Update Rust crate reqwest to 0.13.0

[hash-worker]

This PR contains the following updates:

Package	Type	Update	Change
reqwest	workspace.dependencies	minor	0.12.24 -> 0.13.0

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

seanmonstar/reqwest (reqwest)

v0.13.1

Compare Source

• Fixes compiling with rustls on Android targets.

v0.13.0

Compare Source

• Breaking changes:
  • rustls is now the default TLS backend, instead of native-tls.
  • rustls crypto provider defaults to aws-lc instead of ring. (rustls-no-provider exists if you want a different crypto provider)
  • rustls-tls has been renamed to rustls.
  • rustls roots features removed, rustls-platform-verifier is used by default.
    • To use different roots, call tls_certs_only(your_roots).
  • native-tls now includes ALPN. To disable, use native-tls-no-alpn.
  • query and form are now crate features, disabled by default.
  • Long-deprecated methods and crate features have been removed (such as trust-dns, which was renamed hickory-dns a while ago).
• Many TLS-related methods renamed to improve autocompletion and discovery, but previous name left in place with a "soft" deprecation. (just documented, no warnings)
  • For example, prefer tls_backend_rustls() over use_rustls_tls().

v0.12.28

• Fix compiling on Windows if TLS and SOCKS features are not enabled.

v0.12.27

• Add ClientBuilder::windows_named_pipe(name) option that will force all requests over that Windows Named Piper.

v0.12.26

• Fix sending Accept-Encoding header only with values configured with reqwest, regardless of underlying tower-http config.

v0.12.25

• Add Error::is_upgrade() to determine if the error was from an HTTP upgrade.
• Fix sending Proxy-Authorization if only username is configured.
• Fix sending Proxy-Authorization to HTTPS proxies when the target is HTTP.
• Refactor internal decompression handling to use tower-http.

v0.12.24

• Refactor cookie handling to an internal middleware.
• Refactor internal random generator.
• Refactor base64 encoding to reduce a copy.
• Documentation updates.

v0.12.23

• Add ClientBuilder::unix_socket(path) option that will force all requests over that Unix Domain Socket.
• Add ClientBuilder::retry(policy) and reqwest::retry::Builder to configure automatic retries.
• Add ClientBuilder::dns_resolver2() with more ergonomic argument bounds, allowing more resolver implementations.
• Add http3_* options to blocking::ClientBuilder.
• Fix default TCP timeout values to enabled and faster.
• Fix SOCKS proxies to default to port 1080
• (wasm) Add cache methods to RequestBuilder.

v0.12.22

• Fix socks proxies when resolving IPv6 destinations.

v0.12.21

• Fix socks proxy to use socks4a:// instead of socks4h://.
• Fix Error::is_timeout() to check for hyper and IO timeouts too.
• Fix request Error to again include URLs when possible.
• Fix socks connect error to include more context.
• (wasm) implement Default for Body.

v0.12.20

• Add ClientBuilder::tcp_user_timeout(Duration) option to set TCP_USER_TIMEOUT.
• Fix proxy headers only using the first matched proxy.
• (wasm) Fix re-adding Error::is_status().

v0.12.19

• Fix redirect that changes the method to GET should remove payload headers.
• Fix redirect to only check the next scheme if the policy action is to follow.
• (wasm) Fix compilation error if cookies feature is enabled (by the way, it's a noop feature in wasm).

v0.12.18

• Fix compilation when socks enabled without TLS.

v0.12.17

• Fix compilation on macOS.

v0.12.16

• Add ClientBuilder::http3_congestion_bbr() to enable BBR congestion control.
• Add ClientBuilder::http3_send_grease() to configure whether to send use QUIC grease.
• Add ClientBuilder::http3_max_field_section_size() to configure the maximum response headers.
• Add ClientBuilder::tcp_keepalive_interval() to configure TCP probe interval.
• Add ClientBuilder::tcp_keepalive_retries() to configure TCP probe count.
• Add Proxy::headers() to add extra headers that should be sent to a proxy.
• Fix redirect::Policy::limit() which had an off-by-1 error, allowing 1 more redirect than specified.
• Fix HTTP/3 to support streaming request bodies.
• (wasm) Fix null bodies when calling Response::bytes_stream().

