chore(deps): update all non-major dependencies

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
cargo-dist (source)		minor	0.30.3 → 0.31.0
signal-hook	workspace.dependencies	patch	0.4.3 → 0.4.4
tokio (source)	dependencies	minor	1.50.0 → 1.51.0

---

Release Notes

axodotdev/cargo-dist (cargo-dist)

v0.31.0

Compare Source

This release includes several new features, including the major introduction of mirrors that installers can fallback to.

Simple hosting (aka mirrors)

This release adds a new hosting method, simple, which supports static file hosting. This allows you to host your artifacts on the hosting provider of your choice so long as it follows a similar URL structure to GitHub Releases hosting. It can also be used alongside GitHub hosting; if you specify more than one hosting provider, the secondary hosting source will be used as a mirror. The priority is determined by the order of the keys in your config. For example, this will use GitHub first and fall back to your static host if GitHub is unavailable:

hosting = ["github", "simple"]
simple-download-url = "https://static.myapp.com/{tag}"

And this will use your static host first and fall back to GitHub if necessary:

hosting = ["simple", "github"]
simple-download-url = "https://static.myapp.com/{tag}"

For more information, see the docs.

Note: currently, dist won't upload artifacts to static hosts; it expects you to handle that, either manually or via writing a custom job.

• impl @​Gankra Add "simple" hosting style
• impl @​mistydemeo feat(homebrew): mirror support with multi-urls

Disabling npm-shrinkwrap.json for npm installers

Currently, the npm installer includes an npm-shrinkwrap.json to specify the exact versions of its runtime dependencies as used at the time dist was released. Since some users would prefer looser dependency specification, this release provides an option to disable this. For more information, see the docs.

npm-shrinkwrap = false

• impl @​mistydemeo feat: option to skip npm-shrinkwrap.json generation

Configurable build directory for generic projects

Until now, generic (non-Rust) project support has assumed that artifacts are always written to the root of the project directory. This path is now configurable using the out-dir setting in your dist.toml. For example, if your project generates a binary named example in a subdirectory called build, you can specify:

binaries = ["example"]
out-dir = "build"

• impl @​CatBraaain support out_dir in config

Fixes

• impl @​EliteTK + @​gankra Reduce risk of an interrupted installation leading to a partial installation

v0.30.4

Compare Source

This release contains a few minor bugfixes. It also updates dependencies, including a rimraf upgrade that resolves a CVE in @​isaacs/brace-expansion. This vulnerability was not exploitable in the way dist used rimraf.

Fixes

• impl @​eegli fix: installer receipt for windows with posix shell
• impl @​kazutoiris fix: prevent unintended escaping of multiline run
• impl @​20jasper fix: typo in variable name
• impl @​OpenSauce chore(actions): bump default github actions

vorner/signal-hook (signal-hook)

v0.4.4

Compare Source

• Documentation about SIGBUS (#​204).

tokio-rs/tokio (tokio)

v1.51.0: Tokio v1.51.0

Compare Source

1.51.0 (April 3rd, 2026)

Added

• net: implement get_peer_cred on Hurd (#​7989)
• runtime: add tokio::runtime::worker_index() (#​7921)
• runtime: add runtime name (#​7924)
• runtime: stabilize LocalRuntime (#​7557)
• wasm: add wasm32-wasip2 networking support (#​7933)

Changed

• runtime: steal tasks from the LIFO slot (#​7431)

Fixed

• docs: do not show "Available on non-loom only." doc label (#​7977)
• macros: improve overall macro hygiene (#​7997)
• sync: fix notify_waiters priority in Notify (#​7996)
• sync: fix panic in Chan::recv_many when called with non-empty vector on closed channel (#​7991)

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[socket-security]

All alerts resolved. Learn more about Socket for GitHub.

This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.

View full report

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	tokio@​1.50.0 ⏵ 1.51.0
	signal-hook@​0.4.3 ⏵ 0.4.4

View full report