fix(deps): update rust dependencies (non-major)

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Type	Update	Change
axum	dev-dependencies	patch	0.8.8 → 0.8.9
axum	dependencies	patch	0.8.8 → 0.8.9
clap	dependencies	patch	4.6.0 → 4.6.1
hmac	dev-dependencies	minor	0.12 → 0.13
hmac	dependencies	minor	0.12 → 0.13
insta (source)	dev-dependencies	minor	1.46.3 → 1.47.2
jsonschema	dependencies	minor	0.45 → 0.46
opentelemetry (source)	dependencies	minor	0.31 → 0.32
opentelemetry-otlp (source)	dependencies	minor	0.31 → 0.32
opentelemetry_sdk (source)	dependencies	minor	0.31 → 0.32
proptest (source)	dev-dependencies	minor	1.10.0 → 1.11.0
rand (source)	dependencies	minor	0.9 → 0.10
reqwest	dev-dependencies	patch	0.13.2 → 0.13.3
reqwest	dependencies	patch	0.13.2 → 0.13.3
serde_json	dev-dependencies	patch	1.0.149 → 1.0.150
serde_json	dependencies	patch	1.0.149 → 1.0.150
sha1	dependencies	minor	0.10 → 0.11
sha2	dev-dependencies	minor	0.10 → 0.11
sha2	dependencies	minor	0.10 → 0.11
sqlx	dependencies	minor	0.8 → 0.9
tokio (source)	dev-dependencies	minor	1.50.0 → 1.52.3
tokio (source)	dependencies	minor	1.50.0 → 1.52.3
tower-http	dependencies	patch	0.6.8 → 0.6.11
tracing-opentelemetry	dependencies	minor	0.32 → 0.33

---

Release Notes

tokio-rs/axum (axum)

v0.8.9

Compare Source

• added: WebSocketUpgrade::{requested_protocols, set_selected_protocol} for more flexible subprotocol selection (#​3597)
• changed: Update minimum rust version to 1.80 (#​3620)
• fixed: Set connect endpoint on correct field in MethodRouter (#​3656)
• fixed: Return specific error message when multipart body limit is exceeded (#​3611)

clap-rs/clap (clap)

v4.6.1

Compare Source

Fixes

• (derive) Ensure rebuilds happen when an read env variable is changed

RustCrypto/MACs (hmac)

v0.13.0

Compare Source

mitsuhiko/insta (insta)

v1.47.2

Compare Source

• Restore Send + Sync on Settings, Redactions, and Redaction by
  reverting the Arc to Rc change from 1.47.0, which was semver-breaking.
  #​873 #​874
• Add Send + Sync bounds to Comparator trait for consistency with
  Arc-based storage. #​872
• Add compile-time assertion to prevent future auto-trait regressions.

v1.47.1

Compare Source

• Revert sorting of sequences in sort_maps. The change in 1.47.0 sorted all
  Seq values (including Vec), not just non-deterministic collections like
  HashSet, which was a breaking change. #​876

v1.47.0

Compare Source

• Add Comparator trait for customizing how snapshot values are compared. #​872 (@​dstu)
• Sort sequences in sort_maps to fix non-deterministic HashSet snapshots. #​876
• Improve TOML serialization error message for unsupported types, suggesting assert_json_snapshot! or assert_yaml_snapshot! as alternatives. #​880
• Remove unnecessary Send + Sync bounds from Redaction, allowing non-Send closures in dynamic redactions. #​874
• Don't use Arc in Settings unnecessarily. #​873 (@​dstu)
• Upgrade console to 0.16 and MSRV to 1.66. #​885
• Upgrade toml-edit to 0.25. #​882 (@​alexanderkjall)

Stranger6667/jsonschema (jsonschema)

v0.46.5

Fixed

• Percent-encoded characters in $ref URI fragments (e.g. #/$defs/Request%20class) are now decoded when stored as schema_path.

v0.46.4

Fixed

• Panic in the regex engine when matching against patterns with very large {0,N} quantifiers.

v0.46.3

Fixed

• Memory not reclaimed when a Validator for a schema with recursive $ref or $dynamicRef is dropped. #​1125
• Compilation failure on wasm32-wasip1 and wasm32-unknown-emscripten targets.

v0.46.2

Fixed

• required not enforced when additionalProperties is a schema object and required lists exactly 2 keys.

v0.46.1

Fixed

• required not enforced when properties has 15 or more entries and required lists exactly 2 keys.

v0.46.0

Added

• ValidatorMap for validating instances against subschemas identified by URI-fragment JSON pointer. #​1075
• CLI: Accept multiple values after -i/--instance (e.g. jsonschema validate schema.json -i *.json). #​1085
• dereference function to recursively inline $ref references. #​422
• CLI: jsonschema dereference subcommand to dereference a schema from the command line.

Breaking Changes

• Registry construction now uses an explicit prepare step, and with_registry now borrows the prepared registry. ValidationOptions::with_resource and ValidationOptions::with_resources were removed in favor of building a Registry first. See the Migration Guide for the details.

