chore(deps): bump the others group in /bindings/nodejs with 4 updates

[dependabot]

Updates the requirements on reqwest, quick-xml, rand and reqsign to permit the latest version.
Updates reqwest to 0.12.28

Release notes

Sourced from reqwest's releases.

v0.12.28

What's Changed

• fix: correctly import TokioIo on Windows by @​seanmonstar in seanmonstar/reqwest#2896

Full Changelog: seanmonstar/reqwest@v0.12.27...v0.12.28

Changelog

Sourced from reqwest's changelog.

v0.12.28

• Fix compiling on Windows if TLS and SOCKS features are not enabled.

v0.12.27

• Add ClientBuilder::windows_named_pipe(name) option that will force all requests over that Windows Named Piper.

v0.12.26

• Fix sending Accept-Encoding header only with values configured with reqwest, regardless of underlying tower-http config.

v0.12.25

• Add Error::is_upgrade() to determine if the error was from an HTTP upgrade.
• Fix sending Proxy-Authorization if only username is configured.
• Fix sending Proxy-Authorization to HTTPS proxies when the target is HTTP.
• Refactor internal decompression handling to use tower-http.

v0.12.24

• Refactor cookie handling to an internal middleware.
• Refactor internal random generator.
• Refactor base64 encoding to reduce a copy.
• Documentation updates.

v0.12.23

• Add ClientBuilder::unix_socket(path) option that will force all requests over that Unix Domain Socket.
• Add ClientBuilder::retry(policy) and reqwest::retry::Builder to configure automatic retries.
• Add ClientBuilder::dns_resolver2() with more ergonomic argument bounds, allowing more resolver implementations.
• Add http3_* options to blocking::ClientBuilder.
• Fix default TCP timeout values to enabled and faster.
• Fix SOCKS proxies to default to port 1080
• (wasm) Add cache methods to RequestBuilder.

v0.12.22

• Fix socks proxies when resolving IPv6 destinations.

v0.12.21

• Fix socks proxy to use socks4a:// instead of socks4h://.
• Fix Error::is_timeout() to check for hyper and IO timeouts too.
• Fix request Error to again include URLs when possible.
• Fix socks connect error to include more context.
• (wasm) implement Default for Body.

v0.12.20

... (truncated)

Commits

• d978599 v0.12.28
• ef2768a fix: correctly import TokioIo on Windows (#2896)
• 1bf6441 v0.12.27
• 4967b1b feat: add windows_named_pipe() option to client builder (#2789)
• ef5b239 chore: Use http_body_util::BodyDataStream (#2892)
• a810004 chore: Disable unused tokio-util codec feature (#2893)
• 01f03a4 v0.12.26
• e908f57 fix(http3): correct compression defaults (#2890)
• 509c904 fix: disable default compression from tower-http if not enabled in reqwest (#...
• 896aaea deps: update cookie_store to 0.22 (#2886)
• Additional commits viewable in compare view

Updates quick-xml to 0.39.0

Release notes

Sourced from quick-xml's releases.

v0.39.0 - Config for Writer

What's Changed

Added a way to configure Writer. Now all configuration is contained in the writer::Config struct and can be applied at once. When serde-types feature is enabled, configuration is serializable.

New Features

• #846: Add methods config() and config_mut() to inspect and change the writer configuration.
• #846: Add ability to write space before /> in self-closed tags for maximum compatibility with XHTML.
• #846: Add method empty_element_handling() as a more powerful alternative to expand_empty_elements() in Serializer.
• #929: Allow to pass list of field names to impl_deserialize_for_internally_tagged_enum! macro which is required if you enum variants contains $value fields.

Bug Fixes

• #923: Implement correct skipping of well-formed DTD.

Misc Changes

• #908: Increase minimal supported serde version from 1.0.139 to 1.0.180.
• #913: Deprecate .prefixes(), .resolve(), .resolve_attribute(), and .resolve_element() of NsReader. Use .resolver().bindings() and .resolver().resolve() methods instead.
• #913: Attributes::has_nil now accepts NamespaceResolver instead of Reader<R>.
• #924: (breaking change) Split SyntaxError::UnclosedPIOrXmlDecl into UnclosedPI and UnclosedXmlDecl for more precise error reporting.
• #924: (breaking change) Parser::eof_error now takes &self and content &[u8] parameters.
• #926: (breaking change) Split SyntaxError::UnclosedTag into UnclosedTag, UnclosedSingleQuotedAttributeValue and UnclosedDoubleQuotedAttributeValue for more precise error reporting.

