chore(deps): bump the dependencies group across 1 directory with 6 updates

[dependabot]

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.

---

Updates the requirements on thiserror, nalgebra, itertools, reqwest, criterion and pyo3 to permit the latest version.
Updates thiserror to 2.0.18

Release notes

Sourced from thiserror's releases.

2.0.18

• Make compatible with project-level needless_lifetimes = "forbid" (#443, thanks @​LucaCappelletti94)

Commits

• dc0f6a2 Release 2.0.18
• 0275292 Touch up PR 443
• 3c33bc6 Merge pull request #443 from LucaCappelletti94/master
• 995939c Reproduce issue 442
• 21653d1 Made clippy lifetime allows conditional
• 45e5388 Update actions/upload-artifact@v5 -> v6
• 386aac1 Update actions/upload-artifact@v4 -> v5
• ec50561 Update actions/checkout@v5 -> v6
• 247eab5 Update name of empty_enum clippy lint
• 91b181f Raise required compiler to Rust 1.68
• Additional commits viewable in compare view

Updates nalgebra to 0.34.1

Changelog

Sourced from nalgebra's changelog.

[0.34.1] (20 Sept. 2025)

Added

• Added encase feature, providing encase trait implementations for nalgebra types.

[0.34.0] (31 July 2025)

Added

• Add the convert-glam030 feature to enable conversion from/to types from glam v0.30.
• Add the defmt cargo feature that enables derives of defmt::Format for all no-std types.

Changed

• Bumped MSRV to 1.87.0.
• Updated rand dependency to 0.9.0.
• Renamed associated const DimName::USIZE to DimName::DIM.
• Moved to Rust 2024 edition.
• Several methods are now const whenever possible. See details in #1522.
• Features for conversion from/to types from glam (such as convert-glam029) no longer enable default features for glam, allowing use in no_std environments.

Fixed

• Fix infinite loop when attempting to take the Schur decomposition of a 0 matrix.

[0.33.2] (29 October 2024)

Added

• Add the convert-glam029 feature to enable conversion from/to types from glam v0.29.

[0.33.1] (16 October 2024)

Added

• Add implementations of bytemuck traits for isometries and similarities.
• Implement AsRef<[T]> for matrices with contiguous storage.
• Enable the num-complex/bytemuck feature when the convert-bytemuck feature is enabled.

[0.33.0] (23 June 2024)

Fixed

• Fix a memory leak in Matrix::generic_resize.
• Fix glm::is_null to check the vector magnitude instead of individual components.
• Ensure that inverting a 4x4 matrix leaves it unchanged if the inversion fails.

Added

... (truncated)

Commits

• 122897f Release v0.34.1 (#1546)
• ef4202e Add encase trait implementations (#1545)
• 6519048 Merge Fix linalg bench warnings (#1544)
• 8cd8b4b Fixes for nalgebra-lapack (faulty test, bugs in implementations, compile erro...
• 8964bf2 chore: fix categories list in nalgebra-glm cargo.toml
• 631064a Release v0.34.0 (#1535)
• e0e2be8 Disable default features for glam (#1510)
• 9598744 Make epsilon more forgiving in euler_angles_ordered (#1489)
• 9687b8b Fixes the Schur decomposition for a zero matrix (#1532)
• 7d9a89b Clarify documentation for from_fn (#1516)
• Additional commits viewable in compare view

Updates itertools to 0.14.0

Changelog

Sourced from itertools's changelog.

0.14.0

Breaking

• Increased MSRV to 1.63.0 (#960)
• Removed generic parameter from cons_tuples (#988)

Added

• Added array_combinations (#991)
• Added k_smallest_relaxed and variants (#925)
• Added next_array and collect_array (#560)
• Implemented DoubleEndedIterator for FilterOk (#948)
• Implemented DoubleEndedIterator for FilterMapOk (#950)

Changed

• Allow Q: ?Sized in Itertools::contains (#971)
• Improved hygiene of chain! (#943)
• Improved into_group_map_by documentation (#1000)
• Improved tree_reduce documentation (#955)
• Improved discoverability of merge_join_by (#966)
• Improved discoverability of take_while_inclusive (#972)
• Improved documentation of find_or_last and find_or_first (#984)
• Prevented exponentially large type sizes in tuple_combinations (#945)
• Added track_caller attr for asser_equal (#976)

Notable Internal Changes

• Fixed clippy lints (#956, #987, #1008)
• Addressed warnings within doctests (#964)
• CI: Run most tests with miri (#961)
• CI: Speed up "cargo-semver-checks" action (#938)
• Changed an instance of default_features in Cargo.toml to default-features (#985)

0.13.0

Breaking

• Removed implementation of DoubleEndedIterator for ConsTuples (#853)
• Made MultiProduct fused and fixed on an empty iterator (#835, #834)
• Changed iproduct! to return tuples for maxi one iterator too (#870)
• Changed PutBack::put_back to return the old value (#880)
• Removed deprecated repeat_call, Itertools::{foreach, step, map_results, fold_results} (#878)
• Removed TakeWhileInclusive::new (#912)