Performance

• Avoid registry clones and document clones during validator construction. This improves real-world schema compilation by roughly 10-20% in internal benchmarks.

v0.45.1

Fixed

• Incorrect handling of multipleOf validation for negative numeric instances.
• Incorrect handling of duration format when hours and seconds appear without minutes, or years and days without months.

open-telemetry/opentelemetry-rust (opentelemetry)

v0.32.0

Compare Source

Released 2026-May-08

• Added BoundCounter<T> and BoundHistogram<T> types that cache resolved
  aggregator references for a fixed attribute set. Created via Counter::bind()
  and Histogram::bind(), bound instruments bypass per-call attribute lookup,
  providing significant performance improvements for hot paths where the same
  attributes are used repeatedly. Both types implement Clone so a single bound
  state can be shared across threads or modules without re-binding. Also adds
  the SyncInstrument::bind() trait method and BoundSyncInstrument<T> trait
  for SDK implementors; the trait method has a no-op default so custom
  SyncInstrument impls degrade gracefully without panicking. Gated behind the
  experimental_metrics_bound_instruments feature flag.
• Add reserve method to opentelemetry::propagation::Injector to hint at the number of elements that will be added to avoid multiple resize operations of the underlying data structure. Has an empty default implementation.
• Breaking Removed the following public fields and methods from the SpanBuilder #​3227:
  • trace_id, span_id, end_time, status, sampling_result
  • with_trace_id, with_span_id, with_end_time, with_status, with_sampling_result
• Added #[must_use] attribute to opentelemetry::metrics::AsyncInstrumentBuilder to add compile time warning when .build() is not called on observable instrument builders, preventing silent failures where callbacks are never registered and metrics are never reported.
• Breaking Moved the following SDK sampling types from opentelemetry::trace to opentelemetry_sdk::trace #​3277:
  • SamplingDecision, SamplingResult
  • These types are SDK implementation details and should be imported from opentelemetry_sdk::trace instead.
• "spec_unstable_logs_enabled" feature flag is removed. The capability (and the
  backing specification) is now stable and is enabled by default.
  3278
• Remove the empty "message" field from tracing events emitted via the internal-logs feature
• Fix panic when calling Context::current() from Drop implementations triggered by ContextGuard cleanup (#​3262).

open-telemetry/opentelemetry-rust (opentelemetry-otlp)

v0.32.0

Compare Source

Released 2026-May-08

• Add tls-provider-agnostic feature flag for environments that require a custom crypto backend (e.g., OpenSSL for FIPS compliance). Enables TLS code paths without bundling ring or aws-lc-rs.
• Add build() directly on SpanExporterBuilder, MetricExporterBuilder, and LogExporterBuilder
  (before selecting a transport), which auto-selects the transport based on the
  OTEL_EXPORTER_OTLP_PROTOCOL environment variable or enabled features.
  #​3394
• Breaking Removed ExportConfig, HasExportConfig, with_export_config(), HasTonicConfig, HasHttpConfig, TonicConfig, and HttpConfig from public API.
  Use the public WithExportConfig, WithTonicConfig, and WithHttpConfig trait methods instead, which remain unchanged.
• The gRPC/tonic OTLP exporter's build method now returns an error for all signals (traces, metrics, logs) when
  an https:// endpoint is configured but no TLS feature (tls-ring or tls-aws-lc) is enabled, instead of
  silently sending unencrypted traffic. When a TLS feature is enabled and an https:// endpoint is used without
  an explicit .with_tls_config(), a default ClientTlsConfig is automatically applied.
  #​3182
• Prevent auth tokens from leaking in export error messages. gRPC and HTTP
  exporter errors no longer include potentially sensitive server responses
  (e.g., authentication tokens echoed back). Error messages returned to SDK
  processors contain only the gRPC status code or HTTP status code. Full
  details are logged at DEBUG level only.
  #​3021
• Surface pre-flight transport error details at ERROR level when grpc-tonic
  OTLP export fails due to a local misconfiguration. When the returned
  tonic::Status wraps a local transport error (invalid URL, connect failure,
  DNS), its source chain (e.g., "transport error: invalid URI") is appended
  to the returned error so SDK processors surface it at ERROR without
  requiring DEBUG logging. Server-returned gRPC status messages remain
  DEBUG-only to preserve the auth-token leak safeguards from
  #​3021.
  #​3331
• Add support for per-signal protocol environment variables:
  OTEL_EXPORTER_OTLP_TRACES_PROTOCOL, OTEL_EXPORTER_OTLP_METRICS_PROTOCOL,
  OTEL_EXPORTER_OTLP_LOGS_PROTOCOL. These allow configuring different transport protocols
  per signal type. Signal-specific vars take precedence over generic OTEL_EXPORTER_OTLP_PROTOCOL.
  The auto-select build() method on each exporter builder now respects the full priority chain:
  signal-specific env var > generic env var > feature-based default.
• Transport/protocol mismatch validation: HTTP transport returns InvalidConfig when gRPC protocol
  is requested; gRPC transport returns InvalidConfig when an HTTP protocol is requested.
• Breaking: Protocol::default() no longer consults the OTEL_EXPORTER_OTLP_PROTOCOL
  environment variable. It now returns only the feature-based default (http-json > http-proto >
  grpc-tonic). Protocol resolution from environment variables is handled internally by the
  exporter builders. Users who relied on Protocol::default() to read env vars should use
  Protocol::from_env() instead.
• Add support for OTEL_EXPORTER_OTLP_METRICS_TEMPORALITY_PREFERENCE environment variable
  to configure metrics temporality. Accepted values: cumulative (default), delta,
  lowmemory (case-insensitive). Programmatic .with_temporality() overrides the env var.
• Fix NoHttpClient error when multiple HTTP client features are enabled by using priority-based selection (reqwest-client > hyper-client > reqwest-blocking-client). #​2994
• Add partial success response handling for OTLP exporters (traces, metrics, logs) per OTLP spec. Exporters now log warnings when the server returns partial success responses with rejected items and error messages. #​865
• Refactor internal-logs feature in opentelemetry-otlp to reduce unnecessary dependencies3191
• Fixed [#​2777](https://github.com/open-telemetry/opentelemetry rust/issues/2777) to properly handle shutdown_with_timeout() when using grpc-tonic.
• Deprecate tls feature in favor of explicit tls-ring and tls-aws-lc features.
  Migration: Replace tls with tls-ring (or tls-aws-lc). Users of tls-roots or tls-webpki-roots must now also enable one of these.
• Prevent logging of header values in OTLP tonic exporter #​3465

