deps(deps): bump the rust-minor-patch group across 1 directory with 16 updates

[dependabot]

Bumps the rust-minor-patch group with 16 updates in the / directory:

Package	From	To
tokio	1.51.0	1.52.3
serde_json	1.0.149	1.0.150
metrics	0.24.3	0.24.6
metrics-exporter-prometheus	0.18.1	0.18.3
axum	0.8.8	0.8.9
axum-extra	0.12.5	0.12.6
tonic	0.14.5	0.14.6
tonic-build	0.14.5	0.14.6
tower-http	0.6.8	0.6.11
clap	4.6.0	4.6.1
rand	0.10.0	0.10.1
jsonwebtoken	10.3.0	10.4.0
uuid	1.23.0	1.23.1
webauthn-rs	0.5.4	0.5.5
lettre	0.11.21	0.11.22
rustls	0.23.37	0.23.40

Updates tokio from 1.51.0 to 1.52.3

Release notes

Sourced from tokio's releases.

Tokio v1.52.3

1.52.3 (May 8th, 2026)

Fixed

• sync: fix underflow in mpsc channel len() (#8062)
• sync: notify receivers in mpsc OwnedPermit::release() method (#8075)
• sync: require that an RwLock has max_readers != 0 (#8076)
• sync: return Empty from try_recv() when mpsc is closed with outstanding permits (#8074)

#8062: tokio-rs/tokio#8062 #8074: tokio-rs/tokio#8074 #8075: tokio-rs/tokio#8075 #8076: tokio-rs/tokio#8076

Tokio v1.52.2

1.52.2 (May 4th, 2026)

This release reverts the LIFO slot stealing change introduced in 1.51.0 (#7431), due to [its performance impact]#8065. (#8100)

#7431: tokio-rs/tokio#7431 #8065: tokio-rs/tokio#8065 #8100: tokio-rs/tokio#8100

Tokio v1.52.1

1.52.1 (April 16th, 2026)

Fixed

• runtime: revert #7757 to fix [a regression]#8056 that causes spawn_blocking to hang (#8057)

#7757: tokio-rs/tokio#7757 #8056: tokio-rs/tokio#8056 #8057: tokio-rs/tokio#8057

Tokio v1.52.0

1.52.0 (April 14th, 2026)

Added

• io: AioSource::register_borrowed for I/O safety support (#7992)
• net: add try_io function to unix::pipe sender and receiver types (#8030)

Added (unstable)

• runtime: Builder::enable_eager_driver_handoff setting enable eager hand off of the I/O and time drivers before polling tasks (#8010)
• taskdump: add trace_with() for customized task dumps (#8025)
• taskdump: allow impl FnMut() in trace_with instead of just fn() (#8040)
• fs: support io_uring in AsyncRead for File (#7907)

... (truncated)

Commits

• d875691 chore: prepare Tokio v1.52.3 (#8130)
• e1aebb0 Merge 'tokio-1.51.3' into 'tokio-1.52.x' (#8129)
• fd63094 chore: prepare Tokio v1.51.3 (#8127)
• 8c600d0 Merge 'tokio-1.47.5' into 'tokio-1.51.x' (#8123)
• 11bfc13 chore: prepare Tokio v1.47.5 (#8122)
• f085b62 sync: notify receivers in mpsc OwnedPermit::release() method (#8075)
• 30d25cc sync: require that an RwLock has max_readers != 0 (#8076)
• 9fccf53 sync: return Empty from try_recv() when mpsc is closed with outstanding p...
• ebf61b4 sync: fix underflow in mpsc channel len() (#8062)
• 4abe9d7 chore: prepare Tokio v1.52.2 (#8115)
• Additional commits viewable in compare view

Updates serde_json from 1.0.149 to 1.0.150

Release notes

Sourced from serde_json's releases.

v1.0.150

• Reject non-string enum object keys (#1324, thanks @​puneetdixit200)

