chore(deps): bump the version-updates group across 1 directory with 14 updates

[dependabot]

Bumps the version-updates group with 14 updates in the / directory:

Package	From	To
async-graphql	7.0.17	7.0.19
async-graphql-axum	7.0.17	7.0.19
axum	0.8.7	0.8.8
axum-extra	0.12.2	0.12.5
tokio	1.47.1	1.48.0
tower-http	0.6.6	0.6.8
serde_json	1.0.145	1.0.148
reqwest	0.12.23	0.13.1
config	0.15.18	0.15.19
tracing	0.1.41	0.1.44
tracing-subscriber	0.3.20	0.3.22
oauth2	4.4.2	5.0.0
bcrypt	0.15.1	0.17.1
rand	0.8.5	0.9.0

Updates async-graphql from 7.0.17 to 7.0.19

Changelog

Sourced from async-graphql's changelog.

[7.0.19] 2026-01-01

• Revert heck migration (breaks current schemas)

[7.0.18] 2026-01-01

• update MSRV to 1.89.0
• Fix DataLoader with tracing #1749
• Fix clippy lints #1770
• Upgrade hashbrown to 0.16 #1771
• Upgrade zxcvbn to 3.1 #1771
• Upgrade lru to 0.16 #1771
• Upgrade handlebars to 6.3 #1771
• Upgrade schemars to 1.2 #1771
• Upgrade darling to 0.23
• Upgrade strum to 0.27
• Upgrade criterion to 0.8
• Move from Inflector to heck (since Inflector is archived) #1732
• Remove double boxing from subscription streams #1736
• Fix unblock feature without tempfile #1718
• Upgrade thiserror to 2.0

Commits

• See full diff in compare view

Updates async-graphql-axum from 7.0.17 to 7.0.19

Changelog

Sourced from async-graphql-axum's changelog.

[7.0.19] 2026-01-01

• Revert heck migration (breaks current schemas)

[7.0.18] 2026-01-01

• update MSRV to 1.89.0
• Fix DataLoader with tracing #1749
• Fix clippy lints #1770
• Upgrade hashbrown to 0.16 #1771
• Upgrade zxcvbn to 3.1 #1771
• Upgrade lru to 0.16 #1771
• Upgrade handlebars to 6.3 #1771
• Upgrade schemars to 1.2 #1771
• Upgrade darling to 0.23
• Upgrade strum to 0.27
• Upgrade criterion to 0.8
• Move from Inflector to heck (since Inflector is archived) #1732
• Remove double boxing from subscription streams #1736
• Fix unblock feature without tempfile #1718
• Upgrade thiserror to 2.0

Commits

• See full diff in compare view

Updates axum from 0.8.7 to 0.8.8

Release notes

Sourced from axum's releases.

axum v0.8.8

• Clarify documentation for Router::route_layer (#3567)

#3567: tokio-rs/axum#3567

Commits

• d07863f Release axum v0.8.8 and axum-extra v0.12.3
• 287c674 axum-extra: Make typed-routing feature enable routing feature (#3514)
• f5804aa SecondElementIs: Correct a small inconsistency (#3559)
• f51f3ba axum-extra: Add trailing newline to pretty JSON response (#3526)
• 816407a Fix integer underflow in try_range_response for empty files (#3566)
• 78656eb docs: Clarify route_layer does not apply middleware to the fallback handler...
• See full diff in compare view

Updates axum-extra from 0.12.2 to 0.12.5

Release notes

Sourced from axum-extra's releases.

axum-extra v0.12.3

• changed: Make the typed-routing feature enable the routing feature (#3514)
• changed: Add trailing newline to ErasedJson::pretty response bodies (#3526)
• fixed: Fix integer underflow in FileStream::try_range_response for empty files (#3566)

#3514: tokio-rs/axum#3514 #3526: tokio-rs/axum#3526 #3566: tokio-rs/axum#3566

Commits

• d9f79f5 Release axum-extra v0.12.5
• 6b00891 fix(json-lines): Respect default body limit (#3591)
• 4e2bc8c Release axum-extra v0.12.4
• f72c298 Improve error messages with #[diagnostic::do_not_recommend] (#3588)
• aba8046 Deprecate Host and Scheme extractors
• adf2e6c Remove CI job using ancient nightly
• 8eaf49e Remove cargo-sort CI job
• 5155b9b Remove cargo-public-api-crates CI job
• b6ffaee Exclude broken example from workspace
• d07863f Release axum v0.8.8 and axum-extra v0.12.3
• Additional commits viewable in compare view

Updates tokio from 1.47.1 to 1.48.0

Release notes

Sourced from tokio's releases.

