deps: Update dependency reqwest to v0.13.3

[ffortier]

This PR contains the following updates:

Package	Type	Update	Change
reqwest		minor	=0.12.28 → =0.13.3
reqwest	crate_spec	minor	=0.12.28 → =0.13.3

---

Release Notes

seanmonstar/reqwest (reqwest)

v0.13.3

Compare Source

• Fix CertificateRevocationList parsing of PEM values.
• Fix logging in resolver to only show host, not full URL.
• Fix hickory-dns to fallback to a default if /etc/resolv.conf fails.
• Fix HTTP/3 to handle STOP_SENDING as not an error.
• Fix HTTP/3 pool to remove timed out QUIC connections.
• Fix HTTP/3 connection establishment picking IPv4 and IPv6.
• Upgrade rustls-platform-verifier.
• (wasm) Only use wasm-bindgen on unknown-* targets.

v0.13.2

Compare Source

• Fix HTTP/2 and native-tls ALPN feature combinations.
• Fix HTTP/3 to send h3 ALPN.
• (wasm) fix RequestBuilder::json() from override previously set content-type.

v0.13.1

Compare Source

• Fixes compiling with rustls on Android targets.

v0.13.0

Compare Source

• Breaking changes:
  • rustls is now the default TLS backend, instead of native-tls.
  • rustls crypto provider defaults to aws-lc instead of ring. (rustls-no-provider exists if you want a different crypto provider)
  • rustls-tls has been renamed to rustls.
  • rustls roots features removed, rustls-platform-verifier is used by default.
    • To use different roots, call tls_certs_only(your_roots).
  • native-tls now includes ALPN. To disable, use native-tls-no-alpn.
  • query and form are now crate features, disabled by default.
  • Long-deprecated methods and crate features have been removed (such as trust-dns, which was renamed hickory-dns a while ago).
• Many TLS-related methods renamed to improve autocompletion and discovery, but previous name left in place with a "soft" deprecation. (just documented, no warnings)
  • For example, prefer tls_backend_rustls() over use_rustls_tls().

v0.12.28

• Fix compiling on Windows if TLS and SOCKS features are not enabled.

v0.12.27

• Add ClientBuilder::windows_named_pipe(name) option that will force all requests over that Windows Named Piper.

v0.12.26

• Fix sending Accept-Encoding header only with values configured with reqwest, regardless of underlying tower-http config.

v0.12.25

• Add Error::is_upgrade() to determine if the error was from an HTTP upgrade.
• Fix sending Proxy-Authorization if only username is configured.
• Fix sending Proxy-Authorization to HTTPS proxies when the target is HTTP.
• Refactor internal decompression handling to use tower-http.

v0.12.24

• Refactor cookie handling to an internal middleware.
• Refactor internal random generator.
• Refactor base64 encoding to reduce a copy.
• Documentation updates.

v0.12.23

• Add ClientBuilder::unix_socket(path) option that will force all requests over that Unix Domain Socket.
• Add ClientBuilder::retry(policy) and reqwest::retry::Builder to configure automatic retries.
• Add ClientBuilder::dns_resolver2() with more ergonomic argument bounds, allowing more resolver implementations.
• Add http3_* options to blocking::ClientBuilder.
• Fix default TCP timeout values to enabled and faster.
• Fix SOCKS proxies to default to port 1080
• (wasm) Add cache methods to RequestBuilder.

v0.12.22

• Fix socks proxies when resolving IPv6 destinations.

v0.12.21

• Fix socks proxy to use socks4a:// instead of socks4h://.
• Fix Error::is_timeout() to check for hyper and IO timeouts too.
• Fix request Error to again include URLs when possible.
• Fix socks connect error to include more context.
• (wasm) implement Default for Body.

v0.12.20

• Add ClientBuilder::tcp_user_timeout(Duration) option to set TCP_USER_TIMEOUT.
• Fix proxy headers only using the first matched proxy.
• (wasm) Fix re-adding Error::is_status().

v0.12.19

• Fix redirect that changes the method to GET should remove payload headers.
• Fix redirect to only check the next scheme if the policy action is to follow.
• (wasm) Fix compilation error if cookies feature is enabled (by the way, it's a noop feature in wasm).

