⬆️ Update Rust Crates

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Type	Update	Change
axum	dependencies	patch	0.8.8 → 0.8.9
clap	dependencies	patch	4.6.0 → 4.6.1
config	dependencies	patch	0.15.22 → 0.15.23
dashmap	dependencies	minor	6.1.0 → 6.2.1
hmac	dependencies	minor	0.12 → 0.13
jsonwebtoken	dependencies	minor	10.3.0 → 10.4.0
maxminddb	dependencies	minor	0.27 → 0.28
rand (source)	dependencies	patch	0.10.0 → 0.10.1
reqwest	dependencies	patch	0.13.2 → 0.13.4
serde_json	dependencies	patch	1.0.149 → 1.0.150
sha2	dependencies	minor	0.10 → 0.11
sqlx	dependencies	minor	0.8 → 0.9
tokio (source)	dependencies	minor	1.50.0 → 1.52.3
tower-http	dependencies	patch	0.6.8 → 0.6.11

---

Release Notes

tokio-rs/axum (axum)

v0.8.9

Compare Source

• added: WebSocketUpgrade::{requested_protocols, set_selected_protocol} for more flexible subprotocol selection (#​3597)
• changed: Update minimum rust version to 1.80 (#​3620)
• fixed: Set connect endpoint on correct field in MethodRouter (#​3656)
• fixed: Return specific error message when multipart body limit is exceeded (#​3611)

clap-rs/clap (clap)

v4.6.1

Compare Source

Fixes

• (derive) Ensure rebuilds happen when an read env variable is changed

rust-cli/config-rs (config)

v0.15.23

Compare Source

Fixes

• Environment::convert_case: correctly apply casing to each key segment

xacrimon/dashmap (dashmap)

v6.2.1

Compare Source

This is an interim maintenance release for the existing v6 branch before v7 can be released. This bumps the MSRV to 1.85 and updates dependencies to their latest versions.

RustCrypto/MACs (hmac)

v0.13.0

Compare Source

Keats/jsonwebtoken (jsonwebtoken)

v10.4.0

Compare Source

• Fix incorrect encoding for Ed25519 JWK thumbprints
• Make Algorithm.family public and add Validation.new_for_family
• EncodingKey and DecodingKey are now partially zeroized on drop (the intermediate PemEncodedKey isn't so far)

oschwald/maxminddb-rust (maxminddb)

v0.28.1

Compare Source

• Fixed: Databases with an impossible declared search tree size are now
  rejected during open/verify instead of causing runaway allocation
  during validation.
• Fixed: within() now rejects IPv6 CIDRs on IPv4-only databases instead
  of yielding unrelated networks.
• Fixed: Verification now rejects truncated scalar/string payloads instead
  of skipping past them and reporting the database as valid.
• Fixed: LookupResult::network() now uses the reader's measured IPv4
  subtree depth instead of assuming it always begins at bit 96.

v0.28.0

Compare Source

• Performance improvement: Faster search-tree traversal by dispatching
  on the database's record size to monomorphized node readers, replacing
  per-step branching on the record size.
• Performance improvement: Direct deserialization of scalars, sequences,
  maps, and structs through dedicated fast paths instead of routing
  through deserialize_any.
• Performance improvement: IPv4 and IPv6 lookups dispatch to dedicated
  paths, avoiding per-call address-kind checks on the hot path.
• Behavior change: Deserializing a database array into a tuple or
  tuple struct now returns a decoding error when the lengths do not
  match. Previously the mismatch was silently ignored.
• Fixed: A corrupt data pointer that would underflow during resolution
  now returns an InvalidDatabase error instead of panicking.

rust-random/rand (rand)

v0.10.1

Compare Source

This release includes a fix for a soundness bug; see #​1763.

