build(deps): bump the http group across 1 directory with 8 updates

[dependabot]

Bumps the http group with 8 updates in the / directory:

Package	From	To
hyper	0.14.32	1.9.0
tower-http	0.5.2	0.6.8
tower	0.3.1	0.5.3
tokio-tungstenite	0.26.2	0.29.0
axum-extra	0.10.3	0.12.6
rustls-cng	0.5.3	0.7.0
openssl-probe	0.1.6	0.2.1
openssl	0.10.79	0.10.80

Updates hyper from 0.14.32 to 1.9.0

Release notes

Sourced from hyper's releases.

v1.9.0

Features

• client:
  • expose HTTP/2 current max stream count (#4026) (d51cb715)
  • add HTTP/2 max_local_error_reset_streams option (#4021) (57787459)
• error: add 'Error::is_parse_version_h2' method (393c77c7)
• http1: add UpgradeableConnection::into_parts (e21205cf)

Bug Fixes

• ffi: validate null pointers before dereferencing in request/response functions (#4038 (28e73ccd)
• http1:
  • allow keep-alive for chunked requests with trailers (#4043) (7211ec25, closes #4044)
  • use case-insensitive matching for trailer fields (#4011) (3b344cac, closes #4010)
  • use httparse config for Servers (#4002) (bcb8ec57, closes #3923)
• http2:
  • cancel sending client request body on response future drop (#4042) (5b17a69e, closes #4040)
  • non-utf8 char in Connection header may cause panic when calling to_str (#4019) (c36ca8a5)

Refactors and chores

• docs(error): add more information about is_incomplete_message by @​seanmonstar in hyperium/hyper#3978
• Run cargo-audit in CI to check for known vulnerabilities in dependencies. by @​f0rki in hyperium/hyper#3246
• refactor(http1): simplify match of Token parse error by @​seanmonstar in hyperium/hyper#3981
• refactor(http1): use saturating_sub instead of manual impl by @​seanmonstar in hyperium/hyper#3983
• refactor(http1): replace many args of Chunked::step with struct by @​seanmonstar in hyperium/hyper#3982
• docs: fix comment in put_slice() by @​coryan in hyperium/hyper#3986
• test(lib): fix unused warnings due to feature gating test imports by @​seanmonstar in hyperium/hyper#3997
• docs: improve Read trait and ReadBufCursor documentation by @​majiayu000 in hyperium/hyper#4000
• fix: use h1 parser config when parsing server req by @​0xPoe in hyperium/hyper#4002
• test(server): fix flaky disable_keep_alive_mid_request by @​seanmonstar in hyperium/hyper#4009
• chore(ci): update to actions/checkout@v6 by @​tottoto in hyperium/hyper#4005
• chore(ci): update to cargo-check-external-types 0.4.0 by @​tottoto in hyperium/hyper#4006
• update copyright year to 2026 by @​jasmyhigh in hyperium/hyper#4007
• refactor: avoid unwrap examples by @​0xPoe in hyperium/hyper#4001
• fix(http1): use case-insensitive matching for trailer fields by @​HueCodes in hyperium/hyper#4011
• chore: convert bug report template to GitHub form by @​njg7194 in hyperium/hyper#4015
• chore(ci): force toml mode in yq selecting msrv by @​seanmonstar in hyperium/hyper#4020
• fix: non-utf8 char may cause panic when calling to_str by @​cuiweixie in hyperium/hyper#4019
• feat(http2/client): add max_local_error_reset_streams option by @​ffuugoo in hyperium/hyper#4021
• chore: drop pin-utils dependency by @​tottoto in hyperium/hyper#4023
• [minor] doc: Fix HTTP/2 max concurrent stream link by @​dentiny in hyperium/hyper#4037
• fix(ffi): validate null pointers before dereferencing in request/resp… by @​DhruvaD1 in hyperium/hyper#4038
• h2: expose current max stream count by @​howardjohn in hyperium/hyper#4026
• fix(http1): allow keep-alive for chunked requests with trailers by @​wi-adam in hyperium/hyper#4043
• fix(http2): cancel pipe_task and send RST_STREAM on response future drop by @​mmishra100 in hyperium/hyper#4042
• Add APIs to allow switching an HTTP1 connection to HTTP2 if H2 preface is seen by @​pborzenkov in hyperium/hyper#3996

... (truncated)

Changelog

Sourced from hyper's changelog.

v1.9.0 (2026-03-31)

Bug Fixes

• ffi: validate null pointers before dereferencing in request/response functions (#4038 (28e73ccd)
• http1:
  • allow keep-alive for chunked requests with trailers (#4043) (7211ec25, closes #4044)
  • use case-insensitive matching for trailer fields (#4011) (3b344cac, closes #4010)
  • use httparse config for Servers (#4002) (bcb8ec57, closes #3923)
• http2:
  • cancel sending client request body on response future drop (#4042) (5b17a69e, closes #4040)
  • non-utf8 char in Connection header may cause panic when calling to_str (#4019) (c36ca8a5)

