chore(deps): update rust crate reqwest to 0.13.0

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
reqwest	workspace.dependencies	minor	0.12.8 → 0.13.0

---

Release Notes

seanmonstar/reqwest (reqwest)

v0.13.2

Compare Source

• Fix HTTP/2 and native-tls ALPN feature combinations.
• Fix HTTP/3 to send h3 ALPN.
• (wasm) fix RequestBuilder::json() from override previously set content-type.

v0.13.1

Compare Source

• Fixes compiling with rustls on Android targets.

v0.13.0

Compare Source

• Breaking changes:
  • rustls is now the default TLS backend, instead of native-tls.
  • rustls crypto provider defaults to aws-lc instead of ring. (rustls-no-provider exists if you want a different crypto provider)
  • rustls-tls has been renamed to rustls.
  • rustls roots features removed, rustls-platform-verifier is used by default.
    • To use different roots, call tls_certs_only(your_roots).
  • native-tls now includes ALPN. To disable, use native-tls-no-alpn.
  • query and form are now crate features, disabled by default.
  • Long-deprecated methods and crate features have been removed (such as trust-dns, which was renamed hickory-dns a while ago).
• Many TLS-related methods renamed to improve autocompletion and discovery, but previous name left in place with a "soft" deprecation. (just documented, no warnings)
  • For example, prefer tls_backend_rustls() over use_rustls_tls().

v0.12.28

• Fix compiling on Windows if TLS and SOCKS features are not enabled.

v0.12.27

• Add ClientBuilder::windows_named_pipe(name) option that will force all requests over that Windows Named Piper.

v0.12.26

• Fix sending Accept-Encoding header only with values configured with reqwest, regardless of underlying tower-http config.

v0.12.25

• Add Error::is_upgrade() to determine if the error was from an HTTP upgrade.
• Fix sending Proxy-Authorization if only username is configured.
• Fix sending Proxy-Authorization to HTTPS proxies when the target is HTTP.
• Refactor internal decompression handling to use tower-http.

v0.12.24

• Refactor cookie handling to an internal middleware.
• Refactor internal random generator.
• Refactor base64 encoding to reduce a copy.
• Documentation updates.

v0.12.23

• Add ClientBuilder::unix_socket(path) option that will force all requests over that Unix Domain Socket.
• Add ClientBuilder::retry(policy) and reqwest::retry::Builder to configure automatic retries.
• Add ClientBuilder::dns_resolver2() with more ergonomic argument bounds, allowing more resolver implementations.
• Add http3_* options to blocking::ClientBuilder.
• Fix default TCP timeout values to enabled and faster.
• Fix SOCKS proxies to default to port 1080
• (wasm) Add cache methods to RequestBuilder.

v0.12.22

• Fix socks proxies when resolving IPv6 destinations.

v0.12.21

• Fix socks proxy to use socks4a:// instead of socks4h://.
• Fix Error::is_timeout() to check for hyper and IO timeouts too.
• Fix request Error to again include URLs when possible.
• Fix socks connect error to include more context.
• (wasm) implement Default for Body.

v0.12.20

• Add ClientBuilder::tcp_user_timeout(Duration) option to set TCP_USER_TIMEOUT.
• Fix proxy headers only using the first matched proxy.
• (wasm) Fix re-adding Error::is_status().

v0.12.19

• Fix redirect that changes the method to GET should remove payload headers.
• Fix redirect to only check the next scheme if the policy action is to follow.
• (wasm) Fix compilation error if cookies feature is enabled (by the way, it's a noop feature in wasm).

v0.12.18

• Fix compilation when socks enabled without TLS.

v0.12.17

• Fix compilation on macOS.

v0.12.16

• Add ClientBuilder::http3_congestion_bbr() to enable BBR congestion control.
• Add ClientBuilder::http3_send_grease() to configure whether to send use QUIC grease.
• Add ClientBuilder::http3_max_field_section_size() to configure the maximum response headers.
• Add ClientBuilder::tcp_keepalive_interval() to configure TCP probe interval.
• Add ClientBuilder::tcp_keepalive_retries() to configure TCP probe count.
• Add Proxy::headers() to add extra headers that should be sent to a proxy.
• Fix redirect::Policy::limit() which had an off-by-1 error, allowing 1 more redirect than specified.
• Fix HTTP/3 to support streaming request bodies.
• (wasm) Fix null bodies when calling Response::bytes_stream().

v0.12.15

• Fix Windows to support both ProxyOverride and NO_PROXY.
• Fix http3 to support streaming response bodies.
• Fix http3 dependency from public API misuse.

v0.12.14

• Fix missing fetch_mode_no_cors(), marking as deprecated when not on WASM.

