Bump zip from 5.1.1 to 6.0.0

[dependabot]

Bumps zip from 5.1.1 to 6.0.0.

Release notes

Sourced from zip's releases.

v6.0.0

🐛 Bug Fixes

• panic when reading empty extended-timestamp field (#404) (#422)
• Restore original file timestamp when unzipping with chrono (#46)

⚙️ Miscellaneous Tasks

• Configure Amazon Q rules (#421)

Changelog

Sourced from zip's changelog.

6.0.0 - 2025-10-09

🚀 Features

• Add by_index_with_options(), which can be used to ignore encryption in a file's metadata (#439) and may be used for other file-specific overrides in the future.

⚙️ Miscellaneous Tasks

• [breaking] FileOptions::add_extra_data is now generic and accepts any AsRef<[u8]>. (#435)

Commits

• abfc23d feat: Upgrade [Extended]FileOptions::add_extra_data() data from Box<[u8]> to ...
• eb1b586 docs: Update zip_writer documentation example (#431)
• 26e6e08 feat: Add by_index_with_options() for ignoring encryption (#439)
• 165415d chore(deps): update nt-time requirement from 0.10.6 to 0.12.1 (#429)
• 1d5d4ed chore(deps): update lzma-rust2 requirement from 0.13 to 0.14 (#432)
• 72cce40 chore(deps): update nt-time requirement from 0.10.6 to 0.12.1 (#428)
• 2ef4d3e chore(deps): update nt-time requirement from 0.10.6 to 0.12.1 (#427)
• 9cf28cb test(ci): Fix: rename can't be skipped
• 5987cdd test(ci): Fix: need recursive rename
• 74f8a3c test(ci): Need to rename more files during fuzz runs
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[phylum-io]

Phylum OSS Supply Chain Risk Analysis - INCOMPLETE

The analysis contains 1 package(s) Phylum has not yet processed,
preventing a complete risk analysis. Phylum is processing these
packages currently and should complete soon.
Please wait for up to 30 minutes, then re-run the analysis.

View this project in the Phylum UI

[maxrake]

This does not actually appear to be a breaking change release...not sure why the major version changed. LGTM.

@dependabot merge

[dependabot]

Beginning January 27, 2026, Dependabot will no longer support the @dependabot merge command. Please use GitHub's native pull request controls instead. Please see the changelog announcement for additional details.