fix(deps): update rust crate lru to 0.16.0 [security]

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
lru	dependencies	minor	0.12.3 → 0.16.0

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

IterMut violates Stacked Borrows by invalidating internal pointer

GHSA-rhfx-m35p-ff5j

More information

Details

Affected versions of this crate contain a soundness issue in the IterMut iterator implementation. The IterMut::next and IterMut::next_back methods temporarily create an exclusive reference to the key when dereferencing the internal node pointer.

This invalidates the shared pointer held by the internal HashMap, violating Stacked Borrows rules.

Severity

• CVSS Score: 2.7 / 10 (Low)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U

References

• https://github.com/jeromefroe/lru-rs/pull/224
• https://rustsec.org/advisories/RUSTSEC-2026-0002.html
• https://github.com/advisories/GHSA-rhfx-m35p-ff5j

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

jeromefroe/lru-rs (lru)

v0.16.3

Compare Source

• Fix Stacked Borrows violation in IterMut.

v0.16.2

Compare Source

• Upgrade hashbrown dependency to 0.16.0.

v0.16.1

Compare Source

• Fix Clone for unbounded cache.

v0.16.0

Compare Source

• Implement Clone for caches with custom hashers.

v0.15.0

Compare Source

• Return bool from promote and demote to indicate whether key was found.

v0.14.0

Compare Source

• Use NonZeroUsize::MAX instead of unwrap(), and update MSRV to 1.70.0.

v0.13.0

Compare Source

• Add peek_mru and pop_mru methods, upgrade dependency on hashbrown to 0.15.2, and update MSRV to 1.65.0.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

Action required: PR inactive for 5 days.
Status update or closure in 10 days.

[github-actions]

Action required: PR inactive for 5 days.
Status update or closure in 10 days.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 86.08%. Comparing base (d5b42e4) to head (72cc5b4).

Additional details and impacted files

@@           Coverage Diff            @@
##             main    #3484    +/-   ##
========================================
  Coverage   86.07%   86.08%            
========================================
  Files         265      270     +5     
  Lines       25943    26223   +280     
========================================
+ Hits        22331    22574   +243     
- Misses       3612     3649    +37     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[github-actions]

Action required: PR inactive for 5 days.
Status update or closure in 10 days.