build(deps): bump the all group across 1 directory with 10 updates

[dependabot]

Bumps the all group with 10 updates in the / directory:

Package	From	To
serde_json	1.0.149	1.0.150
reqwest	0.13.3	0.13.4
quick-xml	0.40.0	0.40.1
aws-config	1.8.16	1.8.17
aws-sdk-bedrockruntime	1.130.0	1.131.0
aws-sdk-s3	1.132.0	1.133.0
kreuzberg	4.9.7	4.9.8
tar	0.4.45	0.4.46
rmcp	1.6.0	1.7.0
tikv-jemallocator	0.6.1	0.7.0

Updates serde_json from 1.0.149 to 1.0.150

Release notes

Sourced from serde_json's releases.

v1.0.150

• Reject non-string enum object keys (#1324, thanks @​puneetdixit200)

Commits

• a1ae73a Release 1.0.150
• 1a360b0 Merge pull request #1324 from puneetdixit200/reject-non-string-enum-keys
• 2037b63 Reject non-string enum object keys
• 5d30df6 Resolve manual_assert_eq pedantic clippy lint
• dc8003a Raise required compiler for preserve_order feature to 1.85
• a42fa98 Unpin CI miri toolchain
• 684a60e Pin CI miri to nightly-2026-02-11
• 7c7da33 Raise required compiler to Rust 1.71
• acf4850 Simplify Number::is_f64
• 6b8ceab Resolve unnecessary_map_or clippy lint
• Additional commits viewable in compare view

Updates reqwest from 0.13.3 to 0.13.4

Release notes

Sourced from reqwest's releases.

v0.13.4

tl;dr

• Add ClientBuilder::tls_sslkeylogfile(bool) option to allow using the related environment variable.
• Add ClientBuilder::http2_keep_alive_* options for the blocking client.
• Add TLS 1.3 support when using native-tls backend.
• Fix redirect handling to strip sensitive headers when the scheme changes.
• Fix HTTP/3 happy-eyeball connection creation.
• Upgrade hickory-resolver to 0.26.

What's Changed

• fix(tls): improve rustls-no-provider panic message and add module docs by @​smythg4 in seanmonstar/reqwest#3021
• fix: do not lose the url in error when decoding json by @​Dushistov in seanmonstar/reqwest#3026
• Add tls_sslkeylogfile builder method by @​passcod in seanmonstar/reqwest#2923
• fix(redirect): strip sensitive headers on scheme change across redirects by @​SAY-5 in seanmonstar/reqwest#3034
• chore: upgrade MSRV to 1.85 by @​seanmonstar in seanmonstar/reqwest#3038
• chore: clean up minimal-versions CI job by @​seanmonstar in seanmonstar/reqwest#3039
• fix(http3): use happy eyeballs for h3 connect by @​lyuzichong in seanmonstar/reqwest#3030
• fix: update hickory-resolver to 0.26 and adjust code accordingly by @​seanmonstar in seanmonstar/reqwest#3040
• fix: remove unwrap in hickory initialization by @​mat813 in seanmonstar/reqwest#3041
• feat(https): support TLS 1.3 as min version under native-tls 🎉 by @​AverageHelper in seanmonstar/reqwest#2975
• Expose keep alive configurations in blocking client by @​aeb-dev in seanmonstar/reqwest#3043
• Prepare v0.13.4 by @​seanmonstar in seanmonstar/reqwest#3046

New Contributors

• @​smythg4 made their first contribution in seanmonstar/reqwest#3021
• @​Dushistov made their first contribution in seanmonstar/reqwest#3026
• @​SAY-5 made their first contribution in seanmonstar/reqwest#3034
• @​mat813 made their first contribution in seanmonstar/reqwest#3041
• @​AverageHelper made their first contribution in seanmonstar/reqwest#2975
• @​aeb-dev made their first contribution in seanmonstar/reqwest#3043

Full Changelog: seanmonstar/reqwest@v0.13.3...v0.13.4

Changelog

Sourced from reqwest's changelog.

v0.13.4

• Add ClientBuilder::tls_sslkeylogfile(bool) option to allow using the related environment variable.
• Add ClientBuilder::http2_keep_alive_* options for the blocking client.
• Add TLS 1.3 support when using native-tls backend.
• Fix redirect handling to strip sensitive headers when the scheme changes.
• Fix HTTP/3 happy-eyeball connection creation.
• Upgrade hickory-resolver to 0.26.

