Bump the cargo group across 1 directory with 4 updates

[dependabot]

Bumps the cargo group with 4 updates in the / directory: tracing-forest, zip, http and tower-http.

Updates tracing-forest from 0.1.6 to 0.2.0

Commits

• See full diff in compare view

Updates zip from 5.1.1 to 6.0.0

Release notes

Sourced from zip's releases.

v6.0.0

🐛 Bug Fixes

• panic when reading empty extended-timestamp field (#404) (#422)
• Restore original file timestamp when unzipping with chrono (#46)

⚙️ Miscellaneous Tasks

• Configure Amazon Q rules (#421)

Changelog

Sourced from zip's changelog.

6.0.0 - 2025-10-09

🚀 Features

• Add by_index_with_options(), which can be used to ignore encryption in a file's metadata (#439) and may be used for other file-specific overrides in the future.

⚙️ Miscellaneous Tasks

• [breaking] FileOptions::add_extra_data is now generic and accepts any AsRef<[u8]>. (#435)

Commits

• abfc23d feat: Upgrade [Extended]FileOptions::add_extra_data() data from Box<[u8]> to ...
• eb1b586 docs: Update zip_writer documentation example (#431)
• 26e6e08 feat: Add by_index_with_options() for ignoring encryption (#439)
• 165415d chore(deps): update nt-time requirement from 0.10.6 to 0.12.1 (#429)
• 1d5d4ed chore(deps): update lzma-rust2 requirement from 0.13 to 0.14 (#432)
• 72cce40 chore(deps): update nt-time requirement from 0.10.6 to 0.12.1 (#428)
• 2ef4d3e chore(deps): update nt-time requirement from 0.10.6 to 0.12.1 (#427)
• 9cf28cb test(ci): Fix: rename can't be skipped
• 5987cdd test(ci): Fix: need recursive rename
• 74f8a3c test(ci): Need to rename more files during fuzz runs
• Additional commits viewable in compare view

Updates http from 1.3.1 to 1.4.0

Release notes

Sourced from http's releases.

v1.4.0

Highlights

• Add StatusCode::EARLY_HINTS constant for 103 Early Hints.
• Make StatusCode::from_u16 now a const fn.
• Make Authority::from_static now a const fn.
• Make PathAndQuery::from_static now a const fn.
• MSRV increased to 1.57 (allows legible const fn panic messages).

What's Changed

• Updated Rand dependency to v0.9.1 by @​FarzadMohtasham in hyperium/http#763
• Fix compilation on latest nightly by @​akonradi-signal in hyperium/http#769
• Avoid unnecessary .expect()s for empty HeaderMap by @​akonradi-signal in hyperium/http#768
• feat: show types in Extensions debug output by @​crepererum in hyperium/http#773
• Docs: Clarify the HeaderMap documentaion by @​Sol-Ell in hyperium/http#774
• style: update format for tests by @​seanmonstar in hyperium/http#782
• Make StatusCode::from_u16 const by @​coolreader18 in hyperium/http#761
• docs: Fix typo 'an' to 'and' in http::status module documentation by @​zxzxovo in hyperium/http#784
• fix: Prevent panic in try_reserve/try_with_capacity on capacity overflow by @​AriajSarkar in hyperium/http#787
• fix: Add reserve() to Extend impl for (Option, T)) by @​AriajSarkar in hyperium/http#788
• chore: minor improvement for docs by @​claudecodering in hyperium/http#790
• chore: bump MSRV to 1.57 by @​seanmonstar in hyperium/http#793
• Add EARLY_HINTS status code by @​mdevino in hyperium/http#758
• refactor(header): use better panic message in const HeaderName and HeaderValue by @​seanmonstar in hyperium/http#797
• docs: remove unnecessary extern crate sentence by @​tottoto in hyperium/http#799
• chore(ci): update to actions/checkout@v5 by @​tottoto in hyperium/http#800
• feat(uri): make Authority/PathAndQuery::from_static const by @​WaterWhisperer in hyperium/http#786
• refactor(header): inline FNV hasher to reduce dependencies by @​seanmonstar in hyperium/http#796
• v1.4.0 by @​seanmonstar in hyperium/http#803

New Contributors

• @​FarzadMohtasham made their first contribution in hyperium/http#763
• @​akonradi-signal made their first contribution in hyperium/http#769
• @​crepererum made their first contribution in hyperium/http#773
• @​Sol-Ell made their first contribution in hyperium/http#774
• @​coolreader18 made their first contribution in hyperium/http#761
• @​zxzxovo made their first contribution in hyperium/http#784
• @​AriajSarkar made their first contribution in hyperium/http#787
• @​claudecodering made their first contribution in hyperium/http#790
• @​mdevino made their first contribution in hyperium/http#758
• @​WaterWhisperer made their first contribution in hyperium/http#786

Full Changelog: hyperium/http@v1.3.1...v1.4.0

Changelog

Sourced from http's changelog.

1.4.0 (November 24, 2025)

• Add StatusCode::EARLY_HINTS constant for 103 Early Hints.
• Make StatusCode::from_u16 now a const fn.
• Make Authority::from_static now a const fn.
• Make PathAndQuery::from_static now a const fn.
• MSRV increased to 1.57 (allows legible const fn panic messages).