v0.12.13

• Add Form::into_reader() for blocking multipart forms.
• Add Form::into_stream() for async multipart forms.
• Add support for SOCKS4a proxies.
• Fix decoding responses with multiple zstd frames.
• Fix RequestBuilder::form() from overwriting a previously set Content-Type header, like the other builder methods.
• Fix cloning of request timeout in blocking::Request.
• Fix http3 synchronization of connection creation, reducing unneccesary extra connections.
• Fix Windows system proxy to use ProxyOverride as a NO_PROXY value.
• Fix blocking read to correctly reserve and zero read buffer.
• (wasm) Add support for request timeouts.
• (wasm) Fix Error::is_timeout() to return true when from a request timeout.

v0.12.12

• (wasm) Fix compilation by not compiler tokio/time on WASM.

v0.12.11

• Fix decompression returning an error when HTTP/2 ends with an empty data frame.

v0.12.10

• Add ClientBuilder::connector_layer() to allow customizing the connector stack.
• Add ClientBuilder::http2_max_header_list_size() option.
• Fix propagating body size hint (content-length) information when wrapping bodies.
• Fix decompression of chunked bodies so the connections can be reused more often.

v0.12.9

• Add tls::CertificateRevocationLists support.
• Add crate features to enable webpki roots without selecting a rustls provider.
• Fix connection_verbose() to output read logs.
• Fix multipart::Part::file() to automatically include content-length.
• Fix proxy to internally no longer cache system proxy settings.

v0.12.8

• Add support for SOCKS4 proxies.
• Add multipart::Form::file() method for adding files easily.
• Add Body::wrap() to wrap any http_body::Body type.
• Fix the pool configuration to use a timer to remove expired connections.

v0.12.7

• Revert adding impl Service<http::Request<_>> for Client.

v0.12.6

• Add support for danger_accept_invalid_hostnames for rustls.
• Add impl Service<http::Request<Body>> for Client and &'_ Client.
• Add support for !Sync bodies in Body::wrap_stream().
• Enable happy eyeballs when hickory-dns is used.
• Fix Proxy so that HTTP(S)_PROXY values take precedence over ALL_PROXY.
• Fix blocking::RequestBuilder::header() from unsetting sensitive on passed header values.

v0.12.5

• Add blocking::ClientBuilder::dns_resolver() method to change DNS resolver in blocking client.
• Add http3 feature back, still requiring reqwest_unstable.
• Add rustls-tls-no-provider Cargo feature to use rustls without a crypto provider.
• Fix Accept-Encoding header combinations.
• Fix http3 resolving IPv6 addresses.
• Internal: upgrade to rustls 0.23.

v0.12.4

• Add zstd support, enabled with zstd Cargo feature.
• Add ClientBuilder::read_timeout(Duration), which applies the duration for each read operation. The timeout resets after a successful read.

v0.12.3

• Add FromStr for dns::Name.
• Add ClientBuilder::built_in_webpki_certs(bool) to enable them separately.
• Add ClientBuilder::built_in_native_certs(bool) to enable them separately.
• Fix sending content-length: 0 for GET requests.
• Fix response body content_length() to return value when timeout is configured.
• Fix ClientBuilder::resolve() to use lowercase domain names.

v0.12.2

• Fix missing ALPN when connecting to socks5 proxy with rustls.
• Fix TLS version limits with rustls.
• Fix not detected ALPN h2 from server with native-tls.

v0.12.1

• Fix ClientBuilder::interface() when no TLS is enabled.
• Fix TlsInfo::peer_certificate() being truncated with rustls.
• Fix panic if http2 feature disabled but TLS negotiated h2 in ALPN.
• Fix Display for Error to not include its source error.

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: Cargo.lock

Command failed: cargo update --config net.git-fetch-with-cli=true --manifest-path Cargo.toml --package reqwest@0.12.28 --precise 0.13.2
    Updating crates.io index
error: failed to select a version for the requirement `reqwest = "^0.12"`
candidate versions found which didn't match: 0.13.2
location searched: crates.io index
required by package `opentelemetry-otlp v0.31.0`
    ... which satisfies dependency `opentelemetry-otlp = "^0.31.0"` of package `scotty v0.2.9 (/tmp/renovate/repos/github/factorial-io/scotty/scotty)`

[claude]

PR Review: reqwest 0.12.8 → 0.13.0 Upgrade

I've reviewed this dependency update PR. While the change appears minimal (single version bump), reqwest 0.13.0 introduces several breaking changes that require attention.

---

❌ BLOCKING ISSUE: Missing form Feature

Critical: The code uses .form() method in scotty/src/oauth/device_flow.rs:148, but reqwest 0.13.0 makes form and query opt-in features (disabled by default).

Required Fix:

# Cargo.toml line 64
reqwest = { version = "0.13.0", default-features = false, features = ["json", "rustls-tls", "http2", "charset", "stream", "form"] }

Impact: Without this feature, the code will fail to compile.

