Conversation
Greptile SummaryThis PR bumps the direct Key observations:
Confidence Score: 5/5Safe to merge; cargo check passes and no API-breaking changes exist between zip v3 and v8 for the call sites in use. The only behavioural concern (deflate-only feature set) was already addressed in a prior review thread. No new P0/P1 issues are identified. The change is a straightforward version bump with verified compilation. No files require special attention beyond what has already been discussed. Important Files Changed
Flowchart%%{init: {'theme': 'neutral'}}%%
flowchart TD
mise["mise binary"] -->|"zip 8.5.0\n(deflate only)"| Z8["zip 8.5.0"]
mise -->|"zip 2.4.2"| Z2["zip 2.4.2"]
SU["self_update crate"] --> Z2
ZS["zipsign-api"] --> Z2
UBI["ubi 0.9.0"] -->|"zip 3.0.0"| Z3["zip 3.0.0"]
OTHER["other transitive deps"] -->|"zip 6.0.0"| Z6["zip 6.0.0"]
style mise fill:#4a90d9,color:#fff
style Z8 fill:#27ae60,color:#fff
style Z3 fill:#e67e22,color:#fff
style Z2 fill:#95a5a6,color:#fff
style Z6 fill:#95a5a6,color:#fff
Reviews (2): Last reviewed commit: "chore(deps): bump zip from 3 to 8, xx to..." | Re-trigger Greptile |
This eliminates the lzma-rust2 0.15.x / crc version conflict by removing zip 7 and lzma-rust2 0.15.x from the dependency tree entirely. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
There was a problem hiding this comment.
Code Review
This pull request updates the zip dependency from version 3.0.0 to 8.5.0 in Cargo.toml and Cargo.lock. The reviewer highlighted that this major version bump changes the default behavior regarding file modification time preservation, which could impact build caching and consistency with other archive handling in the codebase. It is recommended to explicitly configure preserve_mtime: false in src/backend/aqua.rs to maintain existing behavior.
| xx = { version = "2.5", default-features = false, features = ["glob"] } | ||
| xz2 = "0.1" | ||
| zip = { version = "3", default-features = false, features = ["deflate"] } | ||
| zip = { version = "8", default-features = false, features = ["deflate"] } |
There was a problem hiding this comment.
Bumping zip to v8 is a significant major version change. One notable breaking change is that file extraction now preserves modification times by default (preserve_mtime: true in zip::ExtractOptions). This can cause subtle issues with build systems or caching mechanisms that rely on file timestamps.
This change affects the file::unzip call in src/backend/aqua.rs:1766, which currently passes default options. This will now preserve mtime, which is inconsistent with how other archives are handled in the codebase (e.g., http.rs sets preserve_mtime: false for tarballs).
To prevent potential issues and maintain consistency, I recommend updating the unzip call to explicitly disable preserving modification times.
For example, in src/backend/aqua.rs, the call could be updated like this:
// src/backend/aqua.rs:1765
} else if format == "zip" {
let opts = file::UnzipOptions {
preserve_mtime: false,
..Default::default()
};
file::unzip(&tarball_path, &install_path, &opts)?;
make_executable = true;(Note: The exact struct name file::UnzipOptions is an assumption based on file::TarOptions. Please adjust if the actual implementation differs.)
|
Review the following changes in direct dependencies. Learn more about Socket for GitHub.
|
Hyperfine Performance
|
| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
mise-2026.4.3 x -- echo |
22.4 ± 0.5 | 21.4 | 26.0 | 1.00 |
mise x -- echo |
22.9 ± 0.6 | 21.9 | 26.3 | 1.02 ± 0.03 |
mise env
| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
mise-2026.4.3 env |
21.7 ± 0.6 | 20.8 | 25.7 | 1.00 |
mise env |
22.5 ± 0.8 | 21.4 | 32.7 | 1.04 ± 0.05 |
mise hook-env
| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
mise-2026.4.3 hook-env |
23.0 ± 0.7 | 21.7 | 28.8 | 1.00 |
mise hook-env |
23.5 ± 0.6 | 22.6 | 28.1 | 1.02 ± 0.04 |
mise ls
| Command | Mean [ms] | Min [ms] | Max [ms] | Relative |
|---|---|---|---|---|
mise-2026.4.3 ls |
20.1 ± 0.5 | 19.2 | 22.5 | 1.00 |
mise ls |
20.4 ± 0.5 | 19.4 | 22.2 | 1.01 ± 0.04 |
xtasks/test/perf
| Command | mise-2026.4.3 | mise | Variance |
|---|---|---|---|
| install (cached) | 151ms | 151ms | +0% |
| ls (cached) | 78ms | 79ms | -1% |
| bin-paths (cached) | 84ms | 82ms | +2% |
| task-ls (cached) | 805ms | 803ms | +0% |
