chore(deps): bump the cargo-workspace group across 1 directory with 9 updates

[dependabot]

Bumps the cargo-workspace group with 8 updates in the / directory:

Package	From	To
serde_json	1.0.149	1.0.150
serde_yml	0.0.12	0.0.13
reqwest	0.13.3	0.13.4
tauri	2.11.0	2.11.2
assert_cmd	2.2.1	2.2.2
deno_core	0.400.0	0.402.0
tokio	1.52.1	1.52.3
git2	0.19.0	0.21.0

Updates serde_json from 1.0.149 to 1.0.150

Release notes

Sourced from serde_json's releases.

v1.0.150

• Reject non-string enum object keys (#1324, thanks @​puneetdixit200)

Commits

• a1ae73a Release 1.0.150
• 1a360b0 Merge pull request #1324 from puneetdixit200/reject-non-string-enum-keys
• 2037b63 Reject non-string enum object keys
• 5d30df6 Resolve manual_assert_eq pedantic clippy lint
• dc8003a Raise required compiler for preserve_order feature to 1.85
• a42fa98 Unpin CI miri toolchain
• 684a60e Pin CI miri to nightly-2026-02-11
• 7c7da33 Raise required compiler to Rust 1.71
• acf4850 Simplify Number::is_f64
• 6b8ceab Resolve unnecessary_map_or clippy lint
• Additional commits viewable in compare view

Updates serde_yml from 0.0.12 to 0.0.13

Release notes

Sourced from serde_yml's releases.

v0.0.13 — Final release (deprecation shim, RUSTSEC-2025-0068 fixed)

⚠️ Final release — serde_yml is deprecated

This is the final maintenance release of serde_yml. The crate is no longer under active development. 0.0.13 is a thin compatibility shim that lets existing call sites keep compiling while you migrate to one of the maintained alternatives listed below.

If you are reading this because cargo audit flagged your build, upgrading to 0.0.13 resolves RUSTSEC-2025-0068 structurally — see Security below.

---

TL;DR

  # Cargo.toml
- serde_yml = "0.0"
+ serde_yml = "0.0.13"

Your existing call sites compile unchanged. The compiler now emits a #[deprecated] warning at every use serde_yml::* import pointing at the migration guide. The C-FFI libyml parser is no longer in your dependency graph.

When you're ready to fully migrate, see the migration guide.

---

Security: RUSTSEC-2025-0068 fixed

RUSTSEC-2025-0068 (also GHSA-hhw4-xg65-fp2x) flagged every serde_yml ≤ 0.0.12 as unsound — the serde_yml::ser::Serializer.emitter field could cause a segmentation fault via the C-FFI libyaml parser.

0.0.13 removes the vulnerable surface entirely:

• The C-FFI libyml dependency is gone from the graph.
• serde_yml::ser::Serializer is now a re-export of a pure-Rust unit struct (pub struct Serializer;) with no emitter field — code that referenced .emitter no longer compiles, which is the desired outcome.
• The backend (noyalib) enforces #![forbid(unsafe_code)] workspace-wide.

Verification:

cargo update -p serde_yml --precise 0.0.13
cargo tree -p serde_yml | grep libyml   # → no output

The RustSec advisory database PR adding patched = ["^0.0.13"] is pending review at rustsec/advisory-db#2915. Until it merges, cargo audit may still warn against 0.0.13 — the 0.0.13 release itself ships .cargo/audit.toml + deny.toml ignore entries so the self-referential warning doesn't block your own CI.

---

Maintained alternatives

Three crates are realistic destinations. Pick the one that fits.