Commits

• 11489b3 v0.13.4
• d31ffbb feat: Expose HTTP2 keep alive configurations in blocking client (#3043)
• 79ed0d7 feat: support TLS 1.3 as min version under native-tls 🎉 (#2975)
• fb7bf6a fix: remove unwrap in hickory initialization (#3041)
• 3da616f fix: update hickory-resolver to 0.26 and adjust code accordingly (#3040)
• c77e7b2 fix(http3): use happy eyeballs for h3 connect (#3030)
• 9cbb65b chore: clean up minimal-versions CI job (#3039)
• 17a7dc5 chore: upgrade MSRV to 1.85 (#3038)
• 03db63a fix(redirect): strip sensitive headers on scheme change across redirects (#3034)
• 4b813a8 feat: add tls_sslkeylogfile builder method (#2923)
• Additional commits viewable in compare view

Updates quick-xml from 0.40.0 to 0.40.1

Release notes

Sourced from quick-xml's releases.

v0.40.1 - Fix rarely possible serde deserialization panic

What's Changed

• #964: Fix unreachable!() panic in the serde deserializer when a DOCTYPE declaration appears between two text runs inside an element (e.g. <a>x<!DOCTYPE y>z</a>). The DOCTYPE used to break drain_text's consecutive-text merge, so two DeEvent::Text events reached read_text and tripped its "Cannot be two consequent Text events" invariant. DOCTYPE is now treated as transparent during text drain — it still goes through the entity resolver, but the surrounding text is merged into one run. Discovered via libFuzzer on a real-world SAML deserializer harness.

#964: tafia/quick-xml#964

New Contributors

• @​williamareynolds made their first contribution in tafia/quick-xml#964

Full Changelog: tafia/quick-xml@v0.40.0...v0.40.1

Changelog

Sourced from quick-xml's changelog.

0.40.1 -- 2026-05-15

Bug Fixes

• #964: Fix unreachable!() panic in the serde deserializer when a DOCTYPE declaration appears between two text runs inside an element (e.g. <a>x<!DOCTYPE y>z</a>). The DOCTYPE used to break drain_text's consecutive-text merge, so two DeEvent::Text events reached read_text and tripped its "Cannot be two consequent Text events" invariant. DOCTYPE is now treated as transparent during text drain — it still goes through the entity resolver, but the surrounding text is merged into one run. Discovered via libFuzzer on a real-world SAML deserializer harness.

#964: tafia/quick-xml#964

Misc Changes

Commits

• 9aaea92 Release 0.40.1
• ce488bc Merge pull request #964 from williamareynolds/fix/de-doctype-in-text-unreachable
• e00ae5c Fix unreachable!() panic when DOCTYPE appears between text runs in element co...
• See full diff in compare view

Updates aws-config from 1.8.16 to 1.8.17

Commits

• See full diff in compare view

Updates aws-sdk-bedrockruntime from 1.130.0 to 1.131.0

Commits

• See full diff in compare view

Updates aws-sdk-s3 from 1.132.0 to 1.133.0

Commits

• See full diff in compare view

Updates kreuzberg from 4.9.7 to 4.9.8

Release notes

Sourced from kreuzberg's releases.

v4.9.8

LTS patch release. Four targeted bug fixes plus dependency pinning so the branch builds against current crates.io releases.

Fixed

• #934: RTF hex byte escapes now honor \ansicpgNNNN, so CP1251 Cyrillic byte runs decode as readable text instead of Windows-1252 mojibake.
• #937: ExtractionConfig(cancel_token=…) raised TypeError: unexpected keyword argument 'cancel_token' from Python despite the type stub declaring the kwarg. The #[pyo3(signature = …)] on ExtractionConfig::__new__ did not list cancel_token and the constructor body hard-coded it to None. The kwarg is now accepted and threaded through to the underlying kreuzberg::CancellationToken. Post-construct attribute assignment (cfg.cancel_token = CancellationToken()) continues to work as before.
• #965: C# OcrConfig was missing the VlmConfig property and the LlmConfig type was undefined anywhere in the assembly, despite both being documented and present in the Rust core. Added LlmConfig (Model, ApiKey, BaseUrl, TimeoutSecs, MaxRetries, Temperature, MaxTokens) and OcrConfig.VlmConfig; registered LlmConfig in KreuzbergJsonContext so source-generated serialization works.
• #991: The musl CLI tarball (kreuzberg-cli-*-unknown-linux-musl.tar.gz) bundled libonnxruntime.so.1.24.4 but not its transitive deps (libprotobuf-lite.so.31, libre2.so.11, libabsl_log_internal_check_op.so.2508.0.0). The launcher invokes the musl loader with --library-path lib/, which replaces (not extends) the loader's search path, so the binary failed at startup on any host. docker/Dockerfile.musl-build now recursively ldd-walks every bundled .so, copies missing deps into lib/, and smoke-tests the loader against each — the build now fails if any unresolved dep remains.
• Build compatibility: pin tokenizers = "=0.22.2" (text-splitter 0.30 ChunkSizer impl + add_special_tokens signature broke at 0.23), pin v_htmlescape = "=0.15.8" (0.17 renamed escape fn to Escape struct), drop the removed ProcessConfig.extractions field, and migrate three #[ctor::ctor] sites to #[ctor::ctor(unsafe)] as required by ctor 0.5+.