Changes

• Document panic behavior of make_rng and add #[track_caller] (#​1761)
• Deprecate feature log (#​1763)

seanmonstar/reqwest (reqwest)

v0.13.4

Compare Source

• Add ClientBuilder::tls_sslkeylogfile(bool) option to allow using the related environment variable.
• Add ClientBuilder::http2_keep_alive_* options for the blocking client.
• Add TLS 1.3 support when using native-tls backend.
• Fix redirect handling to strip sensitive headers when the scheme changes.
• Fix HTTP/3 happy-eyeball connection creation.
• Upgrade hickory-resolver to 0.26.

v0.13.3

Compare Source

• Fix CertificateRevocationList parsing of PEM values.
• Fix logging in resolver to only show host, not full URL.
• Fix hickory-dns to fallback to a default if /etc/resolv.conf fails.
• Fix HTTP/3 to handle STOP_SENDING as not an error.
• Fix HTTP/3 pool to remove timed out QUIC connections.
• Fix HTTP/3 connection establishment picking IPv4 and IPv6.
• Upgrade rustls-platform-verifier.
• (wasm) Only use wasm-bindgen on unknown-* targets.

serde-rs/json (serde_json)

v1.0.150

Compare Source

• Reject non-string enum object keys (#​1324, thanks @​puneetdixit200)

RustCrypto/hashes (sha2)

v0.11.0

Compare Source

launchbadge/sqlx (sqlx)

v0.9.0

Compare Source

Important Announcements

New Github Organization

Shortly after this release is published, the SQLx repository will be transferred to a new GitHub organization:
https://github.com/transact-rs/

This is because SQLx has not been owned or maintained by LaunchBadge, LLC. for a few years now, and has since been
informally transferred to the collective ownership of its principal authors. Moving the repository to a new
organization makes this change more clear, and also allows for potentially inviting outside collaborators.

Cargo.lock Removed from Tracking

The Cargo.lock has been removed from tracking in Git. CI should now always test with the latest versions of
all dependencies by default, alongside our pass that checks with cargo generate-lockfile -Z minimal-versions.

This should eliminate the need for any PRs that update dependencies to also update Cargo.lock or
contend with an endless stream of merge conflicts against it.

N.B. cargo install --locked sqlx-cli will no longer work. However, cargo install sqlx-cli has always
used the latest dependencies by default, ignoring the lockfile, so most users should not be affected. For users
requiring reproducible builds, consider maintaining your own lockfile instead; historically, we only ran cargo update
sporadically, so relying on SQLx's lockfile offered few guarantees anyway.

See the manual page for cargo install for details.

Breaking

As per our MSRV policy, the supported Rust version for this release cycle is 1.94.0.

