chore(deps): bump reqwest from 0.12.9 to 0.12.15 in /src/user-management-service #423

Merged
jeastham1993 merged 2 commits into main from dependabot/cargo/src/user-management-service/reqwest-0.12.15
Aug 29, 2025

@dependabot dependabot bot commented on behalf of github Aug 1, 2025

Bumps reqwest from 0.12.9 to 0.12.15.

Release notes

Sourced from reqwest's releases.

v0.12.15

What's Changed

New Contributors

Full Changelog: seanmonstar/reqwest@v0.12.14...v0.12.15

v0.12.14

What's Changed

Full Changelog: seanmonstar/reqwest@v0.12.13...v0.12.14

v0.12.13

What's Changed

  • Add Form::into_reader() for blocking multipart forms.
  • Add Form::into_stream() for async multipart forms.
  • Add support for SOCKS4a proxies.
  • Fix decoding responses with multiple zstd frames.
  • Fix RequestBuilder::form() from overwriting a previously set Content-Type header, like the other builder methods.
  • Fix cloning of request timeout in blocking::Request.
  • Fix http3 synchronization of connection creation, reducing unnecessary extra connections.
  • Fix Windows system proxy to use ProxyOverride as a NO_PROXY value.
  • Fix blocking read to correctly reserve and zero read buffer.
  • (wasm) Add support for request timeouts.
  • (wasm) Fix Error::is_timeout() to return true when from a request timeout.

New Contributors

Thanks!

... (truncated)

Changelog

Sourced from reqwest's changelog.

v0.12.15

  • Fix Windows to support both ProxyOverride and NO_PROXY.
  • Fix http3 to support streaming response bodies.
  • Fix http3 dependency from public API misuse.

v0.12.14

  • Fix missing fetch_mode_no_cors(), marking as deprecated when not on WASM.

v0.12.13

  • Add Form::into_reader() for blocking multipart forms.
  • Add Form::into_stream() for async multipart forms.
  • Add support for SOCKS4a proxies.
  • Fix decoding responses with multiple zstd frames.
  • Fix RequestBuilder::form() from overwriting a previously set Content-Type header, like the other builder methods.
  • Fix cloning of request timeout in blocking::Request.
  • Fix http3 synchronization of connection creation, reducing unnecessary extra connections.
  • Fix Windows system proxy to use ProxyOverride as a NO_PROXY value.
  • Fix blocking read to correctly reserve and zero read buffer.
  • (wasm) Add support for request timeouts.
  • (wasm) Fix Error::is_timeout() to return true when from a request timeout.

v0.12.12

  • (wasm) Fix compilation by not compiling tokio/time on WASM.

v0.12.11

  • Fix decompression returning an error when HTTP/2 ends with an empty data frame.

v0.12.10

  • Add ClientBuilder::connector_layer() to allow customizing the connector stack.
  • Add ClientBuilder::http2_max_header_list_size() option.
  • Fix propagating body size hint (content-length) information when wrapping bodies.
  • Fix decompression of chunked bodies so the connections can be reused more often.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [reqwest](https://github.com/seanmonstar/reqwest) from 0.12.9 to 0.12.15.
- [Release notes](https://github.com/seanmonstar/reqwest/releases)
- [Changelog](https://github.com/seanmonstar/reqwest/blob/master/CHANGELOG.md)
- [Commits](seanmonstar/reqwest@v0.12.9...v0.12.15)

---
updated-dependencies:
- dependency-name: reqwest
  dependency-version: 0.12.15
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

dependabot bot added the dependencies (Pull requests that update a dependency file) and Rust labels Aug 1, 2025
dependabot bot requested a review from jeastham1993 as a code owner August 1, 2025 12:58
jeastham1993 merged commit ab249e7 into main Aug 29, 2025
8 of 12 checks passed

claude bot commented Aug 29, 2025

Claude finished @dependabot[bot]'s task


PR Review: Reqwest Dependency Update

I've completed my review of this dependency update PR from reqwest 0.12.9 to 0.12.15 in the user-management-service.

Todo List:

  • Read repository setup instructions (CLAUDE.md files)
  • Analyze the dependency update changes in Cargo.lock
  • Review reqwest changelog for security and compatibility impacts
  • Provide comprehensive PR review feedback

Review Summary

Overall Assessment: ✅ APPROVED

This is a well-managed dependency update that addresses important security and stability issues with no breaking changes.

Code Quality and Best Practices

Excellent dependency management: This Dependabot-managed update follows proper semantic versioning and only updates patch versions (0.12.9 → 0.12.15), ensuring compatibility.

Proper workspace structure: The service uses Cargo workspaces appropriately, with reqwest specified in src/integration_tests/Cargo.toml:14 with appropriate feature flags.

Security Concerns

Security improvements: The update includes several important fixes:

  • HTTP/3 security fix: Addresses public API misuse in HTTP/3 implementation
  • Proxy handling improvements: Better Windows proxy support and NO_PROXY environment variable handling
  • Connection management: Reduced unnecessary HTTP/3 connections through better synchronization

Performance Considerations

Performance benefits:

  • HTTP/3 streaming: Fixed streaming response bodies for HTTP/3, improving performance for large responses
  • Connection efficiency: Reduced unnecessary extra HTTP/3 connections
  • Memory management: Fixed blocking read buffer allocation and zeroing

Compatibility Analysis

No breaking changes: All updates are patch releases (0.12.13, 0.12.14, 0.12.15) maintaining full API compatibility.

Feature consistency: The integration tests continue to use the same feature set:

reqwest = { version = "0.12", default-features = false, features = [
  "rustls-tls",
  "http2", 
  "json"
]}

Test Coverage

⚠️ Note on testing: Since this PR is already merged and only updates the lock file, no new tests were needed. The existing integration test suite in src/integration_tests/ will verify compatibility with the updated reqwest version.

Notable Fixes in This Update

v0.12.15:

  • HTTP/3 streaming response body support
  • Windows proxy override and NO_PROXY compatibility
  • HTTP/3 dependency API cleanup

v0.12.14:

  • Restored deprecated fetch_mode_no_cors() for backwards compatibility

v0.12.13:

  • SOCKS4a proxy support
  • Multiple zstd frame decoding fixes
  • Request timeout improvements
  • Form handling enhancements

Recommendations

  1. Monitor for issues: While this update addresses several bugs, keep an eye on HTTP/3 and proxy-related functionality if used in production
  2. Consider feature evaluation: The service could potentially benefit from new features like SOCKS4a proxy support if needed
  3. Dependency audit: Continue using Dependabot for regular security updates

Summary

This dependency update is excellent - it addresses multiple security and stability issues with zero breaking changes. The fixes for HTTP/3, proxy handling, and connection management make this a valuable update for the user-management-service.


@dependabot dependabot bot deleted the dependabot/cargo/src/user-management-service/reqwest-0.12.15 branch August 29, 2025 10:51
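
The review above notes that this PR only changes the lock file and stays within patch releases. As an added example (not code from this PR, the repository or reqwest), one way to check that mechanically is to compare the reqwest entry in the old and new Cargo.lock; the lock entries are constructed, the checksums are placeholders, and `entry`, `semver`, `check_bump` and `sample_lock` are hypothetical names.

```rust
// Added example: review check for a lock-file-only bump (reqwest 0.12.9 -> 0.12.15).
// Lock entries are constructed; checksums are placeholders, not real crate hashes.
struct Entry { version: String, source: String, checksum: String }
/// First `[[package]]` entry called `name` in Cargo.lock text.
fn entry(lock: &str, name: &str) -> Option<Entry> {
    for block in lock.split("[[package]]").skip(1) {
        let field = |key: &str| -> String {
            block.lines()
                .filter_map(|l| l.trim().strip_prefix(key))
                .filter_map(|rest| rest.trim_start().strip_prefix('='))
                .map(|v| v.trim().trim_matches('"').to_string())
                .next().unwrap_or_default()
        };
        if field("name") == name {
            return Some(Entry { version: field("version"), source: field("source"), checksum: field("checksum") });
        }
    }
    None
}

/// Numeric parse: comparing as strings would rank "0.12.9" above "0.12.15".
fn semver(v: &str) -> Option<(u64, u64, u64)> {
    let mut parts = v.split('.').map(|p| p.parse::<u64>().ok());
    Some((parts.next()??, parts.next()??, parts.next()??))
}

/// Accept only: same registry source, fresh SHA-256 checksum, patch-level upgrade.
fn check_bump(old: &str, new: &str, name: &str) -> Result<(), String> {
    let o = entry(old, name).ok_or("package missing from old lock")?;
    let n = entry(new, name).ok_or("package missing from new lock")?;
    if !n.source.starts_with("registry+") || n.source != o.source {
        return Err(format!("unexpected source: {}", n.source));
    }
    let hex64 = n.checksum.len() == 64 && n.checksum.chars().all(|c| c.is_ascii_hexdigit());
    if !hex64 || n.checksum == o.checksum {
        return Err("checksum missing, malformed or unchanged".into());
    }
    let (ov, nv) = (semver(&o.version).ok_or("bad old version")?, semver(&n.version).ok_or("bad new version")?);
    if (nv.0, nv.1) != (ov.0, ov.1) || nv.2 <= ov.2 {
        return Err(format!("not a patch upgrade: {} -> {}", o.version, n.version));
    }
    Ok(())
}

fn sample_lock(version: &str, fill: char) -> String {
    format!("[[package]]\nname = \"reqwest\"\nversion = \"{version}\"\nsource = \"registry+https://github.com/rust-lang/crates.io-index\"\nchecksum = \"{}\"\n", fill.to_string().repeat(64))
}
fn main() { println!("{:?}", check_bump(&sample_lock("0.12.9", 'a'), &sample_lock("0.12.15", 'b'), "reqwest")); }
```

In a real review the two inputs would be the Cargo.lock contents from the base and head commits; the check looks only at the first entry with the given name.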