Fixed (tooling)

• task update now runs scripts/ci/ruby/vendor-kreuzberg-core.py before upgrading the Ruby native crate, since that manifest's kreuzberg dep points at the on-demand-generated packages/ruby/vendor/kreuzberg/.
• task update no longer aborts on the informational mix hex.outdated step, which exits non-zero when any Elixir dep is outdated.
• .gitignore: ignore accidental Go build outputs under packages/go/v4/.

Changelog

Sourced from kreuzberg's changelog.

[4.9.8] - 2026-05-17

LTS patch release. Four targeted bug fixes plus dependency pinning so the branch builds against current crates.io releases.

Fixed

• #934: RTF hex byte escapes now honor \ansicpgNNNN, so CP1251 Cyrillic byte runs decode as readable text instead of Windows-1252 mojibake.
• #937: ExtractionConfig(cancel_token=…) raised TypeError: unexpected keyword argument 'cancel_token' from Python despite the type stub declaring the kwarg. The #[pyo3(signature = …)] on ExtractionConfig::__new__ did not list cancel_token and the constructor body hard-coded it to None. The kwarg is now accepted and threaded through to the underlying kreuzberg::CancellationToken. Post-construct attribute assignment (cfg.cancel_token = CancellationToken()) continues to work as before.
• #965: C# OcrConfig was missing the VlmConfig property and the LlmConfig type was undefined anywhere in the assembly, despite both being documented and present in the Rust core. Added LlmConfig (Model, ApiKey, BaseUrl, TimeoutSecs, MaxRetries, Temperature, MaxTokens) and OcrConfig.VlmConfig; registered LlmConfig in KreuzbergJsonContext so source-generated serialization works.
• #991: The musl CLI tarball (kreuzberg-cli-*-unknown-linux-musl.tar.gz) bundled libonnxruntime.so.1.24.4 but not its transitive deps (libprotobuf-lite.so.31, libre2.so.11, libabsl_log_internal_check_op.so.2508.0.0). The launcher invokes the musl loader with --library-path lib/, which replaces (not extends) the loader's search path, so the binary failed at startup on any host. docker/Dockerfile.musl-build now recursively ldd-walks every bundled .so, copies missing deps into lib/, and smoke-tests the loader against each — the build now fails if any unresolved dep remains.
• Build compatibility: pin tokenizers = "=0.22.2" (text-splitter 0.30 ChunkSizer impl + add_special_tokens signature broke at 0.23), pin v_htmlescape = "=0.15.8" (0.17 renamed escape fn to Escape struct), drop the removed ProcessConfig.extractions field, and migrate three #[ctor::ctor] sites to #[ctor::ctor(unsafe)] as required by ctor 0.5+.

Fixed (tooling)

• task update now runs scripts/ci/ruby/vendor-kreuzberg-core.py before upgrading the Ruby native crate, since that manifest's kreuzberg dep points at the on-demand-generated packages/ruby/vendor/kreuzberg/.
• task update no longer aborts on the informational mix hex.outdated step, which exits non-zero when any Elixir dep is outdated.
• .gitignore: ignore accidental Go build outputs under packages/go/v4/.

Commits

• eef687c fix: decode RTF hex escapes with declared ANSI codepage (#935)
• 874d3ff chore(release): cut v4.9.8 with #937, #965, #991 fixes and build green-up
• 9070bbc chore(publish): enable verbose output on PyPI publish step
• 45a5a84 chore(release): bump version to 4.9.7
• 1cf4df6 fix(elixir): re-track kreuzberg_rustler Cargo.lock for Hex publish
• 90c3bf4 fix(elixir): re-track kreuzberg_rustler Cargo.lock for Hex publish
• 56dbafe fix(elixir): re-track kreuzberg_rustler Cargo.lock for Hex publish
• ebb46e6 fix(publish): use full 40-char SHA for check-registry pin
• 38b74a4 fix(ruby): add missing acceleration field to OcrConfig initializer
• e119bc3 fix(publish): pin check-registry to alef-free af59fc0
• Additional commits viewable in compare view

Updates tar from 0.4.45 to 0.4.46

Release notes

Sourced from tar's releases.

