Bump http from 5.3.1 to 6.0.3

[dependabot]

Bumps http from 5.3.1 to 6.0.3.

Release notes

Sourced from http's releases.

v6.0.3

Full Changelog: httprb/http@v6.0.2...v6.0.3

v6.0.2

What's Changed

• Fix RBS syntax error by @​hakanensari in httprb/http#837

Full Changelog: httprb/http@v6.0.1...v6.0.2

v6.0.1

Full Changelog: httprb/http@v6.0.0...v6.0.1

v6.0.0

What's Changed

• Fixed incorrect link in CHANGES.md by @​daniel-sabourin in httprb/http#738
• Add Connection#finished_request? by @​c960657 in httprb/http#743
• Bump llhttp-ffi (0.5.0) by @​bryanp in httprb/http#744
• Let the instrumenter log exceptions too by @​foca in httprb/http#746
• Run CI against Ruby 3.2 by @​koheisg in httprb/http#742
• Update README.md by @​sandstrom in httprb/http#751
• Downcase Content-Type charset name by @​paul in httprb/http#753
• Add base64 to runtime dependency by @​koic in httprb/http#759
• DummyServer::Servlet#not_found requires two arguments by @​c960657 in httprb/http#761
• fix: close sockets on connection initialize timeout by @​rpeng in httprb/http#762
• Prevent CRLF injection due to broken URL normalizer by @​c960657 in httprb/http#765
• Do more conservative URL normalization by @​c960657 in httprb/http#758
• Handle responses in the reverse order from the requests by @​souk4711 in httprb/http#766
• Add support for the PURGE HTTP method. by @​renchap in httprb/http#757
• Start 6.0.0 version by @​ixti in httprb/http#768
• SECURITY.md: use private vulnerability reporting feature by @​tarcieri in httprb/http#772
• Goodbye Hash rockets... by @​ixti in httprb/http#769
• Fixes comment typo in errors.rb by @​ajsharma in httprb/http#781
• Update base64 dependency version by @​SleepingInsomniac in httprb/http#780
• Add .retriable feature to Http - Rebased by @​tomprats in httprb/http#775
• Bump rubocop to v1.61 by @​tarcieri in httprb/http#788
• Drop depenency on base64 by @​Earlopain in httprb/http#778
• Add more granularity to ConnectionError through more specific error classes by @​omkarmoghe in httprb/http#783
• Cache header normalization to reduce object allocation by @​alexcwatt in httprb/http#789
• New feature: RaiseError by @​c960657 in httprb/http#792
• Correct typo in comments for retriable method by @​hakanensari in httprb/http#794
• Remove circular require by @​hakanensari in httprb/http#795
• Native llhttp for MRI by @​sebyx07 in httprb/http#800
• feat: introduce better error for wrong mime type by @​TheBlackArroVV in httprb/http#805
• chore: Cleanup and update gemspec by @​ixti in httprb/http#806
• fix: Simplify response and headers inspection by @​ixti in httprb/http#810
• feat: Add bin/console for development convenience by @​ixti in httprb/http#811
• Add ruby 3.4 support by @​ixti in httprb/http#808
• Introduce HTTP::Session for thread-safe request building by @​sferik in httprb/http#829
• Remove Headers::Mixin and [] / []= delegators from Request and Response by @​sferik in httprb/http#831

... (truncated)

Changelog

Sourced from http's changelog.

[6.0.3] - 2026-04-20

Fixed

• Ship RBS signatures for downstream consumers. Previously only sig/http.rbs was packaged, but it referenced LLHttp::Parser and LLHttp::Delegate (defined only in the unshipped sig/deps.rbs), causing Cannot find type LLHttp::Delegate errors in Steep when loading library "http". Public LLHttp stubs are now shipped in sig/llhttp.rbs, and sig/manifest.yaml declares stdlib dependencies so consumers don't need to re-list them.

[6.0.2] - 2026-03-20

Fixed

• Fix RBS syntax error.

Changed

• Improve gem push workflow security and reliability.

[6.0.1] - 2026-03-16

Changed

• Exclude test files from gem package, reducing gem size by 50% (from 175 KB to 87 KB).

[6.0.0] - 2026-03-16

Changed

• Merged http-form_data gem into the main http gem. The HTTP::FormData module (including Part, File, Multipart, Urlencoded, and CompositeIO) is now shipped directly with http instead of being a separate dependency. The public API is unchanged.

Fixed

• Inflater no longer raises Zlib::BufError when a response declares Content-Encoding: gzip (or deflate) but the body is not valid compressed data. This commonly occurred when following redirects with auto_inflate enabled, because the redirect response had a Content-Encoding header but a non-compressed body. (#621)
• Persistent connections now auto-flush unread response bodies before sending the next request, instead of raising StateError. Bodies up to 1 MiB are drained transparently; larger bodies cause the connection to close and reopen. This prevents the silent body clobbering described in #371, where an unread response body would return "" after a subsequent request. (#371)
• Response#content_length now handles duplicate Content-Length headers per RFC 7230 Section 3.3.2. When all values are identical, they are collapsed into

... (truncated)

Commits

• 0d2303d Release v6.0.3
• fd174e2 Ship RBS signatures for downstream consumers
• 10a257a Ignore .mutant directory
• dd89cb1 Work around sigstore-ruby JRuby signing failure
• d0886c9 Release v6.0.2
• 042606b Improve gem push workflow security and reliability
• 8e8eca9 Fix RBS syntax error
• 866cb87 Release v6.0.1
• 1ae2a60 Add mutant to default rake task and pass --since main flag
• c39f85f Reduce gem package size by excluding non-essential files
• Additional commits viewable in compare view

[davidrapson]

Marking as draft to exclude from reminders for now, will possibly need changes similar to https://github.com/citizensadvice/referrals/pull/1718