• [#​3383]: feat: create sqlx.toml format [[@​abonander]]
  • SQLx and sqlx-cli now support per-crate configuration files (sqlx.toml)
  • New functionality includes, but is not limited to:
    • Rename DATABASE_URL for a crate (for multi-database workspaces)
    • Set global type overrides for the macros (supporting custom types)
    • Rename or relocate the _sqlx_migrations table (for multiple crates using the same database)
    • Set characters to ignore when hashing migrations (e.g. ignore whitespace)
  • More to be implemented in future releases.
  • Enable feature sqlx-toml to use.
    • sqlx-cli has it enabled by default, but sqlx does not.
    • Default features of library crates can be hard to completely turn off because of feature unification,
      so it's better to keep the default feature set as limited as possible.
      This is something we learned the hard way.
  • Guide: see sqlx::_config module in documentation.
  • Reference: [Link]
  • Examples (written for Postgres but can be adapted to other databases; PRs welcome!):
    • Multiple databases using DATABASE_URL renaming and global type overrides: [Link]
    • Multi-tenant database using _sqlx_migrations renaming and multiple schemas: [Link]
    • Force use of chrono when time is enabled (e.g. when using tower-sessions-sqlx-store): [Link]
      • Forcing bigdecimal when rust_decimal is enabled is also shown, but problems with chrono/time are more common.
  • Breaking changes:
    • Significant changes to the Migrate trait
    • sqlx::migrate::resolve_blocking() is now #[doc(hidden)] and thus SemVer-exempt.
• [#​3486]: fix(logs): Correct spelling of aquired_after_secs tracing field [[@​iamjpotts]]
  • Breaking behavior change: implementations parsing tracing logs from SQLx will need to update the spelling.
• [#​3495]: feat(postgres): remove lifetime from PgAdvisoryLockGuard [[@​bonsairobo]]
• [#​3526]: Return &mut Self from the migrator set_ methods [[@​nipunn1313]]
  • Minor breaking change: Migrator::set_ignore_missing and set_locking now return &mut Self instead of &Self
    which may break code in rare circumstances.
• [#​3541]: Postgres: force generic plan for better nullability inference. [[@​joeydewaal]]
  • Breaking change: may alter the output of the query!() macros for certain queries in Postgres.
• [#​3613]: fix: RawSql lifetime issues [[@​abonander]]
  • Breaking change: adds DB type parameter to all methods of RawSql
• [#​3670]: Bump ipnetwork to v0.21.1 [[@​BeauGieskens]]
• [#​3674]: Implement Decode, Encode and Type for Box, Arc, Cow and Rc [[@​joeydewaal]]
  • Breaking change: impl Decode for Cow now always decodes Cow::Owned, lifetime is unlinked
  • See this discussion for motivation: #​3674 (comment)
• [#​3723]: Add SqlStr [[@​joeydewaal]]
  • Breaking change: all query*() functions now take impl SqlSafeStr
    which is only implemented for &'static str and AssertSqlSafe.
    For all others, wrap in AssertSqlSafe(<query>).
  • This, along with [#​3960], finally allows returning owned queries as the type will be Query<'static, DB>.
  • SqlSafeStr trait is deliberately similar to std::panic::UnwindSafe,
    serving as a speedbump to warn users about naïvely building queries with format!()
    while allowing a workaround for advanced usage that is easy to spot on code review.
• [#​3800]: Escape PostgreSQL Options [[@​V02460]]
  • Breaking behavior change: options passed to PgConnectOptions::options() are now automatically escaped.
    Manual escaping of options is no longer necessary and may cause incorrect behavior.
• [#​3821]: Groundwork for 0.9.0-alpha.1 [[@​abonander]]
  • Increased MSRV to 1.86 and set rust-version
  • Deleted deprecated combination runtime+TLS features (e.g. runtime-tokio-native-tls)
  • Deleted re-export of unstable TransactionManager trait in sqlx.
    • Not technically a breaking change because it's #[doc(hidden)],
      but it will break SeaORM if not proactively fixed.
• [#​3924]: breaking(mysql): assume all non-binary collations compatible with str [[@​abonander]]
  • Text (or text-like) columns which previously were inferred to be Vec<u8> will be inferred to be String
    (this should ultimately fix more code than it breaks).
  • SET NAMES utf8mb4 COLLATE utf8_general_ci is no longer sent by default; instead, SET NAMES utf8mb4 is sent to
    allow the server to select the appropriate default collation (since this is version- and configuration-dependent).
  • MySqlConnectOptions::charset() and ::collation() now imply ::set_names(true) because they don't do anything otherwise.
  • Setting charset doesn't change what's sent in the Protocol::HandshakeResponse41 packet as that normally only
    matters for error messages before SET NAMES is sent.
    The default collation if set_names = false is utf8mb4_general_ci.
  • See this comment for details.
  • Incidental breaking change: RawSql::fetch_optional() now returns sqlx::Result<Option<DB::Row>>
    instead of sqlx::Result<DB::Row>. Whoops.
• [#​3928]: breaking(sqlite): libsqlite3-sys versioning, feature flags, safety changes [[@​abonander]]
  • SemVer policy changes: libsqlite3-sys version is now specified using a range.
    The maximum of the range may now be increased in any backwards-compatible release.
    The minimum of the range may only be increased in major releases.
    If you have libsqlite3-sys in your dependencies, Cargo should choose a compatible version automatically.
    If otherwise unconstrained, Cargo should choose the latest version supported.
  • SQLite extension loading (including through the new sqlx-toml feature) is now unsafe.
  • Added new non-default features corresponding to conditionally compiled SQLite APIs:
    • sqlite-deserialize enabling SqliteConnection::serialize() and SqliteConnection::deserialize()
    • sqlite-load-extension enabling SqliteConnectOptions::extension() and ::extension_with_entrypoint()
    • sqlite-unlock-notify enables internal use of sqlite3_unlock_notify()
  • SqliteValue and SqliteValueRef changes:
    • The sqlite3_value* interface reserves the right to be stateful.
      Without protection, any call could theoretically invalidate values previously returned, leading to dangling pointers.
    • SqliteValue is now !Sync and SqliteValueRef is !Send to prevent data races from concurrent accesses.
      • Instead, clone or wrap the SqliteValue in Mutex, or convert the SqliteValueRef to an owned value.
    • SqliteValue and any derived SqliteValueRefs now internally track if that value has been used to decode a
      borrowed &[u8] or &str and errors if it's used to decode any other type.
    • This is not expected to affect the vast majority of usages, which should only decode a single type
      per SqliteValue/SqliteValueRef.
    • See new docs on SqliteValue for details.
• [#​3949]: Postgres: move PgLTree::from to From<Vec<PgLTreeLabel>> implementation [[@​JerryQ17]]
• [#​3957]: refactor(sqlite): do not borrow bound values, delete lifetime on SqliteArguments [[@​iamjpotts]]
• [#​3958]: refactor(any): Remove lifetime parameter from AnyArguments [[@​iamjpotts]]
• [#​3960]: refactor(core): Remove lifetime parameter from Arguments trait [[@​iamjpotts]]
• [#​3993]: Unescape PostgreSQL passfile password [[@​V02460]]
  • Previously, .pgpass file handling did not process backslash-escapes in the password part.
    Now it does, which may change what password is sent to the server.
• [#​4008]: make #[derive(sqlx::Type)] automatically generate impl PgHasArrayType by default for newtype structs [[@​papaj-na-wrotkach]]
  • Manual implementations of PgHasArrayType for newtypes will conflict with the generated one.
    Delete the manual impl or add #[sqlx(no_pg_array)] where conflicts occur.
• [#​4077]: breaking: make offline optional to allow building without serde [[@​CathalMullan]]
• [#​4094]: Bump bit-vec to v0.8 [[@​zennozenith]]
• [#​4142]: feat(mysql): add mysql-rsa feature for non-TLS RSA auth [[@​dertin]]
  • Connections requiring RSA password encryption now need to enable the mysql-rsa feature
    or an error will be generated at runtime. RSA encryption is only used for plaintext (non-TLS) connections.
• [#​4255]: breaking(any+mysql): correctly convert text and blob types to AnyTypeInfo [[@​abonander]]

