fix(deps): update rust crate tower-http to 0.7.0

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
tower-http	dependencies	minor	0.6.8 → 0.7.0

---

Release Notes

tower-rs/tower-http (tower-http)

v0.7.0

Compare Source

Changes since 0.6.11

Added

• csrf: add cross-site request forgery (CSRF) protection middleware, porting the cross-origin protection scheme introduced in Go 1.25 (#​699)

  use tower::ServiceBuilder;
  use tower_http::csrf::CsrfLayer;
  
  // Rejects cross-origin state-changing requests using `Sec-Fetch-Site`,
  // an `Origin` allow-list, and an `Origin`/`Host` fallback. No per-request
  // token state required.
  let layer = CsrfLayer::new().add_trusted_origin("https://example.com")?;
  
  let service = ServiceBuilder::new().layer(layer).service_fn(handler);

• timeout: add DeadlineBody for non-resetting body timeouts, applied via the new RequestBodyDeadlineLayer and ResponseBodyDeadlineLayer (#​688)

  Unlike TimeoutBody, which resets its deadline on every frame, DeadlineBody caps the total time of a body transfer. A slow client trickling one byte at a time never trips an idle timeout but will trip a deadline.

  use std::time::Duration;
  use tower::ServiceBuilder;
  use tower_http::timeout::RequestBodyDeadlineLayer;
  
  // Abort the request body transfer after 30s total, regardless of how
  // frequently data arrives.
  let service = ServiceBuilder::new()
      .layer(RequestBodyDeadlineLayer::new(Duration::from_secs(30)))
      .service_fn(handler);

• fs: add strong ETag support to ServeDir, including If-Match and If-None-Match precondition handling per RFC 9110. 304 Not Modified responses now carry the ETag and Last-Modified validators (#​691)

• fs: add a Backend trait to make ServeDir work with non-filesystem sources (e.g. embedded assets or object storage). The default TokioBackend preserves existing behavior. Use ServeDir::with_backend() to plug in custom implementations (#​684)

  use tower_http::services::fs::ServeDir;
  
  // `MyBackend` implements `tower_http::services::fs::Backend`.
  // The default `ServeDir::new()` continues to use `TokioBackend` (local FS).
  let service = ServeDir::with_backend("assets", MyBackend::new());

• fs: add html_as_default_extension option to ServeDir, appending .html when the request path has no extension (#​519)

• fs: add redirect_path_prefix option to ServeDir, prepending a prefix on trailing-slash redirects so the service can be mounted under a sub-path (#​486)

• validate-request: add ValidateRequestHeaderLayer::has_header_value() to reject requests when a header does not have an expected value (#​360)

• body: UnsyncBoxBody::new() constructor and From<ServeFileSystemResponseBody> conversion to avoid double-boxing when combining ServeDir responses with other body types (#​537)

• limit: implement Default for limit::ResponseBody when the wrapped body also implements Default (#​679)

Changed

• breaking: compression: the middleware now handles the * wildcard and identity;q=0 in Accept-Encoding per RFC 9110 §12.5.3. Requests that previously fell back to identity (e.g. *;q=0 or identity;q=0 with no other acceptable encoding) now receive a 406 Not Acceptable response. Clients that explicitly reject all encodings without listing an alternative will see different behavior. (#​693)

• breaking: compression: upgrade the SizeAbove predicate threshold from u16 to u64, allowing minimum sizes above 64 KiB (#​704)

• breaking: remove the implicit no-op tokio and async-compression features. These were kept as no-op features in 0.6.x for backwards compatibility after the switch to dep: syntax in #​642. Downstream crates that activate tower-http/tokio or tower http/async-compression should remove those feature entries; the underlying dependencies are still pulled in transitively by the features that need them (e.g. compression-gzip, fs, timeout). (#​628)

• breaking: trace/classify: include the gRPC error message in tracing output. GrpcCode and GrpcFailureClass are now #[non_exhaustive], and GrpcStatus is exported from the classify module (#​422)

• breaking: follow-redirect: FollowRedirect now forwards request Extensions to redirected requests instead of dropping them. The Standard policy drops extensions on cross-origin redirections (same-origin keeps them). Opt out with FollowRedirectLayer::preserve_extensions(false); keep specific types with FilterCredentials::allow_extension::<T>() or all of them with keep_all_extensions(). (#​706)

  use tower_http::follow_redirect::FollowRedirectLayer;
  
  // 0.7.0 forwards request `Extensions` across redirects by default.
  // Restore the previous behavior (drop all extensions) with:
  let layer = FollowRedirectLayer::new().preserve_extensions(false);

• breaking: follow-redirect: header and extension filtering is now cumulative. A value a policy drops on one hop is no longer replayed on later hops, so FilterCredentials no longer re-sends Cookie/Authorization to a same-origin target reached after cross-origin hop. Custom Policy::on_request impls now see the previous hop's filtered request, not the original. (#​706)

• trace: DefaultOnRequest, DefaultOnResponse, DefaultOnFailure, and DefaultOnEos now explicitly parent their tracing events to the request span rather than relying on the ambient span context. This fixes intermittent cases where events could appear without their request span attached (#​690)

• cors: relax the Vary header defaults (#​674)

• MSRV bumped from 1.64 to 1.65 (#​684)

Fixed

• fs: ServeDir and ServeFile now emit a Vary: Accept-Encoding response
  header when precompressed serving is configured, ensuring caches correctly
  distinguish between compressed and uncompressed variants (#​692)
• breaking: services: reject a trailing slash for file paths. File requests with a trailing slash now return 404 Not Found instead of serving the file (#​678)
• fs: fix ServeDir stripping the file extension when serving with identity encoding (#​686)
• compression: forward trailers from the inner body after compression finishes, fixing dropped gRPC status trailers (#​685)
• trace: fire on_eos when the inner body reports is_end_stream with a precise content-length (#​687)
• on-early-drop: suppress the early-drop guard when is_end_stream is reported after a data frame (#​687)
• set-header: make SetMultipleRequestHeaders and SetMultipleResponseHeaders Clone for non-Clone HTTP bodies (#​703)

Thanks

• @​jlizen
• @​seun-ja
• @​Oliboy50

New Contributors

• @​muhamadazmy made their first contribution in #​679
• @​Isvane made their first contribution in #​678
• @​xiaoyawei made their first contribution in #​422
• @​dependabot[bot] made their first contribution in #​696
• @​its-the-shrimp made their first contribution in #​519
• @​yawn made their first contribution in #​699
• @​Jesse-Bakker made their first contribution in #​703
• @​junghwan16 made their first contribution in #​705
• @​claraphyll made their first contribution in #​486

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.