Bump the all group with 6 updates

[dependabot]

Bumps the all group with 6 updates:

Package	From	To
tokio	1.52.2	1.52.3
quick-xml	0.39.3	0.40.0
aws-sdk-s3	1.131.0	1.132.0
kreuzberg	4.9.4	4.9.7
clap_complete	4.6.3	4.6.5
assert_cmd	2.2.1	2.2.2

Updates tokio from 1.52.2 to 1.52.3

Release notes

Sourced from tokio's releases.

Tokio v1.52.3

1.52.3 (May 8th, 2026)

Fixed

• sync: fix underflow in mpsc channel len() (#8062)
• sync: notify receivers in mpsc OwnedPermit::release() method (#8075)
• sync: require that an RwLock has max_readers != 0 (#8076)
• sync: return Empty from try_recv() when mpsc is closed with outstanding permits (#8074)

#8062: tokio-rs/tokio#8062 #8074: tokio-rs/tokio#8074 #8075: tokio-rs/tokio#8075 #8076: tokio-rs/tokio#8076

Commits

• d875691 chore: prepare Tokio v1.52.3 (#8130)
• e1aebb0 Merge 'tokio-1.51.3' into 'tokio-1.52.x' (#8129)
• fd63094 chore: prepare Tokio v1.51.3 (#8127)
• 8c600d0 Merge 'tokio-1.47.5' into 'tokio-1.51.x' (#8123)
• 11bfc13 chore: prepare Tokio v1.47.5 (#8122)
• f085b62 sync: notify receivers in mpsc OwnedPermit::release() method (#8075)
• 30d25cc sync: require that an RwLock has max_readers != 0 (#8076)
• 9fccf53 sync: return Empty from try_recv() when mpsc is closed with outstanding p...
• ebf61b4 sync: fix underflow in mpsc channel len() (#8062)
• See full diff in compare view

Updates quick-xml from 0.39.3 to 0.40.0

Release notes

Sourced from quick-xml's releases.

v0.40.0 - UTF-16 and ISO-2022-JP encodings supported

What's Changed

MSRV bumped to 1.79.

Now quick-xml supports the UTF-16 and ISO-2022-JP encoded documents. See the new DecodingReader type.

New Features

• #956: Add DecodingReader, a BufRead adapter that auto-detects encoding from BOM or XML declaration and transcodes to UTF-8. Enabled by the encoding feature.

• #938: Add new enumeration XmlVersion and typified getter BytesDecl::xml_version().

• #938: Add new error variant IllFormedError::UnknownVersion.

• #371: Add new error variant EscapeError::TooManyNestedEntities.

• #371: Improved compliance with the XML attribute value normalization process by adding

  • Attribute::normalized_value()
  • Attribute::normalized_value_with()
  • Attribute::decoded_and_normalized_value()
  • Attribute::decoded_and_normalized_value_with()

  which ought to be used in place of deprecated

  • Attribute::unescape_value()
  • Attribute::unescape_value_with()
  • Attribute::decode_and_unescape_value()
  • Attribute::decode_and_unescape_value_with()

  Deprecated functions now behaves the same as newly added.

Bug Fixes

• #938: Use correct rules for EOL normalization in Deserializer when parse XML 1.0 documents. Previously XML 1.1. rules was applied.

Misc Changes

• #914: Remove deprecated .prefixes(), .resolve(), .resolve_attribute(), and .resolve_element() of NsReader. Use .resolver().<...> methods instead.
• #938: Now BytesText::xml_content, BytesCData::xml_content and BytesRef::xml_content accepts XmlVersion parameter to apply correct EOL normalization rules.
• #944: read_text() now returns BytesText which allows you to get the content with properly normalized EOLs. To get the previous behavior use .read_text().decode()?.
• #956: Bumped MSRV from 1.59 (Feb 2022) to 1.79 (June 2024)

#371: tafia/quick-xml#371 #914: tafia/quick-xml#914 #938: tafia/quick-xml#938 #944: tafia/quick-xml#944 #956: tafia/quick-xml#956

New Contributors

• @​dobermai made their first contribution in tafia/quick-xml#958

Full Changelog: tafia/quick-xml@v0.39.4...v0.40.0

v0.39.4 - Fix another panics when parse malformed DTD

... (truncated)

Changelog

Sourced from quick-xml's changelog.

