Update axum monorepo

[hash-worker]

This PR contains the following updates:

Package	Type	Update	Change
axum	workspace.dependencies	minor	=0.7.5 -> =0.8.6
axum-core	workspace.dependencies	patch	=0.5.0 -> =0.5.5

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

tokio-rs/axum (axum)

v0.8.6

Compare Source

v0.8.5: axum v0.8.5

Compare Source

• fixed: Reject JSON request bodies with trailing characters after the JSON document (#​3453)
• added: Implement OptionalFromRequest for Multipart (#​3220)
• added: Getter methods Location::{status_code, location}
• added: Support for writing arbitrary binary data into server-sent events (#​3425)]
• added: middleware::ResponseAxumBodyLayer for mapping response body to axum::body::Body (#​3469)
• added: impl FusedStream for WebSocket (#​3443)
• changed: The sse module and Sse type no longer depend on the tokio feature (#​3154)
• changed: If the location given to one of Redirects constructors is not a valid header value, instead of panicking on construction, the IntoResponse impl now returns an HTTP 500, just like Json does when serialization fails (#​3377)
• changed: Update minimum rust version to 1.78 (#​3412)

v0.8.4: axum v0.8.4

Compare Source

• added: Router::reset_fallback (#​3320)
• added: WebSocketUpgrade::selected_protocol (#​3248)
• fixed: Panic location for overlapping method routes (#​3319)
• fixed: Don't leak a tokio task when using serve without graceful shutdown (#​3129)

v0.8.3: axum v0.8.3

Compare Source

• added: Implement From<Bytes> for Message (#​3273)
• added: Implement OptionalFromRequest for Json (#​3142)
• added: Implement OptionalFromRequest for Extension (#​3157)
• added: Allow setting the read buffer capacity of WebSocketUpgrade (#​3178)
• changed: Improved code size / compile time of dependent crates (#​3285, #​3294)

v0.8.2: axum v0.8.2

Yanked from crates.io due to unforeseen breaking change, see #​3190 for details

---

• added: Implement OptionalFromRequest for Json (#​3142)
• added: Implement OptionalFromRequest for Extension (#​3157)
• changed: Make the status function of rejections a const function, such
  as JsonRejection, QueryRejection and PathRejection (#​3168)

v0.8.0: axum v0.8.0

Compare Source

since rc.1

• breaking: axum::extract::ws::Message now uses Bytes in place of Vec<u8>,
  and a new Utf8Bytes type in place of String, for its variants (#​3078)
• breaking: Remove OptionalFromRequestParts impl for Query (#​3088)
• changed: Upgraded tokio-tungstenite to 0.26 (#​3078)
• changed: Query/Form: Use serde_path_to_error to report fields that failed to parse (#​3081)

full changelog

You can also read the blog post on tokio

Note: there are further relevant changes in axum-core's changelog

• breaking: Upgrade matchit to 0.8, changing the path parameter syntax from /:single and /*many to /{single} and /{*many}; the old syntax produces a panic to avoid silent change in behavior (#​2645)
• breaking: Require Sync for all handlers and services added to Router and MethodRouter (#​2473)
• breaking: The tuple and tuple_struct Path extractor deserializers now check that the number of parameters matches the tuple length exactly (#​2931)
• breaking: Move Host extractor to axum-extra (#​2956)
• breaking: Remove WebSocket::close. Users should explicitly send close messages themselves. (#​2974)
• breaking: Make serve generic over the listener and IO types (#​2941)
• breaking: Remove Serve::tcp_nodelay and WithGracefulShutdown::tcp_nodelay.
  See serve::ListenerExt for an API that let you set arbitrary TCP stream properties. (#​2941)
• breaking: Option<Path<T>> no longer swallows all error conditions,
  instead rejecting the request in many cases; see its documentation for details (#​2475)
• breaking: axum::extract::ws::Message now uses Bytes in place of Vec<u8>,
  and a new Utf8Bytes type in place of String, for its variants (#​3078)
• fixed: Skip SSE incompatible chars of serde_json::RawValue in Event::json_data (#​2992)
• fixed: Don't panic when array type is used for path segment (#​3039)
• fixed: Avoid setting content-length before middleware.
  This allows middleware to add bodies to requests without needing to manually set content-length (#​2897)
• change: Update minimum rust version to 1.75 (#​2943)
• changed: Upgraded tokio-tungstenite to 0.26 (#​3078)
• changed: Query/Form: Use serde_path_to_error to report fields that failed to parse (#​3081)
• added: Add method_not_allowed_fallback to set a fallback when a path matches but there is no handler for the given HTTP method (#​2903)
• added: Add NoContent as a self-described shortcut for StatusCode::NO_CONTENT (#​2978)
• added: Add support for WebSockets over HTTP/2. They can be enabled by changing get(ws_endpoint) handlers to any(ws_endpoint) (#​2894)
• added: Add MethodFilter::CONNECT, routing::connect[_service] and MethodRouter::connect[_service] (#​2961)
• added: Extend FailedToDeserializePathParams::kind enum with (ErrorKind::DeserializeError). This new variant captures both key, value, and message from named path parameters parse errors, instead of only deserialization error message in ErrorKind::Message. (#​2720)

v0.7.9: axum - v0.7.9

Compare Source

• fixed: Avoid setting content-length before middleware (#​3031)

v0.7.8: axum - v0.7.8

Compare Source

• fixed: Skip SSE incompatible chars of serde_json::RawValue in Event::json_data (#​2992)
• added: Add method_not_allowed_fallback to set a fallback when a path matches but there is no handler for the given HTTP method (#​2903)
• added: Add MethodFilter::CONNECT, routing::connect[_service]
  and MethodRouter::connect[_service] (#​2961)
• added: Add NoContent as a self-described shortcut for StatusCode::NO_CONTENT (#​2978)

v0.7.7: axum - v0.7.7

Compare Source

• change: Remove manual tables of content from the documentation, since
  rustdoc now generates tables of content in the sidebar (#​2921)

v0.7.6: axum - v0.7.6

Compare Source

• change: Avoid cloning Arc during deserialization of Path
• added: axum::serve::Serve::tcp_nodelay and axum::serve::WithGracefulShutdown::tcp_nodelay (#​2653)
• added: Router::has_routes function (#​2790)
• change: Update tokio-tungstenite to 0.23 (#​2841)
• added: Serve::local_addr and WithGracefulShutdown::local_addr functions (#​2881)

---

Configuration

📅 Schedule: Branch creation - "before 4am every weekday,every weekend" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[hash-worker]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: Cargo.lock

Command failed: cargo update --config net.git-fetch-with-cli=true --manifest-path Cargo.toml --package [email protected] --precise 0.8.6
info: syncing channel updates for 'nightly-2025-09-23-x86_64-unknown-linux-gnu'
info: latest update on 2025-09-23, rust version 1.92.0-nightly (f6092f224 2025-09-22)
info: downloading component 'cargo'
info: downloading component 'clippy'
info: downloading component 'llvm-tools'
info: downloading component 'miri'
info: downloading component 'rust-analyzer'
info: downloading component 'rust-src'
info: downloading component 'rust-std'
info: downloading component 'rustc'
info: downloading component 'rustc-codegen-cranelift'
info: downloading component 'rustfmt'
info: installing component 'cargo'
info: installing component 'clippy'
info: installing component 'llvm-tools'
info: installing component 'miri'
info: installing component 'rust-analyzer'
info: installing component 'rust-src'
info: installing component 'rust-std'
info: installing component 'rustc'
info: installing component 'rustc-codegen-cranelift'
info: installing component 'rustfmt'
    Updating git repository `https://github.com/TimDiekmann/oxc`
From https://github.com/TimDiekmann/oxc
 * [new ref]             333f583e3f20d40530ca414fbf9c14e49d066fff -> refs/commit/333f583e3f20d40530ca414fbf9c14e49d066fff
    Updating git repository `https://github.com/specta-rs/specta`
From https://github.com/specta-rs/specta
 * [new ref]         ab7d9245d5e2ace951707c3c383b0211ca7fc8ce -> refs/commit/ab7d9245d5e2ace951707c3c383b0211ca7fc8ce
    Updating crates.io index
    Updating git repository `https://github.com/google/tarpc`
From https://github.com/google/tarpc
 * [new ref]         f55f36d2d876b1868cfcf52f41d0456a60cf726c -> refs/commit/f55f36d2d876b1868cfcf52f41d0456a60cf726c
    Updating git repository `https://github.com/temporalio/sdk-core`
From https://github.com/temporalio/sdk-core
 * [new ref]         4a2368d19f57e971ca9b2465f1dbeede7a861c34 -> refs/commit/4a2368d19f57e971ca9b2465f1dbeede7a861c34
error: failed to select a version for the requirement `axum = "^0.7"`
candidate versions found which didn't match: 0.8.6
location searched: crates.io index
required by package `tonic v0.12.0`
    ... which satisfies dependency `tonic = "^0.12"` of package `temporal-client v0.1.0 (https://github.com/temporalio/sdk-core?rev=4a2368d#4a2368d1)`
    ... which satisfies git dependency `temporal-client` (locked to 0.1.0) of package `hash-temporal-client v0.0.0 (/tmp/renovate/repos/github/hashintel/hash/libs/@local/temporal-client)`
    ... which satisfies path dependency `hash-temporal-client` (locked to 0.0.0) of package `hash-graph v0.0.0 (/tmp/renovate/repos/github/hashintel/hash/apps/hash-graph)`

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 54.68%. Comparing base (98954b3) to head (efa4b08).

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #6816      +/-   ##
==========================================
- Coverage   54.68%   54.68%   -0.01%     
==========================================
  Files        1093     1093              
  Lines       97283    97283              
  Branches     4544     4544              
==========================================
- Hits        53200    53199       -1     
- Misses      43495    43496       +1     
  Partials      588      588              

Flag	Coverage Δ
blockprotocol.type-system	35.85% <ø> (ø)
local.harpc-client	50.93% <ø> (ø)
rust.antsi	0.00% <ø> (ø)
rust.error-stack	88.77% <ø> (ø)
rust.harpc-codec	84.22% <ø> (ø)
rust.harpc-net	96.08% <ø> (-0.02%)	⬇️
rust.harpc-tower	66.80% <ø> (ø)
rust.harpc-types	0.00% <ø> (ø)
rust.harpc-wire-protocol	92.23% <ø> (ø)
rust.hash-codec	71.25% <ø> (ø)
rust.hash-graph-authorization	62.58% <ø> (ø)
rust.hash-graph-postgres-store	19.83% <ø> (ø)
rust.hash-graph-store	30.93% <ø> (ø)
rust.hash-graph-temporal-versioning	48.22% <ø> (ø)
rust.hash-graph-types	0.00% <ø> (ø)
rust.hash-graph-validation	83.29% <ø> (ø)
rust.hashql-ast	87.16% <ø> (ø)
rust.hashql-compiletest	53.03% <ø> (ø)
rust.hashql-core	81.76% <ø> (ø)
rust.hashql-diagnostics	74.36% <ø> (ø)
rust.hashql-eval	69.81% <ø> (ø)
rust.hashql-hir	85.87% <ø> (ø)
rust.hashql-syntax-jexpr	94.04% <ø> (ø)
rust.sarif	97.93% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[vercel]

Additional Comments:

libs/@local/graph/api/src/rest/principal.rs (line 128):

Axum 0.8 changed path parameter syntax from /:param to /{param}, but the code still uses the old syntax which will cause compilation errors.

View Details

📝 Patch Details

diff --git a/libs/@local/graph/api/src/rest/principal.rs b/libs/@local/graph/api/src/rest/principal.rs
index f22269ce0..123d892c8 100644
--- a/libs/@local/graph/api/src/rest/principal.rs
+++ b/libs/@local/graph/api/src/rest/principal.rs
@@ -102,9 +102,9 @@ impl PrincipalResource {
                         Router::new().nest(
                             "/identifier",
                             Router::new()
-                                .route("/:identifier", get(get_machine_by_identifier::<S>))
+                                .route("/{identifier}", get(get_machine_by_identifier::<S>))
                                 .route(
-                                    "/system/:identifier",
+                                    "/system/{identifier}",
                                     get(get_or_create_system_machine::<S>),
                                 ),
                         ),
@@ -113,7 +113,7 @@ impl PrincipalResource {
                         "/ai",
                         Router::new().route("/", post(create_ai_actor::<S>)).nest(
                             "/identifier",
-                            Router::new().route("/:identifier", get(get_ai_by_identifier::<S>)),
+                            Router::new().route("/{identifier}", get(get_ai_by_identifier::<S>)),
                         ),
                     ),
             )
@@ -125,34 +125,34 @@ impl PrincipalResource {
                         Router::new()
                             .route("/", post(create_org_web::<S>))
                             .nest(
-                                "/:web_id",
+                                "/{web_id}",
                                 Router::new()
                                     .route("/", get(get_web_by_id::<S>))
                                     .route("/roles", get(get_web_roles::<S>)),
                             )
-                            .route("/shortname/:shortname", get(get_web_by_shortname::<S>)),
+                            .route("/shortname/{shortname}", get(get_web_by_shortname::<S>)),
                     )
                     .nest(
                         "/teams",
                         Router::new()
                             .nest(
-                                "/:team_id",
+                                "/{team_id}",
                                 Router::new().route("/roles", get(get_team_roles::<S>)),
                             )
-                            .route("/name/:name", get(get_team_by_name::<S>)),
+                            .route("/name/{name}", get(get_team_by_name::<S>)),
                     )
                     .nest(
-                        "/:actor_group_id",
+                        "/{actor_group_id}",
                         Router::new().nest(
                             "/roles",
                             Router::new()
-                                .route("/actors/:actor_id", get(get_actor_group_role::<S>))
+                                .route("/actors/{actor_id}", get(get_actor_group_role::<S>))
                                 .nest(
-                                    "/:role/actors",
+                                    "/{role}/actors",
                                     Router::new()
                                         .route("/", get(get_actor_group_role_assignments::<S>))
                                         .route(
-                                            "/:actor_id",
+                                            "/{actor_id}",
                                             post(assign_actor_group_role::<S>)
                                                 .delete(unassign_actor_group_role::<S>),
                                         ),

Analysis

Axum 0.8 runtime panic due to deprecated path parameter syntax

What fails: Router creation in PrincipalResource::routes() panics at runtime with 11 route definitions using the old :param syntax (lines 105, 107, 116, 128, 133, 139, 142, 145, 149, 151, 155)

How to reproduce:

# Start the graph API server - it will panic immediately on router creation
cargo run --bin hash-graph

Result: Runtime panic: "Path segments must not start with :. For capture groups, use {capture}. If you meant to literally match a segment starting with a colon, call without_v07_checks on the router."

Expected: Server should start without panic using the new Axum 0.8 syntax {param} instead of :param

Per Axum 0.8 announcement, path parameter syntax changed from /:single to /{single}. The old syntax now causes runtime panics unless .without_v07_checks() is called on the router.