open-telemetry/opentelemetry-rust (opentelemetry_sdk)

v0.32.0

Compare Source

Released 2026-May-08

• SimpleSpanProcessor now suppresses telemetry during export, preventing
  telemetry-induced-telemetry feedback loops. This aligns with the existing
  behavior in BatchSpanProcessor and SimpleLogProcessor.
• Removed SimpleConcurrentLogProcessor and the experimental_logs_concurrent_log_processor
  feature flag. The use cases it was designed for (ETW/user_events exporters) are
  better served by modeling those exporters as processors directly.
• Added Counter::bind() and Histogram::bind() SDK implementations that
  return pre-bound measurement handles (BoundCounter<T>, BoundHistogram<T>).
  Bound instruments resolve the attribute-to-aggregator mapping once at bind time
  and cache the result, eliminating per-call HashMap lookups. View attribute
  filtering is applied at bind time so the hot path stays free of per-call
  attribute processing. Bound and unbound recordings with the same (post-view)
  attribute set always aggregate into the same data point, including the empty
  attribute set. Bound entries are never evicted during delta collection while
  a handle exists — idle cycles produce no export but the tracker persists. If
  bind() is called at the cardinality limit, the handle binds directly to
  the overflow tracker — its writes stay on the same direct (no-lookup) hot
  path and consistently land in the otel.metric.overflow=true bucket for
  the lifetime of the handle. To recover a bound handle after delta collection
  frees space, drop the existing handle and call bind() again. Gated behind
  the experimental_metrics_bound_instruments feature flag. Benchmarks show
  ~28x speedup for counter operations and ~9x for histograms.
• Delta metrics collection now uses in-place eviction instead of draining the
  HashMap on every collect cycle. Stale attribute sets that received no measurements
  since the last collection are evicted. Note: recovery from cardinality overflow
  now requires 2 collect cycles — the first marks entries as stale, the second
  evicts them.
• Breaking The SDK testing feature is now runtime agnostic. #​3407
  • TokioSpanExporter and new_tokio_test_exporter have been renamed to TestSpanExporter and new_test_exporter.
  • The following transitive dependencies and features have been removed: tokio/rt, tokio/time, tokio/macros, tokio/rt-multi-thread, tokio-stream, experimental_async_runtime
• Store InstrumentationScope in Arc internally in SdkTracer, making tracer clones cheaper (Arc refcount increment instead of deep copy).
• Add 32-bit platform support by using portable-atomic for AtomicI64 and AtomicU64 in the metrics module. This enables compilation on 32-bit ARM targets (e.g., armv5te-unknown-linux-gnueabi, armv7-unknown-linux-gnueabihf).
• Aggregation enum and StreamBuilder::with_aggregation() are now stable and no longer require the spec_unstable_metrics_views feature flag.
• Fix service.name Resource attribute fallback to follow OpenTelemetry
  specification by using unknown_service:<process.executable.name> format when
  service name is not explicitly configured. Previously, it only used
  unknown_service.
• Fix SpanExporter::shutdown() default timeout from 5 nanoseconds to 5 seconds.
• Breaking SpanExporter trait methods shutdown, shutdown_with_timeout, and force_flush now take &self instead of &mut self for consistency with LogExporter and PushMetricExporter. Implementers using interior mutability (e.g., Mutex, AtomicBool) require no changes.
• Added Resource::get_ref(&self, key: &Key) -> Option<&Value> to allow retrieving a reference to a resource value without cloning.
• Breaking Removed the following public hidden methods from the SdkTracer #​3227:
  • id_generator, should_sample
• Breaking Moved the following SDK sampling types from opentelemetry::trace to opentelemetry_sdk::trace #​3277:
  • SamplingDecision, SamplingResult
  • These types are SDK implementation details and should be imported from opentelemetry_sdk::trace instead.
• StreamBuilder::build() now rejects usize::MAX as a cardinality limit
  with a validation error. #​3506
• Fix Histogram boundaries being ignored in the presence of views #​3312
• TracerProviderBuilder::with_sampler allows to pass boxed instance of ShouldSample [#​3313][3313]
• Fix ObservableCounter and ObservableUpDownCounter now correctly report only data points from the current measurement cycle, removing stale attribute combinations that are no longer observed. #​3248
• Fix panic when SpanProcessor::on_end calls Context::current() (#​3262).
  • Updated SpanProcessor::on_end documentation to clarify that Context::current() returns the parent context, not the span's context
• Fix traceparent headers with unknown flags (e.g. W3C random-trace-id flag 0x02) being incorrectly rejected. Unknown flags are now accepted and zeroed out as required by the W3C trace-context spec. #​3435
• Breaking InMemoryExporterError has been removed and replaced by OTelSdkError, and a new JaegerRemoteSamplerBuildError introduced to replace last uses of TraceError. #​3458
• "spec_unstable_logs_enabled" feature flag is removed. The capability (and the
  backing specification) is now stable and is enabled by default. #​3278

