deps(deps): update lz4_flex requirement from 0.12 to 0.13

[dependabot]

Updates the requirements on lz4_flex to permit the latest version.

Changelog

Sourced from lz4_flex's changelog.

0.13.0 (2026-03-15)

Features

• Add option to reuse compression dict #207 (thanks @​matthewfollegot)

Fixes

• Fix handling of invalid match offsets during decompression #055502e (thanks @​Marcono1234)

Invalid match offsets (offset == 0) during decompression were not properly
handled, which could lead to invalid memory reads. This is a security fix
that was also backported to 0.12.1 and 0.11.6.

• Fix get_maximum_output_size overflow on 32-bit targets #205 (thanks @​dglittle)

Cast input_len to u64 before multiplying by 110, avoiding overflow on
32-bit targets (e.g. wasm32) where input_len * 110 overflows usize
when input_len > ~39MB.

0.12.1 (2026-03-14)

Security Fix

• Fix handling of invalid match offsets during decompression #a0b9154 (thanks @​Marcono1234)

Invalid match offsets (offset == 0) during decompression were not properly
handled, which could lead to invalid memory reads on untrusted input.
Users on 0.12.x should upgrade to 0.12.1.

0.12.0 (2025-11-11)

• Fix integer overflows when decoding large payloads #192 (thanks @​teh-cmc)

This fixes an u32 integer overflow when decoding large payloads in the block format.
Note: The block format is not suitable for such large payloads, since it
keeps everything in memory. Consider using the frame format for large data.
This change also removes a unsafe fast-path for write_integer to simplify the code.

The performance impact is on incompressible data, which is already fast enough.

0.11.6 (2026-03-14)

Security Fix

• Fix handling of invalid match offsets during decompression #84cdafb (thanks @​Marcono1234)

Invalid match offsets (offset == 0) during decompression were not properly
handled, which could lead to invalid memory reads on untrusted input.
Users on 0.11.x should upgrade to 0.11.6.

... (truncated)

Commits

• bfaae84 release 0.13.0
• 055502e fix handling of invalid match offsets during decompression
• 7191df8 make hashtable visibility crate public
• 1bdafca add doc comments
• c90fc91 lz4_block exposes option to reuse compression dict
• 22e77f9 Delete .github/workflows/typos.yml
• 2991a09 fix get_maximum_output_size overflow on 32-bit targets
• 7b5fb80 add minimal security policy
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[dependabot]

Assignees

The following users could not be added as assignees: infinilabs/core-team. Either the username does not exist or it does not have the correct permissions to be added as an assignee.

Labels

The following labels could not be found: dependencies, rust. Please create them before Dependabot can add them to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.