diff --git a/Cargo.lock b/Cargo.lock
index 36d9b9e4376..90a7a4fb7cc 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -3005,7 +3005,7 @@ dependencies = [
  "tokio",
  "tokio-rustls 0.26.1",
  "tower-service",
- "webpki-roots",
+ "webpki-roots 0.26.7",
 ]
 
 [[package]]
@@ -3026,21 +3026,28 @@ dependencies = [
 
 [[package]]
 name = "hyper-util"
-version = "0.1.10"
+version = "0.1.13"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "df2dcfbe0677734ab2f3ffa7fa7bfd4706bfdc1ef393f2ee30184aed67e631b4"
+checksum = "b1c293b6b3d21eca78250dc7dbebd6b9210ec5530e038cbfe0661b5c47ab06e8"
 dependencies = [
+ "base64 0.22.1",
  "bytes",
  "futures-channel",
+ "futures-core",
  "futures-util",
  "http 1.3.1",
  "http-body 1.0.1",
  "hyper 1.6.0",
+ "ipnet",
+ "libc",
+ "percent-encoding",
  "pin-project-lite",
  "socket2",
+ "system-configuration",
  "tokio",
  "tower-service",
  "tracing",
+ "windows-registry",
 ]
 
 [[package]]
@@ -3279,6 +3286,16 @@ version = "0.21.1"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "cf370abdafd54d13e54a620e8c3e1145f28e46cc9d704bc6d94414559df41763"
 
+[[package]]
+name = "iri-string"
+version = "0.7.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "dbc5ebe9c3a1a7a5127f920a418f7585e9e758e911d0466ed004f393b0e380b2"
+dependencies = [
+ "memchr",
+ "serde",
+]
+
 [[package]]
 name = "is_terminal_polyfill"
 version = "1.70.1"
@@ -3425,9 +3442,9 @@ dependencies = [
 
 [[package]]
 name = "libc"
-version = "0.2.169"
+version = "0.2.172"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "b5aba8db14291edd000dfcc4d620c7ebfb122c613afb886ca8803fa4e128a20a"
+checksum = "d750af042f7ef4f724306de029d18836c26c1765a54a6a3f094cbd23a7267ffa"
 
 [[package]]
 name = "libgit2-sys"
@@ -4692,9 +4709,9 @@ checksum = "2b15c43186be67a4fd63bee50d0303afffcef381492ebe2c5d87f324e1b8815c"
 
 [[package]]
 name = "reqwest"
-version = "0.12.15"
+version = "0.12.19"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d19c46a6fdd48bc4dab94b6103fccc55d34c67cc0ad04653aad4ea2a07cd7bbb"
+checksum = "a2f8e5513d63f2e5b386eb5106dc67eaf3f84e95258e210489136b8b92ad6119"
 dependencies = [
  "async-compression",
  "base64 0.22.1",
@@ -4722,26 +4739,24 @@ dependencies = [
  "quinn",
  "rustls 0.23.21",
  "rustls-native-certs 0.8.1",
- "rustls-pemfile 2.2.0",
  "rustls-pki-types",
  "serde",
  "serde_json",
  "serde_urlencoded",
  "sync_wrapper",
- "system-configuration",
  "tokio",
  "tokio-native-tls",
  "tokio-rustls 0.26.1",
  "tokio-util",
  "tower",
+ "tower-http",
  "tower-service",
  "url",
  "wasm-bindgen",
  "wasm-bindgen-futures",
  "wasm-streams",
  "web-sys",
- "webpki-roots",
- "windows-registry",
+ "webpki-roots 1.0.0",
 ]
 
 [[package]]
@@ -4865,7 +4880,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "a9aace74cb666635c918e9c12bc0d348266037aa8eb599b5cba565709a8dff00"
 dependencies = [
  "openssl-probe",
- "rustls-pemfile 1.0.4",
+ "rustls-pemfile",
  "schannel",
  "security-framework 2.11.1",
 ]
@@ -4891,15 +4906,6 @@ dependencies = [
  "base64 0.21.7",
 ]
 
-[[package]]
-name = "rustls-pemfile"
-version = "2.2.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "dce314e5fee3f39953d46bb63bb8a46d40c2f8fb7cc5a3b6cab2bde9721d6e50"
-dependencies = [
- "rustls-pki-types",
-]
-
 [[package]]
 name = "rustls-pki-types"
 version = "1.11.0"
@@ -5405,9 +5411,9 @@ checksum = "3c5e1a9a646d36c3599cd173a41282daf47c44583ad367b8e6837255952e5c67"
 
 [[package]]
 name = "socket2"
-version = "0.5.8"
+version = "0.5.10"
 source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c970269d99b64e60ec3bd6ad27270092a5394c4e309314b18ae3fe575695fbe8"
+checksum = "e22376abed350d73dd1cd119b57ffccad95b4e585a7cda43e286245ce23c0678"
 dependencies = [
  "libc",
  "windows-sys 0.52.0",
@@ -5960,12 +5966,14 @@ dependencies = [
  "http-body-util",
  "http-range-header",
  "httpdate",
+ "iri-string",
  "mime",
  "mime_guess",
  "percent-encoding",
  "pin-project-lite",
  "tokio",
  "tokio-util",
+ "tower",
  "tower-layer",
  "tower-service",
  "tracing",
@@ -6464,6 +6472,15 @@ dependencies = [
  "rustls-pki-types",
 ]
 