Added

• Added Itertools::{smallest_by, smallest_by_key, largest, largest_by, largest_by_key} (#654, #885)
• Added Itertools::tail (#899)
• Implemented DoubleEndedIterator for ProcessResults (#910)
• Implemented Debug for FormatWith (#931)
• Added Itertools::get (#891)

Changed

• Deprecated Itertools::group_by (renamed chunk_by) (#866, #879)

... (truncated)

Commits

• a015a68 Add next_array and collect_array
• a1213e1 Prepare v0.14.0 release
• ff0c942 fix clippy lints
• f80883b Fix into_group_map_by documentation errors
• b793238 Add track_caller for asser_equal
• 5d4056b default_features is deprecated - switch it to default-features
• a447b68 doc for added trait
• d0479b0 "nitpicks"
• 35c78ce IndexMut -> BorrowMut<slice>
• deb53ba refactored to share code
• Additional commits viewable in compare view

Updates reqwest to 0.13.1

Release notes

Sourced from reqwest's releases.

v0.13.1

What's Changed

• http3: depend on quinn/rustls-aws-lc-rs to avoid ring dependency by @​djc in seanmonstar/reqwest#2917
• fix rustls on android by @​seanmonstar in seanmonstar/reqwest#2918

Full Changelog: seanmonstar/reqwest@v0.13.0...v0.13.1

Changelog

Sourced from reqwest's changelog.

v0.13.1

• Fixes compiling with rustls on Android targets.

v0.13.0

• Breaking changes:
  • rustls is now the default TLS backend, instead of native-tls.
  • rustls crypto provider defaults to aws-lc instead of ring. (rustls-no-provider exists if you want a different crypto provider)
  • rustls-tls has been renamed to rustls.
  • rustls roots features removed, rustls-platform-verifier is used by default.
    • To use different roots, call tls_certs_only(your_roots).
  • native-tls now includes ALPN. To disable, use native-tls-no-alpn.
  • query and form are now crate features, disabled by default.
  • Long-deprecated methods and crate features have been removed (such as trust-dns, which was renamed hickory-dns a while ago).
• Many TLS-related methods renamed to improve autocompletion and discovery, but previous name left in place with a "soft" deprecation. (just documented, no warnings)
  • For example, prefer tls_backend_rustls() over use_rustls_tls().

v0.12.28

• Fix compiling on Windows if TLS and SOCKS features are not enabled.

v0.12.27

• Add ClientBuilder::windows_named_pipe(name) option that will force all requests over that Windows Named Piper.

v0.12.26

• Fix sending Accept-Encoding header only with values configured with reqwest, regardless of underlying tower-http config.

v0.12.25

• Add Error::is_upgrade() to determine if the error was from an HTTP upgrade.
• Fix sending Proxy-Authorization if only username is configured.
• Fix sending Proxy-Authorization to HTTPS proxies when the target is HTTP.
• Refactor internal decompression handling to use tower-http.

v0.12.24

• Refactor cookie handling to an internal middleware.
• Refactor internal random generator.
• Refactor base64 encoding to reduce a copy.
• Documentation updates.

v0.12.23

• Add ClientBuilder::unix_socket(path) option that will force all requests over that Unix Domain Socket.
• Add ClientBuilder::retry(policy) and reqwest::retry::Builder to configure automatic retries.
• Add ClientBuilder::dns_resolver2() with more ergonomic argument bounds, allowing more resolver implementations.

... (truncated)

Commits

• 10fb98c v0.13.1
• 438098a chore: refer to h2 as dep:h2 (#2919)
• 43aac91 chore(ci): bump actions/checkout from 5 to 6 (#2864)
• 175f5b2 fix rustls on android (#2918)
• 1afe88e Depend on quinn/rustls-aws-lc-rs to avoid ring dependency (#2917)
• 62a80af v0.13.0
• e8d89f4 enable ALPN by default in native-tls (#2907)
• 9a9daa7 v0.13.0-rc.1
• d518e45 rustls: allow windows to use extra roots (#2904)
• 934bc84 chore: separate rustls and rustls-no-provider features (#2903)
• Additional commits viewable in compare view

Updates criterion to 0.8.1

Release notes

Sourced from criterion's releases.

criterion-plot-v0.8.1

Fixed

• Typo

Changelog

Sourced from criterion's changelog.

0.8.1 - 2025-12-07

Fixed

• Homepage link

Other

• (deps) bump crate-ci/typos from 1.23.5 to 1.40.0
• (deps) bump jontze/action-mdbook from 3 to 4
• (deps) bump actions/checkout from 4 to 6

0.8.0 - 2025-11-29

BREAKING

• Drop async-std support

Changed

• Bump MSRV to 1.86, stable to 1.91.1

Added

• Add ability to plot throughput on summary page.
• Add support for reporting throughput in elements and bytes - Throughput::ElementsAndBytes allows the text summary to report throughput in both units simultaneously.
• Add alloca-based memory layout randomisation to mitigate memory effects on measurements.
• Add doc comment to benchmark runner in criterion_group macro (removes linter warnings)

Fixed

• Fix plotting NaN bug

Other

• Remove Master API Docs links temporarily while we restore the docs publishing.

[0.7.0] - 2025-07-25

• Bump version of criterion-plot to align dependencies.

[0.6.0] - 2025-05-17

Changed

• MSRV bumped to 1.80
• The real_blackbox feature no longer has any impact. Criterion always uses std::hint::black_box() now. Users of criterion::black_box() should switch to std::hint::black_box().
• clap dependency unpinned.

Fixed

... (truncated)

Commits

• e4e06df chore: release v0.8.1
• aa548b9 fix: Homepage link
• 950c3b7 fix: Typo
• 7e3e50c chore(deps): bump crate-ci/typos from 1.23.5 to 1.40.0
• 391a99a chore(deps): bump jontze/action-mdbook from 3 to 4
• 8fb9a87 chore(deps): bump actions/checkout from 4 to 6
• b49ade7 chore: release v0.8.0
• c56485f docs: Mark Master API Docs links that need to be updated
• 86526a4 docs: Remove Master API Docs link temporarily
• 00a443f docs: Update README links
• Additional commits viewable in compare view

Updates pyo3 to 0.22.6

Release notes

Sourced from pyo3's releases.

PyO3 0.22.6

This release corrects the check for free-threaded Python introduced in PyO3 0.22.2 to prevent users accidentally installing PyO3 packages on Python 3.13t; PyO3 0.22 does not support free-threaded Python. (Stay tuned for the 0.23 release coming very soon!)

Thanks @​minrk for the report and @​davidhewitt for the fix!

Changelog

Sourced from pyo3's changelog.

[0.22.6] - 2024-11-05

Fixed

• Fix detection of freethreaded Python 3.13t added in PyO3 0.22.2; freethreaded is not yet supported (support coming soon in 0.23). #4684

[0.22.5] - 2024-10-15

Fixed

• Fix regression in 0.22.4 of naming collision in __clear__ slot and clear method generated code. #4619

[0.22.4] - 2024-10-12

Added

• Add FFI definition PyWeakref_GetRef and compat::PyWeakref_GetRef. #4528

Changed

• Deprecate _borrowed methods on PyWeakRef and PyWeakrefProxy (just use the owning forms). #4590

Fixed

• Revert removal of private FFI function _PyLong_NumBits on Python 3.13 and later. #4450
• Fix __traverse__ functions for base classes not being called by subclasses created with #[pyclass(extends = ...)]. #4563
• Fix regression in 0.22.3 failing compiles under #![forbid(unsafe_code)]. #4574
• Workaround possible use-after-free in _borrowed methods on PyWeakRef and PyWeakrefProxy by leaking their contents. #4590
• Fix crash calling PyType_GetSlot on static types before Python 3.10. #4599

[0.22.3] - 2024-09-15

Added

• Add pyo3::ffi::compat namespace with compatibility shims for C API functions added in recent versions of Python.
• Add FFI definition PyDict_GetItemRef on Python 3.13 and newer, and compat::PyDict_GetItemRef for all versions. #4355
• Add FFI definition PyList_GetItemRef on Python 3.13 and newer, and pyo3_ffi::compat::PyList_GetItemRef for all versions. #4410
• Add FFI definitions compat::Py_NewRef and compat::Py_XNewRef. #4445
• Add FFI definitions compat::PyObject_CallNoArgs and compat::PyObject_CallMethodNoArgs. #4461
• Add GilOnceCell<Py<T>>::clone_ref. #4511

Changed

• Improve error messages for #[pyfunction] defined inside #[pymethods]. #4349
• Improve performance of calls to Python by using the vectorcall calling convention where possible. #4456
• Mention the type name in the exception message when trying to instantiate a class with no constructor defined. #4481

Removed

... (truncated)

Commits

• c000ab9 release: 0.22.6
• 02b8dfe fix compiler warning on 32 bit platforms
• a76ce14 fix detection of freethreaded interpreter
• 4c88e9a release: 0.22.5
• 8f6464e fix __clear__ slot naming collision with clear method (#4619)
• dff9723 release: 0.22.4
• 3330bf2 fix garbage collection in inheritance cases (#4563)
• 8b23397 ci: pypy 3.7 macos on x64 still
• ce63713 ci: run benchmarks on ubuntu 22.04 (#4609)
• b1173f5 ci: fix more ubuntu-24.04 failures (#4610)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

[dependabot]

Labels

The following labels could not be found: dependencies. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

[HFooladi]

Closing this PR as the security vulnerability RUSTSEC-2025-0020 has already been addressed in commit 2c3a24e by updating pyo3 to 0.24 and numpy to 0.24. The dependency updates in this PR conflict with the current main branch versions and cause linking errors with pyo3-ffi. If we want to upgrade to pyo3 0.28+ in the future, we can do so in a separate, targeted PR.

[dependabot]

This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.

To ignore these dependencies, configure ignore rules in dependabot.yml