chore(deps): refresh Rust + npm + GHA dependencies #6
Merged
…nstraints

Mechanical `cargo update` against existing Cargo.toml constraints to pick up patch-level fixes that have landed since 2026-05-11. No Cargo.toml changes; only Cargo.lock is updated.

Notable transitives bumped:
- arrow / arrow-* 58.2 → 58.3
- aws-lc-rs 1.16 → 1.17, aws-lc-sys 0.40 → 0.41
- jsonwebtoken 10.3 → 10.4
- napi 3.8 → 3.9, napi-derive 3.5 → 3.5.6, napi-build 2.3.1 → 2.3.2
- parquet 58.2 → 58.3
- rcgen 0.14.7 → 0.14.8
- rmcp / rmcp-macros 1.6 → 1.7
- tokio 1.52.1 → 1.52.3
- tonic / tonic-build / tonic-prost / tonic-prost-build 0.14.5 → 0.14.6
- tower-http 0.6.8 → 0.6.10
- yasna 0.5 → 0.6 (rcgen transitive)

Verified: cargo build --workspace, cargo clippy --workspace --all-targets --all-features -- -D warnings, full workspace test suite, hyperdb-bootstrap tests.
…ersions

Lift declared minor floors for crates whose `^X.Y` declaration was meaningfully behind what we actually build against. No semver-major changes; lockfile-resolved versions are unaffected.

Workspace deps:
- bytes 1.5 → 1.11
- tempfile 3.10 → 3.20

Per-crate deps:
- hyperdb-api: smallvec 1.13 → 1.15
- hyperdb-mcp: rmcp 1 → 1.7, csv 1.3 → 1.4, schemars 1.0 → 1.2

Other workspace dep declarations (tokio "1", clap "4", chrono "0.4", serde "1.0", serde_json "1.0", url "2.5", regex "1", anyhow "1", prost "0.14", tonic "0.14", tracing "0.1", webpki-roots "1.0", etc.) already accept the latest minor through their existing ^X.Y caret ranges; no declaration changes are needed for those.

Verified: cargo build --workspace, cargo clippy --workspace --all-targets --all-features -- -D warnings, full workspace test suite. No code changes.
…13, md-5 0.11

Selective major bump of the RustCrypto traits ecosystem, used in hyperdb-api-core for SCRAM-SHA-256 and MD5 auth and in hyperdb-bootstrap for SHA-256 verification of the downloaded hyperd archive.
- sha2: 0.10 → 0.11
- hmac: 0.12 → 0.13
- pbkdf2: 0.12 → 0.13
- md-5: 0.10 → 0.11

Two trivial source adjustments were needed:
* hmac 0.13 no longer re-exports `KeyInit::new_from_slice` through the `Mac` trait, so `auth.rs` now imports `KeyInit` explicitly.
* sha2 0.11's `finalize()` returns `Array<u8, _>` (replacing `GenericArray<u8, _>`), which does not implement `LowerHex`. The `download.rs` hash formatter now iterates the byte slice and lower-hex encodes each byte itself, mirroring the pattern already used in `hyperdb-api-core::client::auth::hex_encode`.

Verified: cargo fmt, cargo clippy --workspace --all-targets --all-features -- -D warnings, workspace tests, hyperdb-bootstrap tests, cargo deny check, cargo audit --deny warnings.
Refresh the floor on hyperdb-api-node's devDependencies to track the latest within-major releases.
- @napi-rs/cli: ^3 → ^3.6.2
- tsx: ^4.21.0 → ^4.22.0
- apache-arrow: unchanged (already at latest 21.x)

`peerDependencies."apache-arrow": ">=14.0.0"` is intentionally a broad floor and stays as-is.

Verified: npm install, npm run build (release napi build), npm test (full smoke suite green).
…ction-gh-release@v3

All three majors are clean drop-in upgrades; the only breaking change in each is the bump from the Node 20 to Node 24 Actions runtime. The GitHub-hosted runners we use (ubuntu-latest / macos-14 / windows-latest) already ship the required runner version (>= 2.327.1).
- actions/cache@v4 → v5 (ci.yml + release.yml hyperd binary cache)
- googleapis/release-please-action@v4 → v5 (release-please.yml)
- softprops/action-gh-release@v2 → v3 (release.yml GitHub Release publish)

`actions-rust-lang/setup-rust-toolchain@v1`, `actions/checkout@v4`, `actions/upload-artifact@v4`, `actions/download-artifact@v4`, and `actions/setup-node@v4` are intentionally left as-is — `@v1`/`@v4` floating tags already pull the latest within-major release.

release-please-config.json schema is unchanged between v4 and v5; no config migration needed.
Refresh Rust + npm + GHA dependencies
## Summary

First deliberate dependency refresh since the open-source cut on 2026-05-11 (deps then were current as of that date; we've shipped two patches since under `v0.1.1`). Goal of this PR is to bring the lockfile and direct-dep floors back to current, plus pick up a small number of major bumps where the migration is genuinely trivial — without touching anything that would expand API surface or trigger a downstream-crate audit.

