chore(deps): bump the cargo group across 1 directory with 6 updates

[dependabot]

Bumps the cargo group with 5 updates in the / directory:

Package	From	To
tokio	1.33.0	1.38.2
rand	0.8.5	0.9.3
lz4_flex	0.10.0	0.11.6
bytes	1.11.0	1.11.1
rustix	0.38.9	0.38.25

Updates tokio from 1.33.0 to 1.38.2

Release notes

Sourced from tokio's releases.

Tokio v1.38.2

This release fixes a soundness issue in the broadcast channel. The channel accepts values that are Send but !Sync. Previously, the channel called clone() on these values without synchronizing. This release fixes the channel by synchronizing calls to .clone() (Thanks Austin Bonander for finding and reporting the issue).

Fixed

• sync: synchronize clone() call in broadcast channel (#7232)

#7232: tokio-rs/tokio#7232

Tokio v1.38.1

1.38.1 (July 16th, 2024)

This release fixes the bug identified as (#6682), which caused timers not to fire when they should.

Fixed

• time: update wake_up while holding all the locks of sharded time wheels (#6683)

#6682: tokio-rs/tokio#6682 #6683: tokio-rs/tokio#6683

Tokio v1.38.0

This release marks the beginning of stabilization for runtime metrics. It stabilizes RuntimeMetrics::worker_count. Future releases will continue to stabilize more metrics.

Added

• fs: add File::create_new (#6573)
• io: add copy_bidirectional_with_sizes (#6500)
• io: implement AsyncBufRead for Join (#6449)
• net: add Apple visionOS support (#6465)
• net: implement Clone for NamedPipeInfo (#6586)
• net: support QNX OS (#6421)
• sync: add Notify::notify_last (#6520)
• sync: add mpsc::Receiver::{capacity,max_capacity} (#6511)
• sync: add split method to the semaphore permit (#6472, #6478)
• task: add tokio::task::join_set::Builder::spawn_blocking (#6578)
• wasm: support rt-multi-thread with wasm32-wasi-preview1-threads (#6510)

Changed

• macros: make #[tokio::test] append #[test] at the end of the attribute list (#6497)
• metrics: fix blocking_threads count (#6551)
• metrics: stabilize RuntimeMetrics::worker_count (#6556)
• runtime: move task out of the lifo_slot in block_in_place (#6596)
• runtime: panic if global_queue_interval is zero (#6445)
• sync: always drop message in destructor for oneshot receiver (#6558)
• sync: instrument Semaphore for task dumps (#6499)

... (truncated)

Commits

• aa303bc chore: prepare Tokio v1.38.2 release
• 7b6ccb5 chore: backport CI fixes
• 4b174ce sync: fix cloning value when receiving from broadcast channel
• 9681ce2 chore: make 1.38 an LTS (#6706)
• 14b9f71 chore: release Tokio v1.38.1 (#6688)
• 24344df time: fix race condition leading to lost timers (#6683)
• 14c17fc chore: prepare Tokio v1.38.0 (#6601)
• 65cbf73 chore: prepare tokio-macros v2.3.0 (#6600)
• dbf93c7 sync: fix incorrect is_empty on mpsc block boundaries (#6603)
• 873cb8a runtime: move task out of the lifo_slot in block_in_place (#6596)
• Additional commits viewable in compare view

Updates rand from 0.8.5 to 0.9.3

Changelog

Sourced from rand's changelog.

[0.9.3] — 2026-02-11

This release back-ports a fix from v0.10. See also #1763.

Changes

• Deprecate feature log (#1764)
• Replace usages of doc_auto_cfg (#1764)

#1763: rust-random/rand#1763

[0.9.2] — 2025-07-20

Deprecated

• Deprecate rand::rngs::mock module and StepRng generator (#1634)

Additions

• Enable WeightedIndex<usize> (de)serialization (#1646)

[0.9.1] - 2025-04-17

Security and unsafe

• Revise "not a crypto library" policy again (#1565)
• Remove zerocopy dependency from rand (#1579)

Fixes

• Fix feature simd_support for recent nightly rust (#1586)

Changes

• Allow fn rand::seq::index::sample_weighted and fn IndexedRandom::choose_multiple_weighted to return fewer than amount results (#1623), reverting an undocumented change (#1382) to the previous release.