v0.12.18

• Fix compilation when socks enabled without TLS.

v0.12.17

• Fix compilation on macOS.

v0.12.16

• Add ClientBuilder::http3_congestion_bbr() to enable BBR congestion control.
• Add ClientBuilder::http3_send_grease() to configure whether to send use QUIC grease.
• Add ClientBuilder::http3_max_field_section_size() to configure the maximum response headers.
• Add ClientBuilder::tcp_keepalive_interval() to configure TCP probe interval.
• Add ClientBuilder::tcp_keepalive_retries() to configure TCP probe count.
• Add Proxy::headers() to add extra headers that should be sent to a proxy.
• Fix redirect::Policy::limit() which had an off-by-1 error, allowing 1 more redirect than specified.
• Fix HTTP/3 to support streaming request bodies.
• (wasm) Fix null bodies when calling Response::bytes_stream().

v0.12.15

• Fix Windows to support both ProxyOverride and NO_PROXY.
• Fix http3 to support streaming response bodies.
• Fix http3 dependency from public API misuse.

v0.12.14

• Fix missing fetch_mode_no_cors(), marking as deprecated when not on WASM.

v0.12.13

• Add Form::into_reader() for blocking multipart forms.
• Add Form::into_stream() for async multipart forms.
• Add support for SOCKS4a proxies.
• Fix decoding responses with multiple zstd frames.
• Fix RequestBuilder::form() from overwriting a previously set Content-Type header, like the other builder methods.
• Fix cloning of request timeout in blocking::Request.
• Fix http3 synchronization of connection creation, reducing unneccesary extra connections.
• Fix Windows system proxy to use ProxyOverride as a NO_PROXY value.
• Fix blocking read to correctly reserve and zero read buffer.
• (wasm) Add support for request timeouts.
• (wasm) Fix Error::is_timeout() to return true when from a request timeout.

v0.12.12

• (wasm) Fix compilation by not compiler tokio/time on WASM.

v0.12.11

• Fix decompression returning an error when HTTP/2 ends with an empty data frame.

v0.12.10

• Add ClientBuilder::connector_layer() to allow customizing the connector stack.
• Add ClientBuilder::http2_max_header_list_size() option.
• Fix propagating body size hint (content-length) information when wrapping bodies.
• Fix decompression of chunked bodies so the connections can be reused more often.

v0.12.9

• Add tls::CertificateRevocationLists support.
• Add crate features to enable webpki roots without selecting a rustls provider.
• Fix connection_verbose() to output read logs.
• Fix multipart::Part::file() to automatically include content-length.
• Fix proxy to internally no longer cache system proxy settings.

v0.12.8

• Add support for SOCKS4 proxies.
• Add multipart::Form::file() method for adding files easily.
• Add Body::wrap() to wrap any http_body::Body type.
• Fix the pool configuration to use a timer to remove expired connections.

v0.12.7

• Revert adding impl Service<http::Request<_>> for Client.

v0.12.6

• Add support for danger_accept_invalid_hostnames for rustls.
• Add impl Service<http::Request<Body>> for Client and &'_ Client.
• Add support for !Sync bodies in Body::wrap_stream().
• Enable happy eyeballs when hickory-dns is used.
• Fix Proxy so that HTTP(S)_PROXY values take precedence over ALL_PROXY.
• Fix blocking::RequestBuilder::header() from unsetting sensitive on passed header values.

v0.12.5

• Add blocking::ClientBuilder::dns_resolver() method to change DNS resolver in blocking client.
• Add http3 feature back, still requiring reqwest_unstable.
• Add rustls-tls-no-provider Cargo feature to use rustls without a crypto provider.
• Fix Accept-Encoding header combinations.
• Fix http3 resolving IPv6 addresses.
• Internal: upgrade to rustls 0.23.

v0.12.4

• Add zstd support, enabled with zstd Cargo feature.
• Add ClientBuilder::read_timeout(Duration), which applies the duration for each read operation. The timeout resets after a successful read.