Features

• client:
  • expose HTTP/2 current max stream count (#4026) (d51cb715)
  • add HTTP/2 max_local_error_reset_streams option (#4021) (57787459)
• error: add 'Error::is_parse_version_h2' method (393c77c7)
• http1: add UpgradeableConnection::into_parts (e21205cf)

v1.8.1 (2025-11-13)

Bug Fixes

• http1: fix consuming extra CPU from previous change (#3977) (4492f31e)

v1.8.0 (2025-11-11)

Bug Fixes

• http1: fix rare missed write wakeup on connections (#3952) (2377b893)
• http2: fix internals of HTTP/2 CONNECT upgrades (#3967) (58e0e7dc, closes #3966)

Features

• rt: add Timer::now() method to allow overriding the instant returned (#3965) (5509ebe6)

Breaking Changes

• The HTTP/2 client connection no longer allows an executor that can not spawn itself.

... (truncated)

Commits

• 0d6c7d5 v1.9.0
• e21205c feat(http1): add UpgradeableConnection::into_parts
• 393c77c feat(error): add 'Error::is_parse_version_h2' method
• 5b17a69 fix(http2): cancel sending client request body on response future drop (#4042)
• 7211ec2 fix(http1): allow keep-alive for chunked requests with trailers (#4043)
• d51cb71 feat(client): expose HTTP/2 current max stream count (#4026)
• 28e73cc fix(ffi): validate null pointers before dereferencing in request/response fun...
• e13e783 docs(client): fix HTTP/2 max concurrent stream link to spec (#4037)
• 8ba9008 chore(dependencies): drop pin-utils dependency (#4023)
• 5778745 feat(client): add HTTP/2 max_local_error_reset_streams option (#4021)
• Additional commits viewable in compare view

Updates tower-http from 0.5.2 to 0.6.8

Release notes

Sourced from tower-http's releases.

tower-http-0.6.8

Fixed

• Disable multiple_members in Gzip decoder, since HTTP context only uses one member. (#621)

#621: tower-rs/tower-http#621

What's Changed

• Disable multiple_members option for gzip decoder by @​ducaale in tower-rs/tower-http#621
• ci: Pin tracing in MSRV job by @​ducaale in tower-rs/tower-http#622
• ci: Switch cargo-public-api-crates to cargo-check-external-types by @​tottoto in tower-rs/tower-http#613
• Remove deprecated annotations and Refactor From implementations by @​sinder38 in tower-rs/tower-http#608
• v0.6.8 by @​seanmonstar in tower-rs/tower-http#624

New Contributors

• @​sinder38 made their first contribution in tower-rs/tower-http#608

Full Changelog: tower-rs/tower-http@tower-http-0.6.7...tower-http-0.6.8

tower-http-0.6.7

Added

• TimeoutLayer::with_status_code(status) to define the status code returned when timeout is reached. (#599)

Deprecated

• auth::require_authorization is too basic for real-world. (#591)
• TimeoutLayer::new() should be replaced with TimeoutLayer::with_status_code(). (Previously was StatusCode::REQUEST_TIMEOUT) (#599)

Fixed

• on_eos is now called even for successful responses. (#580)
• ServeDir: call fallback when filename is invalid (#586)
• decompression will not fail when body is empty (#618)

#580: tower-rs/tower-http#580 #586: tower-rs/tower-http#586 #591: tower-rs/tower-http#591 #599: tower-rs/tower-http#599 #618: tower-rs/tower-http#618

New Contributors

• @​mladedav made their first contribution in tower-rs/tower-http#580
• @​aryaveersr made their first contribution in tower-rs/tower-http#586
• @​soerenmeier made their first contribution in tower-rs/tower-http#588

... (truncated)

Commits

• 33166c8 v0.6.8
• 6680160 Fix deprecated lints (#608)
• 81b8231 ci: Switch cargo-public-api-crates to cargo-check-external-types (#613)
• 1fb0144 ci: pin tracing in msrv job (#622)
• 1fe4c09 fix(decompression): disable multiple_members option for gzip decoder (#621)
• 3bf1ba7 v0.6.7
• 723ca9a fix(decompression): Suppress EOF errors caused by decompressing empty body (#...
• 8ab9f82 chore(ci): use newer cargo-public-api-crates job (#619)
• 7cfdf76 doc: Replace doc_auto_cfg with doc_cfg (#609)
• 50beeaf Add support for custom status code in TimeoutLayer (#599)
• Additional commits viewable in compare view

Updates tower from 0.3.1 to 0.5.3

Release notes

Sourced from tower's releases.