Tokio v1.48.0

1.48.0 (October 14th, 2025)

The MSRV is increased to 1.71.

Added

• fs: add File::max_buf_size (#7594)
• io: export Chain of AsyncReadExt::chain (#7599)
• net: add SocketAddr::as_abstract_name (#7491)
• net: add TcpStream::quickack and TcpStream::set_quickack (#7490)
• net: implement AsRef<Self> for TcpStream and UnixStream (#7573)
• task: add LocalKey::try_get (#7666)
• task: implement Ord for task::Id (#7530)

Changed

• deps: bump windows-sys to version 0.61 (#7645)
• fs: preserve max_buf_size when cloning a File (#7593)
• macros: suppress clippy::unwrap_in_result in #[tokio::main] (#7651)
• net: remove PollEvented noise from Debug formats (#7675)
• process: upgrade Command::spawn_with to use FnOnce (#7511)
• sync: remove inner mutex in SetOnce (#7554)
• sync: use UnsafeCell::get_mut in Mutex::get_mut and RwLock::get_mut (#7569)
• time: reduce the generated code size of Timeout<T>::poll (#7535)

Fixed

• macros: fix hygiene issue in join! and try_join! (#7638)
• net: fix copy/paste errors in udp peek methods (#7604)
• process: fix error when runtime is shut down on nightly-2025-10-12 (#7672)
• runtime: use release ordering in wake_by_ref() even if already woken (#7622)
• sync: close the broadcast::Sender in broadcast::Sender::new() (#7629)
• sync: fix implementation of unused RwLock::try_* methods (#7587)

Unstable

• tokio: use cargo features instead of --cfg flags for taskdump and io_uring (#7655, #7621)
• fs: support io_uring in fs::write (#7567)
• fs: support io_uring with File::open() (#7617)
• fs: support io_uring with OpenOptions (#7321)
• macros: add local runtime flavor (#7375, #7597)

Documented

• io: clarify the zero capacity case of AsyncRead::poll_read (#7580)
• io: fix typos in the docs of AsyncFd readiness guards (#7583)
• net: clarify socket gets closed on drop (#7526)
• net: clarify the behavior of UCred::pid() on Cygwin (#7611)
• net: clarify the supported platform of set_reuseport() and reuseport() (#7628)

... (truncated)

Commits

• 556820f chore: prepare Tokio v1.48.0 (#7677)
• fd1659a chore: prepare tokio-macros v2.6.0 (#7676)
• 53e8aca ci: update nightly version to 2025-10-12 (#7670)
• 9e5527d process: fix error when runtime is shut down on nightly-2025-10-12 (#7672)
• 25a24de net: remove PollEvented noise from Debug formats (#7675)
• c1fa25f task: clarify the behavior of several spawn_local methods (#7669)
• e7e02fc fs: use FileOptions inside fs::File to support uring (#7617)
• f7a7f62 ci: remove cargo-deny Unicode-DFS-2016 license exception config (#7619)
• d1f1499 tokio: use cargo feature for taskdump support instead of cfg (#7655)
• ad6f618 runtime: clarify the behavior of Handle::block_on (#7665)
• Additional commits viewable in compare view

Updates tower-http from 0.6.6 to 0.6.8

Release notes

Sourced from tower-http's releases.

tower-http-0.6.8

Fixed

• Disable multiple_members in Gzip decoder, since HTTP context only uses one member. (#621)