0.4.46

Security

• archive: Fix another PAX header desync (GHSA-3cv2-h65g-fgmm) by @​cgwalters in composefs/tar-rs#454

See also GHSA-3cv2-h65g-fgmm

Other changes

• ci: Fix and re-enable reverse dependency testing by @​cgwalters in composefs/tar-rs#444
• Update astral-tokio-tar requirement from 0.5 to 0.6 by @​dependabot[bot] in composefs/tar-rs#446
• Update some links by @​atouchet in composefs/tar-rs#445
• Add support of absolute paths by @​zxvfc in composefs/tar-rs#426
• docs: Expand notes on concurrent mutations and following symlinks by @​cgwalters in composefs/tar-rs#453
• Update repo links by @​cgwalters in composefs/tar-rs#451
• ci: Add crates.io trusted publishing workflow by @​cgwalters in composefs/tar-rs#456
• Release 0.4.46 by @​cgwalters in composefs/tar-rs#455

New Contributors

• @​dependabot[bot] made their first contribution in composefs/tar-rs#446
• @​atouchet made their first contribution in composefs/tar-rs#445
• @​zxvfc made their first contribution in composefs/tar-rs#426

Full Changelog: composefs/tar-rs@0.4.45...0.4.46

Commits

• fc459c1 Release 0.4.46
• 43e05a8 ci: Add crates.io trusted publishing workflow
• bba5666 Update repo links
• cd94c46 docs: Document TOCTOU / concurrent-mutation threat model
• 1b4997c builder: Expand docs for follow_symlinks and append_dir_all
• bab14dd archive: Fix another PAX header desync (GHSA-3cv2-h65g-fgmm)
• 2349b49 Add support of absolute paths
• 39d0311 Update some links
• 59d803e Update astral-tokio-tar requirement from 0.5 to 0.6
• 8296b9a ci: Fix and re-enable reverse dependency testing (#444)
• See full diff in compare view

Updates rmcp from 1.6.0 to 1.7.0

Release notes

Sourced from rmcp's releases.

rmcp-macros-v1.7.0

Added

• add task-based stdio examples (#839)

rmcp-v1.7.0

Added

• add task-based stdio examples (#839)

Fixed

• (rmcp) flatten Resource variant of PromptMessageContent (#843)
• reply -32700 on stdio parse errors instead of closing (#833)

Other

• (rmcp) remove dependency on chrono default features (#829)
• Fix/issue 817 idle timeout log level (#824)

Commits

• 3529c36 chore: release v1.6.1 (#831)
• d695046 fix: enable task support on counter long_task example (#838)
• 5ccdfc0 feat: add task-based stdio examples (#839)
• d83b156 fix(rmcp): flatten Resource variant of PromptMessageContent (#843)
• 321ab14 fix: reply -32700 on stdio parse errors instead of closing (#833)
• 0f776ab chore(rmcp): remove dependency on chrono default features (#829)
• 3bf5298 ci: extend semver check to all features except local (#832)
• 88df9af chore(deps): update askama requirement from 0.15 to 0.16 (#830)
• 2f8d3b7 Fix/issue 817 idle timeout log level (#824)
• See full diff in compare view

Updates tikv-jemallocator from 0.6.1 to 0.7.0

Release notes

Sourced from tikv-jemallocator's releases.

0.7.0

• Reverse order of MAKEFLAGS priority (#152)
• Define ALIGNOF_MAX_ALIGN_T for riscv32 (#153)
• Remove build directory once build of jemalloc-sys finishes (#119)
• Fix cross-compile for tier-3 riscv64a23 target (#141)
• sys: support *-windows-gnullvm targets (#150)
• Propagate LDFLAGS, if present (#155)
• jemalloc-ctl: fix invalid update implementation
• add new free ffi
• Update jemalloc to 5.3.1 (#161)
• Add profiling_libunwind feature (#159)
• passthrough cc env/args using native cc features (#158)

Changelog

Sourced from tikv-jemallocator's changelog.

0.7.0 - 2026-05-25

• Reverse order of MAKEFLAGS priority (#152)
• Define ALIGNOF_MAX_ALIGN_T for riscv32 (#153)
• Remove build directory once build of jemalloc-sys finishes (#119)
• Fix cross-compile for tier-3 riscv64a23 target (#141)
• sys: support *-windows-gnullvm targets (#150)
• Propagate LDFLAGS, if present (#155)
• jemalloc-ctl: fix invalid update implementation
• add new free ffi
• Update jemalloc to 5.3.1 (#161)
• Add profiling_libunwind feature (#159)
• passthrough cc env/args using native cc features (#158)

Commits

• 0e91291 *: bump 0.7.0 (#164)
• e16f89e passthrough cc env/args using native cc features (#158)
• 3bc06e9 Add profiling_libunwind feature (#159)
• c7101ce Update jemalloc to 5.3.1
• 741a86b enable CI for nightly branch
• 7e5e78a add new free ffi
• 1809195 switch to facebook/jemalloc
• ccc2bfc jemalloc-ctl: fix invalid update implementation
• baae33d Upgrade from macos-13 to macos-15-intel
• 4400f09 Propagate LDFLAGS, if present
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

Labels

The following labels could not be found: dependencies. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.