deps(rust): bump the rust-dependencies group across 1 directory with 5 updates #26

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/cargo/rust-dependencies-fdf63a0bf4

@dependabot dependabot bot commented on behalf of github Mar 16, 2026

Bumps the rust-dependencies group with 5 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| tokio | 1.49.0 | 1.50.0 |
| uuid | 1.21.0 | 1.22.0 |
| ort | 2.0.0-rc.11 | 2.0.0-rc.12 |
| lz4_flex | 0.12.0 | 0.13.0 |
| tempfile | 3.26.0 | 3.27.0 |

Updates tokio from 1.49.0 to 1.50.0

Release notes

Sourced from tokio's releases.

Tokio v1.50.0

1.50.0 (Mar 3rd, 2026)

Added

  • net: add TcpStream::set_zero_linger (#7837)
  • rt: add is_rt_shutdown_err (#7771)

Changed

  • io: add optimizer hint that memchr returns in-bounds pointer (#7792)
  • io: implement vectored writes for write_buf (#7871)
  • runtime: panic when event_interval is set to 0 (#7838)
  • runtime: shorten default thread name to fit in Linux limit (#7880)
  • signal: remember the result of SetConsoleCtrlHandler (#7833)
  • signal: specialize windows Registry (#7885)

Fixed

  • io: always cleanup AsyncFd registration list on deregister (#7773)
  • macros: remove (most) local use declarations in tokio::select! (#7929)
  • net: fix GET_BUF_SIZE constant for target_os = "android" (#7889)
  • runtime: avoid redundant unpark in current_thread scheduler (#7834)
  • runtime: don't park in current_thread if before_park defers waker (#7835)
  • io: fix write readiness on ESP32 on short writes (#7872)
  • runtime: wake deferred tasks before entering block_in_place (#7879)
  • sync: drop rx waker when oneshot receiver is dropped (#7886)
  • runtime: fix double increment of num_idle_threads on shutdown (#7910, #7918, #7922)

Unstable

  • fs: check for io-uring opcode support (#7815)
  • runtime: avoid lock acquisition after uring init (#7850)

Documented

  • docs: update outdated unstable features section (#7839)
  • io: clarify the behavior of AsyncWriteExt::shutdown() (#7908)
  • io: explain how to flush stdout/stderr (#7904)
  • io: fix incorrect and confusing AsyncWrite documentation (#7875)
  • rt: clarify the documentation of Runtime::spawn (#7803)
  • rt: fix missing quotation in docs (#7925)
  • runtime: correct the default thread name in docs (#7896)
  • runtime: fix event_interval doc (#7932)
  • sync: clarify RwLock fairness documentation (#7919)
  • sync: clarify that recv returns None once closed and no more messages (#7920)
  • task: clarify when to use spawn_blocking vs dedicated threads (#7923)
  • task: doc that task drops before JoinHandle completion (#7825)
  • signal: guarantee that listeners never return None (#7869)
  • task: fix task module feature flags in docs (#7891)

... (truncated)

Updates uuid from 1.21.0 to 1.22.0

Release notes

Sourced from uuid's releases.

v1.22.0

What's Changed

New Contributors

Full Changelog: uuid-rs/uuid@v1.21.0...v1.22.0

Updates ort from 2.0.0-rc.11 to 2.0.0-rc.12

Release notes

Sourced from ort's releases.

v2.0.0-rc.12

2.0.0-rc.12

💖 If you find ort useful, please consider sponsoring us on Open Collective 💖

🤔 Need help upgrading? Ask questions in GitHub Discussions or in the pyke.io Discord server!


This release was made possible by Rime.ai!

Authentic AI voice models for enterprise.


📍 Multiversioning

🚨 If you used ort with default-features = false, enable the api-24 feature to use the latest features.

The big highlight of this release is multiversioning: ort can now use any minor version of ONNX Runtime from v1.17 to v1.24. New features are gated behind api-* feature flags, like api-20 or api-24. These flags will set the minimum version of ONNX Runtime required by ort.

More info 👉 https://ort.pyke.io/setup/multiversion

🪄 Automatic device selection

With ONNX Runtime 1.22 or later, ort will now automatically use an NPU if one is available for maximum efficiency & power savings! Setting your own execution providers will override this.

This is thanks to the super cool new SessionBuilder::with_auto_device API! There's also SessionBuilder::with_devices for finer control.

👁️ CUDA 13

ort now ships builds for both CUDA 12 & CUDA 13! It should automatically detect which CUDA you're using, but if it gets it wrong, you can override it by setting the ORT_CUDA_VERSION environment variable to 12 or 13.

🩹 SessionBuilder error recovery

You can now recover from errors when building a session by calling .recover() on the error type to get the SessionBuilder back.

🛡️ Build attestations

Prebuilt binaries are now attested via GitHub Actions, so you can verify that they are untampered builds of ONNX Runtime coming straight from pyke.io.

To verify, download your binary package of choice and use the gh CLI to verify:

➜  gh attestation verify --owner pykeio ./x86_64-pc-windows-msvc+cu13.tar.lzma2
Loaded digest sha256:e96616510082108be228ad6ea026246a31650b7d446b330c6b9671fcb9ae6267 for file://./x86_64-pc-windows-msvc+cu13.tar.lzma2
Loaded 1 attestation from GitHub API

The following policy criteria will be enforced:

... (truncated)

Updates lz4_flex from 0.12.0 to 0.13.0

Changelog

Sourced from lz4_flex's changelog.

0.13.0 (2026-03-15)

Features

Fixes

Invalid match offsets (offset == 0) during decompression were not properly
handled, which could lead to invalid memory reads. This is a security fix
that was also backported to 0.12.1 and 0.11.6.
  • Fix get_maximum_output_size overflow on 32-bit targets #205 (thanks @dglittle)
    Cast input_len to u64 before multiplying by 110, avoiding overflow on
    32-bit targets (e.g. wasm32) where input_len * 110 overflows usize
    when input_len > ~39MB.

0.12.1 (2026-03-14)

Security Fix

Invalid match offsets (offset == 0) during decompression were not properly
handled, which could lead to invalid memory reads on untrusted input.
Users on 0.12.x should upgrade to 0.12.1.

Commits
  • bfaae84 release 0.13.0
  • 055502e fix handling of invalid match offsets during decompression
  • 7191df8 make hashtable visibility crate public
  • 1bdafca add doc comments
  • c90fc91 lz4_block exposes option to reuse compression dict
  • 22e77f9 Delete .github/workflows/typos.yml
  • 2991a09 fix get_maximum_output_size overflow on 32-bit targets
  • 7b5fb80 add minimal security policy
  • See full diff in compare view

Updates tempfile from 3.26.0 to 3.27.0

Changelog

Sourced from tempfile's changelog.

3.27.0

This release adds TempPath::try_from_path and deprecates TempPath::from_path.

Prior to this release, TempPath::from_path made no attempts to convert relative paths into absolute paths. The following code would have deleted the wrong file:

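```rust
use tempfile::TempPath;

let tmp_path = TempPath::from_path("foo"); // relative path, stored as given
std::env::set_current_dir("/some/other/path").unwrap();
drop(tmp_path); // removes "foo" relative to the new working directory
```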

Now:

  1. TempPath::from_path will attempt to convert relative paths into absolute paths. However, this isn't always possible as we need to call std::env::current_dir, which can fail. If we fail to convert the relative path to an absolute path, we simply keep the relative path.
  2. The TempPath::try_from_path behaves exactly like TempPath::from_path, except that it returns an error if we fail to convert a relative path into an absolute path (or if the passed path is empty).

Neither function attempts to verify the existence of the file in question.

Thanks to @meng-xu-cs for reporting this issue.

Commits
  • 5c8fa12 chore: release 3.27.0
  • e34e574 test: disable uds conflict test on redox
  • 772c795 test: add CWD guards
  • 2632fb9 fix: resolve relative paths when constructing TempPath
  • See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
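
The relative-path hazard described in the tempfile 3.27.0 changelog quoted above can be reproduced with the standard library alone. This is an added example, not tempfile's code: `DropGuard`, `from_path_unresolved` and `run_scenario` are hypothetical names that model a delete-on-drop guard holding a relative path across a working-directory change.

```rust
use std::{env, fs, io, path::{Path, PathBuf}};

/// Hypothetical delete-on-drop guard modelling the behaviour; not tempfile's TempPath.
struct DropGuard { path: PathBuf }

impl DropGuard {
    /// Old behaviour as the changelog describes it: keep the path exactly as given.
    fn from_path_unresolved(p: impl AsRef<Path>) -> Self {
        DropGuard { path: p.as_ref().to_path_buf() }
    }
    /// Strict variant: pin a relative path to the current directory now, or fail.
    fn try_from_path(p: impl AsRef<Path>) -> io::Result<Self> {
        let p = p.as_ref();
        if p.as_os_str().is_empty() {
            return Err(io::Error::new(io::ErrorKind::InvalidInput, "empty path"));
        }
        let path = if p.is_absolute() { p.to_path_buf() } else { env::current_dir()?.join(p) };
        Ok(DropGuard { path })
    }
}

impl Drop for DropGuard {
    fn drop(&mut self) { let _ = fs::remove_file(&self.path); }
}

/// Builds constructed dirs `a` and `b`, each with a file `foo`; creates the guard while in
/// `a`, drops it while in `b`. Returns (a/foo still exists, b/foo still exists).
fn run_scenario(resolve: bool) -> io::Result<(bool, bool)> {
    let base = env::temp_dir().join(format!("guard-demo-{}-{}", std::process::id(), resolve));
    let (a, b) = (base.join("a"), base.join("b"));
    for d in [&a, &b] { fs::create_dir_all(d)?; }
    fs::write(a.join("foo"), b"scratch")?;
    fs::write(b.join("foo"), b"unrelated data")?;
    let original = env::current_dir()?;
    env::set_current_dir(&a)?;
    let guard = if resolve { DropGuard::try_from_path("foo")? } else { DropGuard::from_path_unresolved("foo") };
    env::set_current_dir(&b)?;
    drop(guard); // the delete happens here, relative to whatever the guard stored
    env::set_current_dir(&original)?;
    let result = (a.join("foo").exists(), b.join("foo").exists());
    fs::remove_dir_all(&base)?;
    Ok(result)
}

fn main() -> io::Result<()> {
    println!("unresolved: {:?}", run_scenario(false)?);
    println!("resolved:   {:?}", run_scenario(true)?);
    Ok(())
}
```

With the unresolved guard the scratch file in `a` survives and the unrelated file in `b` is deleted; resolving at construction reverses that outcome.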

…5 updates

Bumps the rust-dependencies group with 5 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [tokio](https://github.com/tokio-rs/tokio) | `1.49.0` | `1.50.0` |
| [uuid](https://github.com/uuid-rs/uuid) | `1.21.0` | `1.22.0` |
| [ort](https://github.com/pykeio/ort) | `2.0.0-rc.11` | `2.0.0-rc.12` |
| [lz4_flex](https://github.com/pseitz/lz4_flex) | `0.12.0` | `0.13.0` |
| [tempfile](https://github.com/Stebalien/tempfile) | `3.26.0` | `3.27.0` |



Updates `tokio` from 1.49.0 to 1.50.0
- [Release notes](https://github.com/tokio-rs/tokio/releases)
- [Commits](tokio-rs/tokio@tokio-1.49.0...tokio-1.50.0)

Updates `uuid` from 1.21.0 to 1.22.0
- [Release notes](https://github.com/uuid-rs/uuid/releases)
- [Commits](uuid-rs/uuid@v1.21.0...v1.22.0)

Updates `ort` from 2.0.0-rc.11 to 2.0.0-rc.12
- [Release notes](https://github.com/pykeio/ort/releases)
- [Commits](pykeio/ort@v2.0.0-rc.11...v2.0.0-rc.12)

Updates `lz4_flex` from 0.12.0 to 0.13.0
- [Release notes](https://github.com/pseitz/lz4_flex/releases)
- [Changelog](https://github.com/PSeitz/lz4_flex/blob/main/CHANGELOG.md)
- [Commits](PSeitz/lz4_flex@0.12.0...0.13.0)

Updates `tempfile` from 3.26.0 to 3.27.0
- [Changelog](https://github.com/Stebalien/tempfile/blob/master/CHANGELOG.md)
- [Commits](Stebalien/tempfile@v3.26.0...v3.27.0)

---
updated-dependencies:
- dependency-name: tokio
  dependency-version: 1.50.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: rust-dependencies
- dependency-name: uuid
  dependency-version: 1.22.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: rust-dependencies
- dependency-name: ort
  dependency-version: 2.0.0-rc.12
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: rust-dependencies
- dependency-name: lz4_flex
  dependency-version: 0.13.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: rust-dependencies
- dependency-name: tempfile
  dependency-version: 3.27.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: rust-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>

dependabot bot commented on behalf of github Mar 16, 2026

Labels

The following labels could not be found: dependencies, rust. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

@dependabot dependabot bot requested a review from Lenvanderhof as a code owner March 16, 2026 23:47