tower 0.5.3

Added

• builder: Add ServiceBuilder::boxed_clone_sync() helper (#804)

Fixed

• retry: Check that supplied jitter is not NaN (#843)

#804: tower-rs/tower#804 #843: tower-rs/tower#843

tower 0.5.2

Added

• util: Add BoxCloneSyncService which is a Clone + Send + Sync boxed Service (#777)
• util: Add BoxCloneSyncServiceLayer which is a Clone + Send + Sync boxed Layer (#802)

tower 0.5.1

• Fix minimum version of tower-layer dependency (#787)

#787: tower-rs/tower#787

tower 0.5.0

Fixed

• util: BoxService is now Sync (#702)

Changed

• util: Removed deprecated ServiceExt::ready_and method and ReadyAnd future (#652)
• retry: Breaking Change retry::Policy::retry now accepts &mut Req and &mut Res instead of the previous mutable versions. This increases the flexibility of the retry policy. To update, update your method signature to include mut for both parameters. (#584)
• retry: Breaking Change Change Policy to accept &mut self (#681)
• retry: Add generic backoff utilities (#685)
• retry: Add Budget trait. This allows end-users to implement their own budget and bucket implementations. (#703)
• reconnect: Breaking Change Remove unused generic parameter from Reconnect::new (#755)
• ready-cache: Allow iteration over ready services (#700)
• discover: Implement Clone for Change (#701)
• util: Add a BoxCloneServiceLayer (#708)
• rng: use a simpler random 2-sampler (#716)
• filter: Derive Clone for AsyncFilterLayer (#731)
• general: Update IndexMap (#741)
• MSRV: Increase MSRV to 1.63.0 (#741)

#702: tower-rs/tower#702 #652: tower-rs/tower#652 #584: tower-rs/tower#584 #681: tower-rs/tower#681

... (truncated)

Commits

• 4b0a6b0 tower v0.5.3
• 2c8524a tower v0.5.3
• 50fa4b6 ci: upgrade deny check to v2 (#847)
• 73febcd fix: Check that jitter is not NaN instead of finiteness (#843)
• 719ec03 chore: Disable unused futures feature (#838)
• 1992ebd chore(util): remove redundant ready! wrapping in poll implementations (#844)
• 21e01e9 docs: Resolve document warning (#841)
• d1b55be docs: Remove doc_auto_cfg config (#840)
• 9d876c0 ci: Update to actions/checkout v5 (#839)
• a1c277b docs: correct rng pre-requisite comment (#835)
• Additional commits viewable in compare view

Updates tokio-tungstenite from 0.26.2 to 0.29.0

Changelog

Sourced from tokio-tungstenite's changelog.

0.29.0

• Update tungstenite to 0.29.0. See tungstenite release.

0.28.0

• Update tungstenite to 0.28.0. See tungstenite release.

0.27.0

• See performance updates in tungstenite-rs.

Commits

• 7930ff2 Bump version
• 38d0465 Update Readme (#369)
• 35d110c Implement into_inner to get the underlying stream (#367)
• f3ae75d Update tungstenite version and fix bugs
• 25b544e Allow getting a reference to the shared inner stream (#363)
• e855f9e Fix errors in the examples caused by Utf8Error
• 21c5d19 Bump version
• fbd1471 Update performance notes in README
• See full diff in compare view

Updates axum-extra from 0.10.3 to 0.12.6

Release notes

Sourced from axum-extra's releases.

axum-extra-v0.12.6

• fixed: Escape backslashes and double quotes in Content-Disposition filenames to prevent header parameter injection in Attachment and FileStream (#3664)
• vpath! macro now stops the compilation if your path is using deprecated path variables in the old 107 format, such as :var and *var. the only allowed way now is {var}. (#3618)
• fixed: Return specific error message when multipart body limit is exceeded (#3611)

#3664: tokio-rs/axum#3664 #3618: tokio-rs/axum#3618 #3611: tokio-rs/axum#3611

axum-extra v0.12.3

• changed: Make the typed-routing feature enable the routing feature (#3514)
• changed: Add trailing newline to ErasedJson::pretty response bodies (#3526)
• fixed: Fix integer underflow in FileStream::try_range_response for empty files (#3566)

#3514: tokio-rs/axum#3514 #3526: tokio-rs/axum#3526 #3566: tokio-rs/axum#3566

axum-extra v0.12.2

• Make it easier to visually scan for default features (#3550)

#3550: tokio-rs/axum#3550

axum-extra v0.12.0

• breaking: Remove unused async-stream feature, which was accidentally introduced as an implicit feature through an optional dependency which was no longer being used (#3298)
• breaking: option_layer now maps the Response body type to axum::body::Body (#3469)
• breaking: Some new features are added which need to be opted in (#3485).
  • Cached extractor requires cached feature.
  • The handler utilities require handler feature.
  • The middleware utilities require middleware feature.
  • OptionalPath extractor requires optional-path feature.
  • The routing utilities require routing feature.
  • WithRejection extractor requires with-rejection feature.
• breaking: Upgraded prost dependency to v0.14. (#3517)

