build(deps): bump the cargo group across 1 directory with 9 updates

[dependabot]

Bumps the cargo group with 9 updates in the / directory:

Package	From	To
clap	4.5.60	4.6.0
pyo3	0.28.2	0.28.3
semver	1.0.27	1.0.28
tempfile	3.26.0	3.27.0
tokio	1.50.0	1.51.1
napi	3.8.3	3.8.4
napi-derive	3.5.2	3.5.3
sha2	0.10.9	0.11.0
zip	8.2.0	8.5.1

Updates clap from 4.5.60 to 4.6.0

Changelog

Sourced from clap's changelog.

[4.6.0] - 2026-03-12

Compatibility

• Update MSRV to 1.85

[4.5.61] - 2026-03-12

Internal

• Update dependencies

Commits

• 9ab6dee chore: Release
• 374a30d docs: Update changelog
• d0c8aab Merge pull request #6306 from epage/update
• 686ce2f chore: Upgrade compatible
• 8203238 Merge pull request #6305 from epage/msrv
• c774a89 docs: Reduce main's in doctests
• 73534f6 chore: Upgrade to 2025 edition
• dfe05a9 chore: Bump MSRV to 1.85
• 8b41d0b chore: Release
• 518220f docs: Update changelog
• Additional commits viewable in compare view

Updates pyo3 from 0.28.2 to 0.28.3

Release notes

Sourced from pyo3's releases.

PyO3 0.28.3

This patch contains several fixes for stability of the PyO3 0.28.x series:

• Python::attach and Python::try_attach will no longer return before the thread initializing the interpreter has finished runnning site.py when using the auto-initialize feature.
• Fix unsoundness in PyBytesWriter::write_vectored when targeting the Python 3.15 prerelease interpreter.
• Fix possible deadlock in .into_pyobject() implementation for C-like #[pyclass] enums.

A couple of edge cases causing compile failures were also fixed.

Thank you to the following contributors for the improvements:

@​alex @​bschoenmaeckers @​chirizxc @​davidhewitt @​Embers-of-the-Fire @​Icxolu @​maurosilber @​ngoldbaum

Changelog

Sourced from pyo3's changelog.

[0.28.3] - 2026-04-02

Fixed

• Fix compile error with #[pyclass(get_all)] on a type named Probe. #5837
• Fix compile error in debug builds related to _Py_NegativeRefcount with Python < 3.12. #5847
• Fix a race condition where Python::attach or try_attach could return before site.py had finished running. #5903
• Fix unsoundness in PyBytesWriter::write_vectored with Python 3.15 prerelease versions. #5907
• Fix deadlock in .into_pyobject() implementation for C-like #[pyclass] enums. #5928

Commits

• 743af64 release: 0.28.3
• 2042b4c fix deadlock when initializing enum via into_pyobject() (#5928)
• 0157247 ci: update UI tests for Rust 1.94 (#5859)
• e234f8a Update getting-started.md (#5899)
• c06848d fix ffi-check in 3.15.0a7 (#5873)
• 83f4283 remove unused try_trait_v2 feature when enabling the nightly feature (#5868)
• 0de57ed Fix unsoundness in PyBytesWriter::write_vectored (#5907)
• 49cd13f fixes #5900 -- address race condition with initialization and site.py loading...
• c90d163 [fix] Fix std::ffi import for _Py_NegativeRefcount (#5847)
• b79d725 fix(pyo3-macros): allow pyclass named Probe (#5837)
• See full diff in compare view

Updates semver from 1.0.27 to 1.0.28

Release notes

Sourced from semver's releases.

1.0.28

• Documentation improvements

Commits

• 7625c7a Release 1.0.28
• fd404d0 Merge pull request 351 from czy-29/master
• f75f26e The doc_auto_cfg and doc_cfg features have been merged
• 9e2bfa2 Enable serde on docs.rs and automatically add serde flag to the docs
• 8591f23 Unpin CI miri toolchain
• 66bdd2c Pin CI miri to nightly-2026-02-11
• 324ffce Switch from cargo bench to criterion
• 34133a5 Update actions/upload-artifact@v5 -> v6
• 7f935ff Update actions/upload-artifact@v4 -> v5
• c07fb91 Switch from test::black_box to std::hint::black_box
• Additional commits viewable in compare view

Updates tempfile from 3.26.0 to 3.27.0

Changelog

Sourced from tempfile's changelog.

3.27.0

This release adds TempPath::try_from_path and deprecates TempPath::from_path.

