fix: refresh lockfile for cargo audit #100

Merged: jdx merged 1 commit into main from fix/cargo-audit-lockfile, Apr 19, 2026

Conversation

jdx (Owner) commented Apr 19, 2026

Summary

  • refresh Cargo.lock to pick up patched transitive dependencies
  • resolve current cargo audit failures in CI
  • keep the change scoped to the lockfile only

Validation

  • cargo audit
  • cargo test

This unblocks dependency-only PRs like #99 that are failing on newly published advisories rather than their own changes.


Note

Low Risk
Lockfile-only dependency bumps (notably aws-lc-*, rustls-webpki, and tokio) may slightly change runtime/crypto behavior, but code is untouched and changes are limited to transitive updates.

Overview
Updates Cargo.lock to pick up newer patched transitive crates and clear cargo audit findings. This bumps several networking/crypto/runtime dependencies (e.g., aws-lc-*, rustls-webpki, hyper-rustls, tokio, rand*) and adds an additional wit-bindgen version to satisfy WASI deps.

Reviewed by Cursor Bugbot for commit a110cb2.
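The lockfile-only review the PR summary asks for, as an added example that is not part of this project or this PR: a small Python helper that diffs two Cargo.lock texts and reports version bumps, newly added entries (such as the extra wit-bindgen version), removed entries and any package whose source moved away from the crates.io registry. The sample lockfiles, the crate name example-crate and its git URL are constructed for illustration.

```python
"""Added example, not the project's own code: review helper for a
lockfile-only PR. Parses two Cargo.lock texts and classifies every
difference so a reviewer can eyeball a "lockfile refresh" before trusting it."""
import re

REGISTRY = "registry+https://github.com/rust-lang/crates.io-index"

def parse_lock(text):
    """Map (name, version) -> source for every [[package]] block."""
    pkgs = {}
    for block in re.split(r"^\[\[package\]\]\s*$", text, flags=re.M)[1:]:
        f = dict(re.findall(r'^(\w+)\s*=\s*"([^"]*)"', block, flags=re.M))
        pkgs[(f["name"], f["version"])] = f.get("source")  # None = path dep
    return pkgs

def diff_lock(old_text, new_text):
    """Classify every difference between two lockfiles for review."""
    old, new = parse_lock(old_text), parse_lock(new_text)
    rep = {"bumped": [], "added": [], "removed": [], "source_changed": []}
    for name in sorted({n for n, _ in old} | {n for n, _ in new}):
        ov = {v: s for (n, v), s in old.items() if n == name}
        nv = {v: s for (n, v), s in new.items() if n == name}
        if len(ov) == 1 and len(nv) == 1:  # plain bump of a single version
            (o, osrc), (w, nsrc) = next(iter(ov.items())), next(iter(nv.items()))
            if o != w:
                rep["bumped"].append((name, o, w))
            if osrc != nsrc:  # registry -> git/path is the red flag here
                rep["source_changed"].append((name, osrc, nsrc))
            continue
        rep["added"].extend((name, v) for v in nv if v not in ov)
        rep["removed"].extend((name, v) for v in ov if v not in nv)
        # a brand-new entry that does not come from crates.io deserves a look
        rep["source_changed"].extend(
            (name, None, s) for v, s in nv.items() if v not in ov and s != REGISTRY)
    return rep

def entry(name, ver, src=REGISTRY):  # builds one constructed [[package]] block
    return f'[[package]]\nname = "{name}"\nversion = "{ver}"\nsource = "{src}"\n\n'

# Constructed sample lockfiles, not the project's real Cargo.lock.
OLD_LOCK = "version = 4\n\n" + entry("tokio", "1.40.0") + entry("wit-bindgen", "0.41.0")
NEW_LOCK = ("version = 4\n\n" + entry("tokio", "1.44.0") + entry("wit-bindgen", "0.41.0")
            + entry("wit-bindgen", "0.57.1")
            + entry("example-crate", "0.1.0", "git+https://example.invalid/example-crate"))

if __name__ == "__main__":
    for kind, items in diff_lock(OLD_LOCK, NEW_LOCK).items():
        print(kind, items)
```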

greptile-apps (Bot) commented Apr 19, 2026

No reviewable files after applying ignore patterns.

gemini-code-assist (Bot) left a comment

Code Review

This pull request updates several dependencies in Cargo.lock to their latest versions, including aws-lc-rs, bitflags, clap, libc, rand, tokio, and rustls-webpki. Additionally, it explicitly adds wit-bindgen version 0.57.1 and specifies bindgen versions for WASI-related packages. I have no feedback to provide.

codecov (Bot) commented Apr 19, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 93.90%. Comparing base (21e36f2) to head (a110cb2).
⚠️ Report is 1 commit behind head on main.

@@           Coverage Diff           @@
##             main     #100   +/-   ##
=======================================
  Coverage   93.90%   93.90%           
=======================================
  Files          26       26           
  Lines        3953     3953           
  Branches     3953     3953           
=======================================
  Hits         3712     3712           
  Misses        154      154           
  Partials       87       87           


jdx merged commit ce800a7 into main Apr 19, 2026
8 checks passed
jdx deleted the fix/cargo-audit-lockfile branch April 19, 2026 03:15
jdx added a commit that referenced this pull request Apr 19, 2026
A dependency-only maintenance release with no changes to communiqué's
own code. Key Rust crate dependencies (`clx`, `toml`) were bumped to
their latest major versions, and the lockfile was refreshed to pull in
patched transitive dependencies and resolve `cargo audit` findings.

### Changed

- **Updated `clx` to v2** — Picks up the new `ProgressOutput::Quiet`
variant and an updated `strum` dependency from the upstream clx library.
([#98](#98))
- **Updated `toml` to v1** — Bumped from 0.8 through 0.9 to the stable
1.0 release. ([#65](#65),
[#90](#90))
- **Refreshed lockfile for `cargo audit`** — Updated transitive
dependencies including `aws-lc-rs`, `rustls-webpki`, `tokio`, and `rand`
to their latest patched versions, clearing CI audit failures.
([#100](#100)) (@jdx)

---

> [!NOTE]
> **Medium Risk**
> Medium risk due to major-version dependency upgrades (`clx` v2 and
> `toml` v1.0) and a refreshed lockfile that could change runtime behavior
> or introduce subtle regressions. Also updates the changelog, where a
> formatting/merge issue around older entries may need review.
>
> **Overview**
> Prepares the `1.0.0` release by bumping the crate/CLI version from
> `0.1.9` → `1.0.0`, refreshing `Cargo.lock`, and updating generated CLI
> docs/specs to match.
>
> Updates the changelog with a new `1.0.0` entry covering dependency
> maintenance (`clx` v2, `toml` 1.0, and transitive patch updates), but
> introduces a likely formatting issue where the `0.1.8` fixed entry runs
> into the `0.1.7` heading.
>
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit
> 3cdbfaa.</sup>