chore(deps): bump msrv for aws smithy updates #9295
Code Review
This pull request updates the project's Rust version to 1.91 and performs a major cleanup of dependencies, consolidating versions for networking and AWS SDK crates while resolving several security advisories. Feedback focuses on several regressive downgrades in the Cargo.lock file for itertools, windows-sys, and base64 crates, which likely conflict with dependency requirements or introduce unnecessary version duplication.
| "cexpr", | ||
| "clang-sys", | ||
| "itertools 0.13.0", | ||
| "itertools 0.12.1", |
The downgrade of itertools from 0.13.0 to 0.12.1 for bindgen 0.72.1 appears to be an error. bindgen 0.72.1 specifies a dependency on itertools 0.13. Forcing an older version in the lockfile will likely lead to compilation or resolution failures when cargo validates the graph. It is recommended to let cargo regenerate the lockfile automatically to ensure all version constraints are satisfied.
| dependencies = [ | ||
| "libc", | ||
| "windows-sys 0.61.2", | ||
| "windows-sys 0.45.0", |
The lockfile contains several suspicious downgrades of the windows-sys crate (e.g., from 0.61.2 to 0.45.0 for os_pipe). These changes are likely unintended and could break platform-specific functionality or introduce regressions. These should be reverted in favor of a standard cargo update which would maintain or advance these versions while satisfying the dependency graph.
| checksum = "51e219e79014df21a225b1860a479e2dcd7cbd9130f4defd4bd0e191ea31d67d" | ||
| dependencies = [ | ||
| "base64 0.22.1", | ||
| "base64 0.21.7", |
The base64 dependency for oauth2 is being downgraded from 0.22.1 to 0.21.7. Given that the workspace already explicitly depends on base64 0.22 in Cargo.toml, this downgrade creates unnecessary version duplication in the dependency graph and uses an older API. It should be kept at 0.22.x to maintain consistency.
Greptile Summary
Bumps the MSRV from Rust
Confidence Score: 5/5
Safe to merge — well-scoped dependency hygiene with no logic changes and verified packaging targets.
All changes are mechanical: MSRV bump, AWS feature-flag rename, lockfile refresh, packaging spec updates, and removal of now-resolved advisory ignores. The PR author validated against all active packaging environments and ran
No files require special attention.
Important Files Changed
Flowchart
%%{init: {'theme': 'neutral'}}%%
flowchart TD
A[aws-config / aws-sdk-s3] -->|feature: default-https-client| B[aws-smithy-http-client]
B --> C[rustls 0.23.x]
C --> D[rustls-webpki 0.103.13]
E[OLD: aws-config / aws-sdk-s3] -->|feature: rustls| F[aws-smithy-http-client legacy]
F --> G[rustls 0.21.12]
G --> H[rustls-webpki 0.101.7]
H -->|RUSTSEC-2026-0098/0099| X[⚠ Advisories]
style E fill:#ffcccc
style F fill:#ffcccc
style G fill:#ffcccc
style H fill:#ffcccc
style X fill:#ff4444,color:#fff
style A fill:#ccffcc
style B fill:#ccffcc
style C fill:#ccffcc
style D fill:#ccffcc
Reviews (2): Last reviewed commit: "Merge branch 'main' into fix/rustls-webp..."
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Reviewed by Cursor Bugbot for commit 15e17b2.
| ] | ||
| build = "build.rs" | ||
| rust-version = "1.88" | ||
| rust-version = "1.91" |
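Review bot: `rust-version = "1.91"` on the changed line accepts a 1.91.0 toolchain, while the Renovate rule description quoted later in this thread says the AWS SDK requires MSRV 1.91.1. If 1.91.1 is the real floor, set `rust-version = "1.91.1"` so cargo rejects 1.91.0 up front, and check that the `rust >= 1.91` and `rustc (>= 1.91)` packaging constraints named in the PR description do not admit a 1.91.0 build environment.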
Renovate still blocks AWS SDK updates after MSRV bump
Medium Severity
The MSRV is bumped to 1.91 here, but .github/renovate.json still contains a rule with "enabled": false for aws-config and aws-sdk-* packages, with the description "AWS SDK requires MSRV 1.91.1, project is 1.88.0. Re-enable when MSRV is bumped." Since this PR bumps the MSRV (the exact condition the rule says to act on), the Renovate rule needs to be removed or re-enabled. Without that, future AWS SDK security patches and version updates will silently be suppressed by Renovate.
eh aws updates aggressively, it'll just break again
Hyperfine Performance

mise x -- echo
| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| `mise-2026.4.18 x -- echo` | 21.6 ± 0.7 | 20.9 | 35.0 | 1.00 |
| `mise x -- echo` | 22.1 ± 0.5 | 21.4 | 26.1 | 1.02 ± 0.04 |

mise env
| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| `mise-2026.4.18 env` | 21.2 ± 0.6 | 20.3 | 27.5 | 1.00 |
| `mise env` | 21.6 ± 0.4 | 21.0 | 24.7 | 1.02 ± 0.04 |

mise hook-env
| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| `mise-2026.4.18 hook-env` | 21.8 ± 0.4 | 21.2 | 24.3 | 1.00 |
| `mise hook-env` | 22.2 ± 0.4 | 21.5 | 24.7 | 1.02 ± 0.03 |

mise ls
| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
| `mise-2026.4.18 ls` | 19.1 ± 0.4 | 18.5 | 22.1 | 1.00 |
| `mise ls` | 19.7 ± 0.4 | 19.0 | 22.3 | 1.03 ± 0.03 |

xtasks/test/perf
| Command | mise-2026.4.18 | mise | Variance |
|---|---|---|---|
| install (cached) | 142ms | 146ms | -2% |
| ls (cached) | 74ms | 77ms | -3% |
| bin-paths (cached) | 80ms | 82ms | -2% |
| task-ls (cached) | 808ms | 793ms | +1% |
## Summary

- EPEL 9 / RHEL 9 ship rust below 1.91, so the spec's `BuildRequires: rust >= 1.91` (set after the MSRV bump in #9295) makes every `epel-9-aarch64` / `epel-9-x86_64` build fail at dependency resolution before `rpmbuild` ever runs.
- Drop both `epel-9` chroots from the release event list and the `workflow_dispatch` default in `copr-publish.yml`. EPEL 10 stays — it has rust 1.91+.

Example failure ([epel-9-aarch64 build 10411552](https://download.copr.fedorainfracloud.org/results/jdxcode/mise/epel-9-aarch64/10411552-mise/builder-live.log.gz)):

> No matching package to install: 'rust >= 1.91'
> Not all dependencies satisfied
> Error: Some packages could not be found.

The `epel-9-*` chroots may also want to be disabled in the COPR project's web settings to clean up the prior failed build state — that's outside this repo.

## Test plan

- [ ] Next release-triggered (or manually dispatched) `copr-publish` run no longer attempts `epel-9-aarch64` / `epel-9-x86_64`
- [ ] Fedora 42/43/44/rawhide and EPEL 10 builds still complete successfully

🤖 Generated with [Claude Code](https://claude.com/claude-code)

<!-- CURSOR_SUMMARY -->
---

> [!NOTE]
> **Low Risk**
> Low risk workflow-only change that just narrows the COPR build matrix; main risk is reduced build coverage for EPEL 9 rather than functional regressions.
>
> **Overview**
> `copr-publish` no longer targets `epel-9-aarch64`/`epel-9-x86_64` by default. The workflow’s `workflow_dispatch` default `chroots` list and the release-triggered `CHROOTS` env now only include Fedora (rawhide/42-44) and `epel-10` chroots, avoiding EPEL 9 builds.
>
> <sup>Reviewed by [Cursor Bugbot](https://cursor.com/bugbot) for commit 2ab1354. Bugbot is set up for automated code reviews on this repo. Configure [here](https://www.cursor.com/dashboard/bugbot).</sup>
<!-- /CURSOR_SUMMARY -->

Co-authored-by: Claude Opus 4.7 (1M context) <[email protected]>


Summary
- `default-https-client` and refresh the lockfile to remove the legacy `rustls 0.21` / `rustls-webpki 0.101.7` path
- `cargo deny` ignores

Why

`cargo deny` started failing on `RUSTSEC-2026-0104` for two `rustls-webpki` lines.

The `0.103.x` line could be updated in place, but the older `0.101.7` path was coming from the legacy AWS Smithy TLS client chain. The repo had been held at Rust 1.88, which prevented moving to the newer AWS Smithy releases needed to refresh that dependency graph.

I verified the current packaging targets first:
- `rustc 1.94.1`
- `rust 1.94.1`
- resolute: `rustc 1.93.1ubuntu1`

So the active COPR/PPA targets already satisfy Rust 1.91+ and do not need to be dropped for this bump.

Changes

- `Cargo.toml`
  - `rust-version` to `1.91`
  - `default-https-client`
- `Cargo.lock`
  - `rustls 0.21` / `rustls-webpki 0.101.7` path
  - `rustls-webpki 0.103.12 -> 0.103.13`
- `packaging/copr/build-copr.sh`
  - `BuildRequires: rust >= 1.91`
- `.github/workflows/ppa-publish.yml`
  - `rustc (>= 1.91)` build dependency
- `deny.toml`

Validation

- `cargo deny check`
- `cargo check --all-features`
- `ghcr.io/jdx/mise:copr@sha256:90db6cd...`
- `quay.io/centos/centos:stream9`
- `quay.io/centos/centos:stream10`
- `ubuntu:resolute`

This PR was generated by an AI coding assistant.
Note
Medium Risk
Primarily a dependency/toolchain bump, but it changes the AWS HTTP/TLS client stack and minimum compiler version, which can affect build/packaging and runtime networking behavior.
Overview
Bumps the project MSRV to Rust 1.91 and updates Linux packaging requirements to match (Debian PPA `rustc (>= 1.91)` and COPR `BuildRequires: rust >= 1.91`).

Updates AWS dependencies to use `default-https-client` and refreshes `Cargo.lock` to newer AWS Smithy/runtime crates, removing the legacy TLS dependency chain (including older `rustls`/`rustls-webpki`) and cleaning up now-unneeded `cargo-deny` advisory ignores.

Reviewed by Cursor Bugbot for commit 913507f. Bugbot is set up for automated code reviews on this repo.
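
The "Why" section above attributes the advisory-affected `rustls-webpki 0.101.7` entry to the legacy AWS Smithy TLS chain. As an added example (not code from this PR or from the project), the script below walks a `Cargo.lock` upward from one crate version to the packages that pull it in. The lockfile excerpt is constructed, the `0.0.0` versions are placeholders, and `parse_lock` and `why` are hypothetical helper names.

```python
# Added example: trace why one crate version is present in a Cargo.lock.
import re
# Constructed excerpt; the 0.0.0 versions are placeholders, not real releases.
LOCK = '''
[[package]]
name = "aws-config"
version = "0.0.0"
dependencies = [
 "aws-smithy-http-client",
]
[[package]]
name = "aws-sdk-s3"
version = "0.0.0"
dependencies = [
 "aws-smithy-http-client",
]
[[package]]
name = "aws-smithy-http-client"
version = "0.0.0"
dependencies = [
 "rustls 0.21.12",
 "rustls 0.23.0",
]
[[package]]
name = "rustls"
version = "0.21.12"
dependencies = [
 "rustls-webpki 0.101.7",
]
'''

def parse_lock(text):
    """Return [(name, version, [dependency entries])], one per [[package]]."""
    pkgs = []
    for block in text.split("[[package]]")[1:]:
        fields = dict(re.findall(r'^(name|version) = "([^"]+)"', block, re.M))
        deps = re.search(r"^dependencies = \[(.*?)^\]", block, re.M | re.S)
        pkgs.append((fields["name"], fields["version"],
                     re.findall(r'"([^"]+)"', deps.group(1)) if deps else []))
    return pkgs

def why(pkgs, name, version):
    """Every chain from a top-level package down to `name version` (acyclic graph assumed)."""
    # Lock entries read "name", or "name version" when several versions coexist.
    parents = [p for p in pkgs if any(d.split()[:2] in ([name], [name, version]) for d in p[2])]
    here = f"{name} {version}"
    return [f"{up} -> {here}" for p in parents for up in why(pkgs, p[0], p[1])] or [here]

print(*why(parse_lock(LOCK), "rustls-webpki", "0.101.7"), sep="\n")
```

On a real checkout, `cargo tree -i rustls-webpki@0.101.7` answers the same question from the resolved graph; the script is useful when only the lockfile is available, for example when reviewing a lockfile diff.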