Commits

• a1ae73a Release 1.0.150
• 1a360b0 Merge pull request #1324 from puneetdixit200/reject-non-string-enum-keys
• 2037b63 Reject non-string enum object keys
• 5d30df6 Resolve manual_assert_eq pedantic clippy lint
• dc8003a Raise required compiler for preserve_order feature to 1.85
• a42fa98 Unpin CI miri toolchain
• 684a60e Pin CI miri to nightly-2026-02-11
• 7c7da33 Raise required compiler to Rust 1.71
• acf4850 Simplify Number::is_f64
• 6b8ceab Resolve unnecessary_map_or clippy lint
• Additional commits viewable in compare view

Updates metrics from 0.24.3 to 0.24.6

Commits

• 23cc597 chore: Release
• 78ebfc3 revert: defer version bumps to cargo-release
• 8d7f5ea update CHANGELOG for metrics
• cd5b9a3 chore(metrics): update doc comments for macros for consistency
• 9cf1f73 fix(metrics): resolve hash mismatch between pre-computed and on-demand key ha...
• 2bfe3ba enhancement(metrics): allow specifying description and unit in registration m...
• dae3a67 chore: Release
• 6dddb64 update CHANGELOG for metrics-exporter-dogstatsd
• 9e387a4 chore: Release
• f21d811 update CHANGELOG for metrics-exporter-prometheus
• Additional commits viewable in compare view

Updates metrics-exporter-prometheus from 0.18.1 to 0.18.3

Commits

• 9e387a4 chore: Release
• f21d811 update CHANGELOG for metrics-exporter-prometheus
• 34af5ea chore: Release
• 6f33477 update CHANGELOG for metrics-util
• 01dab26 fix: bump metrics dep to avoid breakage
• ecbc010 chore: slight tweak to follow-up PR message after release
• 50fcd63 chore: Release
• 815f5e9 update CHANGELOG for metrics
• 401a16c fix(perf): ensure hash_label properly hashes both the key and value (#690)
• e8e2538 chore(dev): add Claude skill for simplifying the release process
• Additional commits viewable in compare view

Updates axum from 0.8.8 to 0.8.9

Release notes

Sourced from axum's releases.

axum-v0.8.9

• added: WebSocketUpgrade::{requested_protocols, set_selected_protocol} for more flexible subprotocol selection (#3597)
• changed: Update minimum rust version to 1.80 (#3620)
• fixed: Set connect endpoint on correct field in MethodRouter (#3656)
• fixed: Return specific error message when multipart body limit is exceeded (#3611)

#3597: tokio-rs/axum#3597 #3620: tokio-rs/axum#3620 #3656: tokio-rs/axum#3656 #3611: tokio-rs/axum#3611

Commits

• c59208c revert axum-core changelog changes
• 99068f5 Revert "Fix IntoResponse for tuples overriding error response codes (#3603)"
• 23d7098 Revert "axum-core 0.5.6"
• e8a39ad axum-macros 0.5.1
• 6e9a249 axum-extra 0.12.6
• 0ec9041 axum 0.8.9
• c3fcebb axum-core 0.5.6
• a8790fc update release notes
• 26ba7bb docs: consolidate state management docs in crate root (#3683)
• 9fc59ef Update to tokio-tungstenite 0.29 (#3689)
• Additional commits viewable in compare view

Updates axum-extra from 0.12.5 to 0.12.6

Release notes

Sourced from axum-extra's releases.

axum-extra-v0.12.6

• fixed: Escape backslashes and double quotes in Content-Disposition filenames to prevent header parameter injection in Attachment and FileStream (#3664)
• vpath! macro now stops the compilation if your path is using deprecated path variables in the old 107 format, such as :var and *var. the only allowed way now is {var}. (#3618)
• fixed: Return specific error message when multipart body limit is exceeded (#3611)

#3664: tokio-rs/axum#3664 #3618: tokio-rs/axum#3618 #3611: tokio-rs/axum#3611

Commits

• c59208c revert axum-core changelog changes
• 99068f5 Revert "Fix IntoResponse for tuples overriding error response codes (#3603)"
• 23d7098 Revert "axum-core 0.5.6"
• e8a39ad axum-macros 0.5.1
• 6e9a249 axum-extra 0.12.6
• 0ec9041 axum 0.8.9
• c3fcebb axum-core 0.5.6
• a8790fc update release notes
• 26ba7bb docs: consolidate state management docs in crate root (#3683)
• 9fc59ef Update to tokio-tungstenite 0.29 (#3689)
• Additional commits viewable in compare view