Commits

• b9625d8 v1.4.0
• 50b009c refactor(header): inline FNV hasher to reduce dependencies (#796)
• b370d36 feat(uri): make Authority/PathAndQuery::from_static const (#786)
• 0d74251 chore(ci): update to actions/checkout@v5 (#800)
• a760767 docs: remove unnecessary extern crate sentence (#799)
• fb1d457 refactor(header): use better panic message in const HeaderName and HeaderValu...
• 20dbd6e feat(status): Add 103 EARLY_HINTS status code (#758)
• e7a7337 chore: bump MSRV to 1.57
• 1888e28 tests: downgrade rand back to 0.8 for now
• 918bbc3 chore: minor improvement for docs (#790)
• Additional commits viewable in compare view

Updates tower-http from 0.6.6 to 0.6.7

Release notes

Sourced from tower-http's releases.

tower-http-0.6.7

Added

• TimeoutLayer::with_status_code(status) to define the status code returned when timeout is reached. (#599)

Deprecated

• auth::require_authorization is too basic for real-world. (#591)
• TimeoutLayer::new() should be replaced with TimeoutLayer::with_status_code(). (Previously was StatusCode::REQUEST_TIMEOUT) (#599)

Fixed

• on_eos is now called even for successful responses. (#580)
• ServeDir: call fallback when filename is invalid (#586)
• decompression will not fail when body is empty (#618)

#580: tower-rs/tower-http#580 #586: tower-rs/tower-http#586 #591: tower-rs/tower-http#591 #599: tower-rs/tower-http#599 #618: tower-rs/tower-http#618

New Contributors

• @​mladedav made their first contribution in tower-rs/tower-http#580
• @​aryaveersr made their first contribution in tower-rs/tower-http#586
• @​soerenmeier made their first contribution in tower-rs/tower-http#588
• @​gjabell made their first contribution in tower-rs/tower-http#591
• @​FalkWoldmann made their first contribution in tower-rs/tower-http#599
• @​ducaale made their first contribution in tower-rs/tower-http#618

Full Changelog: tower-rs/tower-http@tower-http-0.6.6...tower-http-0.6.7

Commits

• 3bf1ba7 v0.6.7
• 723ca9a fix(decompression): Suppress EOF errors caused by decompressing empty body (#...
• 8ab9f82 chore(ci): use newer cargo-public-api-crates job (#619)
• 7cfdf76 doc: Replace doc_auto_cfg with doc_cfg (#609)
• 50beeaf Add support for custom status code in TimeoutLayer (#599)
• 35740de deps: Remove unnecessary dev-dependencies (#606)
• a7eefae ci: Re-enable ci on default branch (#605)
• 12a5b33 tests: Update to brotli 8 (#603)
• 0195198 ci: Update to actions/checkout v5 (#604)
• c757491 examples: Update to axum 0.8 (#602)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[Sebastian Thiel (Byron)]

I am leaving this to you Eliah Kagan (@EliahKagan) to look at, mainly because it says that it updates more than it actually does. What it does is fine, I think, it's just strange it doesn't seem to 'know' what it's doing. Otherwise I think the PR can be merged.

[Eliah Kagan (EliahKagan)]

I think these changes are okay, though I'll have Dependabot recreate the PR to see if anything more is available since it was opened, and also to see if Dependabot manages to describe its changes more accurately.

It's slightly convenient that it's not really updating tracing-forest, since it does't seem to have any release notes, changelogs, version tags, or informaton about breaking changes in commit messages, so I don't know where to look to review the effect of breaking changes. But one can find the relevant range of commits, so there is this full diff.

One occurrence of tracing-forest is in the top-level Cargo.toml. This supports the tracing feature of gitoxide-core. It is at 1.5, with the associated resolved version in Cargo.lock consistent with it, at 1.6. Dependabot claims it's upgrading tracing-forest from 1.6 to 2.0, which I think it wants to do (or cargo recommends it to do) because 2.0 is already separately listed there. But it can't just upgrade that, because 2.0 doesn't satisfy 1.5 in Cargo.toml. Why it's not trying to upgrade 1.5 to 2.0--or even all the way to 3.0, which is the actual current version--I don't know. What version should we be using?

I think that kind of thing happens fairly often with Dependabot on this repository. This is one of a few reasons I'd be interested to try out Renovate as an alternative here, though I can't be sure that it would work better.

---

The other thing we're seeing here is that it wants to downgrade resolved versions of windows-sys in Cargo.toml. I believe that always happens anytime cargo update has been run with the effect of upgrading windows-sys or various closely related packages; for some reason, Dependabot or whatever version and configuration of cargo it is using regards the earlier versions to be preferable. Maybe this is so fewer separate versions can be used, I don't know. But it's a long-standing difference between the effect of Dependabot and the effect of running cargo update locally (even when just trying to update a single direct dependency).

See #1938 comments for an example with windows-targets. That's the best I could find. Incidentally, I find searching for information in GitHub comments discussions extremely hard lately. I think in principle GitHub includes this in search results, but in practice that seems often not to be the case. Is there some way to export the entire history of all public issues and PRs in a repository, along with all their comments, both regular and review comments, so that I can search them locally? (This would be useful for other reasons too: preserving valuable knowledge, providing context to a locally runnng LLM, etc.)

[Eliah Kagan (EliahKagan)]

Dependabot (@dependabot) recreate

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.