update: bump dependencies to latest versions #228

Merged
inureyes merged 1 commit into main from update/bump-dependencies-to-latest
May 24, 2026
@inureyes

Member

Summary

Brings all outdated dependencies current per deps.rs. Four packages required manifest version bumps; the rest were refreshed in the lockfile via cargo update. No source changes were necessary — every updated API our code touches is unchanged.

Version changes

| Crate | From | To | Notes |
|---|---|---|---|
| toml | 0.9.12 | 1.1.2 | Major bump; breaking changes don't affect us (see below) |
| sysinfo | 0.38.4 | 0.39.2 | No breaking API changes |
| russh | 0.60.1 | 0.61.1 | Migrates to upstream ssh-key 0.7-rc |
| tar | 0.4.45 | 0.4.46 | Within-semver refresh |
| axum | 0.8.8 | 0.8.9 | |
| clap | 4.6.0 | 4.6.1 | |
| tokio | 1.51.1 | 1.52.3 | |
| tower-http | 0.6.8 | 0.6.11 | |
| openssl | 0.10.76 | 0.10.80 | musl / aarch64-gnu targets |
| libc, rand, reqwest, serde_json, tonic*, whoami | | latest | lockfile refresh |

Why no code changes

  • toml 1.x: the breaking changes affect bare-value from_str/to_string and the toml::value Map/Entry re-exports. The config loader (src/common/config_file.rs, the only consumer of the toml:: API) parses documents into toml::Value and uses toml::map::Map directly, so none of those apply.
  • sysinfo 0.39: no breaking changes to System, Process, Disks, or the ProcessRefreshKind/ProcessesToUpdate/UpdateKind refresh surface we use. MSRV bumped to 1.95 (already satisfied).
  • russh 0.61: moves from the internal ssh-key fork to upstream ssh-key 0.7-rc; the PublicKey, load_secret_key, PrivateKeyWithHashAlg, and from_openssh/to_openssh/fingerprint surface used by the SSH transport is unchanged.

Security

The lockfile refresh pulls rustls-webpki 0.103.13, resolving RUSTSEC-2026-0104, -0098, -0099 (reachable panic + name-constraint bypasses) that affected the previously-locked 0.103.10.

The remaining rsa advisory (RUSTSEC-2023-0071, Marvin timing sidechannel, reached via russh → ssh-key → rsa) has no fixed release in any rsa version and is unchanged by this bump.

Verification

  • cargo build --release --bin all-smi
  • cargo build --no-default-features --lib
  • cargo test ✅ (all suites pass)
  • cargo fmt --check
  • cargo clippy — only two pre-existing warnings in macOS-gated (ioreport.rs) and mock-gated (mock/server.rs) code, both outside the Linux CI clippy path; this PR introduces none.

Bring all outdated dependencies current per deps.rs. Manifest bumps: toml 0.9 -> 1, sysinfo 0.38 -> 0.39, russh 0.60 -> 0.61, plus the precise-pinned crates axum 0.8.9, clap 4.6.1, tokio 1.52.3, tower-http 0.6.11, and openssl 0.10.80. A full cargo update brings tar to 0.4.46 and refreshes the remaining within-semver crates (libc, rand, reqwest, serde_json, tonic*, whoami) and their transitive dependencies.

No source changes were required. toml 1.x only breaks bare-value parse/serialize and the toml::value Map/Entry re-exports, none of which the config loader uses (it parses documents into toml::Value via toml::map::Map). sysinfo 0.39 has no breaking API changes for the System/Process/Disks/refresh surface we use. russh 0.61 migrates from the internal ssh-key fork to upstream ssh-key 0.7-rc while keeping PublicKey, load_secret_key, and PrivateKeyWithHashAlg intact.

Security: the transitive refresh pulls rustls-webpki 0.103.13, resolving RUSTSEC-2026-0104, -0098, and -0099. The remaining rsa advisory (RUSTSEC-2023-0071, Marvin attack via russh -> ssh-key) has no fixed release in any rsa version and is unchanged by this bump.

Verified on macOS: cargo build --release --bin all-smi, cargo build --no-default-features --lib, cargo test (all suites pass), and cargo fmt --check all succeed; clippy reports only two pre-existing warnings in macOS- and mock-gated code that are outside the Linux CI clippy path.
@inureyes added the labels type:dependency (Dependency updates), status:review (Under review) and priority:medium (Medium priority issue) on May 24, 2026
@inureyes self-assigned this on May 24, 2026
@inureyes merged commit 2b2c565 into main on May 24, 2026
4 checks passed
@inureyes deleted the update/bump-dependencies-to-latest branch on May 24, 2026 06:54
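
The Security section's claim about the lockfile can be checked mechanically. The following is an added example, not code from the all-smi repository or from the PR author: a dependency-free Rust check that flags any locked rustls-webpki below 0.103.13 and reports whether rsa is still in the dependency graph. The function names are hypothetical, and the lockfile excerpts and the rsa placeholder version are constructed.

```rust
// Added example (not from the all-smi repository). Function names are hypothetical.
// The 0.103.13 floor is the version named in the PR; the lockfiles are constructed.
const WEBPKI_FLOOR: (u64, u64, u64) = (0, 103, 13);
/// Parse "MAJOR.MINOR.PATCH" into a comparable tuple. Build metadata is ignored;
/// pre-release versions fail to parse, so callers treat them as below the floor.
fn parse_version(v: &str) -> Option<(u64, u64, u64)> {
    let core = v.split('+').next()?;
    let mut it = core.split('.').map(|p| p.parse::<u64>().ok());
    Some((it.next()??, it.next()??, it.next()??))
}

/// Collect (name, version) from every [[package]] table of a Cargo.lock.
fn locked_packages(lock: &str) -> Vec<(String, String)> {
    let mut out = Vec::new();
    let mut name: Option<String> = None;
    for line in lock.lines().map(str::trim) {
        if line == "[[package]]" {
            name = None;
        } else if let Some(v) = line.strip_prefix("name = ") {
            name = Some(v.trim_matches('"').to_string());
        } else if let Some(v) = line.strip_prefix("version = ") {
            if let Some(n) = name.take() {
                out.push((n, v.trim_matches('"').to_string()));
            }
        }
    }
    out
}

/// Every locked version of `krate` that is below `floor` (fail closed on parse errors).
fn below_floor(lock: &str, krate: &str, floor: (u64, u64, u64)) -> Vec<String> {
    locked_packages(lock).into_iter()
        .filter(|(n, v)| n == krate && parse_version(v).map_or(true, |p| p < floor))
        .map(|(_, v)| v).collect()
}

/// True if `krate` is anywhere in the lockfile (e.g. rsa, which has no fixed release).
fn is_locked(lock: &str, krate: &str) -> bool {
    locked_packages(lock).iter().any(|(n, _)| n == krate)
}

// Constructed lockfile excerpts; the rsa version is a placeholder, not the project's.
const BEFORE: &str = "[[package]]\nname = \"rsa\"\nversion = \"0.0.0\"\n\n[[package]]\nname = \"rustls-webpki\"\nversion = \"0.103.10\"\n";
const AFTER: &str = "[[package]]\nname = \"rsa\"\nversion = \"0.0.0\"\n\n[[package]]\nname = \"rustls-webpki\"\nversion = \"0.103.13\"\n";
fn main() {
    println!("before: {:?}", below_floor(BEFORE, "rustls-webpki", WEBPKI_FLOOR));
    println!("after:  {:?}", below_floor(AFTER, "rustls-webpki", WEBPKI_FLOOR));
    println!("rsa still locked: {}", is_locked(AFTER, "rsa"));
}
```

A lockfile can hold several versions of the same crate, so the check returns every offending version rather than stopping at the first.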