#846: tafia/quick-xml#846 #908: tafia/quick-xml#908 #913: tafia/quick-xml#913 #923: tafia/quick-xml#923 #924: tafia/quick-xml#924 #926: tafia/quick-xml#926 #929: tafia/quick-xml#929

New Contributors

• @​rzmk made their first contribution in tafia/quick-xml#920
• @​zrneely made their first contribution in tafia/quick-xml#922
• @​SuchAFuriousDeath made their first contribution in tafia/quick-xml#924
• @​tayu0110 made their first contribution in tafia/quick-xml#925

Full Changelog: tafia/quick-xml@v0.38.4...v0.39.0

Changelog

Sourced from quick-xml's changelog.

0.39.0 -- 2026-01-11

Added a way to configure Writer. Now all configuration is contained in the writer::Config struct and can be applied at once. When serde-types feature is enabled, configuration is serializable.

New Features

• #846: Add methods config() and config_mut() to inspect and change the writer configuration.
• #846: Add ability to write space before /> in self-closed tags for maximum compatibility with XHTML.
• #846: Add method empty_element_handling() as a more powerful alternative to expand_empty_elements() in Serializer.
• #929: Allow to pass list of field names to impl_deserialize_for_internally_tagged_enum! macro which is required if you enum variants contains $value fields.

Bug Fixes

• #923: Implement correct skipping of well-formed DTD.

Misc Changes

• #908: Increase minimal supported serde version from 1.0.139 to 1.0.180.
• #913: Deprecate .prefixes(), .resolve(), .resolve_attribute(), and .resolve_element() of NsReader. Use .resolver().bindings() and .resolver().resolve() methods instead.
• #913: Attributes::has_nil now accepts NamespaceResolver instead of Reader<R>.
• #924: (breaking change) Split SyntaxError::UnclosedPIOrXmlDecl into UnclosedPI and UnclosedXmlDecl for more precise error reporting.
• #924: (breaking change) Parser::eof_error now takes &self and content &[u8] parameters.
• #926: (breaking change) Split SyntaxError::UnclosedTag into UnclosedTag, UnclosedSingleQuotedAttributeValue and UnclosedDoubleQuotedAttributeValue for more precise error reporting.

#846: tafia/quick-xml#846 #908: tafia/quick-xml#908 #913: tafia/quick-xml#913 #923: tafia/quick-xml#923 #924: tafia/quick-xml#924 #926: tafia/quick-xml#926 #929: tafia/quick-xml#929

0.38.4 -- 2025-11-11

New Features

• #353: Add ability to serialize textual content as CDATA sections in Serializer. Everywhere where the text node may be created, a CDATA section(s) could be produced instead. See the new [Serializer::text_format()] method.

Bug Fixes

... (truncated)

Commits

• 6242da0 Release 0.39.0
• 549bb09 Disable tests for documents that are not supported by rxml
• 2c19dfd Run cargo fmt in compare project
• 5fc5a16 Fix misprint in benchmark name
• ba6b9c5 Update xml5ever & markup5even: 0.36 -> 0.37
• 70208da Fix not updated internal documentation link after #922
• 0bfface Fix misprint in error message
• 9f6babb Merge pull request #932 from Mingun/unclosed-attr-error
• 229d84c Split SyntaxError::UnclosedTag into UnclosedTag, `UnclosedSingleQuotedAtt...
• f869d0e Merge pull request #931 from Mingun/benches
• Additional commits viewable in compare view

Updates rand to 0.9.2

Changelog

Sourced from rand's changelog.

[0.9.2] - 2025-07-20

Deprecated

• Deprecate rand::rngs::mock module and StepRng generator (#1634)

Additions

• Enable WeightedIndex<usize> (de)serialization (#1646)

[0.9.1] - 2025-04-17

Security and unsafe

• Revise "not a crypto library" policy again (#1565)
• Remove zerocopy dependency from rand (#1579)

Fixes

• Fix feature simd_support for recent nightly rust (#1586)

Changes

• Allow fn rand::seq::index::sample_weighted and fn IndexedRandom::choose_multiple_weighted to return fewer than amount results (#1623), reverting an undocumented change (#1382) to the previous release.

