@renovate renovate bot commented Nov 24, 2025

This PR contains the following updates:

Package    | Type                   | Update | Change
tower-http | workspace.dependencies | patch  | 0.6.6 -> 0.6.7

Release Notes

tower-rs/tower-http (tower-http)

v0.6.7

Compare Source

Added

  • TimeoutLayer::with_status_code(status) to define the status code returned
    when timeout is reached. (#599)

Deprecated

  • auth::require_authorization is too basic for real-world. (#591)
  • TimeoutLayer::new() should be replaced with
    TimeoutLayer::with_status_code(). (Previously was
    StatusCode::REQUEST_TIMEOUT) (#599)

Fixed

  • on_eos is now called even for successful responses. (#580)
  • ServeDir: call fallback when filename is invalid (#586)
  • decompression will not fail when body is empty (#618)

New Contributors

Full Changelog: tower-rs/tower-http@tower-http-0.6.6...tower-http-0.6.7


Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added dependencies Pull requests that update a dependency file renovate rust labels Nov 24, 2025
@renovate renovate bot force-pushed the renovate/rust-dependencies-auto-merge-(patch) branch from b2f5777 to b549dea Compare November 24, 2025 19:13
claude bot commented Nov 24, 2025

PR Review: Update tower-http to v0.6.7

Overview

This is an automated dependency update by Renovate, upgrading tower-http from 0.6.6 to 0.6.7. This is a patch version update that should be safe to merge.

Summary

Approved - This is a low-risk dependency update with beneficial bug fixes.


Code Quality & Best Practices

Good: This is a routine dependency update following semantic versioning
Good: The project uses workspace dependencies, ensuring consistent versions across all crates
Good: Renovate is properly configured with automerge for patch updates


Changes Analysis

Direct Impact

The codebase uses tower-http minimally:

  • Usage location: scotty/src/http.rs:6 - Only imports CorsLayer
  • Features used: cors and fs (workspace definition at Cargo.toml:59)

Dependency Changes

The diff shows indirect updates:

  • windows-sys updated from 0.52.0 to 0.59.0 (transitive dependency)
  • tower-http checksum updated: adc82fd73...9cf146f99...

Security Concerns

No security issues identified

The update includes several security-relevant improvements:

  1. Better error handling: Decompression won't fail on empty body (#618)
  2. Input validation: ServeDir now calls fallback for invalid filenames (#586)

Bug Fixes Included

The v0.6.7 release includes important bug fixes:

  1. on_eos callback fix (#580)

    • Previously only called on errors, now called for successful responses too
    • Impact: Low (project doesn't appear to use this feature)
  2. ServeDir invalid filename handling (#586)

    • Now calls fallback when filename is invalid
    • Impact: Low (project uses fs feature but specific usage not found in quick search)
  3. Empty body decompression fix (#618)

    • Prevents failures when decompressing empty bodies
    • Impact: Low (project doesn't appear to use decompression)

Performance Considerations

No performance concerns

This is a patch release focused on bug fixes with no breaking changes or performance regressions expected.


Test Coverage

CI checks should validate

The project has comprehensive CI:

  • cargo check --all-targets --all-features
  • cargo test --all-targets --all-features
  • cargo clippy -- -D warnings
  • cargo fmt -- --check
  • Frontend build and lint

Recommendation: Ensure all CI checks pass before merging.


Additional Notes

Deprecated APIs (not affecting this project)

The update deprecates:

  • auth::require_authorization - Project doesn't use this
  • TimeoutLayer::new() - Project doesn't use this

New Features Available

  • TimeoutLayer::with_status_code(status) - Allows customizing timeout status code

Recommendations

  1. Safe to merge once CI passes
  2. Automerge enabled - Can be merged automatically
  3. ℹ️ Consider: Review the CORS configuration in scotty/src/http.rs:15 for production:
    • Currently uses wildcard origin ("*")
    • Has .allow_credentials(true) commented out
    • This is fine for development but consider tightening for production

Conclusion

This is a low-risk, beneficial update that:

  • ✅ Fixes several bugs
  • ✅ Improves error handling
  • ✅ Has no breaking changes
  • ✅ Minimal impact on codebase (only uses CorsLayer)

Verdict: LGTM 🚢 Ready to merge once CI passes.


Review conducted by Claude Code
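
Added example, not part of the review comment above and not code from the scotty repository: the comment's CORS recommendation (wildcard origin, credentials disabled) expressed as a std-only policy check, showing the wildcard development setting next to an exact-match allowlist that can safely enable credentials. The names `Origins`, `Policy`, `build` and `response_headers` and the `example.test` origins are hypothetical; browsers refuse credentialed responses whose allow-origin value is `*`, which is why `build` rejects that combination.

```rust
// Added illustration (std only). All type and function names are hypothetical.
#[derive(Debug, PartialEq)]
enum Origins {
    Any,               // Access-Control-Allow-Origin: *
    List(Vec<String>), // exact-match allowlist
}

#[derive(Debug, PartialEq)]
struct Policy {
    origins: Origins,
    credentials: bool,
}

impl Policy {
    /// Reject "*" combined with credentials before the policy is ever served.
    fn build(origins: Origins, credentials: bool) -> Result<Policy, &'static str> {
        if credentials && origins == Origins::Any {
            return Err("wildcard origin cannot be combined with credentials");
        }
        Ok(Policy { origins, credentials })
    }

    /// CORS headers for a request carrying `origin`; no allow-origin header
    /// is emitted when the origin is not on the allowlist.
    fn response_headers(&self, origin: &str) -> Vec<(&'static str, String)> {
        let mut out = Vec::new();
        match &self.origins {
            Origins::Any => out.push(("access-control-allow-origin", "*".to_string())),
            Origins::List(allowed) => {
                // The response varies with the request's Origin, so caches must key on it.
                out.push(("vary", "origin".to_string()));
                if !allowed.iter().any(|a| a.as_str() == origin) {
                    return out;
                }
                out.push(("access-control-allow-origin", origin.to_string()));
            }
        }
        if self.credentials {
            out.push(("access-control-allow-credentials", "true".to_string()));
        }
        out
    }
}

fn main() {
    // Constructed sample origins.
    let prod = Policy::build(Origins::List(vec!["https://app.example.test".into()]), true).unwrap();
    println!("{:?}", prod.response_headers("https://app.example.test"));
    println!("{:?}", prod.response_headers("https://other.example.test"));
}
```
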

claude bot commented Nov 24, 2025

Pull Request Review - tower-http v0.6.6 → v0.6.7

Overview

This is an automated dependency update from Renovate upgrading tower-http from version 0.6.6 to 0.6.7. This is a patch version update that includes bug fixes and minor improvements.

Code Quality ✅

  • Clean dependency update: Only updates Cargo.lock with no code changes required
  • Follows best practices: Automated dependency management via Renovate
  • Conventional commits: Uses proper commit message format

Changes Analysis

What Changed

The PR updates:

  1. tower-http: 0.6.6 → 0.6.7
  2. Transitive dependency windows-sys: 0.52.0 → 0.59.0 (in 4 locations)

Upstream Changes in tower-http 0.6.7

Based on the release notes, this version includes:

Fixes:

  • on_eos is now called even for successful responses
  • ServeDir: calls fallback when filename is invalid
  • decompression will not fail when body is empty

Additions:

  • TimeoutLayer::with_status_code(status) to define custom timeout status codes

Deprecations:

  • auth::require_authorization (too basic for real-world use)
  • TimeoutLayer::new() in favor of with_status_code()

Impact Assessment

Usage in Codebase

The codebase uses tower-http only for CORS functionality (tower_http::cors::CorsLayer) in scotty/src/http.rs:6.

Risk Level: LOW

  • The CORS module is not affected by any of the changes in v0.6.7
  • No breaking changes in this patch release
  • The project does not use TimeoutLayer, ServeDir, decompression, or auth::require_authorization
  • Bug fixes improve stability without changing behavior

Security ✅

  • No security concerns identified
  • The transitive windows-sys update (0.52.0 → 0.59.0) brings the dependency more up-to-date
  • GitGuardian security check: PASSED

Testing ✅

  • CI checks are currently in progress
  • Rustfmt: PASSED
  • Frontend: PASSED
  • Test Suite: In progress
  • Clippy: In progress

Performance Considerations ✅

  • No performance impact expected
  • The bug fix for on_eos might slightly improve callback reliability
  • Decompression fix prevents unnecessary failures

Test Coverage

  • No additional tests needed for a dependency update
  • Existing tests will verify no regressions occur
  • Wait for CI to complete to ensure compatibility

Recommendations

APPROVE - This is a safe patch update

Action Items:

  1. ✅ Wait for all CI checks to complete (Check, Test Suite, Clippy)
  2. ✅ Once CI passes, this can be safely merged
  3. ✅ Automerge is enabled, so this will merge automatically when CI passes

Conclusion

This is a routine, low-risk dependency update that brings bug fixes and improvements without introducing breaking changes. The CORS functionality used by scotty is unaffected. The update is recommended for improved stability and to keep dependencies current.


Review performed by Claude Code

@renovate renovate bot force-pushed the renovate/rust-dependencies-auto-merge-(patch) branch from b549dea to bb8a3ba Compare November 24, 2025 19:38
claude bot commented Nov 24, 2025

PR Review: Update tower-http to v0.6.7

Summary

This is an automated dependency update from Renovate that updates tower-http from version 0.6.6 to 0.6.7. The changes are limited to Cargo.lock with no modifications to application code.

✅ Code Quality & Best Practices

  • Clean dependency update: The PR only modifies Cargo.lock, which is the expected behavior for a patch version update
  • Follows semantic versioning: This is a patch update (0.6.6 → 0.6.7), indicating backward-compatible bug fixes
  • The workspace configuration in Cargo.toml specifies tower-http = { version = "0.6.1", features = ["cors", "fs"] }, which means this update is compatible with the version constraint

🐛 Potential Bugs/Issues

No issues identified. The upstream release notes indicate:

  • ✅ Bug fixes for on_eos callbacks, ServeDir invalid filename handling, and empty body decompression
  • ⚠️ Some APIs deprecated (auth::require_authorization and TimeoutLayer::new()), but codebase search confirms you're not using these deprecated features

⚡ Performance Considerations

  • No performance regressions expected: This is a patch release with bug fixes
  • The changes to windows-sys dependencies (0.52.0 → 0.59.0) are indirect updates, likely pulled in by tower-http's dependency chain

🔒 Security Concerns

  • No security vulnerabilities addressed in this release (based on release notes)
  • Dependencies updated: Indirect updates to windows-sys appear to be maintenance updates
  • Recommendation: Safe to merge

🧪 Test Coverage

  • The existing test suite should provide adequate coverage for this dependency update
  • Recommendation: Ensure CI passes before merging (Renovate should have automerge enabled)
  • No new tests needed as this is a dependency patch update with bug fixes

📋 Additional Notes

  1. Deprecation warnings: While TimeoutLayer::new() and auth::require_authorization are deprecated in tower-http v0.6.7, your codebase doesn't use these features (confirmed via search)
  2. Breaking changes: None in this patch release
  3. Benefits of this update:
    • Fixes on_eos callback invocation for successful responses
    • Fixes ServeDir fallback behavior with invalid filenames
    • Fixes decompression handling of empty bodies

🎯 Recommendation

APPROVE - This is a safe, routine dependency update with bug fixes and no breaking changes. The update aligns with your project's dependency management practices and includes beneficial bug fixes from upstream.


Review performed by Claude Code

@renovate renovate bot merged commit 1124bb3 into main Nov 24, 2025
12 checks passed
@renovate renovate bot deleted the renovate/rust-dependencies-auto-merge-(patch) branch November 24, 2025 20:02