Crate	Migration shape	Best fit

... (truncated)

Commits

• 2bdacd5 ci: commit Cargo.lock for reproducible audits
• 57983ac ci: ignore RUSTSEC-2025-0068 in cargo-audit / cargo-deny
• c236ddd style: apply rustfmt (max_width=72)
• 795e112 ci: include master in push triggers (default branch is master)
• 5497552 Deprecate serde_yml — 0.0.13 shim forwarding to noyalib (#52)
• ab3c49e Merge pull request #34 from horacimacias/master
• c7ba7ac Merge pull request #35 from lucasvr/lucas/anchors
• 140d00b Merge pull request #38 from nc7s/fix-cstr-pointer-type
• a19e5c2 Merge pull request #18 from Mingun/remove-duplicated-clone
• 6ffe205 fix: hard coded CStr pointer type, use ffi::c_char
• Additional commits viewable in compare view

Updates reqwest from 0.13.3 to 0.13.4

Release notes

Sourced from reqwest's releases.

v0.13.4

tl;dr

• Add ClientBuilder::tls_sslkeylogfile(bool) option to allow using the related environment variable.
• Add ClientBuilder::http2_keep_alive_* options for the blocking client.
• Add TLS 1.3 support when using native-tls backend.
• Fix redirect handling to strip sensitive headers when the scheme changes.
• Fix HTTP/3 happy-eyeball connection creation.
• Upgrade hickory-resolver to 0.26.

What's Changed

• fix(tls): improve rustls-no-provider panic message and add module docs by @​smythg4 in seanmonstar/reqwest#3021
• fix: do not lose the url in error when decoding json by @​Dushistov in seanmonstar/reqwest#3026
• Add tls_sslkeylogfile builder method by @​passcod in seanmonstar/reqwest#2923
• fix(redirect): strip sensitive headers on scheme change across redirects by @​SAY-5 in seanmonstar/reqwest#3034
• chore: upgrade MSRV to 1.85 by @​seanmonstar in seanmonstar/reqwest#3038
• chore: clean up minimal-versions CI job by @​seanmonstar in seanmonstar/reqwest#3039
• fix(http3): use happy eyeballs for h3 connect by @​lyuzichong in seanmonstar/reqwest#3030
• fix: update hickory-resolver to 0.26 and adjust code accordingly by @​seanmonstar in seanmonstar/reqwest#3040
• fix: remove unwrap in hickory initialization by @​mat813 in seanmonstar/reqwest#3041
• feat(https): support TLS 1.3 as min version under native-tls 🎉 by @​AverageHelper in seanmonstar/reqwest#2975
• Expose keep alive configurations in blocking client by @​aeb-dev in seanmonstar/reqwest#3043
• Prepare v0.13.4 by @​seanmonstar in seanmonstar/reqwest#3046

New Contributors

• @​smythg4 made their first contribution in seanmonstar/reqwest#3021
• @​Dushistov made their first contribution in seanmonstar/reqwest#3026
• @​SAY-5 made their first contribution in seanmonstar/reqwest#3034
• @​mat813 made their first contribution in seanmonstar/reqwest#3041
• @​AverageHelper made their first contribution in seanmonstar/reqwest#2975
• @​aeb-dev made their first contribution in seanmonstar/reqwest#3043

Full Changelog: seanmonstar/reqwest@v0.13.3...v0.13.4

Changelog

Sourced from reqwest's changelog.

v0.13.4

• Add ClientBuilder::tls_sslkeylogfile(bool) option to allow using the related environment variable.
• Add ClientBuilder::http2_keep_alive_* options for the blocking client.
• Add TLS 1.3 support when using native-tls backend.
• Fix redirect handling to strip sensitive headers when the scheme changes.
• Fix HTTP/3 happy-eyeball connection creation.
• Upgrade hickory-resolver to 0.26.

Commits

• 11489b3 v0.13.4
• d31ffbb feat: Expose HTTP2 keep alive configurations in blocking client (#3043)
• 79ed0d7 feat: support TLS 1.3 as min version under native-tls 🎉 (#2975)
• fb7bf6a fix: remove unwrap in hickory initialization (#3041)
• 3da616f fix: update hickory-resolver to 0.26 and adjust code accordingly (#3040)
• c77e7b2 fix(http3): use happy eyeballs for h3 connect (#3030)
• 9cbb65b chore: clean up minimal-versions CI job (#3039)
• 17a7dc5 chore: upgrade MSRV to 1.85 (#3038)
• 03db63a fix(redirect): strip sensitive headers on scheme change across redirects (#3034)
• 4b813a8 feat: add tls_sslkeylogfile builder method (#2923)
• Additional commits viewable in compare view

