chore(deps): ignore RustCrypto minor bumps until ecosystem stabilizes#147
Dependabot opened #40 (hmac 0.12→0.13) and #41 (sha2 0.10→0.11) as independent PRs, but these bumps are coupled through the `digest` trait: hmac 0.13 and sha2 0.11 both require `digest` 0.11, while our pbkdf2 0.12 and aes-gcm 0.10 sit on `digest` 0.10. `Hmac::<Sha256>` requires matching `digest` trait versions across all three crates, so a lone hmac or sha2 bump fails to compile. pbkdf2 0.13 and aes-gcm 0.11 (the coupled counterparts on digest 0.11) are currently only released as pre-release versions (0.13.0-rc.10 and 0.11.0-rc.3). Taking pre-release crypto crates in a security-relevant path isn't a good trade. Add dependabot ignore rules for hmac/sha2/pbkdf2/aes-gcm minor bumps so the tracker doesn't re-open these stale PRs weekly. Re-enable by deleting these ignore entries once pbkdf2 0.13 and aes-gcm 0.11 ship as stable releases.
Code Review
This pull request updates the Dependabot configuration to ignore minor version updates for specific RustCrypto ecosystem crates, including hmac, sha2, pbkdf2, and aes-gcm. This change prevents build failures caused by version mismatches in the shared digest trait while certain dependencies remain in pre-release. I have no feedback to provide.
Codecov Report: ✅ All modified and coverable lines are covered by tests.
Summary
Adds dependabot ignore rules for `hmac`, `sha2`, `pbkdf2`, and `aes-gcm` minor bumps so #40 and #41 (and their re-opens) stop cluttering the tracker until the ecosystem stabilizes.
The coupling problem
#40 (hmac 0.12→0.13) and #41 (sha2 0.10→0.11) look like independent dep bumps but are coupled through `digest`: `Hmac::<Sha256>` and `pbkdf2_hmac_array::<Sha256, _>` all require matching `digest` trait versions. A lone bump breaks compilation because the `digest` versions diverge.
Moving everything forward requires accepting pre-release crypto crates (pbkdf2 0.13.0-rc.10, aes-gcm 0.11.0-rc.3), which isn't a good trade for a security-relevant path.
Action
- Add dependabot ignore rules for hmac/sha2/pbkdf2/aes-gcm at the `semver-minor` level.
- Our current pins (hmac 0.12, sha2 0.10, pbkdf2 0.12, aes-gcm 0.10) have no open security advisories; staying put is safe.
Test plan
- `.github/dependabot.yml` parses (YAML structure unchanged except for the `ignore:` block)
- `@dependabot recreate` on any reopened hmac/sha2 PR confirms they're suppressed
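For reference, here is what a `.github/dependabot.yml` `ignore:` block of the shape this PR describes looks like. This is an illustrative example written for this page, not the PR's actual diff (which is not shown here); the `package-ecosystem`, `directory` and `schedule` values are assumptions, while the four `ignore` entries mirror the PR description (hmac, sha2, pbkdf2, aes-gcm at the semver-minor level).

```yaml
# Illustrative example, not the PR's own diff. package-ecosystem, directory
# and schedule are assumed; the ignore entries follow the PR description.
version: 2
updates:
  - package-ecosystem: "cargo"
    directory: "/"
    schedule:
      interval: "weekly"
    ignore:
      # hmac 0.13 and sha2 0.11 require digest 0.11, which pbkdf2 0.12 and
      # aes-gcm 0.10 do not support, so a lone bump of either fails to compile.
      - dependency-name: "hmac"
        update-types: ["version-update:semver-minor"]
      - dependency-name: "sha2"
        update-types: ["version-update:semver-minor"]
      # Their digest-0.11 counterparts (pbkdf2 0.13, aes-gcm 0.11) are
      # pre-release only; delete these entries once they ship as stable.
      - dependency-name: "pbkdf2"
        update-types: ["version-update:semver-minor"]
      - dependency-name: "aes-gcm"
        update-types: ["version-update:semver-minor"]
```

Two things worth knowing when reading this. Dependabot classifies an update by the position of the version number that changed, not by Cargo's convention that a 0.x minor bump is breaking, so 0.12→0.13 is a `semver-minor` update here and patch releases (0.12.x) continue to flow through. And ignore conditions in `dependabot.yml` also apply to Dependabot security updates, so the "no open security advisories" condition in the Action section needs to be re-checked independently (for example with `cargo audit` in CI) for as long as these entries stay in place.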