Prior to this release, TempPath::from_path made no attempts to convert relative paths into absolute paths. The following code would have deleted the wrong file:

let tmp_path = TempPath::from_path("foo")
std::env::set_current_dir("/some/other/path").unwrap();
drop(tmp_path);

Now:

1. TempPath::from_path will attempt to convert relative paths into absolute paths. However, this isn't always possible as we need to call std::env::current_dir, which can fail. If we fail to convert the relative path to an absolute path, we simply keep the relative path.
2. The TempPath::try_from_path behaves exactly like TempPath::from_path, except that it returns an error if we fail to convert a relative path into an absolute path (or if the passed path is empty).

Neither function attempt to verify the existence of the file in question.

Thanks to @​meng-xu-cs for reporting this issue.

Commits

• 5c8fa12 chore: release 3.27.0
• e34e574 test: disable uds conflict test on redox
• 772c795 test: add CWD guards
• 2632fb9 fix: resolve relative paths when constructing TempPath
• See full diff in compare view

Updates tokio from 1.50.0 to 1.51.1

Release notes

Sourced from tokio's releases.

Tokio v1.51.1

1.51.1 (April 8th, 2026)

Fixed

• sync: fix semaphore reopens after forget (#8021)
• net: surface errors from SO_ERROR on recv for UDP sockets on Linux (#8001)

Fixed (unstable)

• metrics: fix worker_local_schedule_count test (#8008)
• rt: do not leak fd when cancelling io_uring open operation (#7983)

#7983: tokio-rs/tokio#7983 #8001: tokio-rs/tokio#8001 #8008: tokio-rs/tokio#8008 #8021: tokio-rs/tokio#8021

Tokio v1.51.0

1.51.0 (April 3rd, 2026)

Added

• net: implement get_peer_cred on Hurd (#7989)
• runtime: add tokio::runtime::worker_index() (#7921)
• runtime: add runtime name (#7924)
• runtime: stabilize LocalRuntime (#7557)
• wasm: add wasm32-wasip2 networking support (#7933)

Changed

• runtime: steal tasks from the LIFO slot (#7431)

Fixed

• docs: do not show "Available on non-loom only." doc label (#7977)
• macros: improve overall macro hygiene (#7997)
• sync: fix notify_waiters priority in Notify (#7996)
• sync: fix panic in Chan::recv_many when called with non-empty vector on closed channel (#7991)

#7431: tokio-rs/tokio#7431 #7557: tokio-rs/tokio#7557 #7921: tokio-rs/tokio#7921 #7924: tokio-rs/tokio#7924 #7933: tokio-rs/tokio#7933 #7977: tokio-rs/tokio#7977 #7989: tokio-rs/tokio#7989 #7991: tokio-rs/tokio#7991 #7996: tokio-rs/tokio#7996 #7997: tokio-rs/tokio#7997

Commits

• 98df02d chore: prepare Tokio v1.51.1 (#8023)
• 3ea11e2 sync: fix semaphore reopens after forget (#8021)
• c791213 rt: do not leak fd when cancelling io_uring open operation (#7983)
• ad8c59a net: surface errors from SO_ERROR on recv for UDP sockets on Linux (#8001)
• 654d38b metrics: fix worker_local_schedule_count test (#8008)
• 857ba80 docs: improve contributing docs on how to specify crates dependency versions ...
• 95b9342 chore: remove path deps for tokio-macros 2.7.0 (#8007)
• 0af06b7 chore: prepare Tokio v1.51.0 (#8005)
• 01a7f1d chore: prepare tokio-macros v2.7.0 (#8004)
• eeb55c7 runtime: steal tasks from the LIFO slot (#7431)
• Additional commits viewable in compare view

Updates napi from 3.8.3 to 3.8.4

Release notes

Sourced from napi's releases.

napi-v3.8.4

Fixed

• (deps) update rust crate ctor to v0.8.0 (#3170)
• (deps) update rust crate ctor to v0.7.0 (#3169)
• (napi) check for null error_message in ExtendedErrorInfo::try_from (#3158)
• (napi) skip nullish error causes when converting from Unknown (#3143)

Commits

• 7f65844 chore: release (#3150)
• 20c2cef chore(release): publish
• 4076daf test: fix flaky test
• d5a6288 fix(deps): update rust crate ctor to v0.8.0 (#3170)
• f72ec77 fix(deps): update rust crate ctor to v0.7.0 (#3169)
• bc728d0 fix: ensure emnapi version is synced (#3151)
• a1eadb8 fix: wasi template output (#3164)
• 68f4495 chore(deps): update openharmony-rs/setup-ohos-sdk action to v1 (#3166)
• 0e09cf2 build(deps): bump handlebars from 4.7.8 to 4.7.9 (#3167)
• 2bd0af6 fix(deps): update rust crate snmalloc-rs to 0.7 (#3163)
• Additional commits viewable in compare view

Updates napi-derive from 3.5.2 to 3.5.3

Release notes

Sourced from napi-derive's releases.

