chore(deps): Bump rquickjs from 0.11.0 to 0.12.0 in /src/sandbox/runtime

[dependabot]

Bumps rquickjs from 0.11.0 to 0.12.0.

Changelog

Sourced from rquickjs's changelog.

[0.12.0] - 2026-05-26

Breaking Changes

• Added import attributes to the Loader trait #601
• Added half support (f16) for Float16Array # 662
• Value::new_big_int now returns Result<Value> so QuickJS allocation failures are surfaced to the caller #585

Added

• Added #[qjs(prop)] method attribute to declare a JS data property on a class prototype. Unlike #[qjs(get)], which generates an accessor and requires a FromJs<Self> receiver, prop is evaluated at class registration time and emits a plain data descriptor (matching Web IDL semantics for @@toStringTag, @@species, etc.). Honours rename, configurable, enumerable, and a new writable flag (which also gates writable on prop).
• Added FromJs and IntoJs derive macros for plain-data structs
• Added RQUICKJS_SYS_NO_WASI_SDK env variable that skips downloading and setting up the WASI SDK when set to 1 #648
• Added Object::new_proto for creating objects with a custom or null prototype #572
• Added Symbol::new, Symbol::with_description, and Symbol::new_global for creating local and global symbols from Rust #672
• Added ArrayBufferSource trait and ArrayBuffer::from_source / from_source_shared / from_source_immutable safe constructors for wrapping external, caller-owned buffers, with built-in impls for Vec<u8>, Box<[u8]>, Arc<[u8]>, Arc<Vec<u8>>, and (behind the bytes feature) bytes::Bytes
• Add pre-generated bindings for armv7-unknown-linux-gnueabihf
• Add pre-generated bindings for powerpc64-unknown-linux-gnu

Changed

• Bump MSRV to 1.87
• Updated AsyncContext::async_with to use async closure syntax #602

Deprecated

• Deprecated async_with! macro #602

Fixed

• Fixed Property::configurable() / .writable() / .enumerable() not emitting JS_PROP_HAS_* flags, so redefining an existing property silently kept its old attributes #693
• Fixed QuickJS rope strings (JS_TAG_STRING_ROPE) not being recognized as strings, causing type_of(), is_string(), and as_string() to fail on large concatenated strings
• Fixed interrupt handler causing GC assertion failure due to missing JS_DupContext on error context from JS_ExecutePendingJob #664
• Fixed cross-thread stack overflow false positives in parallel mode by updating stack baseline before QuickJS C entry points
• Fixed promise polling not returning Ready variant when exception occurs
• Fixed promise future aborting on stale pending exceptions by only bailing on uncatchable errors (e.g. interrupt handler)
• Fixed iterators to use correct IteratorPrototype chain
• Fixed a latent ABI layout vulnerability in JS_NewPromiseCapability FFI boundary by replacing tuple with strictly compatible array
• #[rquickjs::class] now rejects fields whose type implements JsClass with a clear compile error; such fields silently dropped nested mutations because the generated getter cloned the value. Wrap the field in Class<'js, T> instead #532
• Added missing Trace implementations for Constructor, Promise, Proxy, ArrayBuffer, and TypedArray; added JsLifetime for Proxy; re-exported Constructor at the crate root
• Fixed #[qjs(static, rename = PredefinedAtom::...)] methods failing when the target symbol exists as a non-writable property on Function.prototype (e.g. Symbol.hasInstance) by defining properties directly on the constructor instead of going through the prototype chain #315
• Fixed #[qjs(static, get/set)] accessors being placed on the class prototype instead of the constructor #478
• Fixed Runtime::set_max_stack_size crashing on large values (e.g. usize::MAX) by clamping to avoid a pointer underflow inside QuickJS's stack limit check #437

Commits

• c86334c Merge pull request #698 from richarddd/release/0.12.0
• ef955f4 Bump version to 0.12.0
• 629fe93 Merge pull request #697 from richarddd/fix/changelog-conflict-markers
• 4c98517 Remove leftover merge conflict markers from CHANGELOG
• 0c065d3 Merge pull request #696 from DelSkayn/dependabot/submodules/sys/quickjs-433941b
• 257e1a2 Bump sys/quickjs from 14892f8 to 433941b
• 193e4d8 Merge pull request #692 from DelSkayn/dependabot/submodules/sys/quickjs-14892f8
• 96f121e Merge pull request #694 from richarddd/fix/property-has-flags
• 35f460e Regenerate Windows-MSVC bindings for quickjs-ng 14892f8
• 73a7925 fix: emit JS_PROP_HAS_* flags from Property attribute builders so JS_DefinePr...
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[Copilot]

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.