Added

• [#​3641]: feat(Postgres): support nested domain types [[@​joeydewaal]]
• [#​3651]: Add PgBindIter for encoding and use it as the implementation encoding &[T] [[@​tylerhawkes]]
• [#​3675]: feat: implement Encode, Decode, Type for Arc<str> and Arc<[u8]> (and Rc equivalents) [[@​joeydewaal]]
• [#​3791]: Smol+async global executor 1.80 dev [[@​martin-kolarik]]
  • Adds runtime-smol and runtime-async-global-executor features to replace usages of the deprecated async-std crate.
• [#​3859]: Add more JsonRawValue encode/decode impls. [[@​Dirbaio]]
• [#​3881]: CLi: made cli-lib modules publicly available for other crates [[@​silvestrpredko]]
• [#​3889]: Compile-time support for external drivers [[@​bobozaur]]
• [#​3917]: feat(sqlx.toml): support SQLite extensions in macros and sqlx-cli [[@​djarb]]
• [#​3918]: Feature: Add exclusion violation error kind [[@​barskern]]
• [#​3971]: Allow single-field named structs to be transparent [[@​Xiretza]]
• [#​4015]: feat(sqlite): no_tx migration support [[@​AlexTMjugador]]
• [#​4020]: Add Migrator::with_migrations() constructor [[@​xb284524239]]
• [#​3846]: Add the possibility to skip migrations [[@​Dosenpfand]]
• [#​4107]: Add SQLite extension entrypoint config to sqlx.toml, update SQLite extension example [[@​supleed2]]
• [#​4118]: [postgres] Display line number in error message [[@​mousetail]]
• [#​4123]: feat: add Json::into_inner() [[@​chrxn1c]]
• [#​4153]: Add on unimplemented diagnostic to SqlStr [[@​joeydewaal]]
• [#​4167]: add sqlite serialize/deserialize example [[@​mattrighetti]]
• [#​4228]: sqlx-postgres: Make PgNotification struct clone [[@​michaelvanstraten]]

Changed

• [#​3525]: Remove unnecessary boxfutures [[@​joeydewaal]]
• [#​3867]: sqlx-postgres: Bump etcetera to 0.10.0 [[@​miniduikboot]]
• [#​3709]: chore: replace once_cell OnceCell/Lazy with std OnceLock/LazyLock [[@​paolobarbolini]]
• [#​3890]: feat: Unify Debug implementations across PgRow, MySqlRow and SqliteRow [[@​davidcornu]]
• [#​3911]: chore: upgrade async-io to v2.4.1 [[@​zebrapurring]]
• [#​3938]: Move QueryLogger back [[@​joeydewaal]]
• [#​3956]: chore(sqlite): Remove unused test of removed git2 feature [[@​iamjpotts]]
• [#​3962]: Give SQLX_OFFLINE_DIR from environment precedence in macros [[@​psionic-k]]
• [#​3968]: chore(ci): Add timeouts to ci jobs [[@​iamjpotts]]
• [#​4002]: sqlx-postgres(tests): cleanup 2 unit tests. [[@​joeydewaal]]
• [#​4022]: refactor: tweaks after #​3791 [[@​abonander]]
• [#​4257]: Prefer to give real data to .bind() in README.md [[@​sobolevn]]
• [#​4042]: Update to webpki-roots 1 [[@​tottoto]]
• [#​4072]: chore: update hashlink to v0.11.0 [[@​anmolitor]]
• [#​4143]: Bump whoami to v2 [[@​tisonkun]]
• [#​4161]: sqlx-sqlite: relax libsqlite3-sys constraint to allow 0.36.x [[@​darioAnongba]]
• [#​4173]: ci: check direct minimal versions [[@​ricochet]]
  • Note: reverted in 0.9.0 release but still listed for contributor credit. See end of PR thread for details.
• [#​4189]: Bump flume to 0.12.0 [[@​opoplawski]]
• [#​4223]: test(sqlite): add regression test for ORDER BY + LIMIT nullability (#​4147) [[@​barry3406]]
• [#​4230]: chore: Update to cargo_metadata 0.23 [[@​tottoto]]
• [#​4233]: Change reference to dotenvy [[@​graemer957]]
• [#​4235]: chore: Update to validator 0.20 [[@​tottoto]]
• [#​4253]: chore: update example to axum 0.8 [[@​tottoto]]
• Release PR:
  • Upgraded all Rust-Crypto crates, rand
  • Upgraded etcetera to 0.11.0
  • Increased max of libsqlite3-sys version range to <0.38.0

Fixed

• [#​3840]: Fix docs.rs build of sqlx-sqlite [[@​gferon]]
• [#​3848]: fix(macros): don't mutate environment variables [[@​joeydewaal]]
• [#​3856]: fix(macros): slightly improve unsupported type error message [[@​dyc3]]
• [#​3857]: fix(mysql): validate parameter count for prepared statements [[@​cvzx]]
• [#​3861]: Fix NoHostnameTlsVerifier for rustls 0.23.24 and above [[@​elichai]]
• [#​3863]: Use unnamed statement in pg when not persistent [[@​ThomWright]]
• [#​3874]: Further reduce dependency on futures and futures-util [[@​paolobarbolini]]
• [#​3886]: fix: use Executor::fetch in QueryAs::fetch [[@​bobozaur]]
• [#​3910]: feat(ok): add correct handling of ok packets in MYSQL implementation [[@​0xfourzerofour]]
• [#​3914]: fix: regenerate test certificates [[@​abonander]]
• [#​3915]: fix: spec_error is used by try_from derive [[@​saiintbrisson]]
• [#​3919]: fix[sqlx-postgres]: do a checked_mul to prevent panic'ing [[@​nhatcher-frequenz]]
• [#​3923]: sqlx-mysql: Fix bug in cleanup test db's. [[@​joeydewaal]]
• [#​3950]: chore: Fix warnings for custom postgres_## cfg flags [[@​iamjpotts]]
• [#​3952]: Pool.close: close all connections before returning [[@​jpmelos]]
• [#​3975]: fix documentation for rustls native root certificates [[@​2ndDerivative]]
• [#​3977]: refactor(ci): Use separate job for postgres ssl auth tests [[@​iamjpotts]]
• [#​3980]: Correctly ROLLBACK transaction when dropped during BEGIN. [[@​kevincox]]
• [#​3981]: SQLite: fix transaction level accounting with bad custom command. [[@​kevincox]]
• [#​3986]: chore(core): Fix docstring for Query::try_bind [[@​iamjpotts]]
• [#​3987]: chore(deps): Resolve deprecation warning for chrono Date and ymd methods [[@​iamjpotts]]
• [#​3988]: refactor(sqlite): Resolve duplicate test target warning for macros.rs [[@​iamjpotts]]
• [#​3989]: chore(deps): Set default-features=false on sqlx in workspace.dependencies [[@​iamjpotts]]
• [#​3991]: fix(sqlite): regression when decoding nulls [[@​abonander]]
• [#​4006]: PostgreSQL SASL – run SHA256 in a blocking executor [[@​ThomWright]]
• [#​4007]: fix(compose): use OS-assigned ports for all conatiners [[@​papaj-na-wrotkach]]
• [#​4009]: Drop cached db connections in macros upon hitting an error [[@​swlynch99]]
• [#​4024]: fix(sqlite) Migrate revert with no-transaction [[@​Dosenpfand]]
• [#​4027]: native tls handshake: build TlsConnector in blocking threadpool [[@​daviduebler]]
• [#​4053]: fix(macros): smarter .env loading, caching, and invalidation [[@​abonander]]
  • Additional credit to [[@​AlexTMjugador]] ([#​4018]) and [[@​Diggsey]] ([#​4039]) for their proposed solutions
    which served as a useful comparison.
• [#​4068]: Fix typo in migration example from 'uesrs' to 'users' [[@​squidpickles]]
• [#​4069]: fix some spelling issues [[@​joeydewaal]]
• [#​4086]: fix(mysql): Work around for Issue #​2206 (ColumnNotFound error when querying) [[@​duelafn]]
• [#​4088]: (Fix) Handle nullability of SQLite rowid alias columns [[@​Lege19]]
• [#​4100]: postgres: update pgpass path on windows [[@​joeydewaal]]
• [#​4134]: fix CI: replace removed macOS runner, deprecated use of Command::cargo_bin() [[@​abonander]]
• [#​4136]: Ensure Deterministic Migration Order [[@​aoengin]]
• [#​4158]: Fix panic in JSONB decoder on invalid version byte [[@​jrey8343]]
• [#​4165]: sqlx-postgres: fix correct operator precedence in byte length check [[@​cuiweixie]]
• [#​4171]: fix(postgres): remove home crate in favor of std::env::home_dir [[@​ricochet]]
• [#​4172]: fix(sqlx-cli): bump openssl minimum to 0.10.46 [[@​ricochet]]
• [#​4176]: fix(mysql): return error instead of panic on truncated OK packet [[@​cvzx]]
• [#​4199]: fix(postgres): make advisory lock cancel safe [[@​joeydewaal]]
• [#​4201]: Fix SCRAM password SASLprep [[@​var4yn]]
• [#​4202]: fix: replace from_utf8_unchecked with from_utf8_lossy in SqliteError [[@​joaquinhuigomez]]
• [#​4203]: fix: use sqlite3_value_text for REGEXP to match SQLite coercion [[@​joaquinhuigomez]]
• [#​4219]: sqlite: lossily coerce invalid UTF-8 in custom collation callback [[@​joaquinhuigomez]]
• [#​4221]: fix: replace from_utf8_unchecked with from_utf8 in SQLite column name handling [[@​barry3406]]
• [#​4226]: fix(postgres): use non-prepared statements for metadata queries [[@​abonander]]
• [#​4227]: fix(macros-core): update unstable proc_macro APIs for recent nightly [[@​barry3406]]
• [#​4234]: fix: Use correct path in error when failing to create tmp dir in prepare [[@​Miesvanderlippe]]
• [#​4245]: fix(mysql): repair caching_sha2_password fast-auth path [[@​altmannmarcelo]]
• [#​4251]: fix(tls): potential deadlock in StdSocket::poll_ready() [[@​abonander]]

tokio-rs/tokio (tokio)

v1.52.3: Tokio v1.52.3

Compare Source

1.52.3 (May 8th, 2026)