napi-derive-v3.5.3

Fixed

• (deps) update rust crate ctor to v0.8.0 (#3170)
• (deps) update rust crate ctor to v0.7.0 (#3169)

Commits

• 7f65844 chore: release (#3150)
• 20c2cef chore(release): publish
• 4076daf test: fix flaky test
• d5a6288 fix(deps): update rust crate ctor to v0.8.0 (#3170)
• f72ec77 fix(deps): update rust crate ctor to v0.7.0 (#3169)
• bc728d0 fix: ensure emnapi version is synced (#3151)
• a1eadb8 fix: wasi template output (#3164)
• 68f4495 chore(deps): update openharmony-rs/setup-ohos-sdk action to v1 (#3166)
• 0e09cf2 build(deps): bump handlebars from 4.7.8 to 4.7.9 (#3167)
• 2bd0af6 fix(deps): update rust crate snmalloc-rs to 0.7 (#3163)
• Additional commits viewable in compare view

Updates sha2 from 0.10.9 to 0.11.0

Commits

• ffe0939 Release sha2 0.11.0 (#806)
• 8991b65 Use the standard order of the [package] section fields (#807)
• 3d2bc57 sha2: refactor backends (#802)
• faa55fb sha3: bump keccak to v0.2 (#803)
• d3e6489 sha3 v0.11.0-rc.9 (#801)
• bbf6f51 sha2: tweak backend docs (#800)
• 155dbbf sha3: add default value for the DS generic parameter on TurboShake128/256...
• ed514f2 Use published version of keccak v0.2 (#799)
• 702bcd8 Migrate to closure-based keccak (#796)
• 827c043 sha3 v0.11.0-rc.8 (#794)
• Additional commits viewable in compare view

Updates zip from 8.2.0 to 8.5.1

Release notes

Sourced from zip's releases.

v8.5.1

🚜 Refactor

• change magic finder to stack buffer (#763)
• simplify extra field parsing (#764)

v8.5.0

🐛 Bug Fixes

• remove zip64 comment and add zip64 extensible data sector (#747)

🚜 Refactor

• remove useless magic in struct (#730)
• change extra_field from Arc<Vec> to Arc<[u8]> (#741)

⚙️ Miscellaneous Tasks

• cleanup README (#758)

v8.4.0

🚀 Features

• add a check for building benches (#748)

🚜 Refactor

• split part of read.rs for code readability (#744)
• remove unused allow (#745)

⚡ Performance

• skip BufReader for Stored files in make_reader (#739)

⚙️ Miscellaneous Tasks

• move pull request template to correct folder (#749)

v8.3.1

🚜 Refactor

• use AexEncryption::new (#736)
• update tests to add big endian miri check (#735)

⚙️ Miscellaneous Tasks

• cleanup repository files (#743)

v8.3.0

🚀 Features

... (truncated)

Changelog

Sourced from zip's changelog.

8.5.1 - 2026-04-06

🚜 Refactor

• change magic finder to stack buffer (#763)
• simplify extra field parsing (#764)

8.5.0 - 2026-04-01

🐛 Bug Fixes

• remove zip64 comment and add zip64 extensible data sector (#747)

🚜 Refactor

• remove useless magic in struct (#730)
• change extra_field from Arc<Vec> to Arc<[u8]> (#741)

⚙️ Miscellaneous Tasks

• cleanup README (#758)

8.4.0 - 2026-03-23

🚀 Features

• add a check for building benches (#748)

🚜 Refactor

• split part of read.rs for code readability (#744)
• remove unused allow (#745)

⚡ Performance

• skip BufReader for Stored files in make_reader (#739)

⚙️ Miscellaneous Tasks

• move pull request template to correct folder (#749)

8.3.1 - 2026-03-21

🚜 Refactor

• use AexEncryption::new (#736)
• update tests to add big endian miri check (#735)

⚙️ Miscellaneous Tasks

... (truncated)

Commits

• 5c0a0a2 chore: release v8.5.1 (#766)
• e1fc904 ci(deps): bump github/codeql-action from 4.32.6 to 4.35.1 (#769)
• ef6392d refactor: change magic finder to stack buffer (#763)
• f6c64ff refactor: simplify extra field parsing (#764)
• 93ea679 chore: release v8.5.0 (#762)
• fbd0d41 refactor: remove useless magic in struct (#730)
• 1043e92 refactor: change extra_field from Arc<Vec> to Arc<[u8]> (#741)
• 2eb28b6 fix: remove zip64 comment and add zip64 extensible data sector (#747)
• 5f4a644 ci(deps): bump rust-lang/crates-io-auth-action from 1.0.3 to 1.0.4 (#761)
• 6469720 ci: Add static.crates.io to allowed hosts in CodeQL workflow (#759)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions