update: bump dependencies to latest versions #228
Merged
Bring all outdated dependencies current per deps.rs.

Manifest bumps: toml 0.9 -> 1, sysinfo 0.38 -> 0.39, russh 0.60 -> 0.61, plus the precise-pinned crates axum 0.8.9, clap 4.6.1, tokio 1.52.3, tower-http 0.6.11, and openssl 0.10.80. A full cargo update brings tar to 0.4.46 and refreshes the remaining within-semver crates (libc, rand, reqwest, serde_json, tonic*, whoami) and their transitive dependencies.

No source changes were required. toml 1.x only breaks bare-value parse/serialize and the toml::value Map/Entry re-exports, none of which the config loader uses (it parses documents into toml::Value via toml::map::Map). sysinfo 0.39 has no breaking API changes for the System/Process/Disks/refresh surface we use. russh 0.61 migrates from the internal ssh-key fork to upstream ssh-key 0.7-rc while keeping PublicKey, load_secret_key, and PrivateKeyWithHashAlg intact.

Security: the transitive refresh pulls rustls-webpki 0.103.13, resolving RUSTSEC-2026-0104, -0098, and -0099. The remaining rsa advisory (RUSTSEC-2023-0071, Marvin attack via russh -> ssh-key) has no fixed release in any rsa version and is unchanged by this bump.

Verified on macOS: cargo build --release --bin all-smi, cargo build --no-default-features --lib, cargo test (all suites pass), and cargo fmt --check all succeed; clippy reports only two pre-existing warnings in macOS- and mock-gated code that are outside the Linux CI clippy path.
This was referenced May 24, 2026
Summary
Brings all outdated dependencies current per deps.rs. Four packages required manifest version bumps; the rest were refreshed in the lockfile via cargo update. No source changes were necessary — every updated API our code touches is unchanged.
Version changes
ssh-key 0.7-rc
Why no code changes
from_str/to_string and the toml::value Map/Entry re-exports. The config loader (src/common/config_file.rs, the only consumer of the toml:: API) parses documents into toml::Value and uses toml::map::Map directly, so none of those apply.
System, Process, Disks, or the ProcessRefreshKind/ProcessesToUpdate/UpdateKind refresh surface we use. MSRV bumped to 1.95 (already satisfied).
ssh-key fork to upstream ssh-key 0.7-rc; the PublicKey, load_secret_key, PrivateKeyWithHashAlg, and from_openssh/to_openssh/fingerprint surface used by the SSH transport is unchanged.
Security
The lockfile refresh pulls rustls-webpki 0.103.13, resolving RUSTSEC-2026-0104, -0098, -0099 (reachable panic + name-constraint bypasses) that affected the previously-locked 0.103.10.
The remaining rsa advisory (RUSTSEC-2023-0071, Marvin timing sidechannel, reached via russh → ssh-key → rsa) has no fixed release in any rsa version and is unchanged by this bump.
Verification
cargo build --release --bin all-smi ✅
cargo build --no-default-features --lib ✅
cargo test ✅ (all suites pass)
cargo fmt --check ✅
cargo clippy — only two pre-existing warnings in macOS-gated (ioreport.rs) and mock-gated (mock/server.rs) code, both outside the Linux CI clippy path; this PR introduces none.
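The two security statements in this description (rustls-webpki locked at or above 0.103.13, and rsa still reachable through russh → ssh-key) can be checked against Cargo.lock itself. The following is an added example, not code from this PR or the project: it assumes the root package is named all-smi, and its sample lockfile (the dependency graph and the 0.0.0 versions) is constructed.

```python
import re

MIN_PATCHED, UNFIXED = {"rustls-webpki": (0, 103, 13)}, "rsa"  # from the PR text

def parse_lock(text):
    """Map crate -> ([versions], [dep names]); a dep entry may carry a version."""
    packages = {}
    for block in text.split("[[package]]")[1:]:
        name, version = re.search(r'name = "(.+?)"\nversion = "(.+?)"', block).groups()
        deps = re.search(r"^dependencies = \[(.*?)\]", block, re.M | re.S)
        packages.setdefault(name, ([], []))[0].append(version)
        packages[name][1].extend(re.findall(r'"([^"\s]+)[^"]*"', deps[1]) if deps else [])
    return packages

def core(version):  # numeric major.minor.patch; pre-release suffix ignored
    return tuple(int(p) for p in re.split(r"[-+]", version)[0].split("."))

def dep_path(packages, root, target):
    """Shortest chain root -> ... -> target (breadth-first), or None."""
    queue, seen = [[root]], {root}
    for path in queue:  # the list grows while iterating, acting as the BFS queue
        if path[-1] == target:
            return path
        for dep in packages.get(path[-1], ([], []))[1]:
            if dep not in seen:
                seen.add(dep)
                queue.append(path + [dep])

def audit(text, root):
    """Locked versions below a patched floor, plus any path to UNFIXED."""
    packages = parse_lock(text)
    findings = [f"{name} {ver} is below patched {'.'.join(map(str, floor))}"
                for name, floor in MIN_PATCHED.items()
                for ver in packages.get(name, ([], []))[0] if core(ver) < floor]
    path = dep_path(packages, root, UNFIXED)
    if path:
        findings.append(f"{UNFIXED} reachable via " + " -> ".join(path))
    return findings

def sample_lock(webpki):  # constructed input; graph and 0.0.0 are placeholders
    graph = {"all-smi": "russh rustls-webpki", "russh": "ssh-key",
             "ssh-key": "rsa", "rsa": "", "rustls-webpki": ""}
    out = ""
    for name, deps in graph.items():
        ver = webpki if name == "rustls-webpki" else "0.0.0"
        listed = "".join(f' "{d}",\n' for d in deps.split())
        out += f'[[package]]\nname = "{name}"\nversion = "{ver}"\n'
        out += f"dependencies = [\n{listed}]\n\n" if listed else "\n"
    return out
```

Run `audit(open("Cargo.lock").read(), "all-smi")` in CI to fail the build if a later lockfile change drops rustls-webpki below the patched version, and to keep the unfixed rsa path visible until a fixed release exists.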