Additions

• Add rand::distr::Alphabetic distribution. (#1587)
• Re-export rand_core (#1604)

[0.9.0] - 2025-01-27

Security and unsafe

• Policy: "rand is not a crypto library" (#1514)
• Remove fork-protection from ReseedingRng and ThreadRng. Instead, it is recommended to call ThreadRng::reseed on fork. (#1379)
• Use zerocopy to replace some unsafe code (#1349, #1393, #1446, #1502)

Dependencies

• Bump the MSRV to 1.63.0 (#1207, #1246, #1269, #1341, #1416, #1536); note that 1.60.0 may work for dependents when using --ignore-rust-version
• Update to rand_core v0.9.0 (#1558)

Features

• Support std feature without getrandom or rand_chacha (#1354)
• Enable feature small_rng by default (#1455)
• Remove implicit feature rand_chacha; use std_rng instead. (#1473)
• Rename feature serde1 to serde (#1477)
• Rename feature getrandom to os_rng (#1537)
• Add feature thread_rng (#1547)

API changes: rand_core traits

... (truncated)

Commits

• 1aeee9f Prepare v0.9.3: deprecate feature log (#1764)
• 98473ee Prepare rand 0.9.2 (#1648)
• 031a1f5 examples/print-next.rs (#1647)
• 6cb75ee Make UniformUsize serializable (#1646)
• 0c955c5 Add some tests for BlockRng, BlockRng64 and Xoshiro RNGs (#1639)
• 204084a Fix: Remove accidental editor swap file (#1636)
• 86262ac Deprecate rand::rngs::mock module and StepRng (#1634)
• a6e217f Update statrs link (#1630)
• db993ec Prepare rand v0.9.1 (#1629)
• 3057641 Remove zerocopy from rand (#1579)
• Additional commits viewable in compare view

Updates lz4_flex from 0.10.0 to 0.11.6

Release notes

Sourced from lz4_flex's releases.

0.11

Documentation

• Docs: add decompress block example

Fixes

• Handle empty input in Frame Format #120

Empty input was ignored previously and didn't write anything. Now an empty Frame is written. This improves compatibility with the reference implementation and some corner cases.

• Fix: Small dict leads to panic #133

compress_into_with_dict panicked when the dict passed was smaller than 4 bytes. A match has the minimum length of 4 bytes, smaller dicts will be ignored now.

Features

• [breaking] invert checked-decode to unchecked-decode #134

invert `checked-decode` feature flag to `unchecked-decode`
Previously setting `default-features=false` removed the bounds checks from the
`checked-decode` feature flag. `unchecked-decode` inverts this, so it will needs to be
deliberately deactivated.
To migrate, just remove the checked-decode feature flag.

• Allow to pass buffer larger than size #78

This removes an unnecessary check in the decompression, when the passed buffer is too big.

• Add auto_finish to FrameEncoder #95 #100

Empty input was ignored previously and didn't write anything. Now an empty Frame is written. This improves compatibility with the reference implementation and some corner cases.

• Autodetect frame blocksize #81

The default blocksize of FrameInfo is now auto instead of 64kb, it will detect the blocksize
depending of the size of the first write call. This increases
compression ratio and speed for use cases where the data is larger than
64kb.

• Add fluent API style contruction for FrameInfo #99 (thanks @​CosmicHorrorDev)

This adds in fluent API style construction for FrameInfo. Now you can do
let info = FrameInfo::new()
.block_size(BlockSize::Max1MB)
.content_checksum(true);

... (truncated)

Changelog

Sourced from lz4_flex's changelog.

0.11.6 (2026-03-14)

Security Fix

• Fix handling of invalid match offsets during decompression #84cdafb (thanks @​Marcono1234)

Invalid match offsets (offset == 0) during decompression were not properly
handled, which could lead to invalid memory reads on untrusted input.
Users on 0.11.x should upgrade to 0.11.6.