---

⚠️ Breaking Changes to Review

1. Feature Rename: rustls-tls (Currently Used)

The PR uses the renamed feature rustls-tls which is correct for 0.13.0. In 0.12.x it was also rustls-tls, so this is compatible. ✅

However, note that:

• The old feature name still works but is soft-deprecated
• Recommended new name: rustls (but keeping rustls-tls is fine for now)

2. TLS Backend Change

• Before (0.12): native-tls was default
• After (0.13): rustls is now default
• Your config: Explicitly uses rustls-tls with default-features = false ✅

This is handled correctly since you're explicitly specifying the TLS backend.

3. Rustls Crypto Provider

• New default: aws-lc-rs (changed from ring)
• Impact: Binary size may change slightly, but functionally equivalent
• Your config: No action needed (you're not using rustls-no-provider) ✅

4. Certificate Validation

• Change: Now uses rustls-platform-verifier by default instead of webpki roots
• Impact: Better platform integration (uses OS certificate store)
• Your config: No action needed ✅

5. oauth2 Crate Compatibility

The oauth2 crate (v4.4) in scotty/Cargo.toml:92 uses:

oauth2 = { version = "4.4", default-features = false, features = ["reqwest", "rustls-tls"] }

Action needed: Verify oauth2 v4.4 supports reqwest 0.13. Check if an oauth2 update is also needed.

---

🧪 Test Coverage Recommendations

Before merging, verify:

1. OAuth Device Flow:

   • Test device flow authentication end-to-end
   • Verify .form() method works correctly in scotty/src/oauth/device_flow.rs:148

2. HTTP Client:

   • Run tests in scotty-core/src/http/client.rs (lines 337-568)
   • Verify error handling, redirects, and timeouts still work

3. External Integrations:

   • GitLab notifications (scotty/src/notification/gitlab.rs)
   • Mattermost notifications (scotty/src/notification/mattermost.rs)
   • Webhook calls (scotty/src/notification/webhook.rs)
   • OnePassword API (scotty/src/onepassword/api.rs)

4. scottyctl API client:

   • Test all scottyctl commands that make HTTP requests

---

📋 Action Items

• Add "form" feature to reqwest dependency in Cargo.toml:64
• Verify oauth2 crate v4.4 is compatible with reqwest 0.13 (or update if needed)
• Run full test suite: cargo test
• Test OAuth device flow manually
• Test scottyctl commands that use HTTP client

---

💡 Optional Improvements (Not Blocking)

Consider these in a follow-up PR:

1. Update to new feature names:

   reqwest = { version = "0.13.0", default-features = false, features = ["json", "rustls", "http2", "charset", "stream", "form"] }

2. Review timeout configuration:
   The changelog mentions improved default TCP timeouts. Review if your custom timeouts in scotty-core/src/http/client.rs are still optimal.

---

🎯 Summary

Cannot merge yet - missing required "form" feature will cause compilation failure.

Once the feature is added and oauth2 compatibility is verified, this upgrade should be safe. The breaking changes are well-handled by your explicit feature configuration, except for the missing form feature.

---

Relevant Files:

• scotty/src/oauth/device_flow.rs:148 (uses .form())
• scotty-core/src/http/client.rs (main HTTP client)
• Cargo.toml:64 (reqwest dependency - needs form feature)
• scotty/Cargo.toml:92 (oauth2 dependency - verify compatibility)

[claude]

Code Review: reqwest 0.12.8 → 0.13.0 Update

I've reviewed this dependency update PR. Here's my analysis:

---

🔍 Overview

This PR updates the reqwest HTTP client library from 0.12.8 to 0.13.0, which includes several breaking changes that need careful consideration.

---

⚠️ Breaking Changes in reqwest 0.13.0

The release includes these major breaking changes:

1. TLS Backend Change: rustls is now the default (was native-tls)
2. Crypto Provider Change: aws-lc is now default (was ring)
3. Feature Rename: rustls-tls renamed to rustls
4. Features Disabled by Default: query and form features now opt-in
5. ALPN Changes: native-tls now includes ALPN by default

---

✅ Positive Findings

Good news: The codebase appears compatible with these changes:

1. Correct Feature Usage: The Cargo.toml already uses rustls-tls feature, which still works (soft deprecated, not removed)

   reqwest = { version = "0.13.0", default-features = false, 
               features = ["json", "rustls-tls", "http2", "charset", "stream"] }

2. No query/form Usage: The codebase doesn't rely on form or query features (uses .json() methods instead)

3. Consistent TLS Backend: Already using rustls throughout:

   • tokio-tungstenite: rustls-tls-native-roots
   • oauth2: rustls-tls

4. API Compatibility: Core reqwest API usage remains unchanged:

   • Request building (.get(), .post(), .json())
   • Response handling (.json(), .bytes_stream())
   • Header manipulation
   • Redirect policies

---

🎯 Recommendations

1. Feature Update (Optional but Recommended)

Update to the new feature name to follow best practices:

- features = ["json", "rustls-tls", "http2", "charset", "stream"]
+ features = ["json", "rustls", "http2", "charset", "stream"]

The old name still works (soft deprecated), but the new name is preferred for autocompletion and discovery.