Updates tonic from 0.14.5 to 0.14.6

Release notes

Sourced from tonic's releases.

tonic-build-v0.14.6

Other

• update rust edition and version to 2024 and 1.88, respectively (#2525)

tonic-health-v0.14.6

Other

• update rust edition and version to 2024 and 1.88, respectively (#2525)

tonic-prost-build-v0.14.6

Other

• Support well known types resolved by prost to their rust counterparts (#2544)
• update rust edition and version to 2024 and 1.88, respectively (#2525)

tonic-prost-v0.14.6

Other

• update rust edition and version to 2024 and 1.88, respectively (#2525)

tonic-reflection-v0.14.6

Other

• fix panic when client drops connection early (#2596)
• update rust edition and version to 2024 and 1.88, respectively (#2525)

tonic-types-v0.14.6

Other

• update rust edition and version to 2024 and 1.88, respectively (#2525)

tonic-v0.14.6

Added

• (transport/channel) expose ServerCertVerifier API (#2612)

Fixed

• map no trailers ok status to unknown (#2543)

Other

• add max_frame_size to client Endpoint (#2592)
• Allow setting the HTTP/2 client header table size (#2582)
• update rust edition and version to 2024 and 1.88, respectively (#2525)

tonic-web-v0.14.6

Other

... (truncated)

Commits

• 6cb6056 chore: release v0.14.6 (#2624)
• efde924 grpc: change helloworld example to pass request as a view (#2632)
• d47b001 transport: add max_frame_size to client Endpoint (#2592)
• 02c01c7 Allow setting the HTTP/2 client header table size (#2582)
• 3185354 examples: add grpc version of helloworld (#2630)
• f585303 fix(grpc): Fix grpc-google build (#2628)
• ff7bcbb feat(grpc): Google call credentials (#2610)
• f93037b feat(tonic-xds): make XdsChannelGrpc Sync (#2627)
• d834beb grpc: Update Status to be a Result<> and make StatusErr which holds non-OK co...
• 2392224 grpc: add route_guide example and make minor tweaks to the generated code API...
• Additional commits viewable in compare view

Updates tonic-build from 0.14.5 to 0.14.6

Release notes

Sourced from tonic-build's releases.

tonic-build-v0.14.6

Other

• update rust edition and version to 2024 and 1.88, respectively (#2525)

Commits

• 6cb6056 chore: release v0.14.6 (#2624)
• efde924 grpc: change helloworld example to pass request as a view (#2632)
• d47b001 transport: add max_frame_size to client Endpoint (#2592)
• 02c01c7 Allow setting the HTTP/2 client header table size (#2582)
• 3185354 examples: add grpc version of helloworld (#2630)
• f585303 fix(grpc): Fix grpc-google build (#2628)
• ff7bcbb feat(grpc): Google call credentials (#2610)
• f93037b feat(tonic-xds): make XdsChannelGrpc Sync (#2627)
• d834beb grpc: Update Status to be a Result<> and make StatusErr which holds non-OK co...
• 2392224 grpc: add route_guide example and make minor tweaks to the generated code API...
• Additional commits viewable in compare view

Updates tower-http from 0.6.8 to 0.6.11

Release notes

Sourced from tower-http's releases.

tower-http-0.6.11

Added

• set-header: add SetMultipleResponseHeadersLayer and SetMultipleResponseHeader for setting multiple response headers at once. Supports overriding, appending, and if_not_present modes. Header values can be fixed or computed dynamically via closures (#672)

  use http::{Response, header::{self, HeaderValue}};
  use http_body::Body as _;
  use tower_http::set_header::response::SetMultipleResponseHeadersLayer;
  let layer = SetMultipleResponseHeadersLayer::overriding(vec![
  (header::X_FRAME_OPTIONS, HeaderValue::from_static("DENY")).into(),
  (header::CONTENT_LENGTH, |res: &Response<MyBody>| {
  res.body().size_hint().exact()
  .map(|size| HeaderValue::from_str(&size.to_string()).unwrap())
  }).into(),
  ]);