0.11.5 (2025-06-19)

• Fix incorrect rust-version field name in Cargo.toml #187

0.11.4 (2025-06-14)

• Upgrade to twox-hash 2.0#175
• Better no_std compatibility #180

0.11.3 (2024-03-30)

• Fix support for --deny=unsafe_code compilation #152
• make get_maximum_output_size const #153

0.11.2 (2024-01-11)

• Include license file in the published crate

0.11.1 (2023-06-19)

• [breaking] remove unchecked-decode Remove unchecked-decode feature-flag, because of feature unification: https://doc.rust-lang.org/cargo/reference/features.html#feature-unification

0.11.0 (2023-06-18)

Documentation

• Docs: add decompress block example

Fixes

• Handle empty input in Frame Format #120

Empty input was ignored previously and didn't write anything. Now an empty Frame is written. This improves compatibility with the reference implementation and some corner cases.

• Fix: Small dict leads to panic #133

</tr></table> 

... (truncated)

Commits

• 6460047 bump version to 0.11.6
• 84cdafb fix handling of invalid match offsets during decompression
• 4c4ba15 bump version
• 42886de fix incorrect rust-version field name
• cc09800 release 0.11.4
• a889e29 docs: Update badge for docs.rs
• 612704f Upgrade to twox-hash 2.0
• e52bceb set rust version
• 5d67d30 Use core instead of std Error
• 7520de7 clippy
• Additional commits viewable in compare view

Updates bytes from 1.11.0 to 1.11.1

Release notes

Sourced from bytes's releases.

Bytes v1.11.1

1.11.1 (February 3rd, 2026)

• Fix integer overflow in BytesMut::reserve

Changelog

Sourced from bytes's changelog.

1.11.1 (February 3rd, 2026)

• Fix integer overflow in BytesMut::reserve

Commits

• 417dccd Release bytes v1.11.1 (#820)
• d0293b0 Merge commit from fork
• See full diff in compare view

Updates mio from 0.8.8 to 0.8.11

Changelog

Sourced from mio's changelog.

0.8.11

• Fix receiving IOCP events after deregistering a Windows named pipe (tokio-rs/mio#1760, backport pr: tokio-rs/mio#1761).

0.8.10

Added

• Solaris support (tokio-rs/mio#1724).

0.8.9

Added

• ESP-IDF framework support (tokio-rs/mio#1692).
• AIX operating system support (tokio-rs/mio#1704).
• Vita support (tokio-rs/mio#1721).
• {UnixListener,UnixStream}:bind_addr (tokio-rs/mio#1630).
• mio_unsupported_force_poll_poll and mio_unsupported_force_waker_pipe unsupported configuration flags to force a specific poll or waker implementation (tokio-rs/mio#1684, tokio-rs/mio#1685, tokio-rs/mio#1692).

Fixed

• The pipe(2) based waker (swapped file descriptors) (tokio-rs/mio#1722).
• The duplicate waker check to work correctly with cloned Registrys. (tokio-rs/mio#1706).

Commits

• 0328bde Release v0.8.11
• 7084498 Fix warnings
• 90d4fe0 named-pipes: fix receiving IOCP events after deregister
• c710a30 Add v0.8.x to the CI
• c29e21c Release v0.8.10
• f6a20da Add Solaris operating system support (#1724)
• e80c3b2 Release v0.8.9
• 862786b Fix importing of IoSourceState
• 4034872 Add support for vita target
• 8eb4010 Fix receiver and sender fd in pipe based waker
• Additional commits viewable in compare view

Updates rustix from 0.38.9 to 0.38.25

Commits

• 496792e chore: Release rustix version 0.38.25
• af0a837 On Linux, require Linux >= 3.2. (#927)
• 5ee3917 chore: Release rustix version 0.38.24
• ca03130 Ignore a null AT_BASE value. (#934)
• d482974 chore: Release rustix version 0.38.23
• 5a598d5 Fix more missing cfg(feature = "process"). (#932)
• 9dcd60a fix: sched_getcpu missing feature "process" (#931)
• 58238c7 chore: Release rustix version 0.38.22
• ee297a1 Miscellaneous clippy fixes. (#928)
• b28c5a8 Miscellaneous documentation cleanups. (#929)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[dependabot]

Superseded by #20.