2. Verification Steps Before Merging

Run these checks:

# 1. Verify the project builds
cargo build --workspace

# 2. Run all tests (especially HTTP client tests)
cargo test --workspace

# 3. Test OAuth flows (uses reqwest via oauth2 crate)
cargo test -p scotty oauth -- --nocapture

# 4. Test webhook/notification functionality
cargo test -p scotty notification -- --nocapture

3. Runtime Testing

After merging, verify these scenarios:

• OAuth device flow and web flow work correctly
• Webhook notifications send successfully
• GitLab API integration works
• HTTP client retry logic functions properly

---

🔒 Security Considerations

Positive: This update improves security posture:

• aws-lc crypto provider is FIPS-validated
• Latest rustls version includes security fixes
• HTTP/3 ALPN fix improves protocol negotiation

No concerns regarding the existing security implementations in:

• scotty-core/src/http/client.rs (custom retry + error handling)
• Authorization headers
• TLS certificate handling

---

📊 Test Coverage

Existing test coverage should catch any issues:

• ✅ HTTP client tests with wiremock: scotty-core/src/http/client.rs:337-568
• ✅ Integration tests in scotty/tests/
• ✅ OAuth flow tests

Note: All tests use the same reqwest APIs, so if they pass, the upgrade is safe.

---

🚀 Performance Considerations

Expected minor performance improvements:

• aws-lc can be faster than ring on some platforms
• Internal decompression refactored to use tower-http (more efficient)
• Improved connection pooling (expired connections removed via timer)

No performance concerns identified.

---

📝 Additional Notes

1. OAuth2 Crate Compatibility: The oauth2 crate (v4.4) should work fine since it uses reqwest::async_http_client which is unchanged

2. No Code Changes Required: The HTTP client wrapper in scotty-core is fully compatible

3. Backwards Compatibility: The frontend-backend coupling means no API versioning concerns

---

✨ Conclusion

Recommendation: ✅ APPROVE with optional feature name update

This is a low-risk upgrade because:

• The codebase already uses rustls (matches new defaults)
• Core APIs are unchanged
• Soft deprecation means existing features still work
• Test coverage should catch any issues

The optional feature rename (rustls-tls → rustls) is purely for following the new convention and can be done in a follow-up PR if preferred.

---

📚 References

• reqwest v0.13.0 Changelog
• Files reviewed:
  • Cargo.toml (workspace dependencies)
  • scotty-core/src/http/client.rs (core HTTP client)
  • scotty/Cargo.toml (oauth2 integration)
  • scottyctl/src/api.rs (CLI client usage)

[claude]

PR Review: reqwest 0.12.8 → 0.13.0 Upgrade

Critical Issue Found ⚠️

This PR will break compilation due to missing feature flags in reqwest 0.13.0.

Breaking Changes Analysis

The reqwest 0.13.0 release introduces several breaking changes:

1. form feature is now disabled by default - The codebase uses .form() method in scotty/src/oauth/device_flow.rs:148
2. query feature is now disabled by default - Not currently used in the codebase
3. rustls-tls feature renamed to rustls - Currently specified in Cargo.toml

Required Changes

Cargo.toml line 64 needs to be updated from:

reqwest = { version = "0.13.0", default-features = false, features = ["json", "rustls-tls", "http2", "charset", "stream"] }

To:

reqwest = { version = "0.13.0", default-features = false, features = ["json", "rustls", "http2", "charset", "stream", "form"] }

Changes needed:

• Add "form" feature (required for .form() usage in OAuth device flow)
• Change "rustls-tls" to "rustls" (feature renamed in 0.13.0)

Code Location Affected

• scotty/src/oauth/device_flow.rs:148 - Uses .form(&params) for OAuth token exchange

Additional Notes

1. rustls backend: The new version now uses rustls by default (good - already your preference)
2. aws-lc crypto provider: Now defaults to aws-lc instead of ring (performance improvement)
3. TLS verification: Uses rustls-platform-verifier by default (better native integration)

Test Coverage

Before merging, ensure:

• OAuth device flow tests pass
• OAuth web flow tests pass
• Integration tests verify token exchange functionality

Recommendation

Do not merge this PR as-is. Please update the feature flags as specified above, then verify compilation with:

cargo check --workspace
cargo test --workspace