
Bump reqwest to 0.13.4 (hickory 0.26) and fix iterable fetch bodies #166

Merged: vadimpiven merged 2 commits into main from reqwest-0.13.4-and-iterable-body-fix on Jun 5, 2026

@vadimpiven
Owner

Summary

Two related changes from the dependency-update pass:

chore(deps): bump reqwest to 0.13.4 + drop hickory advisory ignores

  • cargo update refreshes the lockfile — hickory-proto/resolver 0.25.2 → 0.26.1, hyper 1.9 → 1.10, rustls-native-certs, http, and ~25 more — and moves reqwest 0.13.3 → 0.13.4.
  • With hickory finally on the 0.26 branch, RUSTSEC-2026-0118 and RUSTSEC-2026-0119 no longer apply, so the temporary cargo-deny ignores and the matching trivy GHSA-q2qq-hmj6-3wpp entry are removed.
  • cargo deny check (advisories/bans/licenses/sources) and trivy fs both pass clean with no ignores.

fix(node): accept async/sync iterable request bodies

  • undici's fetch (and the Dispatcher contract) hand request bodies to the dispatcher as async/sync iterables — even a Uint8Array body arrives as an async generator. normalizeBody only recognized string/Buffer/Uint8Array/Readable/ReadableStream and silently dropped iterables to an empty body, so POST/PUT via fetch advertised a content-length with no body and hung until timeout.
  • Fix: adapt iterables to a Readable and buffer them like other Readable bodies (matches undici's own typeof obj[Symbol.asyncIterator] === "function" detection).
  • Adds regression tests for async-iterable, sync-iterable, and a real fetch POST through a node-reqwest dispatcher.

Testing

  • cargo nextest run --workspace — 35 passed
  • vitest run — 97 passed, 2 skipped (mitmproxy, needs external setup)
  • Playwright/Electron integration — 1 passed
  • cargo deny check + trivy fs — clean
  • zizmor, clippy, oxlint/oxfmt, rustfmt, markdownlint, gitleaks — pass

🤖 Generated with Claude Code
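
The fall-through and the adapted path described above, side by side, as an added example that is not part of the original PR or node-reqwest's code. `normalizeBodySketch`, `drain`, `EMPTY`, the `acceptIterables` switch and the sample body are hypothetical names constructed for illustration.

```javascript
// Added sketch: normalizeBodySketch, drain, EMPTY and acceptIterables are
// hypothetical names, not node-reqwest's code.
const EMPTY = Buffer.alloc(0);

// Detection the PR cites from undici, extended to sync iterables.
function isIterableBody(obj) {
  return obj != null && typeof obj === "object" &&
    (typeof obj[Symbol.asyncIterator] === "function" ||
      typeof obj[Symbol.iterator] === "function");
}

// Buffer a Readable into one Buffer.
async function drain(stream) {
  const chunks = [];
  for await (const chunk of stream) chunks.push(Buffer.from(chunk));
  return Buffer.concat(chunks);
}

// acceptIterables=false reproduces the pre-fix fall-through to an empty body.
async function normalizeBodySketch(body, acceptIterables) {
  // Dynamic import so the snippet runs as either CommonJS or an ES module.
  const { Readable } = await import("node:stream");
  if (body == null) return EMPTY;
  if (typeof body === "string") return Buffer.from(body);
  // Uint8Array (and Buffer) must be matched first: it is itself iterable and
  // would otherwise be walked one number at a time.
  if (body instanceof Uint8Array) return Buffer.from(body);
  if (body instanceof Readable) return drain(body);
  if (acceptIterables && isIterableBody(body)) return drain(Readable.from(body));
  return EMPTY;
}

// Constructed sample: a body delivered as an async generator of byte chunks.
async function* sampleBody() {
  yield new TextEncoder().encode("hello ");
  yield new TextEncoder().encode("world");
}

async function demo() {
  const declared = 11; // content-length the request would advertise
  const before = await normalizeBodySketch(sampleBody(), false);
  const after = await normalizeBodySketch(sampleBody(), true);
  const sync = await normalizeBodySketch([Buffer.from("ab"), Buffer.from("c")], true);
  return { declared, before: before.length, after: after.length, sync: sync.toString() };
}

demo().then((r) => console.log(r));
```
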

vadimpiven and others added 2 commits June 5, 2026 20:15
undici's `fetch` (and the Dispatcher contract) deliver request bodies as
async/sync iterables — even a `Uint8Array` body reaches the dispatcher as
an async generator. `normalizeBody` only recognized string/Buffer/
Uint8Array/Readable/ReadableStream and dropped iterables to an empty body,
so POST/PUT via `fetch` advertised a `content-length` with no body and
hung. Adapt iterables to a `Readable` and buffer them like other Readable
bodies.

Adds regression tests for async-iterable, sync-iterable, and fetch POST.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

cargo update refreshes the lockfile (hickory-proto/resolver 0.25.2 →
0.26.1, hyper 1.9 → 1.10, rustls-native-certs, http, and ~25 more) and
moves reqwest to 0.13.4. With hickory on 0.26.1 the RUSTSEC-2026-0118 and
RUSTSEC-2026-0119 advisories no longer apply, so remove the cargo-deny
ignores and the matching trivy GHSA-q2qq-hmj6-3wpp entry. cargo deny check
and trivy fs both pass clean.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@semanticdiff-com

semanticdiff-com Bot commented Jun 5, 2026

Review changes with  SemanticDiff

Changed Files

File | Status
.trivyignore | Unsupported file format
Cargo.lock | Unsupported file format
Cargo.toml | Unsupported file format
deny.toml | Unsupported file format
packages/node/export/agent.ts | 0% smaller
packages/node/tests/vitest/dispatch-integration.test.ts | 0% smaller

@socket-security

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License
Added | pypi/semgrep@1.151.0 | 73 | 100 | 100 | 100 | 70
Added | pypi/mitmproxy@12.2.3 | 93 | 100 | 100 | 100 | 100
Added | pypi/ruff@0.15.14 | 100 | 100 | 100 | 100 | 100
Added | pypi/pyrefly@1.0.0 | 100 | 100 | 100 | 100 | 100
Added | pypi/zizmor@1.25.2 | 100 | 100 | 100 | 100 | 100



@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request upgrades several Rust dependencies, including bumping reqwest to 0.13.4 and upgrading hickory-proto and hickory-resolver to version 0.26.1. This upgrade resolves previous security advisories, allowing the removal of corresponding ignores in .trivyignore and deny.toml. Additionally, the Node.js agent is updated to support Iterable<Uint8Array> and AsyncIterable<Uint8Array> request bodies, with new integration tests added to verify these changes. I have no feedback to provide as there are no review comments.

Important

The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.

@greptile-apps

greptile-apps Bot commented Jun 5, 2026

Greptile Summary

This PR does two things: bumps reqwest to 0.13.4 (pulling hickory-proto/resolver to 0.26.1) which lets it drop the temporary cargo-deny and trivy advisory ignores for RUSTSEC-2026-0118/0119, and fixes a silent body-drop bug where normalizeBody would fall through to EMPTY_BODY when undici handed it an async/sync iterable.

  • Iterable body fix (agent.ts): adds an Iterable | AsyncIterable branch that converts the iterable to a Node Readable via Readable.from and routes it through the existing normalizeBodyBuffered path; TypeScript's control-flow narrowing after the prior instanceof guards means the call site is fully type-safe.
  • Advisory cleanup (deny.toml, .trivyignore): removes the two hickory ignores now that hickory 0.26.1 resolves both CVEs upstream.
  • Regression tests: three new integration tests cover the async-iterable, sync-iterable, and real undici.fetch POST paths.

Confidence Score: 5/5

Safe to merge — the iterable body fix is well-scoped, the dependency bumps are clean, and the advisory ignores being removed are genuinely resolved upstream.

The iterable branch is inserted after all prior type guards so it only fires on true iterables; Readable.from handles both sync and async iterables correctly; the three new tests exercise every new code path including the real fetch flow. The dependency update is a routine lockfile refresh with no yanked crates.

No files require special attention.

Important Files Changed

Filename | Overview
packages/node/export/agent.ts | Adds Iterable/AsyncIterable support to normalizeBody by converting them to a Node Readable via Readable.from — logic is correct and TypeScript control-flow narrows body to the right type before the Readable.from call
packages/node/tests/vitest/dispatch-integration.test.ts | Adds three regression tests covering async-iterable, sync-iterable, and a real undici fetch POST; test structure mirrors existing patterns and correctly validates byte counts
deny.toml | Removes the two hickory advisory ignores (RUSTSEC-2026-0118, RUSTSEC-2026-0119) now that hickory 0.26.1 resolves both; leaves ignore = [] which is valid cargo-deny syntax
.trivyignore | Removes GHSA-q2qq-hmj6-3wpp ignore now that hickory 0.26 resolves it; leaves a clean comment-only placeholder
Cargo.toml | Bumps the reqwest version pin from 0.13.3 to 0.13.4 — a single-line change matching the lockfile update
Cargo.lock | Lockfile refresh: reqwest 0.13.3→0.13.4, hickory-proto/resolver 0.25.2→0.26.1, hyper 1.9→1.10, rand 0.10.1 and rand_core 0.10.1 added for hickory, and ~25 minor crate bumps — no yanked or suspicious entries

Reviews (1): Last reviewed commit: "chore(deps): bump reqwest to 0.13.4, dro..." | Re-trigger Greptile

@codspeed-hq

codspeed-hq Bot commented Jun 5, 2026

Merging this PR will not alter performance

✅ 15 untouched benchmarks


Comparing reqwest-0.13.4-and-iterable-body-fix (37164dd) with main (d3731e4)


@codecov

codecov Bot commented Jun 5, 2026

Codecov Report

❌ Patch coverage is 75.00000% with 1 line in your changes missing coverage. Please review.

Files with missing lines | Patch % | Lines
packages/node/export/agent.ts | 75.00% | 0 Missing and 1 partial ⚠️


@vadimpiven vadimpiven merged commit 32fd41a into main Jun 5, 2026
23 checks passed
@vadimpiven vadimpiven deleted the reqwest-0.13.4-and-iterable-body-fix branch June 5, 2026 18:38