v0.12.15

• Fix Windows to support both ProxyOverride and NO_PROXY.
• Fix http3 to support streaming response bodies.
• Fix http3 dependency from public API misuse.

v0.12.14

• Fix missing fetch_mode_no_cors(), marking as deprecated when not on WASM.

v0.12.13

• Add Form::into_reader() for blocking multipart forms.
• Add Form::into_stream() for async multipart forms.
• Add support for SOCKS4a proxies.
• Fix decoding responses with multiple zstd frames.
• Fix RequestBuilder::form() from overwriting a previously set Content-Type header, like the other builder methods.
• Fix cloning of request timeout in blocking::Request.
• Fix http3 synchronization of connection creation, reducing unneccesary extra connections.
• Fix Windows system proxy to use ProxyOverride as a NO_PROXY value.
• Fix blocking read to correctly reserve and zero read buffer.
• (wasm) Add support for request timeouts.
• (wasm) Fix Error::is_timeout() to return true when from a request timeout.

v0.12.12

• (wasm) Fix compilation by not compiler tokio/time on WASM.

v0.12.11

• Fix decompression returning an error when HTTP/2 ends with an empty data frame.

v0.12.10

• Add ClientBuilder::connector_layer() to allow customizing the connector stack.
• Add ClientBuilder::http2_max_header_list_size() option.
• Fix propagating body size hint (content-length) information when wrapping bodies.
• Fix decompression of chunked bodies so the connections can be reused more often.

v0.12.9

• Add tls::CertificateRevocationLists support.
• Add crate features to enable webpki roots without selecting a rustls provider.
• Fix connection_verbose() to output read logs.
• Fix multipart::Part::file() to automatically include content-length.
• Fix proxy to internally no longer cache system proxy settings.

v0.12.8

• Add support for SOCKS4 proxies.
• Add multipart::Form::file() method for adding files easily.
• Add Body::wrap() to wrap any http_body::Body type.
• Fix the pool configuration to use a timer to remove expired connections.

v0.12.7

• Revert adding impl Service<http::Request<_>> for Client.

v0.12.6

• Add support for danger_accept_invalid_hostnames for rustls.
• Add impl Service<http::Request<Body>> for Client and &'_ Client.
• Add support for !Sync bodies in Body::wrap_stream().
• Enable happy eyeballs when hickory-dns is used.
• Fix Proxy so that HTTP(S)_PROXY values take precedence over ALL_PROXY.
• Fix blocking::RequestBuilder::header() from unsetting sensitive on passed header values.

v0.12.5

• Add blocking::ClientBuilder::dns_resolver() method to change DNS resolver in blocking client.
• Add http3 feature back, still requiring reqwest_unstable.
• Add rustls-tls-no-provider Cargo feature to use rustls without a crypto provider.
• Fix Accept-Encoding header combinations.
• Fix http3 resolving IPv6 addresses.
• Internal: upgrade to rustls 0.23.

v0.12.4

• Add zstd support, enabled with zstd Cargo feature.
• Add ClientBuilder::read_timeout(Duration), which applies the duration for each read operation. The timeout resets after a successful read.

v0.12.3

• Add FromStr for dns::Name.
• Add ClientBuilder::built_in_webpki_certs(bool) to enable them separately.
• Add ClientBuilder::built_in_native_certs(bool) to enable them separately.
• Fix sending content-length: 0 for GET requests.
• Fix response body content_length() to return value when timeout is configured.
• Fix ClientBuilder::resolve() to use lowercase domain names.

v0.12.2

• Fix missing ALPN when connecting to socks5 proxy with rustls.
• Fix TLS version limits with rustls.
• Fix not detected ALPN h2 from server with native-tls.

v0.12.1

• Fix ClientBuilder::interface() when no TLS is enabled.
• Fix TlsInfo::peer_certificate() being truncated with rustls.
• Fix panic if http2 feature disabled but TLS negotiated h2 in ALPN.
• Fix Display for Error to not include its source error.

---

Configuration

📅 Schedule: Branch creation - "before 4am every weekday,every weekend" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[cursor]

PR Summary

Medium Risk
Dependency-only change, but reqwest 0.13 includes breaking API/feature and TLS-default changes that could affect compilation or HTTP/TLS behavior at runtime.

Overview
Updates the workspace dependency on reqwest from 0.12.24 to 0.13.0 while keeping default-features = false and the rustls-tls feature selection.

No other code changes are included; reviewers should watch for build/runtime changes due to reqwest’s 0.13 breaking changes (TLS backend/feature gating) if any crates rely on previously-enabled defaults.

^{Written by Cursor Bugbot for commit f4d15d3. This will update automatically on new commits. Configure here.}

[codspeed-hq]

Merging this PR will create unknown performance changes

⏩ 21 skipped benchmarks¹
🗄️ 12 archived benchmarks run²

---

_{Comparing deps/rs/reqwest-0.x (f4d15d3) with main (1752c85)}

Footnotes

1. 21 benchmarks were skipped, so the baseline results were used instead. If they were deleted from the codebase, click here and archive them to remove them from the performance reports. ↩

2. 12 benchmarks were run, but are now archived. If they were deleted in another branch, consider rebasing to remove them from the report. Instead if they were added back, click here to restore them. ↩

[augmentcode]

🤖 Augment PR Summary

Summary: Updates the workspace Rust dependency on reqwest from 0.12.24 to 0.13.0.
Why: Keeps the HTTP client stack current, though reqwest 0.13 includes breaking changes (notably feature/TLS-related).

_{🤖 Was this summary useful? React with 👍 or 👎}

[augmentcode]

Review completed. 3 suggestions posted.

Comment augment review to trigger a new review at any time.

[augmentcode]

reqwest 0.13 renamed the rustls-tls Cargo feature to rustls, so keeping features = ["rustls-tls"] will likely fail with an unknown-feature error when resolving/building this crate.

_{🤖 Was this useful? React with 👍 or 👎}

[augmentcode]

reqwest-middleware 0.4.2 (and reqwest-tracing 0.5.8) depends on reqwest ^0.12, and the codebase constructs ClientWithMiddleware from reqwest::Client (e.g. in libs/@local/graph/type-fetcher), so bumping reqwest to 0.13 here is likely to create an incompatible dual-reqwest version situation / type mismatch.

_{🤖 Was this useful? React with 👍 or 👎}

[augmentcode]

This version bump also needs a corresponding Cargo.lock update; CI runs cargo update --workspace --locked (see .github/workflows/lint.yml), which will fail if the lockfile isn’t already consistent with the new reqwest version.

_{🤖 Was this useful? React with 👍 or 👎}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 60.93%. Comparing base (1752c85) to head (f4d15d3).

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #8319   +/-   ##
=======================================
  Coverage   60.93%   60.93%           
=======================================
  Files        1244     1244           
  Lines      121209   121209           
  Branches     5252     5252           
=======================================
+ Hits        73854    73855    +1     
+ Misses      46486    46485    -1     
  Partials      869      869           

Flag	Coverage Δ
local.claude-hooks	0.00% <ø> (ø)
local.harpc-client	51.24% <ø> (ø)
rust.antsi	0.00% <ø> (ø)
rust.error-stack	90.88% <ø> (ø)
rust.harpc-codec	84.70% <ø> (ø)
rust.harpc-net	96.16% <ø> (+0.01%)	⬆️
rust.harpc-tower	66.80% <ø> (ø)
rust.harpc-types	0.00% <ø> (ø)
rust.harpc-wire-protocol	92.23% <ø> (ø)
rust.hash-codec	72.76% <ø> (ø)
rust.hash-graph-temporal-versioning	47.95% <ø> (ø)
rust.hashql-core	81.75% <ø> (ø)
rust.hashql-diagnostics	72.43% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[hash-worker]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: Cargo.lock

Command failed: cargo update --config net.git-fetch-with-cli=true --manifest-path Cargo.toml --package reqwest@0.12.28 --precise 0.13.2
info: syncing channel updates for 'nightly-2026-02-02-x86_64-unknown-linux-gnu'
info: latest update on 2026-02-02, rust version 1.95.0-nightly (57d2fb136 2026-02-01)
info: downloading component 'cargo'
info: downloading component 'clippy'
info: downloading component 'llvm-tools'
info: downloading component 'miri'
info: downloading component 'rust-analyzer'
info: downloading component 'rust-src'
info: downloading component 'rust-std'
info: downloading component 'rustc'
info: downloading component 'rustc-codegen-cranelift'
info: downloading component 'rustfmt'
info: installing component 'cargo'
info: installing component 'clippy'
info: installing component 'llvm-tools'
info: installing component 'miri'
info: installing component 'rust-analyzer'
info: installing component 'rust-src'
info: installing component 'rust-std'
info: installing component 'rustc'
info: installing component 'rustc-codegen-cranelift'
info: installing component 'rustfmt'
    Updating git repository `https://github.com/hashdeps/oxc`
From https://github.com/hashdeps/oxc
 * [new ref]             73c781b54fdd9b34accca9585ee2ebe091400104 -> refs/commit/73c781b54fdd9b34accca9585ee2ebe091400104
    Updating git repository `https://github.com/specta-rs/specta`
From https://github.com/specta-rs/specta
 * [new ref]         ab7d9245d5e2ace951707c3c383b0211ca7fc8ce -> refs/commit/ab7d9245d5e2ace951707c3c383b0211ca7fc8ce
    Updating crates.io index
    Updating git repository `https://github.com/google/tarpc`
From https://github.com/google/tarpc
 * [new ref]         f55f36d2d876b1868cfcf52f41d0456a60cf726c -> refs/commit/f55f36d2d876b1868cfcf52f41d0456a60cf726c
    Updating git repository `https://github.com/temporalio/sdk-core`
From https://github.com/temporalio/sdk-core
 * [new ref]         4a2368d19f57e971ca9b2465f1dbeede7a861c34 -> refs/commit/4a2368d19f57e971ca9b2465f1dbeede7a861c34
error: failed to select a version for `reqwest`.
    ... required by package `hash-graph-type-fetcher v0.0.0 (/tmp/renovate/repos/github/hashintel/hash/libs/@local/graph/type-fetcher)`
    ... which satisfies path dependency `hash-graph-type-fetcher` (locked to 0.0.0) of package `hash-graph v0.0.0 (/tmp/renovate/repos/github/hashintel/hash/apps/hash-graph)`
versions that meet the requirements `^0.13.0` are: 0.13.2, 0.13.1, 0.13.0

package `hash-graph-type-fetcher` depends on `reqwest` with feature `rustls-tls` but `reqwest` does not have that feature.
 available features: __native-tls, __native-tls-alpn, __rustls, __rustls-aws-lc-rs, __tls, blocking, brotli, charset, cookies, default, default-tls, deflate, form, gzip, h2, hickory-dns, http2, http3, json, multipart, native-tls, native-tls-no-alpn, native-tls-vendored, native-tls-vendored-no-alpn, query, rustls, rustls-native-certs, rustls-no-provider, socks, stream, system-proxy, webpki-roots, zstd


failed to select a version for `reqwest` which could resolve this conflict

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
hash	Error		Feb 6, 2026 7:58pm
hashdotdesign	Ready	Preview, Comment	Feb 6, 2026 7:58pm
hashdotdesign-tokens	Ready	Preview, Comment	Feb 6, 2026 7:58pm
petrinaut	Ready	Preview	Feb 6, 2026 7:58pm