0.40.0 -- 2026-05-11

MSRV bumped to 1.79.

Now quick-xml supports the UTF-16 encoded documents. See the new DecodingReader type.

New Features

• #956: Add DecodingReader, a BufRead adapter that auto-detects encoding from BOM or XML declaration and transcodes to UTF-8. Enabled by the encoding feature.

• #938: Add new enumeration XmlVersion and typified getter BytesDecl::xml_version().

• #938: Add new error variant IllFormedError::UnknownVersion.

• #371: Add new error variant EscapeError::TooManyNestedEntities.

• #371: Improved compliance with the XML attribute value normalization process by adding

  • Attribute::normalized_value()
  • Attribute::normalized_value_with()
  • Attribute::decoded_and_normalized_value()
  • Attribute::decoded_and_normalized_value_with()

  which ought to be used in place of deprecated

  • Attribute::unescape_value()
  • Attribute::unescape_value_with()
  • Attribute::decode_and_unescape_value()
  • Attribute::decode_and_unescape_value_with()

  Deprecated functions now behaves the same as newly added.

Bug Fixes

• #938: Use correct rules for EOL normalization in Deserializer when parse XML 1.0 documents. Previously XML 1.1. rules was applied.

Misc Changes

• #914: Remove deprecated .prefixes(), .resolve(), .resolve_attribute(), and .resolve_element() of NsReader. Use .resolver().<...> methods instead.
• #938: Now BytesText::xml_content, BytesCData::xml_content and BytesRef::xml_content accepts XmlVersion parameter to apply correct EOL normalization rules.
• #944: read_text() now returns BytesText which allows you to get the content with properly normalized EOLs. To get the previous behavior use .read_text().decode()?.
• #956: Bumped MSRV from 1.59 (Feb 2022) to 1.79 (June 2024)

#371: tafia/quick-xml#371 #914: tafia/quick-xml#914 #938: tafia/quick-xml#938 #944: tafia/quick-xml#944 #956: tafia/quick-xml#956

0.39.4 -- 2026-05-08

... (truncated)

Commits

• 2778564 Release 0.40.0
• 393db03 Merge pull request #962 from Mingun/prepare-0.40
• a27709a Fix misprint in code example
• 0c0c914 Make some functions const and enable clippy::missing_const_for_fn lint
• bf4ffe5 Fix clippy warning: use .first() instead of .get(0)
• d69baad Fix clippy warning: remove unnecessary after 241f01e20ff679e9248f2ae424c9ba82...
• 8e0ae4f Fix clippy warning: use strip_prefix instead of manual stripping
• b795a5d Remove outdated documentation line that accidentally remained after 99d2870a3...
• 94e61ed Merge pull request #956 from dralley/decode
• b918b0b Expand tests using DecodingReader
• Additional commits viewable in compare view

Updates aws-sdk-s3 from 1.131.0 to 1.132.0

Commits

• See full diff in compare view

Updates kreuzberg from 4.9.4 to 4.9.7

Release notes

Sourced from kreuzberg's releases.

v4.9.7

Full Changelog: kreuzberg-dev/kreuzberg@v4.9.6...v4.9.7

v4.9.6

Full Changelog: kreuzberg-dev/kreuzberg@v4.9.5...v4.9.6

v4.9.5

Fixed

• #790: Fix GPU acceleration — kreuzberg now bundles CPU-only ONNX Runtime by default (zero-config). When a GPU execution provider (cuda, tensorrt, coreml) is explicitly requested via AccelerationConfig but unavailable, kreuzberg returns an error with setup instructions instead of silently falling back to CPU. Auto mode gracefully falls back to CPU with an info log. For GPU support, set ORT_DYLIB_PATH to a GPU-enabled ONNX Runtime.
• #791: Fix DOCX OCR extraction — OCR now runs on embedded images before document rendering, and OCR text is injected into the rendered output. Previously, OCR results were discarded and replaced with placeholder text.
• #783: PaddleOCR backend not utilizing GPU (CUDA) despite AccelerationConfig — AccelerationConfig from ExtractionConfig was never reaching PaddleOCR ONNX sessions, silently falling back to CPU. Acceleration is now propagated through OcrConfig to all OCR call sites (image extractor, PDF OCR).
• #779: Expose PaddleOcrConfig in Python bindings and update OcrConfig for backward compatibility.
• #792: Fix Ruby gem packaging — exclude staged libpdfium.dylib from gem artifacts by narrowing the native extension glob to only include the compiled kreuzberg_rb.* extension.