proptest-rs/proptest (proptest)

v1.11.0

Compare Source

rust-random/rand (rand)

v0.10.1

Compare Source

This release includes a fix for a soundness bug; see #​1763.

Changes

• Document panic behavior of make_rng and add #[track_caller] (#​1761)
• Deprecate feature log (#​1763)

v0.10.0

Compare Source

Changes

• The dependency on rand_chacha has been replaced with a dependency on chacha20. This changes the implementation behind StdRng, but the output remains the same. There may be some API breakage when using the ChaCha-types directly as these are now the ones in chacha20 instead of rand_chacha (#​1642).
• Rename fns IndexedRandom::choose_multiple -> sample, choose_multiple_array -> sample_array, choose_multiple_weighted -> sample_weighted, struct SliceChooseIter -> IndexedSamples and fns IteratorRandom::choose_multiple -> sample, choose_multiple_fill -> sample_fill (#​1632)
• Use Edition 2024 and MSRV 1.85 (#​1653)
• Let Fill be implemented for element types, not sliceable types (#​1652)
• Fix OsError::raw_os_error on UEFI targets by returning Option<usize> (#​1665)
• Replace fn TryRngCore::read_adapter(..) -> RngReadAdapter with simpler struct RngReader (#​1669)
• Remove fns SeedableRng::from_os_rng, try_from_os_rng (#​1674)
• Remove Clone support for StdRng, ReseedingRng (#​1677)
• Use postcard instead of bincode to test the serde feature (#​1693)
• Avoid excessive allocation in IteratorRandom::sample when amount is much larger than iterator size (#​1695)
• Rename os_rng -> sys_rng, OsRng -> SysRng, OsError -> SysError (#​1697)
• Rename Rng -> RngExt as upstream rand_core has renamed RngCore -> Rng (#​1717)

Additions

• Add fns IndexedRandom::choose_iter, choose_weighted_iter (#​1632)
• Pub export Xoshiro128PlusPlus, Xoshiro256PlusPlus prngs (#​1649)
• Pub export ChaCha8Rng, ChaCha12Rng, ChaCha20Rng behind chacha feature (#​1659)
• Fn rand::make_rng() -> R where R: SeedableRng (#​1734)

Removals

• Removed ReseedingRng (#​1722)
• Removed unused feature "nightly" (#​1732)
• Removed feature small_rng (#​1732)

v0.9.4

Compare Source

Fixes

• Fix doc build (#​1766)

Full Changelog: rust-random/rand@0.9.3...0.9.4

v0.9.3

Compare Source

seanmonstar/reqwest (reqwest)

v0.13.3

Compare Source

• Fix CertificateRevocationList parsing of PEM values.
• Fix logging in resolver to only show host, not full URL.
• Fix hickory-dns to fallback to a default if /etc/resolv.conf fails.
• Fix HTTP/3 to handle STOP_SENDING as not an error.
• Fix HTTP/3 pool to remove timed out QUIC connections.
• Fix HTTP/3 connection establishment picking IPv4 and IPv6.
• Upgrade rustls-platform-verifier.
• (wasm) Only use wasm-bindgen on unknown-* targets.

serde-rs/json (serde_json)

v1.0.150

Compare Source

• Reject non-string enum object keys (#​1324, thanks @​puneetdixit200)

RustCrypto/hashes (sha1)

v0.11.0

Compare Source

launchbadge/sqlx (sqlx)

v0.9.0

Compare Source

Important Announcements

New Github Organization

Shortly after this release is published, the SQLx repository will be transferred to a new GitHub organization:
https://github.com/transact-rs/

This is because SQLx has not been owned or maintained by LaunchBadge, LLC. for a few years now, and has since been
informally transferred to the collective ownership of its principal authors. Moving the repository to a new
organization makes this change more clear, and also allows for potentially inviting outside collaborators.

