deps: bump lz4_flex from 0.12.1 to 0.13.0

[dependabot]

Bumps lz4_flex from 0.12.1 to 0.13.0.

Release notes

Sourced from lz4_flex's releases.

0.13.0

What's Changed

• add minimal security policy by @​Marcono1234 in PSeitz/lz4_flex#203
• Fix get_maximum_output_size overflow on 32-bit targets by @​dglittle in PSeitz/lz4_flex#205
• lz4_block exposes option to reuse compression dict by @​matthewfollegot in PSeitz/lz4_flex#207

New Contributors

• @​Marcono1234 made their first contribution in PSeitz/lz4_flex#203
• @​dglittle made their first contribution in PSeitz/lz4_flex#205
• @​matthewfollegot made their first contribution in PSeitz/lz4_flex#207

Full Changelog: PSeitz/lz4_flex@0.12.0...0.13.0

Changelog

Sourced from lz4_flex's changelog.

0.13.0 (2026-03-15)

Features

• Add option to reuse compression dict #207 (thanks @​matthewfollegot)

Fixes

• Fix handling of invalid match offsets during decompression #055502e (thanks @​Marcono1234)

Invalid match offsets (offset == 0) during decompression were not properly
handled, which could lead to invalid memory reads. This is a security fix
that was also backported to 0.12.1 and 0.11.6.

• Fix get_maximum_output_size overflow on 32-bit targets #205 (thanks @​dglittle)

Cast input_len to u64 before multiplying by 110, avoiding overflow on
32-bit targets (e.g. wasm32) where input_len * 110 overflows usize
when input_len > ~39MB.

Commits

• bfaae84 release 0.13.0
• 055502e fix handling of invalid match offsets during decompression
• 7191df8 make hashtable visibility crate public
• 1bdafca add doc comments
• c90fc91 lz4_block exposes option to reuse compression dict
• 22e77f9 Delete .github/workflows/typos.yml
• 2991a09 fix get_maximum_output_size overflow on 32-bit targets
• 7b5fb80 add minimal security policy
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[dependabot]

Labels

The following labels could not be found: rust. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

[nitecon]

Dependabot Review: lz4_flex 0.12.1 → 0.13.0

Overview

Minor version bump for the LZ4 compression dependency used in lnc-network (optional feature). Minimal diff — only lnc-network/Cargo.toml version spec and Cargo.lock updated.

Release Highlights

• Security fix: Invalid match offsets during decompression could lead to invalid memory reads (backported to 0.12.1/0.11.6)
• Bug fix: get_maximum_output_size overflow on 32-bit targets (wasm32)
• Feature: Option to reuse compression dict in lz4_block

Concerns

None. This is a low-risk minor bump with important security and correctness fixes. No breaking API changes — all 19 CI checks (Clippy, Clippy Strict, tests on Ubuntu + macOS, release builds, security audit, mechanical integrity, complexity analysis) passed cleanly.

Verdict

✅ Approved — auto-merge eligible. Minor version bump with security fixes, all checks green.

🤖 Reviewed by Eventic SRE Automation