Additions

• Add rand::distr::Alphabetic distribution. (#1587)
• Re-export rand_core (#1604)

[0.9.0] - 2025-01-27

Security and unsafe

• Policy: "rand is not a crypto library" (#1514)
• Remove fork-protection from ReseedingRng and ThreadRng. Instead, it is recommended to call ThreadRng::reseed on fork. (#1379)
• Use zerocopy to replace some unsafe code (#1349, #1393, #1446, #1502)

Dependencies

• Bump the MSRV to 1.63.0 (#1207, #1246, #1269, #1341, #1416, #1536); note that 1.60.0 may work for dependents when using --ignore-rust-version
• Update to rand_core v0.9.0 (#1558)

Features

• Support std feature without getrandom or rand_chacha (#1354)
• Enable feature small_rng by default (#1455)
• Remove implicit feature rand_chacha; use std_rng instead. (#1473)
• Rename feature serde1 to serde (#1477)
• Rename feature getrandom to os_rng (#1537)
• Add feature thread_rng (#1547)

API changes: rand_core traits

• Add fn RngCore::read_adapter implementing std::io::Read (#1267)
• Add trait CryptoBlockRng: BlockRngCore; make trait CryptoRng: RngCore (#1273)
• Add traits TryRngCore, TryCryptoRng (#1424, #1499)
• Rename fn SeedableRng::from_rng -> try_from_rng and add infallible variant fn from_rng (#1424)
• Rename fn SeedableRng::from_entropy -> from_os_rng and add fallible variant fn try_from_os_rng (#1424)
• Add bounds Clone and AsRef to associated type SeedableRng::Seed (#1491)

API changes: Rng trait and top-level fns

• Rename fn rand::thread_rng() to rand::rng() and remove from the prelude (#1506)

... (truncated)

Commits

• d3dd415 Prepare rand_core 0.9.2 (#1605)
• 99fabd2 Prepare rand_core 0.9.2
• c7fe1c4 rand: re-export rand_core (#1604)
• db2b1e0 rand: re-export rand_core
• ee1d96f rand_core: implement reborrow for UnwrapMut (#1595)
• e0eb2ee rand_core: implement reborrow for UnwrapMut
• 975f602 fixup clippy 1.85 warnings
• 775b05b Relax Sized requirements for blanket impls (#1593)
• ec6d5c0 Prepare rand_core v0.9.1 (#1591)
• 6a06056 rand_core: introduce an UnwrapMut wrapper (#1589)
• Additional commits viewable in compare view

Updates reqsign to 0.19.0

Release notes

Sourced from reqsign's releases.

v0.19.0

What's Changed

• chore: Fix typo in reqsign-google description by @​musicinmybrain in apache/opendal-reqsign#663
• ci: fix wasm test by @​tisonkun in apache/opendal-reqsign#664
• chore: fix wasm tests by @​akx in apache/opendal-reqsign#667
• chore: do not require reqwest directly in services by @​akx in apache/opendal-reqsign#666
• chore(deps): Bump actions/checkout from 5 to 6 by @​dependabot[bot] in apache/opendal-reqsign#665
• feat(google): Add sign blob support by @​Xuanwo in apache/opendal-reqsign#671
• feat(aws): Add session policy support for sts by @​Xuanwo in apache/opendal-reqsign#670
• feat(azure): Add scoped SAS support by @​Xuanwo in apache/opendal-reqsign#672
• feat(google): Add workload identity support by @​Xuanwo in apache/opendal-reqsign#673
• chore: Align our mock servers impl by @​Xuanwo in apache/opendal-reqsign#674
• chore: upgrade reqwest to 0.13 by @​tisonkun in apache/opendal-reqsign#675
• chore(deps): Bump 1password/load-secrets-action from 3.0.0 to 3.1.0 by @​dependabot[bot] in apache/opendal-reqsign#669
• feat(oss): Add role session name suppport by @​Xuanwo in apache/opendal-reqsign#678
• Bump reqsign to v0.19.0 by @​Xuanwo in apache/opendal-reqsign#679

New Contributors

• @​akx made their first contribution in apache/opendal-reqsign#667

Full Changelog: apache/opendal-reqsign@v0.18.1...v0.19.0

Commits

• cc77c27 Bump reqsign to v0.19.0 (#679)
• 3918127 feat(oss): Add role session name suppport (#678)
• b93f92c chore(deps): Bump 1password/load-secrets-action from 3.0.0 to 3.1.0 (#669)
• e3d028e chore: upgrade reqwest to 0.13 (#675)
• 0ff4c42 chore: Align our mock servers impl (#674)
• 08aa73e feat(google): Add workload identity support (#673)
• ab9b0fc feat(azure): Add scoped SAS support (#672)
• c3b660e feat(aws): Add session policy support for sts (#670)
• f2eb9ea feat(google): Add sign blob support (#671)
• 42fd8f3 chore(deps): Bump actions/checkout from 5 to 6 (#665)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions