Bump lz4_flex from 0.9.5 to 0.11.6

[dependabot]

Bumps lz4_flex from 0.9.5 to 0.11.6.

Release notes

Sourced from lz4_flex's releases.

0.11

Documentation

• Docs: add decompress block example

Fixes

• Handle empty input in Frame Format #120

Empty input was ignored previously and didn't write anything. Now an empty Frame is written. This improves compatibility with the reference implementation and some corner cases.

• Fix: Small dict leads to panic #133

compress_into_with_dict panicked when the dict passed was smaller than 4 bytes. A match has the minimum length of 4 bytes, smaller dicts will be ignored now.

Features

• [breaking] invert checked-decode to unchecked-decode #134

invert `checked-decode` feature flag to `unchecked-decode`
Previously setting `default-features=false` removed the bounds checks from the
`checked-decode` feature flag. `unchecked-decode` inverts this, so it will needs to be
deliberately deactivated.
To migrate, just remove the checked-decode feature flag.

• Allow to pass buffer larger than size #78

This removes an unnecessary check in the decompression, when the passed buffer is too big.

• Add auto_finish to FrameEncoder #95 #100

Empty input was ignored previously and didn't write anything. Now an empty Frame is written. This improves compatibility with the reference implementation and some corner cases.

• Autodetect frame blocksize #81

The default blocksize of FrameInfo is now auto instead of 64kb, it will detect the blocksize
depending of the size of the first write call. This increases
compression ratio and speed for use cases where the data is larger than
64kb.

• Add fluent API style contruction for FrameInfo #99 (thanks @​CosmicHorrorDev)

This adds in fluent API style construction for FrameInfo. Now you can do
let info = FrameInfo::new()
.block_size(BlockSize::Max1MB)
.content_checksum(true);

... (truncated)

Changelog

Sourced from lz4_flex's changelog.

0.11.6 (2026-03-14)

Security Fix

• Fix handling of invalid match offsets during decompression #84cdafb (thanks @​Marcono1234)

Invalid match offsets (offset == 0) during decompression were not properly
handled, which could lead to invalid memory reads on untrusted input.
Users on 0.11.x should upgrade to 0.11.6.

0.11.5 (2025-06-19)

• Fix incorrect rust-version field name in Cargo.toml #187

0.11.4 (2025-06-14)

• Upgrade to twox-hash 2.0#175
• Better no_std compatibility #180

0.11.3 (2024-03-30)

• Fix support for --deny=unsafe_code compilation #152
• make get_maximum_output_size const #153

0.11.2 (2024-01-11)

• Include license file in the published crate

0.11.1 (2023-06-19)

• [breaking] remove unchecked-decode Remove unchecked-decode feature-flag, because of feature unification: https://doc.rust-lang.org/cargo/reference/features.html#feature-unification

0.11.0 (2023-06-18)

Documentation

• Docs: add decompress block example

Fixes

• Handle empty input in Frame Format #120

Empty input was ignored previously and didn't write anything. Now an empty Frame is written. This improves compatibility with the reference implementation and some corner cases.

• Fix: Small dict leads to panic #133

</tr></table> 

... (truncated)

Commits

• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[Radonirinaunimi]

This PR requires the MSRV to be updated. I think we should now update it to at least v1.85.0 as that's also what is blocking #370 (the core implementation is more or less done). If we agree on this, I can do so and also update the version in the container. cc @cschwan

[cschwan]

I can't remember the last time we increased the MSRV, so I agree it's time we allow ourselves to do that. I have no strong opinion to which version we should upgrade, although

pineappl/pineappl/src/boc.rs

Lines 541 to 543 in 7542df5

	// // MSRV 1.86: replace the previous line with the following
	// let [lhs, rhs] = vec.get_disjoint_mut([i, i - 1]).unwrap();
	// lhs.clone_from(rhs);

suggests that we at least go up to 1.86.0. On the other hand, I wouldn't be opposed to use the current version - the MSRV has to 'hold' a while.

When you update our container, remove the version 1.70.0 and add the newest after 1.80.1 and before the nightly version.

When making a release, I think it is suggested to increase the minor version, so it should be released as 1.4.0, for instance. Let's do this after the patches are included.

[Radonirinaunimi]

Perfect! I will do so.