Update boring requirement from 4.20.0 to 5.0.0

[dependabot]

Updates the requirements on boring to permit the latest version.

Release notes

Sourced from boring's releases.

v5.0.0

Breaking changes

Upgrade to 4.21.1 first and fix any deprecation warnings.

Cargo features removed/simplified

• FIPS only needs the fips Cargo feature, and the rest is customized via env vars (like BORING_BSSL_FIPS_PATH): cloudflare/boring#383
• Removed the "kx-*" features cloudflare/boring#393
• Post-quantum is enabled by default (X25519MLKEM768 and P256Kyber768Draft00) and the "pq-experimental" Cargo feature flag is not used any more.

Other semver changes

• Updated BoringSSL to a newer version with updated patches by @​nox in cloudflare/boring#419
• Removed SslCurve API. Identifying curves by name is more reliable across different builds of BoringSSL. Use SslRef::curve_name() instead cloudflare/boring#390 cloudflare/boring#396
• Removed deprecated X509CheckFlags cloudflare/boring#425
• X509Store is now cheaply cloneable, but immutable. SslContextBuilder.cert_store_mut() can't be used after .set_cert_store(). If you need .cert_store_mut(), either don't overwrite the default store, or use .set_cert_store_builder() cloudflare/boring#426
• X509StoreBuilder::add_cert takes a reference.
• Hyper version upgraded from v0 to v1
• set_ex_data() will always Drop previous values cloudflare/boring#424
• Removed blanket Eq from FFI types
• BIO_set_retry_write on WouldBlock @​ihciah in cloudflare/boring#118

Added

• Added ML-KEM-768 and ML-KEM-1024 support cloudflare/boring#455 cloudflare/boring#456 cloudflare/boring#462
• Added init-update-finalize API for HMAC cloudflare/boring#459
• set_strict_cipher_list by @​abernardeau-wallix in cloudflare/boring#416
• Added set_ticket_key_callback by @​toidiu in cloudflare/boring#330
• SslCipherRef::protocol_id by @​nox in cloudflare/boring#409

Full Changelog: cloudflare/boring@v4.20.0...v5.0.0

Changelog

Sourced from boring's changelog.

5.0.0

• 2025-12-19 Update vendored boring to a newer version (2023.11 to 2025.11)
• 2025-12-20 Rework RPK/SslMethod (c2f063cf4711f15b8b417b6926496fbf1c2a03ac)
• 2025-09-29 Remove SslCurve API
• 2025-09-30 Remove the "kx-*" features
• 2025-09-25 Remove legacy FIPS options (they're controlled via BORING_BSSL_ env vars instead)
• 2026-01-05 Remove deprecated X509CheckFlags flag
• 2025-09-30 Remove "pq-experimental" Cargo feature, apply PQ patch by default + P256Kyber768Draft00
• 2026-01-05 Safe clone for X509Store
• 2025-03-08 Add set_ticket_key_callback (SSL_CTX_set_tlsext_ticket_key_cb)
• 2025-09-30 Add SslRef::curve_name()
• 2025-09-30 Expose a safe Rust interface for the session resumption callback
• 2026-01-05 Fix leaky set_ex_data() API
• 2025-12-12 Add boring specific api set_strict_cipher_list to SslContextBuilder
• 2025-11-20 Introduce SslCipherRef::protocol_id
• 2023-05-11 fix: BIO_set_retry_write when BIO_CTRL_FLUSH to allow writer returns WouldBlock on flush
• 2025-11-14 Remove blanket Eq from FFI types
• 2025-12-20 Never use the debug CRT on Windows
• 2025-02-19 X509Builder::append_extension2 -> X509Builder::append_extension
• 2025-02-19 Ssl::new_from_ref -> Ssl::new()
• 2025-02-19 Align SslStream APIs with upstream
• 2025-09-26 Remove support for Hyper v0

4.21.0

• 2026-01-05 Warn about set_curves() removal
• 2026-01-05 Deprecate set_ex_data()
• 2026-01-05 Fix build with --no-default-features
• 2026-01-05 Make set_curves_list always available
• 2026-01-19 Use fips-build-compatible ERR_add_error_data

4.20.0

• 2025-08-26 Support TARGET_CC and CC_{target}
• 2025-08-26 Fix swapped host/target args
• 2025-06-13 CStr UTF-8 improvements
• 2025-09-26 Skip Rust version detection for bindgen
• 2025-09-26 Upgrade deps
• 2025-06-13 Ensure that ERR_LIB type can be named
• 2025-06-13 Add more reliable library_reason()
• 2025-09-30 pq: fix MSVC C4146 warning
• 2025-10-14 Freebsd build
• 2025-10-01 Fix string data conversion in ErrorStack::put()

4.19.0

• 2025-09-03 Add binding for X509_check_ip_asc
• 2025-06-13 Use ERR_clear_error
• 2025-06-13 Error descriptions and docs
• 2025-06-13 Boring doesn't use function codes
• 2025-09-03 Fix patched docs.rs builds
• 2025-09-03 Test docs.rs docs
• 2025-09-03 Fix doc links

... (truncated)

Commits

• d47684d v5.0.0
• ae4a737 Update README
• 8ba06e1 rm symlink
• 559fc27 symm: Ensure Cipher::from_nid() handles GCM NIDs
• 7888b0f symm: Add regression test for cipher NIDs
• d60c579 FIXMEs
• 06ca1fd Handle overflows in FFI integer conversions
• 5f4cf54 Bump rust-version to 1.85
• 7cb4c89 Detect bad headers in boring-sys
• 7298c9e Use std helper methods for pointer casts
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[dependabot]

Looks like boring is up-to-date now, so this is no longer needed.