Cargo.lock Removed from Tracking

The Cargo.lock has been removed from tracking in Git. CI should now always test with the latest versions of
all dependencies by default, alongside our pass that checks with cargo generate-lockfile -Z minimal-versions.

This should eliminate the need for any PRs that update dependencies to also update Cargo.lock or
contend with an endless stream of merge conflicts against it.

N.B. cargo install --locked sqlx-cli will no longer work. However, cargo install sqlx-cli has always
used the latest dependencies by default, ignoring the lockfile, so most users should not be affected. For users
requiring reproducible builds, consider maintaining your own lockfile instead; historically, we only ran cargo update
sporadically, so relying on SQLx's lockfile offered few guarantees anyway.

See [the manual page for cargo install][man-cargo-install] for details.

Breaking

As per our MSRV policy, the supported Rust version for this release cycle is 1.94.0.

• [[#​3383]]: feat: create sqlx.toml format [[@​abonander]]
  • SQLx and sqlx-cli now support per-crate configuration files (sqlx.toml)
  • New functionality includes, but is not limited to:
    • Rename DATABASE_URL for a crate (for multi-database workspaces)
    • Set global type overrides for the macros (supporting custom types)
    • Rename or relocate the _sqlx_migrations table (for multiple crates using the same database)
    • Set characters to ignore when hashing migrations (e.g. ignore whitespace)
  • More to be implemented in future releases.
  • Enable feature sqlx-toml to use.
    • sqlx-cli has it enabled by default, but sqlx does not.
    • Default features of library crates can be hard to completely turn off because of [feature unification],
      so it's better to keep the default feature set as limited as possible.
      [This is something we learned the hard way.][preferred-crates]
  • Guide: see sqlx::_config module in documentation.
  • Reference: [Link]
  • Examples (written for Postgres but can be adapted to other databases; PRs welcome!):
    • Multiple databases using DATABASE_URL renaming and global type overrides: [Link]
    • Multi-tenant database using _sqlx_migrations renaming and multiple schemas: [Link]
    • Force use of chrono when time is enabled (e.g. when using tower-sessions-sqlx-store): [[Link][preferred-crates]]
      • Forcing bigdecimal when rust_decimal is enabled is also shown, but problems with chrono/time are more common.
  • Breaking changes:
    • Significant changes to the Migrate trait
    • sqlx::migrate::resolve_blocking() is now #[doc(hidden)] and thus SemVer-exempt.
• [[#​3486]]: fix(logs): Correct spelling of aquired_after_secs tracing field [[@​iamjpotts]]
  • Breaking behavior change: implementations parsing tracing logs from SQLx will need to update the spelling.
• [[#​3495]]: feat(postgres): remove lifetime from PgAdvisoryLockGuard [[@​bonsairobo]]
• [[#​3526]]: Return &mut Self from the migrator set_ methods [[@​nipunn1313]]
  • Minor breaking change: Migrator::set_ignore_missing and set_locking now return &mut Self instead of &Self
    which may break code in rare circumstances.
• [[#​3541]]: Postgres: force generic plan for better nullability inference. [[@​joeydewaal]]
  • Breaking change: may alter the output of the query!() macros for certain queries in Postgres.
• [[#​3613]]: fix: RawSql lifetime issues [[@​abonander]]
  • Breaking change: adds DB type parameter to all methods of RawSql
• [[#​3670]]: Bump ipnetwork to v0.21.1 [[@​BeauGieskens]]
• [[#​3674]]: Implement Decode, Encode and Type for Box, Arc, Cow and Rc [[@​joeydewaal]]
  • Breaking change: impl Decode for Cow now always decodes Cow::Owned, lifetime is unlinked
  • See this discussion for motivation: #​3674 (comment)
• [[#​3723]]: Add SqlStr [[@​joeydewaal]]
  • Breaking change: all query*() functions now take impl SqlSafeStr
    which is only implemented for &'static str and AssertSqlSafe.
    For all others, wrap in AssertSqlSafe(<query>).
  • This, along with [[#​3960]], finally allows returning owned queries as the type will be Query<'static, DB>.
  • SqlSafeStr trait is deliberately similar to std::panic::UnwindSafe,
    serving as a speedbump to warn users about naïvely building queries with format!()
    while allowing a workaround for advanced usage that is easy to spot on code review.
• [[#​3800]]: Escape PostgreSQL Options [[@​V02460]]
  • Breaking behavior change: options passed to PgConnectOptions::options() are now automatically escaped.
    Manual escaping of options is no longer necessary and may cause incorrect behavior.
• [[#​3821]]: Groundwork for 0.9.0-alpha.1 [[@​abonander]]