Updates tauri from 2.11.0 to 2.11.2

Release notes

Sourced from tauri's releases.

tauri-cli v2.11.2

Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
      Loaded 1090 security advisories (from /home/runner/.cargo/advisory-db)
    Updating crates.io index
    Scanning Cargo.lock for vulnerabilities (1088 crate dependencies)
Crate:     atk
Version:   0.18.2
Warning:   unmaintained
Title:     gtk-rs GTK3 bindings - no longer maintained
Date:      2024-03-04
ID:        RUSTSEC-2024-0413
URL:       https://rustsec.org/advisories/RUSTSEC-2024-0413
Dependency tree:
atk 0.18.2
└── gtk 0.18.2
    ├── wry 0.55.0
    │   └── tauri-runtime-wry 2.11.2
    │       └── tauri 2.11.2
    │           ├── tauri-utils 2.9.2
    │           │   ├── tauri-schema-generator 0.0.0
    │           │   ├── tauri-runtime-wry 2.11.2
    │           │   ├── tauri-runtime 2.11.2
    │           │   │   ├── tauri-runtime-wry 2.11.2
    │           │   │   └── tauri 2.11.2
    │           │   ├── tauri-plugin 2.6.2
    │           │   │   ├── tauri-plugin-sample 0.1.0
    │           │   │   │   └── api 0.1.0
    │           │   │   └── tauri-plugin-log 2.6.0
    │           │   │       └── api 0.1.0
    │           │   ├── tauri-macros 2.6.2
    │           │   │   └── tauri 2.11.2
    │           │   ├── tauri-codegen 2.6.2
    │           │   │   ├── tauri-macros 2.6.2
    │           │   │   └── tauri-build 2.6.2
    │           │   │       ├── tauri-file-associations-demo 0.1.0
    │           │   │       ├── tauri 2.11.2
    │           │   │       ├── resources 0.1.0
    │           │   │       ├── bench_helloworld 0.1.0
    │           │   │       ├── bench_files_transfer 0.1.0
    │           │   │       ├── bench_cpu_intensive 0.1.0
    │           │   │       └── api 0.1.0
    │           │   ├── tauri-cli 2.11.2
    │           │   │   └── tauri-cli-node 0.0.0
    │           │   ├── tauri-bundler 2.9.2
    │           │   │   └── tauri-cli 2.11.2
    │           │   ├── tauri-build 2.6.2
</tr></table> 

... (truncated)

Commits

• 499df79 apply version updates (#15378)
• 20bb033 Revert "feat: add Windows VC runtime linking and bundling options (#15372)" (...
• b5b72ce fix(tauri-utils): preserve resource source file name when dest is empty (#15383)
• 3fd8ba2 fix: resources after empty directory not copied (#15388)
• 47e1b75 fix: set_as_windows_menu_for_nsapp command wrongly called `set_as_help_menu...
• eadd8f5 chore(deps-dev): bump svelte from 5.53.11 to 5.55.7 (#15382)
• 32d8166 feat: add Windows VC runtime linking and bundling options (#15372)
• b15b859 refactor: make error dialog take &'static str (#15369)
• 0e8e25f chore(deps): update dependency rollup to v4.60.3 (#15355)
• e5ae5b9 chore: fix changelog
• Additional commits viewable in compare view

Updates tauri-build from 2.6.0 to 2.6.2

Release notes

Sourced from tauri-build's releases.