#621: tower-rs/tower-http#621

What's Changed

• Disable multiple_members option for gzip decoder by @​ducaale in tower-rs/tower-http#621
• ci: Pin tracing in MSRV job by @​ducaale in tower-rs/tower-http#622
• ci: Switch cargo-public-api-crates to cargo-check-external-types by @​tottoto in tower-rs/tower-http#613
• Remove deprecated annotations and Refactor From implementations by @​sinder38 in tower-rs/tower-http#608
• v0.6.8 by @​seanmonstar in tower-rs/tower-http#624

New Contributors

• @​sinder38 made their first contribution in tower-rs/tower-http#608

Full Changelog: tower-rs/tower-http@tower-http-0.6.7...tower-http-0.6.8

tower-http-0.6.7

Added

• TimeoutLayer::with_status_code(status) to define the status code returned when timeout is reached. (#599)

Deprecated

• auth::require_authorization is too basic for real-world. (#591)
• TimeoutLayer::new() should be replaced with TimeoutLayer::with_status_code(). (Previously was StatusCode::REQUEST_TIMEOUT) (#599)

Fixed

• on_eos is now called even for successful responses. (#580)
• ServeDir: call fallback when filename is invalid (#586)
• decompression will not fail when body is empty (#618)

#580: tower-rs/tower-http#580 #586: tower-rs/tower-http#586 #591: tower-rs/tower-http#591 #599: tower-rs/tower-http#599 #618: tower-rs/tower-http#618

New Contributors

• @​mladedav made their first contribution in tower-rs/tower-http#580
• @​aryaveersr made their first contribution in tower-rs/tower-http#586
• @​soerenmeier made their first contribution in tower-rs/tower-http#588

... (truncated)

Commits

• 33166c8 v0.6.8
• 6680160 Fix deprecated lints (#608)
• 81b8231 ci: Switch cargo-public-api-crates to cargo-check-external-types (#613)
• 1fb0144 ci: pin tracing in msrv job (#622)
• 1fe4c09 fix(decompression): disable multiple_members option for gzip decoder (#621)
• 3bf1ba7 v0.6.7
• 723ca9a fix(decompression): Suppress EOF errors caused by decompressing empty body (#...
• 8ab9f82 chore(ci): use newer cargo-public-api-crates job (#619)
• 7cfdf76 doc: Replace doc_auto_cfg with doc_cfg (#609)
• 50beeaf Add support for custom status code in TimeoutLayer (#599)
• Additional commits viewable in compare view

Updates serde_json from 1.0.145 to 1.0.148

Release notes

Sourced from serde_json's releases.

v1.0.148

• Update zmij dependency to 1.0

v1.0.147

• Switch float-to-string algorithm from Ryū to Żmij for better f32 and f64 serialization performance (#1304)

v1.0.146

• Set fast_arithmetic=64 for riscv64 (#1305, thanks @​Xeonacid)

Commits

• 8b291c4 Release 1.0.148
• 1aefe15 Update to zmij 1.0
• 62d6e8d Release 1.0.147
• fd829a6 Merge pull request #1304 from dtolnay/zmij
• e757a3d Switch from ryu -> zmij for float formatting
• 75ad7e6 Release 1.0.146
• bc6c827 Merge pull request #1305 from Xeonacid/patch-1
• a09210a Set fast_arithmetic=64 for riscv64
• 01182e5 Update actions/upload-artifact@v5 -> v6
• 383b13a Update actions/upload-artifact@v4 -> v5
• Additional commits viewable in compare view

Updates reqwest from 0.12.23 to 0.13.1

Release notes

Sourced from reqwest's releases.

v0.13.1

What's Changed

• http3: depend on quinn/rustls-aws-lc-rs to avoid ring dependency by @​djc in seanmonstar/reqwest#2917
• fix rustls on android by @​seanmonstar in seanmonstar/reqwest#2918

Full Changelog: seanmonstar/reqwest@v0.13.0...v0.13.1

v0.13.0

Breaking changes

• rustls is now the default TLS backend, instead of native-tls.
• rustls crypto provider defaults to aws-lc instead of ring. (rustls-no-provider exists if you want a different crypto provider)
• rustls-tls has been renamed to rustls.
• rustls roots features removed, rustls-platform-verifier is used by default.
  • To use different roots, call tls_certs_only(your_roots).
• native-tls now includes ALPN. To disable, use native-tls-no-alpn.
• query and form are now crate features, disabled by default.
• Long-deprecated methods and crate features have been removed (such as trust-dns, which was renamed hickory-dns a while ago).
• Many TLS-related methods renamed to improve autocompletion and discovery, but previous name left in place with a "soft" deprecation. (just documented, no warnings)
  • For example, prefer tls_backend_rustls() over use_rustls_tls().

