build(deps): bump hickory dns stack#780

Merged: jdx merged 1 commit into main from codex/bump-hickory-proto, May 25, 2026

@jdx (Owner) commented May 25, 2026

Summary

  • bump workspace reqwest to 0.13 and use the renamed rustls feature
  • keep OS/platform certificate verification primary, and merge Mozilla baked-in roots as a fallback on supported platforms
  • refresh Cargo.lock, moving hickory-proto and hickory-resolver to 0.26.1
  • collapse the duplicate reqwest entries to reqwest 0.13.4

Verification

  • cargo check
  • git diff --check
  • cargo tree -i hickory-proto@0.26.1
  • cargo tree -i webpki-root-certs

Note: cargo clippy --all-targets -- -D warnings was attempted, but current main has unrelated clippy warnings in crates/aube-resolver/src/tests.rs and crates/aube/src/commands/update.rs.


Note

High Risk
Changes TLS trust configuration and the HTTP/DNS stack used for registry, OSV, login, and update checks—any mis-merge of roots or reqwest 0.13 behavior could break installs or auth in production.

Overview
Bumps the workspace reqwest stack to 0.13 (feature rename rustls-tls → rustls) and refreshes Cargo.lock, including hickory-proto / hickory-resolver 0.26.1 and a single reqwest 0.13.4 entry instead of duplicate 0.12/0.13 pins.

Adds webpki-root-certs and aube_util::http::with_webpki_root_fallback, which merges Mozilla’s baked-in roots with rustls-platform-verifier on Unix (except Android) and Windows. Registry HTTP clients, OSV/supply-chain probes, OSV bloom/mirror builders, aube login, and the update notifier all build reqwest::Client through that helper so TLS behavior stays consistent after the upgrade.

Reviewed by Cursor Bugbot for commit 2219951. Bugbot is set up for automated code reviews on this repo.

@cursor cursor Bot left a comment

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Reviewed by Cursor Bugbot for commit 5a8a406.

Comment thread Cargo.toml

@greptile-apps Bot (Contributor) commented May 25, 2026

Greptile Summary

This PR bumps the workspace reqwest dependency from 0.12 to 0.13, renames the TLS feature from rustls-tls to rustls, and refreshes Cargo.lock to resolve the entire tree to a single reqwest 0.13.4 while pulling in Hickory DNS 0.26.1.

  • Adds webpki-root-certs = "1" and a new with_webpki_root_fallback helper in aube-util that merges Mozilla's root bundle alongside the OS trust store via tls_certs_merge; the helper is applied to all six ClientBuilder sites across the workspace.
  • Cargo.lock removes the duplicate reqwest 0.12.28 entry and the now-unused enum-as-inner crate, and adds the new hickory-net 0.26.1 crate.
  • .cargo/audit.toml still carries the RUSTSEC-2026-0118 / RUSTSEC-2026-0119 ignores that were needed for hickory-proto 0.25.2; those are now stale since 0.26.1 is in the tree, and the PR description flags them for a follow-up cleanup.

Confidence Score: 5/5

Safe to merge — no app logic changed, all client builder sites updated consistently, and the webpki fallback is well-guarded by correct cfg conditions.

The change is purely a dependency bump with no Rust source logic changes beyond the new with_webpki_root_fallback helper and its six call sites. The cfg conditions match the platforms where tls_certs_merge is available in reqwest 0.13. The stale advisory ignores in .cargo/audit.toml are acknowledged in the PR description as a follow-up item and do not affect runtime behavior.

No files require special attention. The stale .cargo/audit.toml advisory ignores are the only loose end, and the author has flagged them for a follow-up.

Important Files Changed

| Filename | Overview |
|---|---|
| crates/aube-util/src/http/mod.rs | Adds with_webpki_root_fallback helper that merges Mozilla's baked-in root bundle via tls_certs_merge on Unix (non-Android) and Windows; no-ops on other targets. Logic and cfg conditions are correct. |
| Cargo.toml | Bumps reqwest from 0.12 → 0.13, renames rustls-tls feature to rustls, and adds webpki-root-certs = "1" as a new workspace dependency to supply the Mozilla root bundle fallback. |
| Cargo.lock | Collapses duplicate reqwest entries to a single reqwest 0.13.4, updates Hickory DNS to 0.26.1 (adding hickory-net), and removes the now-unused enum-as-inner crate. |
| crates/aube-registry/src/client/http.rs | Wraps ClientBuilder with with_webpki_root_fallback before adding user-agent and other options; straightforward and consistent with other sites. |
| crates/aube/src/commands/login.rs | Applies with_webpki_root_fallback to the login web-flow client; no other changes. |

Reviews (2): Last reviewed commit: "build(deps): bump hickory dns stack"

Comment thread Cargo.toml
@jdx force-pushed the codex/bump-hickory-proto branch from 5a8a406 to 2219951 (May 25, 2026 20:24)
@jdx enabled auto-merge (squash) (May 25, 2026 20:33)
@jdx merged commit 8526d28 into main (May 25, 2026); 18 checks passed
@jdx deleted the codex/bump-hickory-proto branch (May 25, 2026 20:39)