Five atomic commits, each with its own verification gate, so any individual commit can be reverted post-merge if a regression appears:
| Commit | Subject | Scope |
|---|---|---|
| `23d53da` | chore(deps): cargo update | `Cargo.lock` only. |
| `3be229e` | chore(deps): tighten Rust workspace dep floors | `[workspace.dependencies]` floors to lockfile-resolved versions. |
| `a6723df` | chore(deps): bump RustCrypto traits | `sha2` 0.11, `hmac` 0.13, `pbkdf2` 0.13, `md-5` 0.11. |
| `dde6698` | chore(deps): bump npm devDeps | `@napi-rs/cli` ^3.6.2, `tsx` ^4.22.0. |
| `cbdd87f` | chore(deps): bump GHA actions | `actions/cache@v5`, `release-please-action@v5`, `action-gh-release@v3`. |

### Commit 1: chore(deps): cargo update

`cargo update` against current `Cargo.toml` constraints. Touches `Cargo.lock` only — no crate-version policy change.

Most of the lockfile drift since 2026-05-11 lands here. Notable transitive bumps picked up by the resolver:

| Crate | From | To |
|---|---|---|
| `arrow` | 58.2 | 58.3 |
| `jsonwebtoken` | 10.3 | 10.4 |
| `napi` | 3.8 | 3.9 |
| `parquet` | 58.2 | 58.3 |
| `rmcp` | 1.6 | 1.7 |
| `tokio` | 1.52.1 | 1.52.3 |
| `tonic` | 0.14.5 | 0.14.6 |

Smallest commit, biggest leverage on lockfile staleness.
### Commit 2: chore(deps): tighten Rust workspace dep floors

Where the workspace `Cargo.toml` floors had drifted noticeably below what the lockfile already resolves to, lift the floor so a fresh `cargo build` doesn't pick up an old major-internal version on a downstream consumer.

| Crate | From | To |
|---|---|---|
| `bytes` | 1.5 | 1.11 |
| `tempfile` | 3.10 | 3.20 |
| `smallvec` (in `hyperdb-api/Cargo.toml`) | 1.13 | 1.15 |
| `rmcp` (in `hyperdb-mcp/Cargo.toml`) | 1 | 1.7 |
| `csv` (in `hyperdb-mcp/Cargo.toml`) | 1.3 | 1.4 |
| `schemars` (in `hyperdb-mcp/Cargo.toml`) | 1.0 | 1.2 |

No code changes — these are all within-major bumps and the API surface is unchanged.
### Commit 3: chore(deps): bump RustCrypto traits — sha2 0.11, hmac 0.13, pbkdf2 0.13, md-5 0.11

The only major-version bump in this PR. The RustCrypto traits ecosystem moves in lockstep, so `sha2`/`hmac`/`pbkdf2`/`md-5` all get bumped together. They're used in two places:

- `hyperdb-api-core::client::auth` for SCRAM-SHA-256 and MD5 password authentication.
- `hyperdb-bootstrap::download` for SHA-256 verification of the downloaded `hyperd` archive.

| Crate | From | To |
|---|---|---|
| `sha2` | 0.10 | 0.11 |
| `hmac` | 0.12 | 0.13 |
| `pbkdf2` | 0.12 | 0.13 |
| `md-5` | 0.10 | 0.11 |

#### Two trivial source adjustments needed

The plan's pre-commit checklist required: "if 0.11/0.13 don't compile cleanly, back out and document the holdback." Both compiled cleanly after these two adapter changes — no API ergonomics fight.
1. `hmac` 0.13 no longer re-exports `KeyInit::new_from_slice` through the `Mac` trait. `hyperdb-api-core/src/client/auth.rs` now imports `KeyInit` explicitly. The compiler suggested this fix automatically.
2. `sha2` 0.11's `finalize()` returns `Array<u8, _>` (replacing `GenericArray<u8, _>`), which doesn't implement `LowerHex`. `hyperdb-bootstrap/src/download.rs:hash_file` now hex-encodes the digest by iterating bytes itself, mirroring the pattern already used in `hyperdb-api-core::client::auth::hex_encode`. The corresponding `#[expect(clippy::format_collect, …)]` annotation on `hash_file` matches the one already on `hex_encode` — `clippy::format_collect` would otherwise demand a `fold!`-based rewrite that obscures intent.

#### Why bump these and nothing else major

Each remaining major-version-pending dep (`arrow` 58 → 59, `tonic` 0.14 → 0.15, `rmcp` 1 → 2, `napi` 3 → 4) touches API surface that downstream consumers see, would require its own audit, and is best kept out of a periodic refresh PR. The RustCrypto traits, by contrast, are entirely internal to the workspace and the migration was confined to the two adapter changes above.

### Commit 4: chore(deps): bump npm devDeps

`hyperdb-api-node/package.json` devDependencies refreshed to current within-major:

| Package | From | To |
|---|---|---|
| `@napi-rs/cli` | ^3 | ^3.6.2 |
| `tsx` | ^4.21.0 | ^4.22.0 |
| `apache-arrow` | ^21.1.0 | (unchanged) |

`peerDependencies."apache-arrow": ">=14.0.0"` floor stays broad on purpose — keeping that floor wide lets consumers paired with older Arrow builds continue to install the bindings.

`package-lock.json` regenerated via `npm install`. The release napi build (`npm run build`) and full smoke test suite (`npm test`, 19 cases through `__test__/smoke.mjs`) both pass locally.

### Commit 5: chore(deps): bump GHA actions

Three GitHub Actions had new majors with verified-clean migration paths. The only breaking change in each is the bump from the Node 20 to Node 24 Actions runtime — a runner-side requirement, not a config change. All three GitHub-hosted runner images we use (`ubuntu-latest` / `macos-14` / `windows-latest`) already ship Actions runner ≥ 2.327.1, the floor required for Node 24.

| Action | From | To | Workflows |
|---|---|---|---|
| `actions/cache` | `@v4` | `@v5` | `ci.yml` (hyperd binary cache), `release.yml` (hyperd binary cache) |
| `googleapis/release-please-action` | `@v4` | `@v5` | `release-please.yml` |
| `softprops/action-gh-release` | `@v2` | `@v3` | `release.yml` (GitHub Release publish) |

#### What I checked in each release's notes

- `actions/cache@v5`: only breaking change is Node 20 → Node 24 runtime. Otherwise drop-in.
- `release-please-action@v5`: only breaking change is Node 20 → Node 24 runtime. The release-please config schema is unchanged — `release-please-config.json` and `.release-please-manifest.json` need no edits. (This was the most likely failure mode going in; verified directly from the v5 release notes before bumping.)
- `action-gh-release@v3`: only breaking change is Node 20 → Node 24 runtime. Existing `tag_name` / `prerelease` / `generate_release_notes` inputs unchanged.

#### Deliberately NOT bumped

- `actions-rust-lang/setup-rust-toolchain@v1` — already pulls latest `1.x` via the floating major tag (currently `v1.16.1`).
- `actions/checkout@v4`, `actions/upload-artifact@v4`, `actions/download-artifact@v4`, `actions/setup-node@v4` — same: floating-major tags, already current within-major. No new majors out yet.

## Existing waivers — preserved as-is

These have full rationale documented in `deny.toml`, `.cargo/audit.toml`, and `docs/SECURITY.md`. None of them were touched by this PR:

| Advisory | Crate | Rationale |
|---|---|---|
| RUSTSEC-2024-0436 | `paste` | `parquet`, macro-only — no replacement available. |
| RUSTSEC-2025-0134 | `rustls-pemfile` | |
| RUSTSEC-2023-0071 | `rsa` | |
| | `thrift` | `deny.toml` for when RustSec ingests this as RUSTSEC-2026-NNNN. See PR #4. |

## Out of scope
Each of these would benefit from a dedicated PR with its own audit and is intentionally deferred:

- `hyperd-version.toml` pin (`0.0.25080` from 2026-05-11) — separate decision tied to whether we want to ride latest hyperd or stay on a tested baseline.
- `rust-toolchain.toml` — staying on `stable`; toolchain bumps come automatically with each `stable` release on the runner image.
- `arrow` 58 → 59 (when released).
- `tonic` 0.14 → 0.15+.
- `rmcp` 1 → 2.
- `napi` 3 → 4.

## Verification

End-to-end gate run after each commit (so a regression is bisectable to a specific commit), and again on the integrated branch:

- `cargo fmt --all --check`
- `cargo clippy --workspace --all-targets --all-features -- -D warnings`
- `HYPERD_PATH="$PWD/.hyperd/current" cargo test --workspace --exclude hyperdb-api-node --exclude hyperdb-bootstrap` (matches `ci.yml`'s test job scope)
- `cargo test -p hyperdb-bootstrap`
- `cargo deny check`
- `cargo audit --deny warnings`
- `cd hyperdb-api-node && npm install && npm run build && npm test`

## Test plan

- (`ubuntu-latest` / `macos-14` / `windows-latest`) green on this PR.
- `clippy` job remains clean across the workspace under `-D warnings`.
- `cargo deny check` and `cargo audit --deny warnings` continue to pass — the known-waiver list and `[advisories].ignore` are unchanged by this PR.
- `npm-build-publish.yml` still has access to a working napi build (will only be verified on the next release after merge).
- `release-please.yml` — verify after merge that the next release-please run on `main` opens a PR cleanly under `googleapis/release-please-action@v5` (config schema is unchanged, so this is just exercising the runtime bump).