  • Increased MSRV to 1.86 and set rust-version
  • Deleted deprecated combination runtime+TLS features (e.g. runtime-tokio-native-tls)
  • Deleted re-export of unstable TransactionManager trait in sqlx.
    • Not technically a breaking change because it's #[doc(hidden)],
      but [it will break SeaORM][seaorm-2600] if not proactively fixed.
• [[#​3924]]: breaking(mysql): assume all non-binary collations compatible with str [[@​abonander]]
  • Text (or text-like) columns which previously were inferred to be Vec<u8> will be inferred to be String
    (this should ultimately fix more code than it breaks).
  • SET NAMES utf8mb4 COLLATE utf8_general_ci is no longer sent by default; instead, SET NAMES utf8mb4 is sent to
    allow the server to select the appropriate default collation (since this is version- and configuration-dependent).
  • MySqlConnectOptions::charset() and ::collation() now imply ::set_names(true) because they don't do anything otherwise.
  • Setting charset doesn't change what's sent in the Protocol::HandshakeResponse41 packet as that normally only
    matters for error messages before SET NAMES is sent.
    The default collation if set_names = false is utf8mb4_general_ci.
  • See this comment for details.
  • Incidental breaking change: RawSql::fetch_optional() now returns sqlx::Result<Option<DB::Row>>
    instead of sqlx::Result<DB::Row>. Whoops.
• [[#​3928]]: breaking(sqlite): libsqlite3-sys versioning, feature flags, safety changes [[@​abonander]]
  • SemVer policy changes: libsqlite3-sys version is now specified using a range.
    The maximum of the range may now be increased in any backwards-compatible release.
    The minimum of the range may only be increased in major releases.
    If you have libsqlite3-sys in your dependencies, Cargo should choose a compatible version automatically.
    If otherwise unconstrained, Cargo should choose the latest version supported.
  • SQLite extension loading (including through the new sqlx-toml feature) is now unsafe.
  • Added new non-default features corresponding to conditionally compiled SQLite APIs:
    • sqlite-deserialize enabling SqliteConnection::serialize() and SqliteConnection::deserialize()
    • sqlite-load-extension enabling SqliteConnectOptions::extension() and ::extension_with_entrypoint()
    • sqlite-unlock-notify enables internal use of sqlite3_unlock_notify()
  • SqliteValue and SqliteValueRef changes:
    • The sqlite3_value* interface reserves the right to be stateful.
      Without protection, any call could theoretically invalidate values previously returned, leading to dangling pointers.
    • SqliteValue is now !Sync and SqliteValueRef is !Send to prevent data races from concurrent accesses.
      • Instead, clone or wrap the SqliteValue in Mutex, or convert the SqliteValueRef to an owned value.
    • SqliteValue and any derived SqliteValueRefs now internally track if that value has been used to decode a
      borrowed &[u8] or &str and errors if it's used to decode any other type.
    • This is not expected to affect the vast majority of usages, which should only decode a single type
      per SqliteValue/SqliteValueRef.
    • See new docs on SqliteValue for details.
• [[#​3949]]: Postgres: move PgLTree::from to From<Vec<PgLTreeLabel>> implementation [[@​JerryQ17]]
• [[#​3957]]: refactor(sqlite): do not borrow bound values, delete lifetime on SqliteArguments [[@​iamjpotts]]
• [[#​3958]]: refactor(any): Remove lifetime parameter from AnyArguments [[@​iamjpotts]]
• [[#​3960]]: refactor(core): Remove lifetime parameter from Arguments trait [[@​iamjpotts]]
• [[#​3993]]: Unescape PostgreSQL passfile password [[@​V02460]]
  • Previously, .pgpass file handling did not process backslash-escapes in the password part.
    Now it does, which may change what password is sent to the server.
• [[#​4008]]: make #[derive(sqlx::Type)] automatically generate impl PgHasArrayType by default for newtype structs [[@​papaj-na-wrotkach]]
  • Manual implementations of PgHasArrayType for newtypes will conflict with the generated one.
    Delete the manual impl or add #[sqlx(no_pg_array)] where conflicts occur.
• [[#​4077]]: breaking: make offline optional to allow building without serde [[@​CathalMullan]]
• [[#​4094]]: Bump bit-vec to v0.8 [[@​zennozenith]]
• [[#​4142]]: feat(mysql): add mysql-rsa feature for non-TLS RSA auth [[@​dertin]]
  • Connections requiring RSA password encryption now need to enable the mysql-rsa feature
    or an error will be generated at runtime. RSA encryption is only used for plaintext (non-TLS) connections.
• [[#​4255]]: breaking(any+mysql): correctly convert text and blob types to AnyTypeInfo [[@​abonander]]