v0.12.3

• Add FromStr for dns::Name.
• Add ClientBuilder::built_in_webpki_certs(bool) to enable them separately.
• Add ClientBuilder::built_in_native_certs(bool) to enable them separately.
• Fix sending content-length: 0 for GET requests.
• Fix response body content_length() to return value when timeout is configured.
• Fix ClientBuilder::resolve() to use lowercase domain names.

v0.12.2

• Fix missing ALPN when connecting to socks5 proxy with rustls.
• Fix TLS version limits with rustls.
• Fix not detected ALPN h2 from server with native-tls.

v0.12.1

• Fix ClientBuilder::interface() when no TLS is enabled.
• Fix TlsInfo::peer_certificate() being truncated with rustls.
• Fix panic if http2 feature disabled but TLS negotiated h2 in ALPN.
• Fix Display for Error to not include its source error.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate.

[ffortier]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: undefined

Command failed: ./.github/renovate/post-upgrade.sh
+ bzl_opts=(--override_module=toolchains_llvm=./third_party/cpp/no_toolchains_llvm)
+ git diff --exit-code third_party/python/requirements.in
+ git diff --exit-code third_party/java/deps.MODULE.bazel
+ git diff --exit-code third_party/dotnet/paket.dependencies
+ git diff --exit-code deno.jsonc
+ git diff --exit-code third_party/deno/toolchains.MODULE.bazel
+ REPIN=1
+ bazel build --nobuild //... --override_module=toolchains_llvm=./third_party/cpp/no_toolchains_llvm
Computing main repo mapping: 
Loading: 
Loading: 2 packages loaded
Analyzing: 169 targets (84 packages loaded, 6 targets configured)
Analyzing: 169 targets (346 packages loaded, 7207 targets configured)
Analyzing: 169 targets (347 packages loaded, 25486 targets configured)
Analyzing: 169 targets (492 packages loaded, 37293 targets configured, 6 aspect applications)
Analyzing: 169 targets (550 packages loaded, 60111 targets configured, 6 aspect applications)
Analyzing: 169 targets (566 packages loaded, 73300 targets configured, 6 aspect applications)
Analyzing: 169 targets (566 packages loaded, 73300 targets configured, 6 aspect applications)
Analyzing: 169 targets (566 packages loaded, 73300 targets configured, 6 aspect applications)
Analyzing: 169 targets (566 packages loaded, 73300 targets configured, 6 aspect applications)
Analyzing: 169 targets (566 packages loaded, 73300 targets configured, 6 aspect applications)
Analyzing: 169 targets (566 packages loaded, 73300 targets configured, 6 aspect applications)
Analyzing: 169 targets (566 packages loaded, 73300 targets configured, 6 aspect applications)

    Updating crates.io index
error: failed to select a version for `reqwest`.
    ... required by package `direct-cargo-bazel-deps v0.0.1 (/tmp/.tmpgGGOKF)`
versions that meet the requirements `=0.13.3` are: 0.13.3

package `direct-cargo-bazel-deps` depends on `reqwest` with feature `rustls-tls` but `reqwest` does not have that feature.
 available features: __native-tls, __native-tls-alpn, __rustls, __rustls-aws-lc-rs, __tls, blocking, brotli, charset, cookies, default, default-tls, deflate, form, gzip, hickory-dns, http2, http3, json, multipart, native-tls, native-tls-no-alpn, native-tls-vendored, native-tls-vendored-no-alpn, query, rustls, rustls-no-provider, socks, stream, system-proxy, zstd