tauri-build v2.6.2

Fetching advisory database from `https://github.com/RustSec/advisory-db.git`
      Loaded 1090 security advisories (from /home/runner/.cargo/advisory-db)
    Updating crates.io index
    Scanning Cargo.lock for vulnerabilities (1088 crate dependencies)
Crate:     atk
Version:   0.18.2
Warning:   unmaintained
Title:     gtk-rs GTK3 bindings - no longer maintained
Date:      2024-03-04
ID:        RUSTSEC-2024-0413
URL:       https://rustsec.org/advisories/RUSTSEC-2024-0413
Dependency tree:
atk 0.18.2
└── gtk 0.18.2
    ├── wry 0.55.0
    │   └── tauri-runtime-wry 2.11.2
    │       └── tauri 2.11.2
    │           ├── tauri-utils 2.9.2
    │           │   ├── tauri-schema-generator 0.0.0
    │           │   ├── tauri-runtime-wry 2.11.2
    │           │   ├── tauri-runtime 2.11.2
    │           │   │   ├── tauri-runtime-wry 2.11.2
    │           │   │   └── tauri 2.11.2
    │           │   ├── tauri-plugin 2.6.2
    │           │   │   ├── tauri-plugin-sample 0.1.0
    │           │   │   │   └── api 0.1.0
    │           │   │   └── tauri-plugin-log 2.6.0
    │           │   │       └── api 0.1.0
    │           │   ├── tauri-macros 2.6.2
    │           │   │   └── tauri 2.11.2
    │           │   ├── tauri-codegen 2.6.2
    │           │   │   ├── tauri-macros 2.6.2
    │           │   │   └── tauri-build 2.6.2
    │           │   │       ├── tauri-file-associations-demo 0.1.0
    │           │   │       ├── tauri 2.11.2
    │           │   │       ├── resources 0.1.0
    │           │   │       ├── bench_helloworld 0.1.0
    │           │   │       ├── bench_files_transfer 0.1.0
    │           │   │       ├── bench_cpu_intensive 0.1.0
    │           │   │       └── api 0.1.0
    │           │   ├── tauri-cli 2.11.2
    │           │   │   └── tauri-cli-node 0.0.0
    │           │   ├── tauri-bundler 2.9.2
    │           │   │   └── tauri-cli 2.11.2
    │           │   ├── tauri-build 2.6.2
</tr></table> 

... (truncated)

Commits

• 499df79 apply version updates (#15378)
• 20bb033 Revert "feat: add Windows VC runtime linking and bundling options (#15372)" (...
• b5b72ce fix(tauri-utils): preserve resource source file name when dest is empty (#15383)
• 3fd8ba2 fix: resources after empty directory not copied (#15388)
• 47e1b75 fix: set_as_windows_menu_for_nsapp command wrongly called `set_as_help_menu...
• eadd8f5 chore(deps-dev): bump svelte from 5.53.11 to 5.55.7 (#15382)
• 32d8166 feat: add Windows VC runtime linking and bundling options (#15372)
• b15b859 refactor: make error dialog take &'static str (#15369)
• 0e8e25f chore(deps): update dependency rollup to v4.60.3 (#15355)
• e5ae5b9 chore: fix changelog
• Additional commits viewable in compare view

Updates assert_cmd from 2.2.1 to 2.2.2

Changelog

Sourced from assert_cmd's changelog.

[2.2.2] - 2026-05-11

Fixes

• Ensure #[track_caller] works for better panic messages

Commits

• feece89 chore: Release assert_cmd version 2.2.2
• 367cdf7 docs: Update changelog
• a98cc85 Merge pull request #289 from marcospb19/track_caller
• cd2e167 fix: .success() not reporting panic location
• 45a1c74 chore(deps): Update Prek to v0.3.13 (#293)
• f1d9b5b chore(deps): Update Prek to v0.3.12 (#292)
• 1d34bab Merge pull request #291 from epage/template
• d9a70ad style: Make clippy happy
• 4f5b5af chore: Update from _rust template
• 1e1d586 chore(renovate): Fix the tag
• Additional commits viewable in compare view

Updates deno_core from 0.400.0 to 0.402.0

Commits

• See full diff in compare view

Updates tokio from 1.52.1 to 1.52.3

Release notes

Sourced from tokio's releases.

