
chore(deps): update rust crate http to v1.4.2 #76

Open
renovate[bot] wants to merge 1 commit into main from renovate/http-1.x-lockfile


@renovate renovate Bot commented Jun 1, 2026


This PR contains the following updates:

Package   Type               Update   Change
http      dev-dependencies   patch    1.4.0 → 1.4.2
http      dependencies       patch    1.4.0 → 1.4.2

Release Notes

hyperium/http (http)

v1.4.2


  • Fix uri::Builder to allow "*" as the path when scheme and authority are also set, used in HTTP/2 requests.
  • Fix Uri to properly reject DEL characters.

v1.4.1


  • Fix PathAndQuery::from_static() and from_shared() to reject inputs that do not start with /.
  • Fix Extend for HeaderMap to clamp max size hint and not overflow.
  • Fix header::IntoIter that could use-after-free if the generic value type could panic on drop.
  • Fix header::{IterMut, ValuesIterMut} to not violate stacked borrows.

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@doubleword-code doubleword-code Bot left a comment


Summary

This PR updates the http crate dependency from v1.4.0 to v1.4.1. This is a patch release containing only bug fixes with no breaking changes or API modifications that would affect this codebase.

Verdict: Approved - Safe dependency update with no impact on existing functionality.

Research notes

I reviewed the v1.4.1 release notes which lists four bug fixes:

  1. PathAndQuery validation: from_static() and from_shared() now reject inputs not starting with /
  2. HeaderMap overflow fix: Extend implementation clamps max size hint to prevent overflow
  3. IntoIter memory safety: Fixed potential use-after-free if generic value type panics on drop
  4. Stacked borrows compliance: Fixed IterMut and ValuesIterMut to not violate stacked borrows

I searched the codebase for usage of these affected APIs (PathAndQuery, HeaderMap::extend, IntoIter) and found no direct usage. The http crate is used here only for:

  • http::Method constants (e.g., http::Method::POST)
  • http::Uri::from_static() for URI construction
  • http::StatusCode constants and conversions

None of these usages are impacted by the v1.4.1 fixes.

Suggested next steps

  1. Merge this PR as-is - no changes needed
  2. Consider enabling automated security advisories for dependencies if not already configured
  3. Standard practice: verify tests pass after dependency update (CI should catch any issues)

General findings

No issues identified. This is a straightforward maintenance update that improves the underlying library's correctness and memory safety without changing its public API surface in ways that matter to this crate.

@renovate renovate Bot changed the title from "chore(deps): update rust crate http to v1.4.1" to "chore(deps): update rust crate http to v1.4.2" Jun 8, 2026
@renovate renovate Bot force-pushed the renovate/http-1.x-lockfile branch from 7279182 to db5fdad June 8, 2026 16:54

@doubleword-code doubleword-code Bot left a comment


Summary

This PR updates the http crate from version 1.4.0 to 1.4.2 via Cargo.lock. This is a routine dependency maintenance update that includes important bug fixes and security improvements.

Verdict: Approve — Safe patch update with no breaking changes.

Research notes

Fetched the http crate CHANGELOG to understand what changed between 1.4.0 and 1.4.2:

v1.4.2 (June 8, 2026)

  • Fix uri::Builder to allow "*" as the path when scheme and authority are set (HTTP/2 requests)
  • Fix Uri to properly reject DEL characters (security hardening)

v1.4.1 (May 25, 2026)

  • Fix PathAndQuery::from_static() and from_shared() to reject inputs that do not start with /
  • Fix Extend for HeaderMap to clamp max size hint and prevent overflow
  • Fix header::IntoIter use-after-free if generic value type panics on drop
  • Fix header::{IterMut, ValuesIterMut} to not violate stacked borrows

These are all bug fixes and security improvements with no breaking API changes.

Suggested next steps

  1. Merge this PR — The update is safe and beneficial
  2. No code changes required — the codebase doesn't use the affected APIs in ways that would be impacted
  3. Consider running cargo test after merge to confirm everything passes with the updated dependency (though the lockfile change alone indicates compatibility)

General findings

None — this is a minimal, low-risk dependency update. The change affects only Cargo.lock and introduces no new code paths or behavioral changes in this repository.
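
The lockfile check behind this update, as an added example that is not part of the PR or of either bot's comment: a std-only Rust audit that reads a Cargo.lock and reports whether each resolved `http` version includes the fixes listed in the release notes above. The sample lockfile and all function names are constructed for illustration; treating versions outside the 1.x line as out of scope is an assumption, since the release notes on this page cover only 1.4.1 and 1.4.2.

```rust
// Added example. FIXED is the release named in this PR; all other names are illustrative.
const FIXED: (u64, u64, u64) = (1, 4, 2);

// Constructed sample lockfile (not taken from this repository).
const SAMPLE_LOCK: &str = r#"
version = 4
[[package]]
name = "http"
version = "0.2.12"
[[package]]
name = "http"
version = "1.4.0"
[[package]]
name = "http-body"
version = "1.0.1"
"#;

#[derive(Debug, PartialEq)]
enum Status { HasFixes, MissingFixes, OtherLine, Unparsed }

// Extract the value of `key = "value"`; None if the line holds a different key.
fn value_of<'a>(line: &'a str, key: &str) -> Option<&'a str> {
    let rest = line.strip_prefix(key)?.trim_start().strip_prefix('=')?;
    Some(rest.trim().trim_matches('"'))
}

// Strict MAJOR.MINOR.PATCH; pre-release or build suffixes are reported as Unparsed.
fn classify(version: &str) -> Status {
    let nums: Vec<u64> = version.split('.').filter_map(|p| p.parse().ok()).collect();
    if nums.len() != 3 || version.split('.').count() != 3 { return Status::Unparsed; }
    let v = (nums[0], nums[1], nums[2]);
    if v.0 != FIXED.0 { Status::OtherLine } // assumption: only the 1.x line is judged
    else if v >= FIXED { Status::HasFixes } else { Status::MissingFixes }
}

// Every locked version of `krate`; a lockfile can hold several major lines at once.
fn audit(lock: &str, krate: &str) -> Vec<(String, Status)> {
    let (mut name, mut out) = (None, Vec::new());
    for line in lock.lines().map(str::trim) {
        if line == "[[package]]" { name = None; }
        else if let Some(n) = value_of(line, "name") { name = Some(n); }
        else if let Some(v) = value_of(line, "version") {
            if name == Some(krate) { out.push((v.to_string(), classify(v))); }
        }
    }
    out
}

fn main() { for (v, s) in audit(SAMPLE_LOCK, "http") { println!("http {v}: {s:?}"); } }
```

The top-level `version = 4` line and the `http-body` entry are in the sample to show that only exact `name = "http"` packages are reported.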