Fixed

• sync: fix underflow in mpsc channel len() (#​8062)
• sync: notify receivers in mpsc OwnedPermit::release() method (#​8075)
• sync: require that an RwLock has max_readers != 0 (#​8076)
• sync: return Empty from try_recv() when mpsc is closed with outstanding permits (#​8074)

v1.52.2: Tokio v1.52.2

Compare Source

1.52.2 (May 4th, 2026)

This release reverts the LIFO slot stealing change introduced in 1.51.0 (#​7431), due to its performance impact. (#​8100)

v1.52.1: Tokio v1.52.1

Compare Source

1.52.1 (April 16th, 2026)

Fixed

• runtime: revert #​7757 to fix a regression that causes spawn_blocking to hang (#​8057)

v1.52.0: Tokio v1.52.0

Compare Source

1.52.0 (April 14th, 2026)

Added

• io: AioSource::register_borrowed for I/O safety support (#​7992)
• net: add try_io function to unix::pipe sender and receiver types (#​8030)

Added (unstable)

• runtime: Builder::enable_eager_driver_handoff setting enable eager hand off of the I/O and time drivers before polling tasks (#​8010)
• taskdump: add trace_with() for customized task dumps (#​8025)
• taskdump: allow impl FnMut() in trace_with instead of just fn() (#​8040)
• fs: support io_uring in AsyncRead for File (#​7907)

Changed

• runtime: improve spawn_blocking scalability with sharded queue (#​7757)
• runtime: use compare_exchange_weak() in worker queue (#​8028)

Fixed

• runtime: overflow second half of tasks when local queue is filled instead of first half (#​8029)

Documented

• docs: fix typo in oneshot::Sender::send docs (#​8026)
• docs: hide #[tokio::main] attribute in the docs of sync::watch (#​8035)
• net: add docs on ConnectionRefused errors with UDP sockets (#​7870)

v1.51.3: Tokio v1.51.3

Compare Source

1.51.3 (May 8th, 2026)

Fixed

• sync: fix underflow in mpsc channel len() (#​8062)
• sync: notify receivers in mpsc OwnedPermit::release() method (#​8075)
• sync: require that an RwLock has max_readers != 0 (#​8076)
• sync: return Empty from try_recv() when mpsc is closed with outstanding permits (#​8074)

v1.51.2: Tokio v1.51.1

Compare Source

1.51.2 (May 4th, 2026)

This release reverts the LIFO slot stealing change introduced in 1.51.0 (#​7431), due to its performance impact. (#​8100)

v1.51.1: Tokio v1.51.1

Compare Source

1.51.1 (April 8th, 2026)

Fixed

• sync: fix semaphore reopens after forget (#​8021)
• net: surface errors from SO_ERROR on recv for UDP sockets on Linux (#​8001)

Fixed (unstable)

• metrics: fix worker_local_schedule_count test (#​8008)
• rt: do not leak fd when cancelling io_uring open operation (#​7983)

v1.51.0: Tokio v1.51.0

Compare Source

1.51.0 (April 3rd, 2026)

Added

• net: implement get_peer_cred on Hurd (#​7989)
• runtime: add tokio::runtime::worker_index() (#​7921)
• runtime: add runtime name (#​7924)
• runtime: stabilize LocalRuntime (#​7557)
• wasm: add wasm32-wasip2 networking support (#​7933)

Changed

• runtime: steal tasks from the LIFO slot (#​7431)