failed to select a version for `reqwest` which could resolve this conflict

Error: Failed to generate lockfile

Caused by:
    Failed to generate lockfile: exit status: 101
ERROR: /tmp/containerbase/cache/.cache/bazel/_bazel_ubuntu/1b5ffcdd61e73605eab60db158621164/external/rules_rust+/crate_universe/private/common_utils.bzl:61:13: Traceback (most recent call last):
	File "/tmp/containerbase/cache/.cache/bazel/_bazel_ubuntu/1b5ffcdd61e73605eab60db158621164/external/rules_rust+/crate_universe/extensions.bzl", line 1165, column 37, in _crate_impl
		_generate_hub_and_spokes(
	File "/tmp/containerbase/cache/.cache/bazel/_bazel_ubuntu/1b5ffcdd61e73605eab60db158621164/external/rules_rust+/crate_universe/extensions.bzl", line 647, column 51, in _generate_hub_and_spokes
		splice_outputs = splice_workspace_manifest(
	File "/tmp/containerbase/cache/.cache/bazel/_bazel_ubuntu/1b5ffcdd61e73605eab60db158621164/external/rules_rust+/crate_universe/private/splicing_utils.bzl", line 192, column 19, in splice_workspace_manifest
		cargo_bazel_fn(
	File "/tmp/containerbase/cache/.cache/bazel/_bazel_ubuntu/1b5ffcdd61e73605eab60db158621164/external/rules_rust+/crate_universe/private/common_utils.bzl", line 94, column 23, in _execute
		return execute(
	File "/tmp/containerbase/cache/.cache/bazel/_bazel_ubuntu/1b5ffcdd61e73605eab60db158621164/external/rules_rust+/crate_universe/private/common_utils.bzl", line 61, column 13, in execute
		fail(_EXECUTE_ERROR_MESSAGE.format(
Error in fail: Command ["/tmp/containerbase/cache/.cache/bazel/_bazel_ubuntu/1b5ffcdd61e73605eab60db158621164/modextwd/rules_rust++crate/cargo-bazel", "splice", "--output-dir", "/tmp/containerbase/cache/.cache/bazel/_bazel_ubuntu/1b5ffcdd61e73605eab60db158621164/modextwd/rules_rust++crate/crates/splicing-output", "--splicing-manifest", "/tmp/containerbase/cache/.cache/bazel/_bazel_ubuntu/1b5ffcdd61e73605eab60db158621164/modextwd/rules_rust++crate/crates/splicing_manifest.json", "--config", "/tmp/containerbase/cache/.cache/bazel/_bazel_ubuntu/1b5ffcdd61e73605eab60db158621164/modextwd/rules_rust++crate/crates/config.json", "--repository-name", "crates", "--nonhermetic-root-bazel-workspace-dir", "/tmp/renovate/repos/github/ffortier/mono", "--cargo", "/tmp/containerbase/cache/.cache/bazel/_bazel_ubuntu/1b5ffcdd61e73605eab60db158621164/external/rules_rust++rust_host_tools+rust_host_tools/bin/cargo", "--rustc", "/tmp/containerbase/cache/.cache/bazel/_bazel_ubuntu/1b5ffcdd61e73605eab60db158621164/external/rules_rust++rust_host_tools+rust_host_tools/bin/rustc"] failed with exit code 1.
STDOUT ------------------------------------------------------------------------

STDERR ------------------------------------------------------------------------

    Updating crates.io index
error: failed to select a version for `reqwest`.
    ... required by package `direct-cargo-bazel-deps v0.0.1 (/tmp/.tmpgGGOKF)`
versions that meet the requirements `=0.13.3` are: 0.13.3

package `direct-cargo-bazel-deps` depends on `reqwest` with feature `rustls-tls` but `reqwest` does not have that feature.
 available features: __native-tls, __native-tls-alpn, __rustls, __rustls-aws-lc-rs, __tls, blocking, brotli, charset, cookies, default, default-tls, deflate, form, gzip, hickory-dns, http2, http3, json, multipart, native-tls, native-tls-no-alpn, native-tls-vendored, native-tls-vendored-no-alpn, query, rustls, rustls-no-provider, socks, stream, system-proxy, zstd


failed to select a version for `reqwest` which could resolve this conflict

Error: Failed to generate lockfile

Caused by:
    Failed to generate lockfile: exit status: 101

ERROR: Analysis of target '//:scryper_prolog' failed; build aborted: error evaluating module extension @@rules_rust+//crate_universe:extension.bzl%crate
INFO: Elapsed time: 20.906s
INFO: 0 processes.
ERROR: Build did NOT complete successfully
Loading: 566 packages loaded

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

Bumps the reqwest crate version in third_party/rust/deps.MODULE.bazel from =0.12.28 to =0.13.2.

Changes

Cohort / File(s)	Summary
Rust Dependency Update third_party/rust/deps.MODULE.bazel	Updated reqwest crate version spec from =0.12.28 → =0.13.2 (single-line change).

