed

• Homepage link

Other

• (deps) bump crate-ci/typos from 1.23.5 to 1.40.0
• (deps) bump jontze/action-mdbook from 3 to 4
• (deps) bump actions/checkout from 4 to 6

0.8.0 - 2025-11-29

BREAKING

• Drop async-std support

Changed

• Bump MSRV to 1.86, stable to 1.91.1

Added

• Add ability to plot throughput on summary page.
• Add support for reporting throughput in elements and bytes - Throughput::ElementsAndBytes allows the text summary to report throughput in both units simultaneously.
• Add alloca-based memory layout randomisation to mitigate memory effects on measurements.
• Add doc comment to benchmark runner in criterion_group macro (removes linter warnings)

Fixed

• Fix plotting NaN bug

Other

• Remove Master API Docs links temporarily while we restore the docs publishing.

[0.7.0] - 2025-07-25

• Bump version of criterion-plot to align dependencies.

[0.6.0] - 2025-05-17

Changed

• MSRV bumped to 1.80
• The real_blackbox feature no longer has any impact. Criterion always uses std::hint::black_box() now. Users of criterion::black_box() should switch to std::hint::black_box().
• clap dependency unpinned.

Fixed

... (truncated)

Commits

• e4e06df chore: release v0.8.1
• aa548b9 fix: Homepage link
• 950c3b7 fix: Typo
• 7e3e50c chore(deps): bump crate-ci/typos from 1.23.5 to 1.40.0
• 391a99a chore(deps): bump jontze/action-mdbook from 3 to 4
• 8fb9a87 chore(deps): bump actions/checkout from 4 to 6
• b49ade7 chore: release v0.8.0
• c56485f docs: Mark Master API Docs links that need to be updated
• 86526a4 docs: Remove Master API Docs link temporarily
• 00a443f docs: Update README links
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

Labels

The following labels could not be found: dependencies, rust. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

[Lenvanderhof]

Dependabot PR Review - CI Failing

Status: Cannot merge - CI is failing on all platforms

Root Cause: bincode 3.0 Breaking Change

The upgrade from bincode 1.3.3 to bincode 3.0.0 introduces a major breaking API change. Bincode 3.0 intentionally produces a compile-time error when used with code expecting the 1.x API:

error: https://xkcd.com/2347/
1 | compile_error!("https://xkcd.com/2347/");
error: could not compile `bincode` (lib) due to 1 previous error

This xkcd reference is a deliberate message from the bincode maintainers indicating that 3.x has a completely different serialization API and cannot be used as a drop-in replacement.

Dependency Analysis

Package	From	To	Status
bincode	1.3.3	3.0.0	BREAKING - Major API change
pyo3	0.24.2	0.27.2	Major (0.x semver)
thiserror	1.0.69	2.0.17	Major - Usually compatible
dashmap	5.5.3	6.1.0	Major
dirs	5.0.1	6.0.0	Major
reqwest	0.12.28	0.13.1	Major (0.x semver)
criterion	0.5.1	0.8.1	Minor (dev-dep)
lz4_flex	0.11.5	0.12.0	Minor
tokio-test	0.4.4	0.4.5	Patch (dev-dep)
serde_json	1.0.148	1.0.149	Patch

Recommended Actions

1. Option A (Quick fix): Split this PR - keep bincode at 1.x and merge the other 9 dependencies separately
2. Option B (Full upgrade): Update codebase to use bincode 3.x API, which involves:
   • Replacing bincode::serialize()/deserialize() with new derive-based API
   • Adding #[derive(bincode::Encode, bincode::Decode)] to types
   • Updating error handling

CI Results

• Build: FAILED (ubuntu, macos, windows)
• Clippy: FAILED
• Tests: FAILED
• Format: PASSED
• Security Audit: PASSED

---

Automated review by rust-engineer agent