Fixed

• docs: do not show "Available on non-loom only." doc label (#​7977)
• macros: improve overall macro hygiene (#​7997)
• sync: fix notify_waiters priority in Notify (#​7996)
• sync: fix panic in Chan::recv_many when called with non-empty vector on closed channel (#​7991)

tower-rs/tower-http (tower-http)

v0.6.11

Compare Source

Added

• set-header: add SetMultipleResponseHeadersLayer and
  SetMultipleResponseHeader for setting multiple response headers at once.
  Supports overriding, appending, and if_not_present modes. Header
  values can be fixed or computed dynamically via closures (#​672)

  use http::{Response, header::{self, HeaderValue}};
  use http_body::Body as _;
  use tower_http::set_header::response::SetMultipleResponseHeadersLayer;
  
  let layer = SetMultipleResponseHeadersLayer::overriding(vec![
      (header::X_FRAME_OPTIONS, HeaderValue::from_static("DENY")).into(),
      (header::CONTENT_LENGTH, |res: &Response<MyBody>| {
          res.body().size_hint().exact()
              .map(|size| HeaderValue::from_str(&size.to_string()).unwrap())
      }).into(),
  ]);

• set-header: add SetMultipleRequestHeadersLayer and
  SetMultipleRequestHeaders for setting multiple request headers at once,
  mirroring the response-side API (#​677)

• classify: add From<i32> and From<NonZeroI32> impls for GrpcCode.
  Unrecognized status codes map to GrpcCode::Unknown (#​506)

Changed

• compression: compress application/grpc-web responses. Previously all
  application/grpc* content types were excluded from compression; now only
  application/grpc (non-web) is excluded (#​408)

Fixed

• fs: fix ServeDir returning 500 instead of 405 for non-GET/HEAD requests
  when call_fallback_on_method_not_allowed is enabled but no fallback service
  is configured (#​587)
• fs: remove duplicate cfg attribute on is_reserved_dos_name (#​675)

All PRs

• ci: fix flaky encoding test, add nightly stress test job by @​jlizen in #​670
• ci: use static timeout in stress-test workflow by @​jlizen in #​671
• Fix serve_dir method not allowed handling when no fallback is configured by @​soerenmeier in #​587
• Do compress grpc-web responses by @​bouk in #​408
• add From impl for GrpcCode by @​gshipilov in #​506
• feat(set_header): refactor and improve multiple header middleware by @​seun-ja in #​672
• Remove duplicate cfg attribute for is_reserved_dos_name by @​GlenDC in #​675
• feat: set multiple request header by @​seun-ja in #​677
• chore: release 0.6.11 by @​jlizen in #​673

New Contributors

• @​gshipilov made their first contribution in #​506
• @​seun-ja made their first contribution in #​672

Full Changelog: tower-rs/tower-http@tower-http-0.6.10...tower-http-0.6.11

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: Cargo.lock

Command failed: cargo update --config net.git-fetch-with-cli=true --manifest-path Cargo.toml --package axum@0.8.8 --precise 0.8.9
    Updating crates.io index
error: failed to select a version for `sqlx`.
    ... required by package `lynx v0.1.0 (/tmp/renovate/repos/github/BTreeMap/Lynx)`
versions that meet the requirements `^0.9` are: 0.9.0

package `lynx` depends on `sqlx` with feature `runtime-tokio-rustls` but `sqlx` does not have that feature.
 available features: _rt-async-global-executor, _rt-async-std, _rt-smol, _rt-tokio, _sqlite, _unstable-all-types, _unstable-docs, all-databases, any, bigdecimal, bit-vec, bstr, chrono, default, derive, ipnet, ipnetwork, json, mac_address, macros, migrate, mysql, mysql-rsa, postgres, regexp, runtime-async-global-executor, runtime-async-std, runtime-smol, runtime-tokio, rust_decimal, sqlite, sqlite-bundled, sqlite-deserialize, sqlite-load-extension, sqlite-preupdate-hook, sqlite-unbundled, sqlite-unlock-notify, sqlx-macros, sqlx-mysql, sqlx-postgres, sqlx-sqlite, sqlx-toml, time, tls-native-tls, tls-none, tls-rustls, tls-rustls-aws-lc-rs, tls-rustls-ring, tls-rustls-ring-native-roots, tls-rustls-ring-webpki, uuid


failed to select a version for `sqlx` which could resolve this conflict