Added

• [[#​3641]]: feat(Postgres): support nested domain types [[@​joeydewaal]]
• [[#​3651]]: Add PgBindIter for encoding and use it as the implementation encoding &[T] [[@​tylerhawkes]]
• [[#​3675]]: feat: implement Encode, Decode, Type for Arc<str> and Arc<[u8]> (and Rc equivalents) [[@​joeydewaal]]
• [[#​3791]]: Smol+async global executor 1.80 dev [[@​martin-kolarik]]
  • Adds runtime-smol and runtime-async-global-executor features to replace usages of the deprecated async-std crate.
• [[#​3859]]: Add more JsonRawValue encode/decode impls. [[@​Dirbaio]]
• [[#​3881]]: CLi: made cli-lib modules publicly available for other crates [[@​silvestrpredko]]
• [[#​3889]]: Compile-time support for external drivers [[@​bobozaur]]
• [[#​3917]]: feat(sqlx.toml): support SQLite extensions in macros and sqlx-cli [[@​djarb]]
• [[#​3918]]: Feature: Add exclusion violation error kind [[@​barskern]]
• [[#​3971]]: Allow single-field named structs to be transparent [[@​Xiretza]]
• [[#​4015]]: feat(sqlite): no_tx migration support [[@​AlexTMjugador]]
• [[#​4020]]: Add Migrator::with_migrations() constructor [[@​xb284524239]]
• [[#​3846]]: Add the possibility to skip migrations [[@​Dosenpfand]]
• [[#​4107]]: Add SQLite extension entrypoint config to sqlx.toml, update SQLite extension example [[@​supleed2]]
• [[#​4118]]: [postgres] Display line number in error message [[@​mousetail]]
• [[#​4123]]: feat: add Json::into_inner() [[@​chrxn1c]]
• [[#​4153]]: Add on unimplemented diagnostic to SqlStr [[@​joeydewaal]]
• [[#​4167]]: add sqlite serialize/deserialize example [[@​mattrighetti]]
• [[#​4228]]: sqlx-postgres: Make PgNotification struct clone [[@​michaelvanstraten]]

Changed

• [[#​3525]]: Remove unnecessary boxfutures [[@​joeydewaal]]
• [[#​3867]]: sqlx-postgres: Bump etcetera to 0.10.0 [[@​miniduikboot]]
• [[#​3709]]: chore: replace once_cell OnceCell/Lazy with std OnceLock/LazyLock [[@​paolobarbolini]]
• [[#​3890]]: feat: Unify Debug implementations across PgRow, MySqlRow and SqliteRow [[@​davidcornu]]
• [[#​3911]]: chore: upgrade async-io to v2.4.1 [[@​zebrapurring]]
• [[#​3938]]: Move QueryLogger back [[@​joeydewaal]]
• [[#​3956]]: chore(sqlite): Remove unused test of removed git2 feature [[@​iamjpotts]]
• [[#​3962]]: Give SQLX_OFFLINE_DIR from environment precedence in macros [[@​psionic-k]]
• [[#​3968]]: chore(ci): Add timeouts to ci jobs [[@​iamjpotts]]
• [[#​4002]]: sqlx-postgres(tests): cleanup 2 unit tests. [[@​joeydewaal]]
• [[#​4022]]: refactor: tweaks after #​3791 [[@​abonander]]
• [[#​4257]]: Prefer to give real data to .bind() in README.md [[@​sobolevn]]
• [[#​4042]]: Update to webpki-roots 1 [[@​tottoto]]
• [[#​4072]]: chore: update hashlink to v0.11.0 [[@​anmolitor]]
• [[#​4143]]: Bump whoami to v2 [[@​tisonkun]]
• [[#​4161]]: sqlx-sqlite: relax libsqlite3-sys constraint to allow 0.36.x [[@​darioAnongba]]
• [[#​4173]]: ci: check direct minimal versions [[@​ricochet]]
  • Note: reverted in 0.9.0 release but still listed for contributor credit. See end of PR thread for details.
• [[#​4189]]: Bump flume to 0.12.0 [[@​opoplawski]]
• [[#​4223]]: test(sqlite): add regression test for ORDER BY + LIMIT nullability (#​4147) [[@​barry3406]]
• [[#​4230]]: chore: Update to cargo_metadata 0.23 [[@​tottoto]]
• [[#​4233]]: Change reference to dotenvy [[@​graemer957]]
• [[#​4235]]: chore: Update to validator 0.20 [[@​tottoto]]
• [[#​4253]]: chore: update example to axum 0.8 [[@​tottoto]]
• Release PR:
  • Upgraded all Rust-Crypto crates, rand
  • Upgraded etcetera to 0.11.0
  • Increased max of libsqlite3-sys version range to <0.38.0