Pull Requests in General

• start 0.13 dev by @​seanmonstar in seanmonstar/reqwest#2894
• Make serde optional by introducing query, form features, and re-working WASM header parsing by @​CathalMullan in seanmonstar/reqwest#2858
• replace ClientBuilder::dns_resolver with dns_resolver2 by @​seanmonstar in seanmonstar/reqwest#2898
• feat: make Rustls the default TLS provider by @​calavera in seanmonstar/reqwest#2897
• feat: consolidate TLS options with rustls-platform-verifier by @​seanmonstar in seanmonstar/reqwest#2891
• remove long-deprecated methods: trust-dns and non-wasm-cors by @​seanmonstar in seanmonstar/reqwest#2899
• rename rustls-tls feature to just rustls by @​seanmonstar in seanmonstar/reqwest#2900
• remove deprecated features trust-dns and macos-system-configuration by @​seanmonstar in seanmonstar/reqwest#2901
• chore: separate rustls and rustls-no-provider features by @​seanmonstar in seanmonstar/reqwest#2903
• rustls: allow windows to use extra roots by @​seanmonstar in seanmonstar/reqwest#2904
• v0.13.0-rc.1 by @​seanmonstar in seanmonstar/reqwest#2905
• Enable ALPN by default in native-tls by @​ducaale in seanmonstar/reqwest#2907
• v0.13.0 by @​seanmonstar in seanmonstar/reqwest#2915

New Contributors

• @​CathalMullan made their first contribution in seanmonstar/reqwest#2858

Full Changelog: seanmonstar/reqwest@v0.12.28...v0.13.0

v0.13.0-rc.1

👀 Discussion here if you give it try, thanks!

Main breaking changes

• rustls is now default instead of native-tls
• rustls provider defaults to aws-lc instead of ring (rustls-no-provider exists if you want to enable a different one)
• rustls-tls renamed to rustls
• rustls roots features removed, platform-verifier is used instead

... (truncated)

Changelog

Sourced from reqwest's changelog.

v0.13.1

• Fixes compiling with rustls on Android targets.

v0.13.0

• Breaking changes:
  • rustls is now the default TLS backend, instead of native-tls.
  • rustls crypto provider defaults to aws-lc instead of ring. (rustls-no-provider exists if you want a different crypto provider)
  • rustls-tls has been renamed to rustls.
  • rustls roots features removed, rustls-platform-verifier is used by default.
    • To use different roots, call tls_certs_only(your_roots).
  • native-tls now includes ALPN. To disable, use native-tls-no-alpn.
  • query and form are now crate features, disabled by default.
  • Long-deprecated methods and crate features have been removed (such as trust-dns, which was renamed hickory-dns a while ago).
• Many TLS-related methods renamed to improve autocompletion and discovery, but previous name left in place with a "soft" deprecation. (just documented, no warnings)
  • For example, prefer tls_backend_rustls() over use_rustls_tls().

v0.12.28

• Fix compiling on Windows if TLS and SOCKS features are not enabled.

v0.12.27

• Add ClientBuilder::windows_named_pipe(name) option that will force all requests over that Windows Named Piper.

v0.12.26

• Fix sending Accept-Encoding header only with values configured with reqwest, regardless of underlying tower-http config.

v0.12.25

• Add Error::is_upgrade() to determine if the error was from an HTTP upgrade.
• Fix sending Proxy-Authorization if only username is configured.
• Fix sending Proxy-Authorization to HTTPS proxies when the target is HTTP.
• Refactor internal decompression handling to use tower-http.

v0.12.24

• Refactor cookie handling to an internal middleware.
• Refactor internal random generator.
• Refactor base64 encoding to reduce a copy.
• Documentation updates.

