
Bump the dependencies group across 1 directory with 6 updates #236

Open

dependabot[bot] wants to merge 1 commit into main from dependabot/cargo/dependencies-a7c99d7e5e

dependabot Bot commented on behalf of github Jun 23, 2026


Bumps the dependencies group with 6 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| h2 | 0.4.14 | 0.4.15 |
| tokio | 1.51.1 | 1.52.3 |
| bytes | 1.11.1 | 1.12.0 |
| http | 1.4.1 | 1.4.2 |
| quiche | 0.29.1 | 0.29.2 |
| rustls | 0.23.40 | 0.23.41 |

Updates h2 from 0.4.14 to 0.4.15

Release notes

Sourced from h2's releases.

v0.4.15

What's Changed

New Contributors

Full Changelog: hyperium/h2@v0.4.14...v0.4.15

Changelog

Sourced from h2's changelog.

0.4.15 (June 15, 2026)

  • Fix closing a connection when header size is "way too large" (currently x4 configured limit).
  • Fix overflow calculating padding length if a DATA frame had 255 bytes of padding.
  • Fix ignoring library-initiated resets in the connection state loop.
  • Fix decoding panic with an absurd amount of headers and no limit to now use try_append().
  • Fix rejecting frames on streams whose HEADERS have not been sent.
  • Fix poll_capacity() to not return Some(Ok(0)).
  • Fix discarding of buffered DATA frames when a reset is scheduled.

Commits
  • 21211d0 v0.4.15
  • 29e209d fix: close connection when header size is way too large (#915)
  • 9231cb0 fix: remove padded_len() u8 overflow in DATA frame padding release (#914)
  • d351036 fix: ignore library resets at connection poll loop level (#913)
  • 4f51fff fix: use HeaderMap::try_append to prevent panics on absurd amounts of headers...
  • c813cc8 refactor: remove unnecessary clones (#911)
  • 810f5ae chore(ci): update actions/checkout to v6 (#910)
  • d361b75 fix: Reject frames on streams whose HEADERS haven't been sent (#899)
  • 93ccead fix: poll_capacity must not return Ready(Some(Ok(0))) (#898)
  • 733bba7 fix: Discard buffered DATA when a scheduled reset is pending (#896)
  • See full diff in compare view

Updates tokio from 1.51.1 to 1.52.3

Release notes

Sourced from tokio's releases.

Tokio v1.52.3

1.52.3 (May 8th, 2026)

Fixed

  • sync: fix underflow in mpsc channel len() (#8062)
  • sync: notify receivers in mpsc OwnedPermit::release() method (#8075)
  • sync: require that an RwLock has max_readers != 0 (#8076)
  • sync: return Empty from try_recv() when mpsc is closed with outstanding permits (#8074)

#8062: tokio-rs/tokio#8062 #8074: tokio-rs/tokio#8074 #8075: tokio-rs/tokio#8075 #8076: tokio-rs/tokio#8076

Tokio v1.52.2

1.52.2 (May 4th, 2026)

This release reverts the LIFO slot stealing change introduced in 1.51.0 (#7431), due to its performance impact (#8065). (#8100)

#7431: tokio-rs/tokio#7431 #8065: tokio-rs/tokio#8065 #8100: tokio-rs/tokio#8100

Tokio v1.52.1

1.52.1 (April 16th, 2026)

Fixed

  • runtime: revert #7757 to fix a regression (#8056) that causes spawn_blocking to hang (#8057)

#7757: tokio-rs/tokio#7757 #8056: tokio-rs/tokio#8056 #8057: tokio-rs/tokio#8057

Tokio v1.52.0

1.52.0 (April 14th, 2026)

Added

  • io: AioSource::register_borrowed for I/O safety support (#7992)
  • net: add try_io function to unix::pipe sender and receiver types (#8030)

Added (unstable)

  • runtime: Builder::enable_eager_driver_handoff setting enable eager hand off of the I/O and time drivers before polling tasks (#8010)
  • taskdump: add trace_with() for customized task dumps (#8025)
  • taskdump: allow impl FnMut() in trace_with instead of just fn() (#8040)
  • fs: support io_uring in AsyncRead for File (#7907)

... (truncated)

Commits

Updates bytes from 1.11.1 to 1.12.0

Release notes

Sourced from bytes's releases.

Bytes v1.12.0

1.12.0 (June 18th, 2026)

Added

  • Add BytesMut::extend_from_within() (#818)
  • Add BytesMut::try_unsplit() (#746)

Fixed

  • Fix panic in get_int if nbytes is zero (#806)

Changed

  • Pass vtable data by value (#826)
  • Exclude development scripts from published package (#810)

Documented

  • Document that BytesMut::{reserve,try_reserve} doesn't preserve unused capacity (#808)

Changelog

Sourced from bytes's changelog.

1.12.0 (June 18th, 2026)

Added

  • Add BytesMut::extend_from_within() (#818)
  • Add BytesMut::try_unsplit() (#746)

Fixed

  • Fix panic in get_int if nbytes is zero (#806)

Changed

  • Pass vtable data by value (#826)
  • Exclude development scripts from published package (#810)

Documented

  • Document that BytesMut::{reserve,try_reserve} doesn't preserve unused capacity (#808)

Commits

Updates http from 1.4.1 to 1.4.2

Changelog

Sourced from http's changelog.

1.4.2 (June 8, 2026)

  • Fix uri::Builder to allow "*" as the path when scheme and authority are also set, used in HTTP/2 requests.
  • Fix Uri to properly reject DEL characters.

Commits

Updates quiche from 0.29.1 to 0.29.2

Release notes

Sourced from quiche's releases.

🛡️ 0.29.2

⚠️ Security:

  • Fixed a use-after-free in quiche_connection_id_iter_next(), which is part of quiche's C FFI API. The iterator previously returned a pointer to a cloned connection ID whose backing storage was dropped before the caller could read it. It now returns pointers to connection IDs owned by the iterator.
  • Fixed a use-after-free in quiche_conn_retired_scid_next(), which is also part of the C FFI API. The function previously returned a pointer to a retired source connection ID whose backing storage was dropped before the caller could read it. It has been replaced by quiche_conn_retired_scid_iter(), which drains retired source connection IDs into an iterator before exposing them to callers.

The C FFI API is disabled by default via the ffi feature. The normal Rust API is not affected by these issues.

Breaking changes:

  • The C API function quiche_conn_retired_scid_next() was removed and replaced with quiche_conn_retired_scid_iter() to avoid returning pointers to temporary memory. Applications using quiche_conn_retired_scid_next() should call quiche_conn_retired_scid_iter(conn), iterate with quiche_connection_id_iter_next(), and release the iterator with quiche_connection_id_iter_free().

Highlights:

  • Fixed stream send-buffer accounting so congestion controller app-limited detection and Stats::tx_buffered_state track the actual bytes buffered in stream send buffers. This avoids buffered byte-count drift across retransmissions, ACKs, and stream shutdown/reset paths.

Full changelog at 0.29.1...0.29.2

Commits
  • 839b23d quiche: release 0.29.2
  • f2db946 ffi: fix use-after-free in quiche_conn_retired_scid_next
  • 386ad63 ffi: fix use-after-free in quiche_connection_id_iter_next
  • 65a85fb Fix tx_buffered computation so it matches the sum of bytes in stream buffers ...
  • 6b5a13c Remove unused imports in qlog-dancer component (#2511)
  • See full diff in compare view

Updates rustls from 0.23.40 to 0.23.41

Commits
  • 642a103 ci: drop Taplo job
  • 752c144 Drop nightly clippy tests
  • 8d8611a Fix new clippy::useless-borrows-in-formatting
  • ebf3297 Fix new clippy::manual_clear
  • 46808e7 ci: sync cargo-check-external-types nightly
  • 041a8d2 Cargo deny: allow RUSTSEC-2026-0173
  • 62e220e Take semver-compatible dependency updates
  • 3c14696 Upgrade to hickory-resolver 0.26
  • 848a2cc connect-tests: delete ech.rs
  • 5ce9cac Bump version to 0.23.41
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the dependencies group with 6 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [h2](https://github.com/hyperium/h2) | `0.4.14` | `0.4.15` |
| [tokio](https://github.com/tokio-rs/tokio) | `1.51.1` | `1.52.3` |
| [bytes](https://github.com/tokio-rs/bytes) | `1.11.1` | `1.12.0` |
| [http](https://github.com/hyperium/http) | `1.4.1` | `1.4.2` |
| [quiche](https://github.com/cloudflare/quiche) | `0.29.1` | `0.29.2` |
| [rustls](https://github.com/rustls/rustls) | `0.23.40` | `0.23.41` |



Updates `h2` from 0.4.14 to 0.4.15
- [Release notes](https://github.com/hyperium/h2/releases)
- [Changelog](https://github.com/hyperium/h2/blob/master/CHANGELOG.md)
- [Commits](hyperium/h2@v0.4.14...v0.4.15)

Updates `tokio` from 1.51.1 to 1.52.3
- [Release notes](https://github.com/tokio-rs/tokio/releases)
- [Commits](tokio-rs/tokio@tokio-1.51.1...tokio-1.52.3)

Updates `bytes` from 1.11.1 to 1.12.0
- [Release notes](https://github.com/tokio-rs/bytes/releases)
- [Changelog](https://github.com/tokio-rs/bytes/blob/master/CHANGELOG.md)
- [Commits](tokio-rs/bytes@v1.11.1...v1.12.0)

Updates `http` from 1.4.1 to 1.4.2
- [Release notes](https://github.com/hyperium/http/releases)
- [Changelog](https://github.com/hyperium/http/blob/master/CHANGELOG.md)
- [Commits](hyperium/http@v1.4.1...v1.4.2)

Updates `quiche` from 0.29.1 to 0.29.2
- [Release notes](https://github.com/cloudflare/quiche/releases)
- [Commits](cloudflare/quiche@0.29.1...0.29.2)

Updates `rustls` from 0.23.40 to 0.23.41
- [Release notes](https://github.com/rustls/rustls/releases)
- [Changelog](https://github.com/rustls/rustls/blob/main/CHANGELOG.md)
- [Commits](rustls/rustls@v/0.23.40...v/0.23.41)

---
updated-dependencies:
- dependency-name: h2
  dependency-version: 0.4.15
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dependencies
- dependency-name: tokio
  dependency-version: 1.52.3
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: bytes
  dependency-version: 1.12.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: dependencies
- dependency-name: http
  dependency-version: 1.4.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dependencies
- dependency-name: quiche
  dependency-version: 0.29.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dependencies
- dependency-name: rustls
  dependency-version: 0.23.41
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
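
The two quiche use-after-free fixes quoted in the release notes above share one pattern: a pointer handed across the C boundary must point into storage that outlives the call. The following Rust model is an added example, not quiche's code and not part of this PR; `ConnIdIter`, `retired_iter`, `iter_next`, `iter_free` and `drain_like_c_caller` are hypothetical names, and the connection IDs are constructed sample values.

```rust
// Added example: simplified model of the pointer-lifetime bug, not quiche source.
// Every name here (ConnIdIter, iter_next, ...) is hypothetical.
use std::collections::VecDeque;

/// Iterator handed across a C boundary; it owns every ID it exposes.
pub struct ConnIdIter { ids: Vec<Vec<u8>>, index: usize }

/// Retired IDs are drained into the iterator first, so the iterator (not a
/// temporary) owns the backing storage.
pub fn retired_iter(retired: &mut VecDeque<Vec<u8>>) -> *mut ConnIdIter {
    let ids = retired.drain(..).collect();
    Box::into_raw(Box::new(ConnIdIter { ids, index: 0 }))
}

/// Returns a pointer into storage owned by `iter`, valid until iter_free().
pub unsafe extern "C" fn iter_next(
    iter: *mut ConnIdIter, out: *mut *const u8, out_len: *mut usize,
) -> bool {
    let it = &mut *iter;
    // "Before" shape: `let id = it.ids[it.index].clone(); *out = id.as_ptr();`
    // The clone is a local dropped at return, so the caller read freed memory.
    let Some(id) = it.ids.get(it.index) else { return false };
    it.index += 1;
    *out = id.as_ptr();
    *out_len = id.len();
    true
}

/// Releases the iterator and, with it, every ID it handed out.
pub unsafe extern "C" fn iter_free(iter: *mut ConnIdIter) {
    if !iter.is_null() { drop(Box::from_raw(iter)); }
}

/// Walks the iterator the way a C caller would, copying each ID out.
pub fn drain_like_c_caller(retired: &mut VecDeque<Vec<u8>>) -> Vec<Vec<u8>> {
    let iter = retired_iter(retired);
    let (mut p, mut n, mut got) = (std::ptr::null::<u8>(), 0usize, Vec::new());
    unsafe {
        while iter_next(iter, &mut p, &mut n) {
            got.push(std::slice::from_raw_parts(p, n).to_vec());
        }
        iter_free(iter);
    }
    got
}

fn main() {
    let mut retired = VecDeque::from([vec![0xAA; 8], vec![0xBB; 16]]); // constructed IDs
    println!("{:?}", drain_like_c_caller(&mut retired));
}
```

Callers must copy each ID out before freeing the iterator, since every returned pointer is invalidated by the free call.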
dependabot Bot added the dependencies and rust (Pull requests that update rust code) labels Jun 23, 2026