build(deps): bump the prod-deps group across 1 directory with 7 updates

[dependabot]

Bumps the prod-deps group with 7 updates in the / directory:

Package	From	To
serde-saphyr	0.0.26	0.0.27
serde_json	1.0.149	1.0.150
minijinja	2.19.0	2.20.0
reqwest	0.13.3	0.13.4
rusqlite	0.39.0	0.40.0
http	1.4.0	1.4.1
pulldown-cmark	0.13.3	0.13.4

Updates serde-saphyr from 0.0.26 to 0.0.27

Release notes

Sourced from serde-saphyr's releases.

0.0.27 Comments

The major extension of this release is comments support.

The long existed wrapper Commented<..> was usable for serialization only until now. Since this release, Commented also captures a comment of the wrapped data structure:

struct DeploymentConfig {
    name: Commented<String>,
    image: Commented<String>,
    ports: Commented<Vec<Commented<u16>>>,
    labels: Commented<BTreeMap<String, Commented<String>>>,
}

would capture all comments for the elements of the structure, like

# deployment manifest
name: checkout
image: registry.example.com/checkout:v1 # container image to deploy
ports: # sequence of exposed ports
  - 80 # public HTTP
  - 443 # public HTTPS
labels: # mapping of Kubernetes labels
  app: checkout # stable app label
  tier: frontend # routing tier
"#;

while assigning them to the relevant YAML element. This became possible after migrating to granit parser 0.0.3, which now captures comments. Comments can be either on the right or above the item they describe.

This release also adds support for figment2 (figment is supported since v0.0.13).

Commits

• 4b76b5f Small adjustments in comment handling.
• 759ee8c Limit maximal number of comments in Budget.
• a4c8235 Bw/comments (#117)
• 299044d Bump garde from 0.22.1 to 0.23.0 (#119)
• d756075 Bump serde_json from 1.0.149 to 1.0.150 (#118)
• e7ede1e Improve the code quality and test coverage.
• b659f7f Merge remote-tracking branch 'origin/master'
• dd48554 Improve the code quality
• 8108fef Fix #115 : correct block-scalar auto-selection and indentation indicator (#116)
• fbf4c7c Serializer security hardening, thanks @​alurm
• Additional commits viewable in compare view

Updates serde_json from 1.0.149 to 1.0.150

Release notes

Sourced from serde_json's releases.

v1.0.150

• Reject non-string enum object keys (#1324, thanks @​puneetdixit200)

Commits

• a1ae73a Release 1.0.150
• 1a360b0 Merge pull request #1324 from puneetdixit200/reject-non-string-enum-keys
• 2037b63 Reject non-string enum object keys
• 5d30df6 Resolve manual_assert_eq pedantic clippy lint
• dc8003a Raise required compiler for preserve_order feature to 1.85
• a42fa98 Unpin CI miri toolchain
• 684a60e Pin CI miri to nightly-2026-02-11
• 7c7da33 Raise required compiler to Rust 1.71
• acf4850 Simplify Number::is_f64
• 6b8ceab Resolve unnecessary_map_or clippy lint
• Additional commits viewable in compare view

Updates minijinja from 2.19.0 to 2.20.0

Changelog

Sourced from minijinja's changelog.

2.20.0

• Added support for Jinja-style required blocks in Rust and Go, including scoped required parsing compatibility and validation that required blocks only contain whitespace or comments.
• Added support for chained comparisons (for example a < b < c) in Rust and Go to match Jinja/Python semantics.
• Fixed dotted integer lookup in the middle of attribute chains (for example foo.0.bar) for Jinja compatibility. #900
• Fixed compilation with multi_template disabled by gating block-only APIs behind the feature.

Commits

• 571e28a chore(release): 2.20.0
• 32a70a2 docs(changelog): update unreleased changes
• 8d5d304 fix(parser): support chained comparisons
• 685660b doc: Fix mention of add_test in docs (#898)
• 558a254 fix(lexer): support mid-chain dotted-integer attribute access (#900)
• a4860a0 fix(multi_template): gate block-only APIs behind feature
• 29ac0b2 feat(templates): add required block support
• See full diff in compare view

Updates reqwest from 0.13.3 to 0.13.4

Release notes

Sourced from reqwest's releases.

v0.13.4

tl;dr

• Add ClientBuilder::tls_sslkeylogfile(bool) option to allow using the related environment variable.
• Add ClientBuilder::http2_keep_alive_* options for the blocking client.
• Add TLS 1.3 support when using native-tls backend.
• Fix redirect handling to strip sensitive headers when the scheme changes.
• Fix HTTP/3 happy-eyeball connection creation.
• Upgrade hickory-resolver to 0.26.