Fixed

• [[#​3840]]: Fix docs.rs build of sqlx-sqlite [[@​gferon]]
• [[#​3848]]: fix(macros): don't mutate environment variables [[@​joeydewaal]]
• [[#​3856]]: fix(macros): slightly improve unsupported type error message [[@​dyc3]]
• [[#​3857]]: fix(mysql): validate parameter count for prepared statements [[@​cvzx]]
• [[#​3861]]: Fix NoHostnameTlsVerifier for rustls 0.23.24 and above [[@​elichai]]
• [[#​3863]]: Use unnamed statement in pg when not persistent [[@​ThomWright]]
• [[#​3874]]: Further reduce dependency on futures and futures-util [[@​paolobarbolini]]
• [[#​3886]]: fix: use Executor::fetch in QueryAs::fetch [[@​bobozaur]]
• [[#​3910]]: feat(ok): add correct handling of ok packets in MYSQL implementation [[@​0xfourzerofour]]
• [[#​3914]]: fix: regenerate test certificates [[@​abonander]]
• [[#​3915]]: fix: spec_error is used by try_from derive [[@​saiintbrisson]]
• [[#​3919]]: fix[sqlx-postgres]: do a checked_mul to prevent panic'ing [[@​nhatcher-frequenz]]
• [[#​3923]]: sqlx-mysql: Fix bug in cleanup test db's. [[@​joeydewaal]]
• [[#​3950]]: chore: Fix warnings for custom postgres_## cfg flags [[@​iamjpotts]]
• [[#​3952]]: Pool.close: close all connections before returning [[@​jpmelos]]
• [[#​3975]]: fix documentation for rustls native root certificates [[@​2ndDerivative]]
• [[#​3977]]: refactor(ci): Use separate job for postgres ssl auth tests [[@​iamjpotts]]
• [[#​3980]]: Correctly ROLLBACK transaction when dropped during BEGIN. [[@​kevincox]]
• [[#​3981]]: SQLite: fix transaction level accounting with bad custom command. [[@​kevincox]]
• [[#​3986]]: chore(core): Fix docstring for Query::try_bind [[@​iamjpotts]]
• [[#​3987]]: chore(deps): Resolve deprecation warning for chrono Date and ymd methods [[@​iamjpotts]]
• [[#​3988]]: refactor(sqlite): Resolve duplicate test target warning for macros.rs [[@​iamjpotts]]
• [[#​3989]]: chore(deps): Set default-features=false on sqlx in workspace.dependencies [[@​iamjpotts]]
• [[#​3991]]: fix(sqlite): regression when decoding nulls [[@​abonander]]
• [[#​4006]]: PostgreSQL SASL – run SHA256 in a blocking executor [[@​ThomWright]]
• [[#​4007]]: fix(compose): use OS-assigned ports for all conatiners [[@​papaj-na-wrotkach]]
• [[#​4009]]: Drop cached db connections in macros upon hitting an error [[@​swlynch99]]
• [[#​4024]]: fix(sqlite) Migrate revert with no-transaction [[@​Dosenpfand]]
• [[#​4027]]: native tls handshake: build TlsConnector in blocking threadpool [[@​daviduebler]]
• [[#​4053]]: fix(macros): smarter .env loading, caching, and invalidation [[@​abonander]]
  • Additional credit to [[@​AlexTMjugador]] ([[#​4018]]) and [[@​Diggsey]] ([[#​4039]]) for their proposed solutions
    which served as a useful comparison.
• [[#​4068]]: Fix typo in migration example from 'uesrs' to 'users' [[@​squidpickles]]
• [[#​4069]]: fix some spelling issues [[@​joeydewaal]]
• [[#​4086]]: fix(mysql): Work around for Issue #​2206 (ColumnNotFound error when querying) [[@​duelafn]]
• [[#​4088]]: (Fix) Handle nullability of SQLite rowid alias columns [[@​Lege19]]
• [[#​4100]]: postgres: update pgpass path on windows [[@​joeydewaal]]
• [[#​4134]]: fix CI: replace removed macOS runner, deprecated use of Command::cargo_bin() [[@​abonander]]
• [[#​4136]]: Ensure Deterministic Migration Order [[@​aoengin]]
• [[#​4158]]: Fix panic in JSONB decoder on invalid version byte [[@​jrey8343]]
• [[#​4165]]: sqlx-postgres: fix correct operator precedence in byte length check [[@​cuiweixie]]
• [[#​4171]]: fix(postgres): remove home crate in favor of std::env::home_dir [[@​ricochet]]
• [[#​4172]]: fix(sqlx-cli): bump openssl minimum to 0.10.46 [[@​ricochet]]
• [[#​4176]]: fix(mysql): return error instead of panic on truncated OK packet [[@​cvzx]]
• [[#​4199]]: fix(postgres): make advisory lock cancel safe [[@​joeydewaal]]
• [[#​4201]]: Fix SCRAM password SASLprep [[@​var4yn]]
• [[#​4202]]: fix: replace from_utf8_unchecked with from_utf8_lossy in SqliteError [[@​joaquinhuigomez]]
• [[#​4203]]: fix: use sqlite3_value_text for REGEXP to match SQLite coercion [[[@​joaqui

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (in timezone Asia/Tokyo)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[recuu-pfeg]

sha1/sha2 0.11 has breaking API changes in HMAC (Mac trait). Needs code updates in src/verify.rs. Will address after v0.6.0 release.