chore(deps)(deps): bump reqwest from 0.12.14 to 0.13.2 #8

Closed
dependabot[bot] wants to merge 1 commit into main from dependabot/cargo/reqwest-0.13.2

@dependabot dependabot bot commented on behalf of github Apr 9, 2026

Bumps reqwest from 0.12.14 to 0.13.2.

Release notes

Sourced from reqwest's releases.

v0.13.2

tl;dr

  • Fix HTTP/2 and native-tls ALPN feature combinations.
  • Fix HTTP/3 to send h3 ALPN.
  • (wasm) fix RequestBuilder::json() from overriding a previously set content-type.

Full Changelog: seanmonstar/reqwest@v0.13.1...v0.13.2

v0.13.1

Full Changelog: seanmonstar/reqwest@v0.13.0...v0.13.1

v0.13.0

Breaking changes

  • rustls is now the default TLS backend, instead of native-tls.
  • rustls crypto provider defaults to aws-lc instead of ring. (rustls-no-provider exists if you want a different crypto provider)
  • rustls-tls has been renamed to rustls.
  • rustls roots features removed, rustls-platform-verifier is used by default.
    • To use different roots, call tls_certs_only(your_roots).
  • native-tls now includes ALPN. To disable, use native-tls-no-alpn.
  • query and form are now crate features, disabled by default.
  • Long-deprecated methods and crate features have been removed (such as trust-dns, which was renamed hickory-dns a while ago).

... (truncated)

Changelog

Sourced from reqwest's changelog.

v0.13.2

  • Fix HTTP/2 and native-tls ALPN feature combinations.
  • Fix HTTP/3 to send h3 ALPN.
  • (wasm) fix RequestBuilder::json() from overriding a previously set content-type.

v0.13.1

  • Fixes compiling with rustls on Android targets.

v0.13.0

  • Breaking changes:
    • rustls is now the default TLS backend, instead of native-tls.
    • rustls crypto provider defaults to aws-lc instead of ring. (rustls-no-provider exists if you want a different crypto provider)
    • rustls-tls has been renamed to rustls.
    • rustls roots features removed, rustls-platform-verifier is used by default.
      • To use different roots, call tls_certs_only(your_roots).
    • native-tls now includes ALPN. To disable, use native-tls-no-alpn.
    • query and form are now crate features, disabled by default.
    • Long-deprecated methods and crate features have been removed (such as trust-dns, which was renamed hickory-dns a while ago).
  • Many TLS-related methods renamed to improve autocompletion and discovery, but previous name left in place with a "soft" deprecation. (just documented, no warnings)
    • For example, prefer tls_backend_rustls() over use_rustls_tls().

v0.12.28

  • Fix compiling on Windows if TLS and SOCKS features are not enabled.

v0.12.27

  • Add ClientBuilder::windows_named_pipe(name) option that will force all requests over that Windows Named Pipe.

v0.12.26

  • Fix sending Accept-Encoding header only with values configured with reqwest, regardless of underlying tower-http config.

v0.12.25

  • Add Error::is_upgrade() to determine if the error was from an HTTP upgrade.
  • Fix sending Proxy-Authorization if only username is configured.
  • Fix sending Proxy-Authorization to HTTPS proxies when the target is HTTP.
  • Refactor internal decompression handling to use tower-http.

v0.12.24

  • Refactor cookie handling to an internal middleware.
  • Refactor internal random generator.
  • Refactor base64 encoding to reduce a copy.
  • Documentation updates.

... (truncated)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Summary by CodeRabbit

  • Chores
    • Updated HTTP client library to the latest patch version for improved stability and performance.


dependabot bot commented on behalf of github Apr 9, 2026

Labels

The following labels could not be found: dependencies, rust. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@dependabot dependabot bot requested a review from nh13 as a code owner April 9, 2026 00:34

coderabbitai bot commented Apr 9, 2026

Walkthrough

Updated the reqwest HTTP client library dependency from version 0.12.14 to 0.12.28 in the project manifest, maintaining the existing feature configuration and non-default feature set.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Dependency Version Update: Cargo.toml | Bumped reqwest from 0.12.14 to 0.12.28; features and default-features setting remain unchanged. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

🐰 A hop and a skip, a version so fine,
Reqwest now shines at point twenty-eight in the line,
No features were tweaked, just a gentle update,
The rabbit approves of this dependency fate! 🚀

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Title check | ⚠️ Warning | The title claims a bump to version 0.13.2, but the summary shows the actual update is from 0.12.14 to 0.12.28, which is a different version than stated in the title. | Correct the title to accurately reflect the actual version bump: 'chore(deps): bump reqwest from 0.12.14 to 0.12.28' to match the actual changes in Cargo.toml. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

Comment @coderabbitai help to get the list of available commands and usage tips.

Bumps [reqwest](https://github.com/seanmonstar/reqwest) from 0.12.14 to 0.13.2.
- [Release notes](https://github.com/seanmonstar/reqwest/releases)
- [Changelog](https://github.com/seanmonstar/reqwest/blob/master/CHANGELOG.md)
- [Commits](seanmonstar/reqwest@v0.12.14...v0.13.2)

---
updated-dependencies:
- dependency-name: reqwest
  dependency-version: 0.13.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot force-pushed the dependabot/cargo/reqwest-0.13.2 branch from 50d7838 to d2fbfb6 Compare April 9, 2026 07:22

@coderabbitai coderabbitai bot left a comment

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@Cargo.toml`:
- Line 39: The Cargo.toml entry for reqwest is using the wrong version and a
removed feature; update the dependency declared as reqwest = { ... } to version
"0.13.2" and replace the feature "rustls-tls-native-roots" with the current
rustls support (use "rustls" as the feature) so the crate and feature flags
match reqwest 0.13.x; if native root certificates are required, wire them up via
ClientBuilder::tls_config() in the code that constructs the reqwest client (look
for places referencing reqwest client construction to adjust TLS setup
accordingly).

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 865c9467-11c5-4273-b7b8-cd1ec56a1eaf

📥 Commits

Reviewing files that changed from the base of the PR and between 1d6541a and d2fbfb6.

⛔ Files ignored due to path filters (1)
  • Cargo.lock is excluded by !**/*.lock
📒 Files selected for processing (1)
  • Cargo.toml

num_cpus = "1.16.0"
regex = "1.11.1"
reqwest = { version = "0.12.14", default-features = false, features = ["blocking", "json", "rustls-tls-native-roots"] }
reqwest = { version = "0.12.28", default-features = false, features = ["blocking", "json", "rustls-tls-native-roots"] }
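
Review bot: The new reqwest line pins version = "0.12.28", while the PR title and the commit message both state a bump to 0.13.2, so the manifest does not deliver the release this PR describes; either retitle the PR or pin 0.13.2. If 0.13.2 is the target, the features list on this line cannot be carried over unchanged: the 0.13.0 notes quoted in this PR say rustls-tls was renamed to rustls and the rustls roots features were removed in favour of rustls-platform-verifier, so "rustls-tls-native-roots" would have to become "rustls", with tls_certs_only(your_roots) used only if a different root set is needed. Because default-features = false is set here, also check whether the code calls RequestBuilder::query() or form(), which 0.13.0 moves behind the query and form crate features, and re-test certificate validation against the endpoints this client reaches, since root trust would then come from the platform verifier.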

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🌐 Web query:

What are the available features for reqwest version 0.12.28 and does rustls-tls-native-roots exist?

💡 Result:

For reqwest v0.12.28, the available Cargo features are: default, charset, default-tls, http2, system-proxy, h2, blocking, brotli, cookies, deflate, gzip, hickory-dns, http3, json, macos-system-configuration, multipart, native-tls, native-tls-alpn, native-tls-vendored, rustls-tls, rustls-tls-manual-roots, rustls-tls-manual-roots-no-provider, rustls-tls-native-roots, rustls-tls-native-roots-no-provider, rustls-tls-no-provider, rustls-tls-webpki-roots, rustls-tls-webpki-roots-no-provider, socks, stream, trust-dns, zstd. [1]

Yes—rustls-tls-native-roots does exist in reqwest 0.12.28. [1]

Sources: [1]


🌐 Web query:

What are the breaking changes and new features in reqwest 0.13.2 compared to 0.12.x?

💡 Result:

Breaking changes in reqwest 0.13.x vs 0.12.x

  • TLS backend default changed: rustls is now the default TLS implementation (instead of native-tls). [1][2]
  • rustls crypto provider default changed: rustls now defaults to aws-lc instead of ring (use rustls-no-provider if you want to pick a different provider yourself). [1]
  • Feature flag changes (TLS):
    • rustls-tls feature was renamed to rustls. [1]
    • rustls “roots” features were removed; reqwest uses rustls-platform-verifier instead (and you can supply custom roots via tls_certs_only(...)). [1]
  • Serde no longer required by default: RequestBuilder::query() and RequestBuilder::form() are now behind crate features (query, form) and are disabled by default, making it possible to build without serde. [1][2]
  • API surface cleanup/renames:
    • Many TLS-related ClientBuilder methods were renamed (old names kept as “soft-deprecated”, i.e., documented as deprecated but not warning). [1][2]
    • Some long-deprecated methods and crate features were removed. [1]
    • ClientBuilder::dns_resolver was replaced with dns_resolver2. [1]

New features / notable changes through 0.13.2 (relative to 0.12.x)

  • 0.13.0: (besides the breaking changes above) enabled ALPN by default when using native-tls. [3]
  • 0.13.1: HTTP/3 switched to depending on quinn/rustls-aws-lc-rs to avoid a ring dependency; also includes an Android rustls fix. [4]
  • 0.13.2: fixes and behavior changes:
    • Fixes HTTP/2 + native-tls ALPN feature combinations.
    • Fixes HTTP/3 to send the h3 ALPN.
    • (wasm) fixes RequestBuilder::json() so it doesn’t override a previously set content-type.
    • Docs note: native-tls-alpn changed to native-tls-no-alpn. [3]

Sources: reqwest GitHub release notes for v0.13.0-rc.1 (breaking changes list) [1], maintainer blog post on v0.13 [2], GitHub release notes for v0.13.2 [3] and v0.13.1 [4].


🏁 Script executed:

#!/bin/bash
# Description: Check if query strings or form encoding are used in the codebase
# This is relevant because reqwest 0.13.0 disables query/form features by default

echo "=== Checking for query string usage ==="
rg -n --type rust -C2 '\.query\(' 

echo -e "\n=== Checking for form encoding usage ==="
rg -n --type rust -C2 '\.form\('

echo -e "\n=== Checking for reqwest usage patterns ==="
rg -n --type rust -C2 'reqwest::'

Repository: fg-labs/redskull

Length of output: 2692


🏁 Script executed:

# Check git history or PR metadata for the change
git log -1 --format="%B" -- Cargo.toml | head -20

Repository: fg-labs/redskull

Length of output: 640


🏁 Script executed:

# Also check if there's any PR or commit message that states the intended version
git log --all --oneline --grep="reqwest" -i | head -10

Repository: fg-labs/redskull

Length of output: 188


Fix the reqwest version and features: PR requires 0.13.2 but code shows 0.12.28, with incompatible feature flags.

The commit message confirms this PR should update reqwest from 0.12.14 to 0.13.2, but line 39 specifies 0.12.28. Additionally, the feature rustls-tls-native-roots does not exist in 0.13.2—it was removed in favor of rustls-platform-verifier.

Update to:

  • Version: 0.13.2
  • Features: Change rustls-tls-native-roots to rustls (and optionally configure native roots via ClientBuilder::tls_config() if needed)
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@Cargo.toml` at line 39, The Cargo.toml entry for reqwest is using the wrong
version and a removed feature; update the dependency declared as reqwest = { ...
} to version "0.13.2" and replace the feature "rustls-tls-native-roots" with the
current rustls support (use "rustls" as the feature) so the crate and feature
flags match reqwest 0.13.x; if native root certificates are required, wire them
up via ClientBuilder::tls_config() in the code that constructs the reqwest
client (look for places referencing reqwest client construction to adjust TLS
setup accordingly).


nh13 commented Apr 9, 2026

Closing: dependabot grouping now includes major updates, will be recreated as a single grouped PR.

@nh13 nh13 closed this Apr 9, 2026

dependabot bot commented on behalf of github Apr 9, 2026

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

@dependabot dependabot bot deleted the dependabot/cargo/reqwest-0.13.2 branch April 9, 2026 16:21