chore(deps): update lz4_flex requirement from 0.11 to 0.13#24

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/cargo/lz4_flex-0.13

@dependabot dependabot Bot commented on behalf of github Apr 3, 2026

Updates the requirements on lz4_flex to permit the latest version.

Release notes

Sourced from lz4_flex's releases.

0.13.0

What's Changed

New Contributors

Full Changelog: PSeitz/lz4_flex@0.12.0...0.13.0

Changelog

Sourced from lz4_flex's changelog.

0.13.0 (2026-03-15)

Features

Fixes

Invalid match offsets (offset == 0) during decompression were not properly
handled, which could lead to invalid memory reads. This is a security fix
that was also backported to 0.12.1 and 0.11.6.
  • Fix get_maximum_output_size overflow on 32-bit targets #205 (thanks @dglittle)
    Cast input_len to u64 before multiplying by 110, avoiding overflow on
    32-bit targets (e.g. wasm32) where input_len * 110 overflows usize
    when input_len > ~39MB.

0.12.1 (2026-03-14)

Security Fix

Invalid match offsets (offset == 0) during decompression were not properly
handled, which could lead to invalid memory reads on untrusted input.
Users on 0.12.x should upgrade to 0.12.1.

0.12.0 (2025-11-11)

  • Fix integer overflows when decoding large payloads #192 (thanks @teh-cmc)
This fixes a u32 integer overflow when decoding large payloads in the block format.
Note: The block format is not suitable for such large payloads, since it
keeps everything in memory. Consider using the frame format for large data.

This change also removes an unsafe fast-path for write_integer to simplify the code.
The performance impact is on incompressible data, which is already fast enough.

0.11.6 (2026-03-14)

Security Fix

Invalid match offsets (offset == 0) during decompression were not properly
handled, which could lead to invalid memory reads on untrusted input.
Users on 0.11.x should upgrade to 0.11.6.

... (truncated)

Commits
  • bfaae84 release 0.13.0
  • 055502e fix handling of invalid match offsets during decompression
  • 7191df8 make hashtable visibility crate public
  • 1bdafca add doc comments
  • c90fc91 lz4_block exposes option to reuse compression dict
  • 22e77f9 Delete .github/workflows/typos.yml
  • 2991a09 fix get_maximum_output_size overflow on 32-bit targets
  • 7b5fb80 add minimal security policy
  • 975bfa7 bump version to 0.12.0
  • 40d8110 update readme
  • Additional commits viewable in compare view

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file rust Pull requests that update rust code labels Apr 3, 2026
Updates the requirements on [lz4_flex](https://github.com/pseitz/lz4_flex) to permit the latest version.
- [Release notes](https://github.com/pseitz/lz4_flex/releases)
- [Changelog](https://github.com/PSeitz/lz4_flex/blob/main/CHANGELOG.md)
- [Commits](PSeitz/lz4_flex@0.11...0.13.0)

---
updated-dependencies:
- dependency-name: lz4_flex
  dependency-version: 0.13.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot changed the title Update lz4_flex requirement from 0.11 to 0.13 chore(deps): update lz4_flex requirement from 0.11 to 0.13 Apr 16, 2026
@dependabot dependabot Bot force-pushed the dependabot/cargo/lz4_flex-0.13 branch from 37b524a to 41daf79 Compare April 16, 2026 22:03
@FerrumVir FerrumVir force-pushed the dependabot/cargo/lz4_flex-0.13 branch from 41daf79 to a9b2395 Compare April 23, 2026 02:26
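
The changelog entries quoted above say that match offsets of 0 were not rejected during decompression. The following is an added example, not lz4_flex code and not part of this pull request: a minimal safe-Rust decoder for the LZ4 block sequence layout that shows where the offset check sits. The names `decompress_block` and `DecodeError` are hypothetical, the inputs are constructed, and the decoder does not enforce LZ4's end-of-block rules.

```rust
// Added illustration (hypothetical names); this is not lz4_flex source code.
#[derive(Debug, PartialEq)]
pub enum DecodeError {
    Truncated,
    InvalidOffset { offset: usize, produced: usize },
}
// A 4-bit length of 15 is extended by following bytes until one is not 255.
fn read_len(src: &[u8], pos: &mut usize, nibble: usize) -> Result<usize, DecodeError> {
    let mut len = nibble;
    while nibble == 15 {
        let b = *src.get(*pos).ok_or(DecodeError::Truncated)?;
        *pos += 1;
        len += b as usize;
        if b != 255 { break; }
    }
    Ok(len)
}

pub fn decompress_block(src: &[u8]) -> Result<Vec<u8>, DecodeError> {
    let (mut out, mut pos) = (Vec::new(), 0usize);
    while pos < src.len() {
        let token = src[pos];
        pos += 1;
        let lit_len = read_len(src, &mut pos, (token >> 4) as usize)?;
        let lit_end = pos.checked_add(lit_len).ok_or(DecodeError::Truncated)?;
        out.extend_from_slice(src.get(pos..lit_end).ok_or(DecodeError::Truncated)?);
        pos = lit_end;
        if pos == src.len() { break; } // final sequence carries literals only
        let off = src.get(pos..pos + 2).ok_or(DecodeError::Truncated)?;
        let offset = u16::from_le_bytes([off[0], off[1]]) as usize;
        pos += 2;
        let match_len = read_len(src, &mut pos, (token & 0x0F) as usize)? + 4;
        // A match must start 1..=out.len() bytes back in the output produced so far.
        if offset == 0 || offset > out.len() {
            return Err(DecodeError::InvalidOffset { offset, produced: out.len() });
        }
        let start = out.len() - offset;
        for i in 0..match_len {
            let b = out[start + i]; // byte-wise so overlapping matches repeat correctly
            out.push(b);
        }
    }
    Ok(out)
}
fn main() {
    // Constructed inputs: literals "ab", a 4-byte match, then literal "c".
    let good = [0x20, b'a', b'b', 0x02, 0x00, 0x10, b'c'];
    let bad = [0x20, b'a', b'b', 0x00, 0x00, 0x10, b'c']; // same block, offset 0
    println!("{:?}\n{:?}", decompress_block(&good), decompress_block(&bad));
}
```

Because every read goes through bounds-checked slices, a malformed offset surfaces as an error value rather than a read outside the output buffer.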