What's Changed

• fix(tls): improve rustls-no-provider panic message and add module docs by @​smythg4 in seanmonstar/reqwest#3021
• fix: do not lose the url in error when decoding json by @​Dushistov in seanmonstar/reqwest#3026
• Add tls_sslkeylogfile builder method by @​passcod in seanmonstar/reqwest#2923
• fix(redirect): strip sensitive headers on scheme change across redirects by @​SAY-5 in seanmonstar/reqwest#3034
• chore: upgrade MSRV to 1.85 by @​seanmonstar in seanmonstar/reqwest#3038
• chore: clean up minimal-versions CI job by @​seanmonstar in seanmonstar/reqwest#3039
• fix(http3): use happy eyeballs for h3 connect by @​lyuzichong in seanmonstar/reqwest#3030
• fix: update hickory-resolver to 0.26 and adjust code accordingly by @​seanmonstar in seanmonstar/reqwest#3040
• fix: remove unwrap in hickory initialization by @​mat813 in seanmonstar/reqwest#3041
• feat(https): support TLS 1.3 as min version under native-tls 🎉 by @​AverageHelper in seanmonstar/reqwest#2975
• Expose keep alive configurations in blocking client by @​aeb-dev in seanmonstar/reqwest#3043
• Prepare v0.13.4 by @​seanmonstar in seanmonstar/reqwest#3046

New Contributors

• @​smythg4 made their first contribution in seanmonstar/reqwest#3021
• @​Dushistov made their first contribution in seanmonstar/reqwest#3026
• @​SAY-5 made their first contribution in seanmonstar/reqwest#3034
• @​mat813 made their first contribution in seanmonstar/reqwest#3041
• @​AverageHelper made their first contribution in seanmonstar/reqwest#2975
• @​aeb-dev made their first contribution in seanmonstar/reqwest#3043

Full Changelog: seanmonstar/reqwest@v0.13.3...v0.13.4

Changelog

Sourced from reqwest's changelog.

v0.13.4

• Add ClientBuilder::tls_sslkeylogfile(bool) option to allow using the related environment variable.
• Add ClientBuilder::http2_keep_alive_* options for the blocking client.
• Add TLS 1.3 support when using native-tls backend.
• Fix redirect handling to strip sensitive headers when the scheme changes.
• Fix HTTP/3 happy-eyeball connection creation.
• Upgrade hickory-resolver to 0.26.

Commits

• 11489b3 v0.13.4
• d31ffbb feat: Expose HTTP2 keep alive configurations in blocking client (#3043)
• 79ed0d7 feat: support TLS 1.3 as min version under native-tls 🎉 (#2975)
• fb7bf6a fix: remove unwrap in hickory initialization (#3041)
• 3da616f fix: update hickory-resolver to 0.26 and adjust code accordingly (#3040)
• c77e7b2 fix(http3): use happy eyeballs for h3 connect (#3030)
• 9cbb65b chore: clean up minimal-versions CI job (#3039)
• 17a7dc5 chore: upgrade MSRV to 1.85 (#3038)
• 03db63a fix(redirect): strip sensitive headers on scheme change across redirects (#3034)
• 4b813a8 feat: add tls_sslkeylogfile builder method (#2923)
• Additional commits viewable in compare view

Updates rusqlite from 0.39.0 to 0.40.0

Release notes

Sourced from rusqlite's releases.

0.40.0

What's Changed

• Breaking changes: Replace VTab macros by constructors #1823
• Breaking changes: Fix VTab::best_index #1824
• Asserts on VTab::connect aux and args #1825
• Breaking changes: Fix VTab::connect / create #1826
• Breaking changes: Allow opting out of using sqlite-wasm-rs on wasm32-unknown-unknown #1828, #1829
• Derive Default for SeriesTabCursor/ArrayTabCursor #1830
• Update link to pre-update hook #1831
• Breaking changes: Fix VTab::connect #1832
• impl From for FromSqlError #1833
• Breaking changes: Fix vtab::dequote #1835
• Bump bundled SQLCipher to version 4.14.0 #1837
• sqlite3_set_errmsg #1752
• Bump sqlite3-parser version #1838
• Fix UB in ToSqlOutput::from_rc #1839
• Ensure miri doesn't complain #1840
• Bump to actions/checkout@v6 #1842
• Add support to UtcDateTime #1843, #1844
• Bump bundled SQLite version to 3.53.1 #1848
• Replace some cfg(not by cfg_select #1850