### 🚀 Features - **(ci)** auto-convert external PRs to draft mode by @jdx in [#8896](#8896) - **(deps)** add `depends` field for user-specified tool dependencies by @cprecioso in [#8776](#8776) - **(dotnet)** support runtime-only installs by @fragon10 in [#8524](#8524) - **(npm)** apply install_before to transitive dependencies by @risu729 in [#8851](#8851) - **(task)** allow passing arguments to task dependencies via {{usage.*}} templates by @jdx in [#8893](#8893) - add options field to BackendListVersionsCtx by @esteve in [#8875](#8875) ### 🐛 Bug Fixes - **(backend)** filter PEP 440 .dev versions in fuzzy version matching by @richardthe3rd in [#8849](#8849) - **(ci)** update COPR BuildRequires rust version to match MSRV 1.88 by @jdx in [#8911](#8911) - **(ci)** add Ruby build dependencies to e2e Docker image by @jdx in [#8910](#8910) - **(ci)** add missing build dependencies to e2e Docker image by @jdx in [#8912](#8912) - **(ci)** add missing build dependencies to e2e Docker image by @jdx in [#8914](#8914) - **(ci)** use Node 24 LTS for corepack e2e test by @jdx in [#8915](#8915) - **(ci)** add libxml2 and pkg-config to e2e Docker image by @jdx in [#8917](#8917) - **(ci)** add libxml2-dev to e2e image and disable Swift SPM tests by @jdx in [#8918](#8918) - **(docs)** use sans-serif font for badges by @jdx in [#8887](#8887) - **(env)** parse --env=VALUE and -E=VALUE flag forms correctly by @jdx in [#8889](#8889) - **(exec)** use i64::from() for seccomp syscall numbers to survive autofix by @jdx in [#8882](#8882) - **(github)** preserve tool options like filter_bins when version specified via CLI by @jdx in [#8888](#8888) - **(github)** use alias-specific options when tool_alias has its own config by @jdx in [#8892](#8892) - **(install)** add locked_verify_provenance setting and detect github attestations at lock time by @jdx in [#8901](#8901) - **(lock)** prune stale version entries during filtered `mise lock <tool>` runs by @altendky in [#8599](#8599) - **(python)** use lockfile URL for precompiled installs by @hehaoqian in [#8750](#8750) - **(release)** verify all build targets succeed before releasing by @jdx in [#8886](#8886) - **(ruby)** support build revisions for precompiled binaries in mise.lock by @jdx in [#8900](#8900) - **(swift)** fall back to Ubuntu 24.04 for unsupported Ubuntu versions by @jdx in [#8916](#8916) - **(zsh)** avoid duplicate trust warning after cd by @timothysparg in [#8898](#8898) - update flake.lock and add fix for rust-bindgen to default.nix by @esteve in [#8874](#8874) - when direnv diff is empty, do not try to parse it by @yaleman in [#8857](#8857) - skip trust check for plain .tool-versions in task list by @dportalesr in [#8876](#8876) ### 🚜 Refactor - **(go)** rename go_* settings to go.* namespace by @jdbruijn in [#8598](#8598) ### 📚 Documentation - **(tasks)** clarify task_config.includes behavior by @risu729 in [#8905](#8905) ### 🧪 Testing - **(ci)** run e2e tests inside Docker containers by @jdx in [#8899](#8899) ### 📦️ Dependency Updates - bump ubi from 0.8 to 0.9 by @jdx in [#8906](#8906) - bump zip from 3 to 8 by @jdx in [#8908](#8908) - update lockfile deps (hold back rattler) by @jdx in [#8909](#8909) - update bun.lock by @jdx in [#8913](#8913) ### 📦 Registry - add turso ([github:tursodatabase/turso-cli](https://github.com/tursodatabase/turso-cli)) by @kenn in [#8884](#8884) - remove carp test by @jdx in [#8894](#8894) ### Chore - **(ci)** add workflow to warn PRs modifying vendored aqua-registry by @jdx in [#8897](#8897) - **(ci)** use github.token for draft conversion in auto-draft workflow by @jdx in [#8903](#8903) - remove deprecated settings older than 12 months by @jdx in [#8904](#8904) ### New Contributors - @dportalesr made their first contribution in [#8876](#8876) - @timothysparg made their first contribution in [#8898](#8898) - @hehaoqian made their first contribution in [#8750](#8750) - @jdbruijn made their first contribution in [#8598](#8598) - @cprecioso made their first contribution in [#8776](#8776) - @yaleman made their first contribution in [#8857](#8857) - @kenn made their first contribution in [#8884](#8884) - @fragon10 made their first contribution in [#8524](#8524) ## 📦 Aqua Registry Updates #### New Packages (6) - [`ahkohd/oyo`](https://github.com/ahkohd/oyo) - [`bellicose100xp/jiq`](https://github.com/bellicose100xp/jiq) - [`kurama/dealve-tui`](https://github.com/kurama/dealve-tui) - [`micahkepe/jsongrep`](https://github.com/micahkepe/jsongrep) - [`textfuel/lazyjira`](https://github.com/textfuel/lazyjira) - [`ubugeeei/vize`](https://github.com/ubugeeei/vize) #### Updated Packages (1) - [`sigstore/cosign`](https://github.com/sigstore/cosign)
Summary
zipdependency from 3.0.0 to 8.5.0lzma-rust2/crcversion conflict in chore(deps): lock file maintenance #8416 by reducing the number of separatezipversions in the dependency treeTest plan
cargo checkpasses locally🤖 Generated with Claude Code
Note
Medium Risk
Updates the ZIP/archive dependency stack (including crypto/RNG/transitive compression crates), which can change archive compatibility and introduce subtle behavior changes. No application logic changes are present beyond dependency resolution/lockfile updates.
Overview
Bumps the direct
zipdependency from3.xto8.5.0inCargo.toml.Refreshes
Cargo.lockto reflect the newzipversion and its updated transitive tree (notably newergetrandom/rand/lzma-rust2and related WASI/WIT/wasm tooling crates), reducing duplicate/conflicting versions in the dependency graph.Reviewed by Cursor Bugbot for commit 42adf24. Bugbot is set up for automated code reviews on this repo. Configure here.