• set-header: add SetMultipleRequestHeadersLayer and SetMultipleRequestHeaders for setting multiple request headers at once, mirroring the response-side API (#677)

• classify: add From<i32> and From<NonZeroI32> impls for GrpcCode. Unrecognized status codes map to GrpcCode::Unknown (#506)

Changed

• compression: compress application/grpc-web responses. Previously all application/grpc* content types were excluded from compression; now only application/grpc (non-web) is excluded (#408)

Fixed

• fs: fix ServeDir returning 500 instead of 405 for non-GET/HEAD requests when call_fallback_on_method_not_allowed is enabled but no fallback service is configured (#587)
• fs: remove duplicate cfg attribute on is_reserved_dos_name (#675)

#408: tower-rs/tower-http#408 #506: tower-rs/tower-http#506 #587: tower-rs/tower-http#587 #672: tower-rs/tower-http#672 #675: tower-rs/tower-http#675 #677: tower-rs/tower-http#677

All PRs

• ci: fix flaky encoding test, add nightly stress test job by @​jlizen in tower-rs/tower-http#670

... (truncated)

Commits

• 1d082ef v0.6.11
• 9c3117d feat: set multiple request header (#677)
• 667e7c7 Remove duplicate cfg attribute for is_reserved_dos_name (#675)
• 7551a9b feat(set_header): refactor and improve multiple header middleware (#672)
• 991e9ee add From<i32> impl for GrpcCode (#506)
• 3962dba Do compress grpc-web responses (#408)
• f0b3bb6 Fix serve_dir method not allowed handling when no fallback is configured (#587)
• d1a571b ci: use static timeout in stress-test workflow (#671)
• 309555a ci: fix flaky encoding test, add nightly stress test job (#670)
• 4532fc2 v0.6.10
• Additional commits viewable in compare view

Updates clap from 4.6.0 to 4.6.1

Release notes

Sourced from clap's releases.

v4.6.1

[4.6.1] - 2026-04-15

Fixes

• (derive) Ensure rebuilds happen when an read env variable is changed

Changelog

Sourced from clap's changelog.

[4.6.1] - 2026-04-15

Fixes

• (derive) Ensure rebuilds happen when an read env variable is changed

Commits

• 1420275 chore: Release
• d2c817d docs: Update changelog
• f88c94e Merge pull request #6341 from epage/sep
• acbb822 fix(complete): Reduce risk of conflict with actual subcommands
• a49fadb refactor(complete): Pull out subcommand separator
• ddc008b Merge pull request #6332 from epage/update
• 497dc50 chore: Update compatible dependencies
• dca2326 Merge pull request #6331 from clap-rs/renovate/j178-prek-action-2.x
• 54bdaa3 chore(deps): Update j178/prek-action action to v2
• f0d30d9 chore: Release
• Additional commits viewable in compare view

Updates rand from 0.10.0 to 0.10.1

Changelog

Sourced from rand's changelog.

[0.10.1] — 2026-02-11

This release includes a fix for a soundness bug; see #1763.

Changes

• Document panic behavior of make_rng and add #[track_caller] (#1761)
• Deprecate feature log (#1763)

#1761: rust-random/rand#1761 #1763: rust-random/rand#1763

Commits

• 27ff4cb Prepare v0.10.1: deprecate feature log (#1763)
• 98d0638 make_rng: document panic and add #[track_caller] (#1761)
• 54e5eaa Fix doc error (#1758)
• 1ce4c08 Bump itoa from 1.0.17 to 1.0.18 in the all-deps group (#1756)
• ccb734b docs: fix typo in doc comment (#1754)
• 357eb7d Bump libc from 0.2.182 to 0.2.183 in the all-deps group (#1753)
• 5e77fe5 Fix trait references in documentation (#1752)
• da89185 Bump the all-deps group with 3 updates (#1751)
• 50516ff Bump the all-deps group with 2 updates (#1749)
• fd71de9 Bump the all-deps group with 2 updates (#1747)
• Additional commits viewable in compare view

Updates jsonwebtoken from 10.3.0 to 10.4.0

Changelog

Sourced from jsonwebtoken's changelog.