#3298: tokio-rs/axum#3298 #3469: tokio-rs/axum#3469 #3485: tokio-rs/axum#3485 #3517: tokio-rs/axum#3517

axum-extra v0.11.0

Yanked from crates.io due to unforeseen breaking change, see #3190 for details

---

• breaking: Remove unused async-stream feature, which was accidentally introduced as an implicit feature through an optional dependency which was no

... (truncated)

Commits

• c59208c revert axum-core changelog changes
• 99068f5 Revert "Fix IntoResponse for tuples overriding error response codes (#3603)"
• 23d7098 Revert "axum-core 0.5.6"
• e8a39ad axum-macros 0.5.1
• 6e9a249 axum-extra 0.12.6
• 0ec9041 axum 0.8.9
• c3fcebb axum-core 0.5.6
• a8790fc update release notes
• 26ba7bb docs: consolidate state management docs in crate root (#3683)
• 9fc59ef Update to tokio-tungstenite 0.29 (#3689)
• Additional commits viewable in compare view

Updates rustls-cng from 0.5.3 to 0.7.0

Commits

• 06fe2c0 Added Pkcs12Flags to control how to import chains from the PKCS#12
• 69b7699 CertContext: method to retrieve time when added to store
• 351916a Fixed compilation with Rust 1.84
• fa39ce2 Fixed clippy 1.88 warnings
• 46a3091 cargo fmt
• 1e6e64b Clippy fixes
• c96b7fa Removed unused early-data feature
• 0ae70b2 Added support for silent flag
• c377b43 address comments
• 5c3a9fb cargo fmt change
• Additional commits viewable in compare view

Updates openssl-probe from 0.1.6 to 0.2.1

Release notes

Sourced from openssl-probe's releases.

0.2.1

• Support for OpenHarmony.
• Corrections to crate metadata.

What's Changed

• feat: add openharmony platform preset certs folder by @​richerfu in rustls/openssl-probe#42
• docs: clarify lib description, update README by @​cpu in rustls/openssl-probe#47
• Prepare 0.2.1 by @​ctz in rustls/openssl-probe#46

0.2.0 is the first release after openssl-probe maintenance has been handed over to the rustls team. Thanks to @​alexcrichton for creating and maintaining it for the past 9 years. We're happy to address any feedback you have for this crate.

Breaking changes

• ProbeResult::cert_dir is now a Vec<PathBuf> rather than an Option<PathBuf>, allowing the library to yield multiple suggestions for directories which may contain certificate files.
• Rather than using a single list of locations for certificate files and certificate directories, openssl-probe now uses much shorter per-platform lists. This should make the API faster and make it less likely to accidentally pick up locations that are unidiomatic for the platform.
• Removed deprecated API

What's Changed

• Clean up deprecated API, module structure by @​djc in rustls/openssl-probe#40
• Per-platform candidates, multiple directories by @​djc in rustls/openssl-probe#41

Commits

• 9181752 Prepare 0.2.1
• 2a23322 docs: clarify lib description, update README
• 5e18d53 feat: add openharmony platform preset certs folder
• df769f4 Update repo URL in Cargo metadata
• cc52ac7 ci: check cargo-deny (and fix up SPDX metadata)
• 4cfa095 ci: check semver compatibility
• 04e7058 ci: check clippy
• fbce324 ci: check code formatting
• 11fba1b ci: setup duplicate workflow cancellation
• a44b6f1 ci: restrict workflow permissions
• Additional commits viewable in compare view

Updates openssl from 0.10.79 to 0.10.80

Release notes

Sourced from openssl's releases.

openssl-v0.10.80

What's Changed

• Prefer Homebrew openssl@4 and stop looking for openssl@1.1 by @​alex in rust-openssl/rust-openssl#2633
• Fix output buffer overflow in cipher_update_inplace for AES key-wrap-with-padding by @​alex in rust-openssl/rust-openssl#2638
• Release openssl 0.10.80 and openssl-sys 0.9.116 by @​alex in rust-openssl/rust-openssl#2639

Full Changelog: rust-openssl/rust-openssl@openssl-v0.10.79...openssl-v0.10.80

Commits

• 35be7ae Release openssl 0.10.80 and openssl-sys 0.9.116 (#2639)
• 19eceb2 Fix output buffer overflow in cipher_update_inplace for AES key-wrap-with-pad...
• b460eb3 Prefer Homebrew openssl@4 and stop looking for openssl@1.1 (#2633)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.