chore: release v1.46.0

[jdx]

🚀 Features

• (builtins) add oxfmt config to hk builtin config by @hituzi-no-sippo in #914
• (builtins) add vite-plus builtin configs to hk by @hituzi-no-sippo in #913
• (install) skip local install when hk is configured globally by @jdx in #934
• update oxlint hook by @hituzi-no-sippo in #911

🐛 Bug Fixes

• (install) use absolute commands for global hooks by @jdx in #939
• (pre-push) correct inverted ref filter and handle new-branch pushes by @jdx in #932
• (stash) preserve fail_on_fix output with git stash by @jdx in #909
• (stash) preserve staged deletions across pop_stash by @jdx in #927
• (stash) preserve fixer tail-line deletions in three-way merge by @jdx in #931

🛡️ Security

• (ci) add zizmor workflow for github actions security analysis by @jdx in #925

🔍 Other Changes

• (ci) remove autofix.ci workflow by @jdx in #923
• (ci) assert mise run render produces no diff by @jdx in #924
• (ci) close failing or conflicted PRs sooner by @jdx in #936
• remove pull_request_target workflow by @jdx in #921
• remove caching from publishing workflows by @jdx in #922

📦️ Dependency Updates

• update anthropics/claude-code-action digest to 939ae9c by @renovate[bot] in #912
• update anthropics/claude-code-action digest to 034cbdb by @renovate[bot] in #916
• update actions-rust-lang/setup-rust-toolchain digest to 46268bd by @renovate[bot] in #915
• update anthropics/claude-code-action digest to ad67978 by @renovate[bot] in #917
• lock file maintenance by @renovate[bot] in #918
• lock file maintenance by @renovate[bot] in #938

---

Note

Medium Risk
Mostly a release/version bump, but Cargo.lock includes notable dependency upgrades (e.g., zip 2.x → 8.x and related TLS/HTTP transitive changes) which could affect archive/network behavior at runtime.

Overview
Bumps hk from v1.45.0 to v1.46.0 and publishes the corresponding release notes in CHANGELOG.md.

Updates all versioned documentation references and generated CLI docs (docs/cli/*, examples, hk.usage.kdl) to point at v1.46.0 artifacts.

Refreshes Cargo.lock with dependency updates, including major bumps like zip and reqwest and related transitive crate changes.

^{Reviewed by Cursor Bugbot for commit f10838c. Bugbot is set up for automated code reviews on this repo. Configure here.}

[greptile-apps]

Greptile Summary

This is a standard release PR bumping hk from v1.45.0 to v1.46.0. All version references across documentation, PKL files, and the KDL usage file are consistently updated, and the CHANGELOG has been populated with the full set of changes since v1.45.0.

• Version bump: Cargo.toml and all documentation/example PKL package URLs updated from v1.45.0 to v1.46.0.
• Dependency updates: Lock file reflects removal of the duplicate reqwest 0.12.28 (consolidated to 0.13.3), a major zip version bump (2.4.2 → 8.6.0), and several minor dependency updates (pklr, tower-http, num-conv); unused crates (arbitrary, derive_arbitrary, webpki-roots, ring) are dropped.
• Changelog correction: The v1.45.0 release date was also corrected from 2026-05-04 to 2026-05-05.

Confidence Score: 5/5

Safe to merge — purely a version bump and lock-file update with no logic changes.

All changes are mechanical: version strings updated across docs and config files, CHANGELOG populated, and Cargo.lock refreshed with consolidated and updated dependencies. No source logic was modified.

No files require special attention.

Important Files Changed

Filename	Overview
Cargo.toml	Version bumped from 1.45.0 to 1.46.0
Cargo.lock	Lock file updated: pklr 0.4.2→0.4.3, zip 2.4.2→8.6.0 (major), tower-http 0.6.10→0.6.11, num-conv 0.2.1→0.2.2; removed duplicate reqwest 0.12.28 and arbitrary/webpki-roots/ring; added zlib-rs and typed-path
CHANGELOG.md	Added v1.46.0 release notes; also corrected v1.45.0 date from 2026-05-04 to 2026-05-05
hk-example.pkl	Package URLs updated to reference v1.46.0
docs/builtins.md	Package URL references updated to v1.46.0

_{Reviews (22): Last reviewed commit: "chore: release v1.46.0" | Re-trigger Greptile}

[gemini-code-assist]

Code Review

This pull request bumps the version of hk from 1.45.0 to 1.45.1 and includes a bug fix to preserve fail_on_fix output when using git stash. The changes also involve updating several dependencies in Cargo.lock, notably replacing iri-string with url for tower-http, and updating all documentation and Pkl configuration files to reference the new version. I have no feedback to provide as there were no review comments.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	cargo/​pklr@​0.4.2 ⏵ 0.4.3

View full report