Added

• GPU CI workflow (ci-gpu.yaml) targeting self-hosted GPU runners with NVIDIA GPUs.
• Comprehensive GPU integration tests covering all ORT-accelerated paths: PaddleOCR (det/cls/rec), layout detection (RT-DETR), embeddings, document orientation detection, and end-to-end extraction.

Changelog

Sourced from kreuzberg's changelog.

[4.9.7] - 2026-05-08

LTS patch release. Publish-pipeline fixes only — no library code changes.

Fixed

• Hex package build: re-track packages/elixir/native/kreuzberg_rustler/Cargo.lock. mix.exs declares it in the files: allowlist; commit c29420511 had untracked it on the assumption that the workspace Cargo.lock was authoritative, but Hex packages ship without workspace context and need their own lockfile for reproducible NIF builds.
• macOS arm64 wheel build: disable sccache for the native wheel Setup Rust toolchain (native) and PyO3/maturin-action. The hosted sccache backend was returning Mismatch of client/server versions? from sccache --show-stats in the post-step, marking jobs as failed even when wheels built successfully.

[4.9.6] - 2026-05-07

LTS patch release. Bug fixes backported from main (v5 development). The chore/v4.9-lts branch is now the long-lived line for the 4.9.x series.

Fixed

• #789, #800: max_images_per_page cap now enforced in extract_images_from_pdf itself — previously only the structure pipeline honoured it, so PDFs with thousands of image objects per page hung indefinitely. Image decoding is also moved off the async executor via spawn_blocking so extraction_timeout_secs can fire while images are processing.
• #838: OCR elements are now propagated through the extraction pipeline.
• #839: extraction_timeout_secs is now enforced in single-file extraction paths (previously the timeout was only applied to multi-file batch flows).
• #836: PDF image data no longer leaks into structured output when image extraction is disabled.
• #797: Preset-only chunking config no longer auto-injects an EmbeddingConfig — every chunk previously gained an unwanted .embedding field. Explicit embedding config still takes effect.
• #782: PDF heading and image-placeholder element classification corrected.
• #870: PSM defaults to SINGLE_BLOCK (6) on the WASM target (native default PSM_AUTO=3 unchanged).
• #872: HwpExtractor no longer claims the application/haansofthwpx MIME type — that format is ZIP-based XML and cannot be handled by the CFB-based HWP parser.
• Latex extractor uses the correct inject_placeholders: bool type from ImageExtractionConfig.
• extraction_timeout_secs enforcement is now correctly gated on the tokio-runtime feature.
• Email HTML body fallback: when mail_parser::Message::body_html() returns nothing, the EML extractor now walks message.parts for HTML subtype and as a final fallback scans raw bytes after the headers/body separator. clean_html_content also reorders to try regex stripping before the html-to-markdown converter (more lenient on malformed HTML). Previously, HTML-only emails that mail-parser failed to surface via body_html returned empty content. (Refs upstream 2ff490b4b; sender-format and Attachments-section hunks intentionally not backported.)
• Image decode pixel cap: all four call sites that pass attacker-controlled bytes to image::load_from_memory (layout-detection, generic image metadata, PDF→PNG TATR loop, doc-orientation auto-rotate) now go through decode_with_pixel_cap which probes header dimensions cheaply and rejects images above 64 MP. A crafted 20000x20000 PNG previously triggered multi-GB allocations; now it returns a clean error. (Refs upstream 346d45557.)
• CLI --log-level no longer panics on malformed input: replaces EnvFilter::new(level) with EnvFilter::try_new(level).unwrap_or_else(|_| EnvFilter::new("info")). (Refs upstream 346d45557.)
• Markdown rendering: collapse runs of 3+ consecutive newlines to exactly 2 — comrak emits an extra blank line after lists when followed by a code block or table, which violated MD012. (Refs upstream c01edcebb.)
• WASI SDK v33+ build compatibility: kreuzberg-tesseract/build.rs now adds the noeh/ subdirectory of the WASI sysroot to the rustc link-search path. WASI SDK v33+ moved libc++.a/libc++abi.a there; without the addition the linker failed on v33+. Older WASI SDKs lacking that directory are unaffected. (Refs upstream 2712f86c3.)
• MCP file_configs schema: emits {"type":"array","items":{"anyOf":[{"type":"null"},{"type":"object"}]}} instead of schemars' default {"items":true}. The default is valid JSON Schema 2019-09+ but Moonshot AI / Kimi rejects it. Runtime deserialization is unchanged. (Refs upstream 8e18ebc83.)