Full Changelog: rusqlite/rusqlite@v0.39.0...v0.40.0

Commits

• f2bc708 Prepare next release
• 863a5d2 Merge pull request #1850 from gwenn/cfg_select
• 38bef55 Replace some cfg(not by cfg_select
• 73c360d Merge pull request #1848 from gwenn/3.53.1
• 7747d9b Bump bundled SQLite version to 3.53.1
• 2bb1bca Merge pull request #1844 from rusqlite/utc_datetime
• 4ce8860 Add support to UtcDateTime
• 6151b2f Merge pull request #1842 from gwenn/actions
• 67e3104 Bump to actions/checkout@v6
• 63181d4 Merge pull request #1840 from gwenn/miri
• Additional commits viewable in compare view

Updates http from 1.4.0 to 1.4.1

Release notes

Sourced from http's releases.

v1.4.1

tl;dr

• Fix PathAndQuery::from_static() and from_shared() to reject inputs that do not start with /.
• Fix Extend for HeaderMap to clamp max size hint and not overflow.
• Fix header::IntoIter that could use-after-free if the generic value type could panic on drop.
• Fix header::{IterMut, ValuesIterMut} to not violate stacked borrows.

What's Changed

• chore(header): fix clippy::assign_op_pattern by @​rxc-amzn in hyperium/http#806
• ci: pin itoa in msrv job by @​seanmonstar in hyperium/http#813
• Remove unnecessary explicit lifetimes by @​jplatte in hyperium/http#815
• chore(ci): update to actions/checkout@v6 by @​tottoto in hyperium/http#819
• tests: update to rand 0.10 by @​tottoto in hyperium/http#818
• refactor: Remove usage of float instruction by @​AurelienFT in hyperium/http#823
• refactor(uri): consolidate PathAndQuery::from_shared and from_static by @​seanmonstar in hyperium/http#825
• fix(uri): reject Path::from_shared/from_static if doesn't start with slash by @​seanmonstar in hyperium/http#826
• Rephrase comment by @​daalfox in hyperium/http#827
• Fix typo in request builder docs by @​vleksis in hyperium/http#831
• fix: clamp Extend size hint so HeaderMap reserve cannot overflow by @​SAY-5 in hyperium/http#833
• fix(headers): fix stacked borrows for IterMut/ValuesIterMut by @​seanmonstar in hyperium/http#837
• fix(header): use a set_len guard in IntoIter drop by @​seanmonstar in hyperium/http#838

New Contributors

• @​rxc-amzn made their first contribution in hyperium/http#806
• @​AurelienFT made their first contribution in hyperium/http#823
• @​daalfox made their first contribution in hyperium/http#827
• @​vleksis made their first contribution in hyperium/http#831
• @​SAY-5 made their first contribution in hyperium/http#833

Full Changelog: hyperium/http@v1.4.0...v1.4.1

Changelog

Sourced from http's changelog.

1.4.1 (May 25, 2026)

• Fix PathAndQuery::from_static() and from_shared() to reject inputs that do not start with /.
• Fix Extend for HeaderMap to clamp max size hint and not overflow.
• Fix header::IntoIter that could use-after-free if the generic value type could panic on drop.
• Fix header::{IterMut, ValuesIterMut} to not violate stacked borrows.

Commits

• a24c968 v1.4.1
• bc3b044 fix(header): use a set_len guard in IntoIter drop (#838)
• 1b968dc fix(header): fix stacked borrows for IterMut/ValuesIterMut (#837)
• 6e2dd42 fix: clamp Extend size hint so HeaderMap reserve cannot overflow (#833)
• 68e0abb docs: fix typo in request builder docs (#831)
• 29dd307 docs(extensions): rephrase internal comment (#827)
• ae48fb5 fix(uri): reject Path::from_shared/from_static if doesn't start with slash (#...
• 1ad200e refactor(uri): consolidate PathAndQuery::from_shared and from_static (#825)
• d59d939 refactor: Remove usage of float instruction (#823)
• ed680c4 tests: update to rand 0.10 (#818)
• Additional commits viewable in compare view

Updates pulldown-cmark from 0.13.3 to 0.13.4

Release notes

Sourced from pulldown-cmark's releases.

0.13.4

Fix panic in specific cases with TightParagraph.

What's Changed

• fix: panic in parser iterator for TightParagraph in some cases by @​Martin1887 in pulldown-cmark/pulldown-cmark#1096

Full Changelog: pulldown-cmark/pulldown-cmark@v0.13.3...v0.13.4

Commits

• 38e4d08 chore: cargo update
• 9c61031 chore: bump pulldown-cmark version to 0.13.4
• 709268f Merge pull request #1096 from pulldown-cmark/fix-1095
• c1d4450 Add test case from 1097
• 6fea453 fix: panic in parser iterator for TightParagraph in some cases
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

Looks like these dependencies are updatable in another way, so this is no longer needed.