From f55a343137bfd79b060325aaf559ed0d59442028 Mon Sep 17 00:00:00 2001
From: Pino de Candia <32303022+pinodeca@users.noreply.github.com>
Date: Mon, 15 Jun 2026 22:12:51 +0000
Subject: [PATCH] fix(deps): bump reqwest requirement to 0.13 to match lockfile PR #236 (Dependabot grouped cargo update) moved Cargo.lock's reqwest to 0.13.3 via feature unification with duroxide-pg, but left Cargo.toml requiring "0.12". That makes the manifest and lockfile inconsistent. Bump the requirement to "0.13" and pin the lockfile to 0.13.3. Keep default-features = false + explicit native-tls: in reqwest 0.13 the default-tls feature resolves to rustls, not native-tls, so relying on defaults would silently switch the TLS backend. cargo tree confirms the graph stays on native-tls/hyper-tls/tokio-native-tls with no rustls/ring/aws-lc backend. Build + all 36 ssrf tests pass.
---
 Cargo.lock | 2 +-
 Cargo.toml | 10 ++++++++--
 2 files changed, 9 insertions(+), 3 deletions(-)
diff --git a/Cargo.lock b/Cargo.lock
index 54893d77..73831975 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -3064,7 +3064,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "32497e9a4c7b38532efcdebeef879707aa9f794296a4f0244f6f69e9bc8574bd"
 dependencies = [
 "fastrand",
- "getrandom 0.3.4",
+ "getrandom 0.4.2",
 "once_cell",
 "rustix",
 "windows-sys 0.61.2",
diff --git a/Cargo.toml b/Cargo.toml
index 45a400ad..481b9777 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -46,8 +46,14 @@ bigdecimal = "0.4" cron = "0.13" chrono = "0.4" -# For HTTP requests (df.http) -reqwest = { version = "0.12", default-features = false, features = ["json", "native-tls"] } +# For HTTP requests (df.http). We set default-features = false and select +# native-tls explicitly: in reqwest 0.13 the `default-tls` feature resolves to +# rustls, NOT native-tls, so enabling defaults would silently switch our TLS +# backend. native-tls keeps the openssl-backed connector (hyper-tls + +# tokio-native-tls). duroxide-pg also selects native-tls on the same resolved +# reqwest version; Cargo feature unification merges them, so the whole graph +# stays on native-tls with no rustls/ring/aws-lc in the tree. +reqwest = { version = "0.13", default-features = false, features = ["json", "native-tls"] } # For duroxide tracing integration tracing-subscriber = { version = "0.3", features = ["env-filter"] }
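Review bot: The comment added above the `reqwest` line asserts that the whole graph stays on native-tls with no rustls/ring/aws-lc in the tree, but nothing in this change enforces it. Cargo feature unification is additive, so any crate that later enables a rustls feature on the shared reqwest would bring that backend in without touching this manifest. Consider turning the `cargo tree` check from the commit message into a CI gate, for example a cargo-deny `[bans]` deny list covering the rustls, ring and aws-lc crates, and have the comment point to that gate instead of stating the result. Separately, "openssl-backed" is accurate only where native-tls uses OpenSSL; on Windows and macOS it uses the platform TLS library, so if those targets are built (the lockfile carries `windows-sys`) a wording such as `# native-tls keeps the platform TLS connector (OpenSSL on Linux)` would be more precise. The enclosing table header is outside the hunk.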