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Possibly related PRs

• deps: Update dependency reqwest to v0.12.28 #546: Prior bump of the same reqwest crate entry in third_party/rust/deps.MODULE.bazel.
• deps: Update dependency reqwest to v0.12.23 #311: Changes the reqwest crate version in third_party/rust/deps.MODULE.bazel.
• deps: Update dependency reqwest to v0.12.22 #255: Another update to the reqwest dependency version in third_party/rust/deps.MODULE.bazel.

Poem

🐇 I hopped through crates and found a clue,
A tiny bump — a version new,
My whiskers twitch, the build may sing,
I nibble bytes and softly bring,
A carrot cheer — merge and do!

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Title check	⚠️ Warning	The PR title claims an update to v0.13.3, but the actual change is to v0.13.2, creating a mismatch between the stated and implemented versions.	Update the PR title from 'deps: Update dependency reqwest to v0.13.3' to 'deps: Update dependency reqwest to v0.13.2' to match the actual version change.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch renovate/reqwest-0.x

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

third_party/rust/deps.MODULE.bazel (1)

7-17: Update feature name to match reqwest v0.13.x breaking changes.

The feature rustls-tls was renamed to rustls in reqwest v0.13.0. The build failure reported by Renovate confirms that reqwest 0.13.1 does not have the rustls-tls feature, which is causing the cargo-bazel lockfile generation to fail.

🔎 Fix: Update the feature name from rustls-tls to rustls

 crate.spec(
     default_features = False,
     features = [
         "blocking",
-        "rustls-tls",
+        "rustls",
         "http2",
         "charset",
     ],
     package = "reqwest",
     version = "=0.13.1",
 )

📜 Review details

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 439c13a and 92a8b04.

📒 Files selected for processing (1)

• third_party/rust/deps.MODULE.bazel

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: build-windows-x86_64
• GitHub Check: build-linux-x86_64

[coderabbitai]

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

third_party/rust/deps.MODULE.bazel (1)

7-17: ⚠️ Potential issue | 🔴 Critical

Fix required: rustls-tls feature was renamed to rustls in reqwest 0.13.0

Update line 11 to rename the feature from "rustls-tls" to "rustls". This is a breaking change in reqwest 0.13.0 that causes the current build to fail with the error: "the package direct-cargo-bazel-deps depends on reqwest, with features: rustls-tls but reqwest does not have these features."

Proposed fix

 crate.spec(
     default_features = False,
     features = [
         "blocking",
-        "rustls-tls",
+        "rustls",
         "http2",
         "charset",
     ],
     package = "reqwest",
     version = "=0.13.1",
 )

[coderabbitai]

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

third_party/rust/deps.MODULE.bazel (1)

7-17: ⚠️ Potential issue | 🔴 Critical

Build breakage: rustls-tls feature was renamed to rustls in reqwest 0.13.x.

The cargo feature rustls-tls does not exist in reqwest 0.13.0+; it was renamed to rustls. Update line 11 to use the correct feature name.

Proposed fix

 crate.spec(
     default_features = False,
     features = [
         "blocking",
-        "rustls-tls",
+        "rustls",
         "http2",
         "charset",
     ],
     package = "reqwest",
     version = "=0.13.2",
 )

The other features (blocking, http2, charset) are confirmed as valid in reqwest 0.13.x. However, note that in reqwest 0.13.0, the query and form features were moved to separate opt-in crate features and are disabled by default. If your code relies on these, they must be explicitly added to the features list.

[coderabbitai]

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

third_party/rust/deps.MODULE.bazel (1)

7-17: ⚠️ Potential issue | 🔴 Critical

Feature rustls-tls was renamed to rustls in reqwest v0.13.0 — build is broken.

The rustls-tls feature no longer exists in v0.13.2. It must be renamed to rustls. The other features (blocking, http2, charset) remain valid in v0.13.2 and do not need changes.

Fix: rename the feature

 crate.spec(
     default_features = False,
     features = [
         "blocking",
-        "rustls-tls",
+        "rustls",
         "http2",
         "charset",
     ],
     package = "reqwest",
     version = "=0.13.2",
 )