Tokio v1.52.3

1.52.3 (May 8th, 2026)

Fixed

• sync: fix underflow in mpsc channel len() (#8062)
• sync: notify receivers in mpsc OwnedPermit::release() method (#8075)
• sync: require that an RwLock has max_readers != 0 (#8076)
• sync: return Empty from try_recv() when mpsc is closed with outstanding permits (#8074)

#8062: tokio-rs/tokio#8062 #8074: tokio-rs/tokio#8074 #8075: tokio-rs/tokio#8075 #8076: tokio-rs/tokio#8076

Tokio v1.52.2

1.52.2 (May 4th, 2026)

This release reverts the LIFO slot stealing change introduced in 1.51.0 (#7431), due to [its performance impact]#8065. (#8100)

#7431: tokio-rs/tokio#7431 #8065: tokio-rs/tokio#8065 #8100: tokio-rs/tokio#8100

Commits

• d875691 chore: prepare Tokio v1.52.3 (#8130)
• e1aebb0 Merge 'tokio-1.51.3' into 'tokio-1.52.x' (#8129)
• fd63094 chore: prepare Tokio v1.51.3 (#8127)
• 8c600d0 Merge 'tokio-1.47.5' into 'tokio-1.51.x' (#8123)
• 11bfc13 chore: prepare Tokio v1.47.5 (#8122)
• f085b62 sync: notify receivers in mpsc OwnedPermit::release() method (#8075)
• 30d25cc sync: require that an RwLock has max_readers != 0 (#8076)
• 9fccf53 sync: return Empty from try_recv() when mpsc is closed with outstanding p...
• ebf61b4 sync: fix underflow in mpsc channel len() (#8062)
• 4abe9d7 chore: prepare Tokio v1.52.2 (#8115)
• Additional commits viewable in compare view

Updates git2 from 0.19.0 to 0.21.0

Changelog

Sourced from git2's changelog.

0.21.0 - 2026-05-18

0.20.4...main

Added

• Added experimental SHA256 repository support behind the new unstable-sha256 Cargo feature, along with *_ext API variants that accept an ObjectFormat. #1206
• Added opts::set_cache_max_size() and opts::get_cached_memory(). #1188
• Added Repository::object_format() and a new ObjectFormat enum. #1204
• Added Repository::set_config(). #1208
• Added merge_file() along with MergeFileInput. #1210
• Added Repository::refdb_compress() for packing loose refs. #1221
• Added public Refdb type, along with Repository::refdb() and Repository::set_refdb(). Repository::refdb_compress() now delegates to Refdb::compress(). #1228
• Added Revspec::into_objects(). #1230
• Added BlameHunk::final_committer(), BlameHunk::orig_committer(), BlameHunk::summary(), and BlameHunk::summary_bytes(). #1231
• Implemented Clone for Reference. #1233
• Added Repository::author_from_env() and Repository::committer_from_env(). #1237
• Added impl From<Utf8Error> for Error. #1239

Changed

• ❗ The ssh, https, and cred Cargo features are no longer enabled by default. Previously default = ["ssh", "https"]; now default = []. Enable them explicitly if you rely on credential helpers or transport support. #1168
• ❗ CredentialHelper and the url dependency are now gated behind the new cred Cargo feature. Enabling ssh or https transitively enables cred. #1168
• ❗ Updated to the 2021 edition. #1173
• ❗ Many string accessors that previously returned Option<&str> now return Result<&str, Error> or Result<Option<&str>, Error>, so callers can distinguish a missing value from a non-UTF-8 one. #1241
• ❗ BlameHunk::final_signature, BlameHunk::final_committer, BlameHunk::orig_signature, and BlameHunk::orig_committer now return Option to avoid segfaults when signature information is missing. #1254
• Bumped requirement to libgit2-sys 0.18.4, which updates libgit2 to 1.9.3.

... (truncated)

Commits

• dffaf27 Merge pull request #1256 from weihanglo/changelog
• 84b9c76 docs: changelog for git2@0.21
• 8c6dc4a Merge pull request #1206 from weihanglo/sha256-git2
• 7bd145e fix: import ObjectFormat in one place
• fc8af6a test(oid): split _ext to test each format separately
• b9bde87 test: oid length sanity check
• 57a68e0 feat(oid): impl Display for ObjectFormat
• 7acee09 chore(ci): test git2 sha256 support
• bdf5b7b fix: init example with --object-format option
• 9fb4e6a refactor(util): drop unsafe from zeroed_raw_oid
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

Labels

The following labels could not be found: dependencies. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.