+[[package]]
+name = "webpki-roots"
+version = "1.0.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "2853738d1cc4f2da3a225c18ec6c3721abb31961096e9dbf5ab35fa88b19cfdb"
+dependencies = [
+ "rustls-pki-types",
+]
+
 [[package]]
 name = "which"
 version = "4.4.2"
diff --git a/Cargo.toml b/Cargo.toml
index ccf235d628d..1ec6a9879d8 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -111,7 +111,7 @@ paste = "=1.0.15"
 postgres-native-tls = "=0.5.1"
 prometheus = { version = "=0.14.0", default-features = false }
 rand = "=0.9.1"
-reqwest = { version = "=0.12.15", features = ["gzip", "json"] }
+reqwest = { version = "=0.12.19", features = ["gzip", "json"] }
 rss = { version = "=2.0.12", default-features = false, features = ["atom"] }
 secrecy = "=0.10.3"
 semver = { version = "=1.0.26", features = ["serde"] }
diff --git a/crates/crates_io_docs_rs/Cargo.toml b/crates/crates_io_docs_rs/Cargo.toml
index 4181f435b8e..400ba1fc457 100644
--- a/crates/crates_io_docs_rs/Cargo.toml
+++ b/crates/crates_io_docs_rs/Cargo.toml
@@ -16,7 +16,7 @@ async-trait = "=0.1.88"
 crates_io_env_vars = { path = "../crates_io_env_vars" }
 http = "=1.3.1"
 mockall = { version = "=0.13.1", optional = true }
-reqwest = { version = "=0.12.15", features = ["json"] }
+reqwest = { version = "=0.12.19", features = ["json"] }
 serde = { version = "=1.0.219", features = ["derive"] }
 thiserror = "=2.0.12"
 tracing = "=0.1.41"
diff --git a/crates/crates_io_github/Cargo.toml b/crates/crates_io_github/Cargo.toml
index 5cbd0fec519..fb241e84080 100644
--- a/crates/crates_io_github/Cargo.toml
+++ b/crates/crates_io_github/Cargo.toml
@@ -15,7 +15,7 @@ anyhow = "=1.0.98"
 async-trait = "=0.1.88"
 mockall = { version = "=0.13.1", optional = true }
 oauth2 = { version = "=5.0.0", default-features = false }
-reqwest = { version = "=0.12.15", features = ["json"] }
+reqwest = { version = "=0.12.19", features = ["json"] }
 serde = { version = "=1.0.219", features = ["derive"] }
 thiserror = "=2.0.12"
 tracing = "=0.1.41"
diff --git a/crates/crates_io_pagerduty/Cargo.toml b/crates/crates_io_pagerduty/Cargo.toml
index 243adfca09a..bf60f9bae7e 100644
--- a/crates/crates_io_pagerduty/Cargo.toml
+++ b/crates/crates_io_pagerduty/Cargo.toml
@@ -9,7 +9,7 @@ workspace = true
 
 [dependencies]
 anyhow = "=1.0.98"
-reqwest = { version = "=0.12.15", features = ["gzip", "json"] }
+reqwest = { version = "=0.12.19", features = ["gzip", "json"] }
 secrecy = "=0.10.3"
 serde = { version = "=1.0.219", features = ["derive"] }
 
diff --git a/crates/crates_io_smoke_test/Cargo.toml b/crates/crates_io_smoke_test/Cargo.toml
index a25b1d0464e..cde06a6362d 100644
--- a/crates/crates_io_smoke_test/Cargo.toml
+++ b/crates/crates_io_smoke_test/Cargo.toml
@@ -13,7 +13,7 @@ bytes = "=1.10.1"
 clap = { version = "=4.5.39", features = ["derive", "env", "unicode", "wrap_help"] }
 crates_io_index = { path = "../crates_io_index" }
 rand = "=0.9.1"
-reqwest = { version = "=0.12.15", features = ["gzip", "json"] }
+reqwest = { version = "=0.12.19", features = ["gzip", "json"] }
 secrecy = "=0.10.3"
 semver = { version = "=1.0.26", features = ["serde"] }
 serde = { version = "=1.0.219", features = ["derive"] }
diff --git a/crates/crates_io_team_repo/Cargo.toml b/crates/crates_io_team_repo/Cargo.toml
index e88936b6465..e0cbaffdeb1 100644
--- a/crates/crates_io_team_repo/Cargo.toml
+++ b/crates/crates_io_team_repo/Cargo.toml
@@ -14,7 +14,7 @@ mock = ["mockall"]
 anyhow = "=1.0.98"
 async-trait = "=0.1.88"
 mockall = { version = "=0.13.1", optional = true }
-reqwest = { version = "=0.12.15", features = ["gzip", "json"] }
+reqwest = { version = "=0.12.19", features = ["gzip", "json"] }
 serde = { version = "=1.0.219", features = ["derive"] }
 
 [dev-dependencies]
diff --git a/crates/crates_io_trustpub/Cargo.toml b/crates/crates_io_trustpub/Cargo.toml
index 8d9adcc64b6..112bdfdb5f6 100644
--- a/crates/crates_io_trustpub/Cargo.toml
+++ b/crates/crates_io_trustpub/Cargo.toml
@@ -18,7 +18,7 @@ chrono = { version = "=0.4.41", features = ["serde"] }
 jsonwebtoken = "=9.3.1"
 mockall = { version = "=0.13.1", optional = true }
 rand = "=0.9.1"
-reqwest = { version = "=0.12.15", features = ["gzip", "json"] }
+reqwest = { version = "=0.12.19", features = ["gzip", "json"] }
 regex = "=1.11.1"
 secrecy = "=0.10.3"
 serde = { version = "=1.0.219", features = ["derive"] }
diff --git a/deny.toml b/deny.toml
index c5f86ca5f32..be5e90df307 100644
--- a/deny.toml
+++ b/deny.toml
@@ -104,6 +104,7 @@ allow = [
     "BSD-2-Clause",
     "BSD-3-Clause",
     "BSL-1.0",
+    "CDLA-Permissive-2.0",
     "ISC",
     "MIT",
     "MPL-2.0",