API surface

• kreuzberg::pdf::extract_images_from_pdf, extract_images_from_pdf_with_password, and PdfImageExtractor::{extract_images, get_image_count, extract_images_from_page} gain a required max_images_per_page: Option<u32> parameter. Pass None to preserve previous unbounded behaviour. (See #789, #800.)

Not backported from main

The following fixes on main could not be applied to v4.9.x because they build on v5 architecture (SecurityBudget, image_kind classification, restructured pdf::structure):

• #834 (DOCX inject_placeholders/OCR pipeline integration) — depends on SecurityBudget.
• #799 (Form XObject image extraction) — full v5 rewrite of pdf::images.
• #824 (image extraction across XObject references) — full v5 rewrite of pdf::images.

---

[4.9.5] - 2026-04-23

... (truncated)

Commits

• 51eef40 chore(release): bump version to 4.9.7
• 59b52af fix(elixir): re-track kreuzberg_rustler Cargo.lock for Hex publish
• 23e112d fix(elixir): re-track kreuzberg_rustler Cargo.lock for Hex publish
• bfc2113 fix(elixir): re-track kreuzberg_rustler Cargo.lock for Hex publish
• a7d0a22 fix(publish): use full 40-char SHA for check-registry pin
• 7ae47af fix(ruby): add missing acceleration field to OcrConfig initializer
• 6ebd8d5 fix(publish): pin check-registry to alef-free af59fc0
• 81f8fb8 fix(pipeline): make run_pipeline doc mutable only when ocr feature active
• 702674f fix(ci): use GitHub App token in release-on-tag so publish cascades
• a1af147 fix(ci): build kreuzberg-ffi with embeddings feature for C tests
• Additional commits viewable in compare view

Updates clap_complete from 4.6.3 to 4.6.5

Commits

• c8c9355 chore: Release
• af74def docs: Update changelog
• c96f222 Merge pull request #6368 from truffle-dev/fix/fish-env-escaping
• 49a05cd fix(complete): Two-pass quote fish env-completer
• e791004 test(complete): Snapshot fish env quoting cases
• 87ec1ad chore: Release
• 78f2529 docs: Update changelog
• b61f270 Merge pull request #6369 from Metbcy/fix/zsh-completion-ordering
• 74c6666 fix(complete): Keep zsh candidate order
• d142d8f Merge pull request #6360 from epage/string
• Additional commits viewable in compare view

Updates assert_cmd from 2.2.1 to 2.2.2

Changelog

Sourced from assert_cmd's changelog.

[2.2.2] - 2026-05-11

Fixes

• Ensure #[track_caller] works for better panic messages

Commits

• feece89 chore: Release assert_cmd version 2.2.2
• 367cdf7 docs: Update changelog
• a98cc85 Merge pull request #289 from marcospb19/track_caller
• cd2e167 fix: .success() not reporting panic location
• 45a1c74 chore(deps): Update Prek to v0.3.13 (#293)
• f1d9b5b chore(deps): Update Prek to v0.3.12 (#292)
• 1d34bab Merge pull request #291 from epage/template
• d9a70ad style: Make clippy happy
• 4f5b5af chore: Update from _rust template
• 1e1d586 chore(renovate): Fix the tag
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

Labels

The following labels could not be found: dependencies. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.