Commits

• 10fb98c v0.13.1
• 438098a chore: refer to h2 as dep:h2 (#2919)
• 43aac91 chore(ci): bump actions/checkout from 5 to 6 (#2864)
• 175f5b2 fix rustls on android (#2918)
• 1afe88e Depend on quinn/rustls-aws-lc-rs to avoid ring dependency (#2917)
• 62a80af v0.13.0
• e8d89f4 enable ALPN by default in native-tls (#2907)
• 9a9daa7 v0.13.0-rc.1
• d518e45 rustls: allow windows to use extra roots (#2904)
• 934bc84 chore: separate rustls and rustls-no-provider features (#2903)
• Additional commits viewable in compare view

Updates config from 0.15.18 to 0.15.19

Changelog

Sourced from config's changelog.

[0.15.19] - 2025-11-12

Internal

• (ron) Update to 0.12

Commits

• e7ff326 chore: Release config version 0.15.19
• cbee54c chore: Update deps (#715)
• d53e906 chore: Update deps
• b10653a docs: Update changelog
• 527de7d fix: Update to latest ron (#714)
• 6c2cfd0 fix: Update to latest ron
• 16ef680 chore(deps): Update Rust Stable to v1.91 (#712)
• 2051f62 style: Make clippy happy
• bf6e256 chore: Update dependencies (#702)
• de242e0 chore: Update dependencies
• Additional commits viewable in compare view

Updates tracing from 0.1.41 to 0.1.44

Release notes

Sourced from tracing's releases.

tracing 0.1.44

Fixed

• Fix record_all panic (#3432)

Changed

• tracing-core: updated to 0.1.36 (#3440)

#3432: tokio-rs/tracing#3432 #3440: tokio-rs/tracing#3440

tracing 0.1.43

Important

The previous release [0.1.42] was yanked because #3382 was a breaking change. See further details in #3424. This release contains all the changes from that version, plus a revert for the problematic part of the breaking PR.

Fixed

• Revert "make valueset macro sanitary" (#3425)

#3382: tokio-rs/tracing#3382 #3424: tokio-rs/tracing#3424 #3425: tokio-rs/tracing#3425 [0.1.42]: https://github.com/tokio-rs/tracing/releases/tag/tracing-0.1.42

tracing 0.1.42

Important

The [Span::record_all] method has been removed from the documented API. It was always unsuable via the documented API as it requried a ValueSet which has no publically documented constructors. The method remains, but should not be used outside of tracing macros.

Added

• attributes: Support constant expressions as instrument field names (#3158)
• Add record_all! macro for recording multiple values in one call (#3227)
• core: Improve code generation at trace points significantly (#3398)

Changed

• tracing-core: updated to 0.1.35 (#3414)
• tracing-attributes: updated to 0.1.31 (#3417)

Fixed

• Fix "name / parent" variant of event! (#2983)

... (truncated)

Commits

• 2d55f6f chore: prepare tracing 0.1.44 (#3439)
• 10a9e83 chore: prepare tracing-core 0.1.36 (#3440)
• ee82cf9 tracing: fix record_all panic (#3432)
• 9978c36 chore: prepare tracing-mock 0.1.0-beta.3 (#3429)
• cc44064 chore: prepare tracing-subscriber 0.3.22 (#3428)
• 64e1c8d chore: prepare tracing 0.1.43 (#3427)
• 7c44f7b tracing: revert "make valueset macro sanitary" (#3425)
• cdaf661 chore: prepare tracing-mock 0.1.0-beta.2 (#3422)
• a164fd3 chore: prepare tracing-journald 0.3.2 (#3421)
• 405397b chore: prepare tracing-appender 0.2.4 (#3420)
• Additional commits viewable in compare view

Updates tracing-subscriber from 0.3.20 to 0.3.22

Release notes

Sourced from tracing-subscriber's releases.

tracing-subscriber 0.3.22

Important

The previous release [0.3.21] was yanked as it depended explicitly on [tracing-0.1.42], which was yanked due to a breaking change (see #3424 for details). This release contains all the changes from the previous release, plus an update to the newer version of tracing.