10.4.0 (2026-05-11)

• Fix incorrect encoding for Ed25519 JWK thumbprints
• Make Algorithm.family public and add Validation.new_for_family
• EncodingKey and DecodingKey are now partially zeroized on drop (the intermediate PemEncodedKey isn't so far)

Commits

• 69a8fbf v10.4.0
• d18e40f Update changelog for 10.4.0 (#507)
• ddd2389 security: zeroize encoding and decoding keys (#483)
• 991e89a Fix more clippy complaints (#503)
• 75f2113 algorithms: expose AlgorithmFamily (#466)
• 0c5931a Fixup typo in the DecodingKey::from_ec_der method (#501)
• 8a80349 Small fixes (#498)
• 9934c7f Fix formatting in Ed25519 key serialization (#485)
• See full diff in compare view

Updates uuid from 1.23.0 to 1.23.1

Release notes

Sourced from uuid's releases.

v1.23.1

What's Changed

• Remove deprecated msrv feature from wasm-bindgen dependency by @​guybedford in uuid-rs/uuid#877
• fix: Timestamp::from_gregorian deprecation note by @​aznashwan in uuid-rs/uuid#878
• Prepare for 1.23.1 release by @​KodrAus in uuid-rs/uuid#879

New Contributors

• @​guybedford made their first contribution in uuid-rs/uuid#877
• @​aznashwan made their first contribution in uuid-rs/uuid#878

Full Changelog: uuid-rs/uuid@v1.23.0...v1.23.1

Commits

• ca0c85f Merge pull request #879 from uuid-rs/cargo/v1.23.1
• b4db015 prepare for 1.23.1 release
• 771069d Merge pull request #878 from aznashwan/fix-from-gregorian-deprecation-note
• 80994a2 fix: Timestamp::from_gregorian deprecation note
• 90c5be8 Merge pull request #877 from guybedford/remove-wasm-bindgen-msrv
• 8b8c4f4 Remove deprecated feature from wasm-bindgen dependency
• See full diff in compare view

Updates webauthn-rs from 0.5.4 to 0.5.5

Commits

• See full diff in compare view

Updates lettre from 0.11.21 to 0.11.22

Release notes

Sourced from lettre's releases.

v0.11.22 - update now if you're using Boring TLS

Security

• Fix inverted TLS hostname verification flag in boring-tls backend that silently disabled hostname verification f5efffc

Bug Fixes

• Cap read_response buffer to prevent unbounded memory growth #1143

Misc

• Upgrade rustls-platform-verifier to v0.7 #1136

Changelog

Sourced from lettre's changelog.

v0.11.22 (2026-05-14)

Security

• Fix inverted TLS hostname verification flag in boring-tls backend that silently disabled hostname verification (f5efffc)

Bug Fixes

• Cap read_response buffer to prevent unbounded memory growth (#1143)

Misc

• Upgrade rustls-platform-verifier to v0.7 (#1136)

#1136: lettre/lettre#1136 #1143: lettre/lettre#1143

Commits

• 9b88c4f Prepare v0.11.22
• f5efffc fix(transport-smtp): negate hostname-verify flag for boring-tls
• f62f304 fix(transport-smtp): cap read_response buffer
• fa402db build(deps): upgrade rustls-platform-verifier to v0.7
• See full diff in compare view

Updates rustls from 0.23.37 to 0.23.40

Commits

• b44c09f Prepare 0.23.40
• e7a555f Prefer Ord::max to core::cmp
• c0005be ech: base inner name padding on actual extension
• 4e49529 ech: test inner name padding
• 3e06ef1 ech: add both name and "gross" padding
• c574ffd ech: avoid short-lived allocation for padding
• 8bf935c ech: pop comment from match arm
• 9088004 ech: expand maximum_name_length to usize ASAP
• a612901 Default require_ems based on CryptoProvider FIPS status
• 0541605 Cargo: version 0.23.38 -> 0.23.39
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions