chore(deps): update reqwest requirement from 0.12 to 0.13 in the cargo group #43

Merged
KooshaPari merged 1 commit into main from dependabot/cargo/cargo-f519650509
May 4, 2026

Conversation

@dependabot dependabot Bot commented on behalf of github May 4, 2026

Updates the requirements on reqwest to permit the latest version.
Updates reqwest to 0.12.28

Release notes

Sourced from reqwest's releases.

v0.12.28

What's Changed

Full Changelog: seanmonstar/reqwest@v0.12.27...v0.12.28

Changelog

Sourced from reqwest's changelog.

v0.12.28

  • Fix compiling on Windows if TLS and SOCKS features are not enabled.

v0.12.27

  • Add ClientBuilder::windows_named_pipe(name) option that will force all requests over that Windows Named Pipe.

v0.12.26

  • Fix sending Accept-Encoding header only with values configured with reqwest, regardless of underlying tower-http config.

v0.12.25

  • Add Error::is_upgrade() to determine if the error was from an HTTP upgrade.
  • Fix sending Proxy-Authorization if only username is configured.
  • Fix sending Proxy-Authorization to HTTPS proxies when the target is HTTP.
  • Refactor internal decompression handling to use tower-http.

v0.12.24

  • Refactor cookie handling to an internal middleware.
  • Refactor internal random generator.
  • Refactor base64 encoding to reduce a copy.
  • Documentation updates.

v0.12.23

  • Add ClientBuilder::unix_socket(path) option that will force all requests over that Unix Domain Socket.
  • Add ClientBuilder::retry(policy) and reqwest::retry::Builder to configure automatic retries.
  • Add ClientBuilder::dns_resolver2() with more ergonomic argument bounds, allowing more resolver implementations.
  • Add http3_* options to blocking::ClientBuilder.
  • Fix default TCP timeout values to enabled and faster.
  • Fix SOCKS proxies to default to port 1080
  • (wasm) Add cache methods to RequestBuilder.

v0.12.22

  • Fix socks proxies when resolving IPv6 destinations.

v0.12.21

  • Fix socks proxy to use socks4a:// instead of socks4h://.
  • Fix Error::is_timeout() to check for hyper and IO timeouts too.
  • Fix request Error to again include URLs when possible.
  • Fix socks connect error to include more context.
  • (wasm) implement Default for Body.

v0.12.20

... (truncated)

Updates the requirements on [reqwest](https://github.com/seanmonstar/reqwest) to permit the latest version.

Updates `reqwest` to 0.12.28
- [Release notes](https://github.com/seanmonstar/reqwest/releases)
- [Changelog](https://github.com/seanmonstar/reqwest/blob/master/CHANGELOG.md)
- [Commits](seanmonstar/reqwest@v0.12.0...v0.12.28)

---
updated-dependencies:
- dependency-name: reqwest
  dependency-version: 0.12.28
  dependency-type: direct:production
  dependency-group: cargo
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the dependencies (Pull requests updating dependencies) and rust (Pull requests that update rust code) labels May 4, 2026
@dependabot dependabot Bot requested a review from KooshaPari as a code owner May 4, 2026 00:31

codeant-ai Bot commented May 4, 2026

Skipping PR review because a bot author is detected.

If you want to trigger CodeAnt AI, comment @codeant-ai review to trigger a manual review.

kilo-code-bot Bot commented May 4, 2026

Code Review Summary

Status: 3 Issues Found | Recommendation: Request Changes

Overview

| Severity | Count |
|----------|-------|
| WARNING  | 3     |

Issue Details

WARNING

| File | Line | Issue |
|------|------|-------|
| crates/llm-router/Cargo.toml | 13 | Major version bump from reqwest 0.12 to 0.13 - this is a breaking change per semver for 0.x versions |
| crates/pheno-embedding/Cargo.toml | 13 | Major version bump from reqwest 0.12 to 0.13 - this is a breaking change per semver for 0.x versions |
| crates/llm-router/Cargo.toml | 13 | Unpinned version constraint "0.13" allows any 0.13.x - should specify exact version or range like ">=0.13.0,<0.14.0" |
| crates/pheno-embedding/Cargo.toml | 13 | Unpinned version constraint "0.13" allows any 0.13.x - should specify exact version or range like ">=0.13.0,<0.14.0" |

Other Observations (not in diff)

Issues found in unchanged code that cannot receive inline comments:

| File | Line | Issue |
|------|------|-------|
| crates/llm-router/src/lib.rs | 94-100 | HTTP response is discarded (_response) and method returns hardcoded mock data - integration won't catch reqwest API breaking changes |
| crates/pheno-embedding/src/lib.rs | 59-65 | HTTP response is discarded (_response) and method returns hardcoded mock data - integration won't catch reqwest API breaking changes |

Files Reviewed (3 files)
  • crates/llm-router/Cargo.toml - 2 issues
  • crates/pheno-embedding/Cargo.toml - 2 issues
  • crates/llm-router/src/lib.rs - pre-existing testing gap (observed)

Analysis

This is a major version upgrade (0.12 → 0.13) of the reqwest dependency. In Rust semver for 0.x versions, minor version bumps can contain breaking changes. While the usage in these crates is minimal (basic HTTP client construction, POST with JSON, header setting), breaking changes in reqwest 0.13 could include:

  • Feature flag changes or defaults
  • Method signature changes
  • Error type changes
  • Removal of deprecated APIs
  • Changes to internal hyper/tower dependencies

The PR title/body mismatch: The title correctly states the upgrade to 0.13, but the body incorrectly references the 0.12.28 release notes. This is Dependabot's boilerplate text but may indicate the author didn't verify the actual version change.

Testing gap: Both OpenAiProvider::complete and OpenAiEmbeddings::embed discard the HTTP response and return hardcoded mock data, so unit tests will not catch breaking changes in the reqwest API. Recommend either:

  1. Adding integration tests with mock servers (e.g., wiremock, mockito) to validate actual HTTP behavior
  2. Or accepting this upgrade only after verifying manually that the code compiles and functions with reqwest 0.13

Version pinning: The constraint version = "0.13" is unbounded on the right and could pull in future 0.13.x releases with unexpected changes. Recommend specifying an explicit range such as:

reqwest = { version = ">=0.13.0,<0.14.0", features = ["json", "rustls-tls"] }

or pinning to an exact version after validation:

reqwest = { version = "0.13.0", features = ["json", "rustls-tls"] }

Action required before merge:

  1. Verify the code compiles and tests pass with cargo check/test --workspace after upgrading to reqwest 0.13
  2. Consider pinning the version to a specific 0.13.x release after validation
  3. Consider improving test coverage for HTTP integration to catch future breaking changes

Reviewed by step-3.5-flash · 369,167 tokens
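
An added example, not part of this PR or of any comment in the thread: how Cargo reads a bare requirement string such as the "0.12" and "0.13" in this PR's title, which is as a caret requirement with a computed upper bound. It also covers the 1.x and 0.0.x cases beyond the one in this PR; the function names are hypothetical, and pre-release tags and explicit operators are out of scope.

```rust
// Added example: Cargo's default (caret) reading of a bare version requirement.
// Assumption: plain numeric versions only (no pre-release tags, no operators).

type Version = (u64, u64, u64);

/// Parse "MAJOR[.MINOR[.PATCH]]" into its numeric parts (1 to 3 of them).
fn parse_parts(s: &str) -> Option<Vec<u64>> {
    let parts: Option<Vec<u64>> = s.trim().split('.').map(|p| p.parse().ok()).collect();
    parts.filter(|p| !p.is_empty() && p.len() <= 3)
}

/// Half-open range [lower, upper) that a bare requirement permits.
/// The upper bound bumps the left-most non-zero component that was given.
fn caret_range(req: &str) -> Option<(Version, Version)> {
    let p = parse_parts(req)?;
    let (major, minor, patch) = (p[0], *p.get(1).unwrap_or(&0), *p.get(2).unwrap_or(&0));
    let upper = if major > 0 || p.len() == 1 {
        (major + 1, 0, 0)
    } else if minor > 0 || p.len() == 2 {
        (0, minor + 1, 0)
    } else {
        (0, 0, patch + 1)
    };
    Some(((major, minor, patch), upper))
}

/// True if the full version `candidate` satisfies the bare requirement `req`.
fn permits(req: &str, candidate: &str) -> bool {
    let cand = match parse_parts(candidate) {
        Some(p) if p.len() == 3 => (p[0], p[1], p[2]),
        _ => return false,
    };
    match caret_range(req) {
        Some((lower, upper)) => lower <= cand && cand < upper,
        None => false,
    }
}

fn main() {
    // Constructed candidate versions, not read from a registry.
    for cand in ["0.12.28", "0.13.0", "0.13.9", "0.14.0"] {
        println!("0.12 permits {cand}: {} | 0.13 permits {cand}: {}",
                 permits("0.12", cand), permits("0.13", cand));
    }
}
```

Which release inside the permitted range a build actually uses is recorded in Cargo.lock, so reviewing the lockfile diff alongside the manifest change shows the concrete version being adopted.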

@KooshaPari KooshaPari merged commit bd1da33 into main May 4, 2026
7 checks passed
@KooshaPari KooshaPari deleted the dependabot/cargo/cargo-f519650509 branch May 4, 2026 10:25