Changed

• tracing: updated to 0.1.43 (#3427)

#3424: tokio-rs/tracing#3424 #3427: tokio-rs/tracing#3427 [0.3.21]: https://github.com/tokio-rs/tracing/releases/tag/tracing-subscriber-0.3.21 [tracing-0.1.42]: https://github.com/tokio-rs/tracing/releases/tag/tracing-0.1.42

tracing-subscriber 0.3.21

Fixed

• Change registry exit to decrement local span ref only (#3331)
• Make Layered propagate on_register_dispatch (#3379)

Changed

• tracing: updated to 0.1.42 (#3418)

Performance

• Remove clone_span on enter (#3289)

Documented

• Fix a few small things in the format module (#3339)
• Fix extra closing brace in layer docs (#3350)
• Fix link in FmtSpan docs (#3411)

#3289: tokio-rs/tracing#3289 #3331: tokio-rs/tracing#3331 #3339: tokio-rs/tracing#3339 #3350: tokio-rs/tracing#3350 #3379: tokio-rs/tracing#3379 #3411: tokio-rs/tracing#3411 #3418: tokio-rs/tracing#3418

Commits

• cc44064 chore: prepare tracing-subscriber 0.3.22 (#3428)
• 64e1c8d chore: prepare tracing 0.1.43 (#3427)
• 7c44f7b tracing: revert "make valueset macro sanitary" (#3425)
• cdaf661 chore: prepare tracing-mock 0.1.0-beta.2 (#3422)
• a164fd3 chore: prepare tracing-journald 0.3.2 (#3421)
• 405397b chore: prepare tracing-appender 0.2.4 (#3420)
• a9eeed7 chore: prepare tracing-subscriber 0.3.21 (#3419)
• 5bd5505 chore: prepare tracing 0.1.42 (#3418)
• 5508623 chore: prepare tracing-attributes 0.1.31 (#3417)
• d92b4c0 chore: prepare tracing-core 0.1.35 (#3414)
• Additional commits viewable in compare view

Updates oauth2 from 4.4.2 to 5.0.0

Release notes

Sourced from oauth2's releases.

5.0.0

Refer to the Upgrade Guide for tips on how to upgrade from 4.x.

Changes since 5.0.0-rc.1

Bug Fixes

• Improve HttpClientError::Reqwest error message (9a2b746)

Full Changelog: ramosbugs/oauth2-rs@5.0.0-rc.1...5.0.0

Summary of changes since 4.4.2

Breaking Changes

• Replace TokenResponse generic with associated type (30ced325da24312c4e6b9d802adcb36a88594353)
• Return impl Future instead of Pin<Box<dyn Future>> to fix Send/Sync bounds (6e583bd03203e42ef712fc90edb57cf5a389f9b7)
• Bump http to 1.0 and reqwest to 0.12 (408ecab500158145bf249e78a73a8010933bb0e2)
• Add conditional typestates (replacing Boolean typestates from 5.0.0-alpha.1) (85ea4700e1ad8a3efef7aa78660fd0056d9b46e6)
• Consolidate HTTP client errors into oauth2::HttpClientError and flatten exports (e.g., oauth2::reqwest instead of oauth2::reqwest::reqwest) (4391eed01c26c3e9e9fd5a14d90f111a02636a4c)
• reqwest: Migrate to shared Error type and use thiserror's From impl by @​MarijnS95 (#238)
• Bump MSRV to 1.65 and institute a policy supporting Rust releases going back at least 6 months (same policy as openidconnect crate) (576f8096914c7da82a5cd8c2253d47541697aa6a)
• Improve Display output of RequestTokenError::ServerResponse (96c6f9b17b5fdea98a6a7b84bec8e420671342eb)
• Track Client endpoints statically via typestates (1d1f4d17ecdf2a3feb565eb1789cc8649cac7705)
• Refactor crate into smaller private modules and make devicecode and revocation modules private (9d8f11addf819134f15c6d7f03276adb3d32e80b)
• Add reqwest-blocking feature (da7d1c51ccfac95b25af67d2e725ae510d185f5b)
• Rename URI/URL getters and setters (4d55c26ad6e233d8f23b4514fe743d365a5a432f)
• Add AsyncHttpClient and SyncHttpClient traits (23b952b23e6069525bc7e4c4f2c4924b8d28ce3a)

New Features

• Implement SecretType::into_secret (#272)
• Add timing-resistant-secret-traits feature for PartialEq/Hash by @​kate-shine (ramosbugs/oauth2-rs#232)
• Derive Eq for types that already derive PartialEq (b19ad89262af501f53c1b82015046506834c98e9)
• Implement From instead of Into for newtypes (d9402c42767b35a4c05bc4db3780b1df115b7b24)
• Implement Display trait for URL types (8bd0ff1e0339c0945871552210b300c05e89c519)

Bug Fixes

• Improve HttpClientError::Reqwest error message (9a2b746)
• Accept null device code interval (#278)
• Ignore async token revocation response body (#282)
• Derive Clone and Debug for EndpointState types (#263)

Other Changes

• Inline format args (#270)
• Update dev dependencies (#285)
• Remove defunct sponsorship from README
• Remove client secret from implicit flow example (#286)
• Use --locked on MSRV build in CI
• Allow base64 0.21 or 0.22 (#261)
• Bump base64 to 0.21 (db0ea44657bd6c1130b83ce135ac2691ba091fad)
• Set minimum version of chrono to 0.4.31 (7b667fc29b52392f4c47c07f0923c88847951b50)
• Mention openidconnect crate in README (7b667fc29b52392f4c47c07f0923c88847951b50)

... (truncated)

Upgrade guide

Sourced from oauth2's upgrade guide.

Upgrade Guide

Upgrading from 4.x to 5.x

The 5.0 release includes breaking changes to address several long-standing API issues, along with a few minor improvements. Consider following the tips below to help ensure a smooth upgrade process.

Upgrade Rust to 1.65 or newer

The minimum supported Rust version (MSRV) is now 1.65. Going forward, this crate will maintain a policy of supporting Rust releases going back at least 6 months. Changes that break compatibility with Rust releases older than 6 months will no longer be considered SemVer breaking changes and will not result in a new major version number for this crate. MSRV changes will coincide with minor version updates and will not happen in patch releases.

Add typestate generic types to Client

Each auth flow depends on one or more server endpoints. For example, the authorization code flow depends on both an authorization endpoint and a token endpoint, while the client credentials flow only depends on a token endpoint. Previously, it was possible to instantiate a Client without a token endpoint and then attempt to use an auth flow that required a token endpoint, leading to errors at runtime. Also, the authorization endpoint was always required, even for auth flows that do not use it.

In the 5.0 release, all endpoints are optional. Typestates are used to statically track, at compile time, which endpoints' setters (e.g., set_auth_uri()) have been called. Auth flows that depend on an endpoint cannot be used without first calling the corresponding setter, which is enforced by the compiler's type checker. This guarantees that certain errors will not arise at runtime.

In addition to unconditional setters (e.g., set_auth_uri()), each endpoint has a corresponding conditional setter (e.g., set_auth_uri_option()) that sets a conditional typestate (EndpointMaybeSet). When the conditional typestate is set, endpoints can be used via fallible methods that return Err(ConfigurationError::MissingUrl(_)) if an endpoint has not been set. This is useful in dynamic scenarios such as OpenID Connect Discovery, in which it cannot be determined until runtime whether an endpoint is configured.

There are three possible typestates, each implementing the EndpointState trait:

• EndpointNotSet: the corresponding endpoint has not been set and cannot be used.
• EndpointSet: the corresponding endpoint has been set and is ready to be used.
• EndpointMaybeSet: the corresponding endpoint may have been set and can be used via fallible methods that return Result<_, ConfigurationError>.

The following code changes are required to support the new interface:

1. Update calls to Client::new() to use the single-argument constructor (which accepts only a ClientId). Use the set_auth_uri(), set_token_uri(), and set_client_secret() methods to set the authorization endpoint,

... (truncated)

Commits

• f3424b4 Update Cargo-1.65.lock
• 61ec227 Bump version to 5.0.0
• 9a2b746 Improve HttpClientError::Reqwest error message
• 2492d69 Bump version to 5.0.0-rc.1
• c599c12 Use --locked on MS...

  Description has been truncated