chore(deps): refresh Rust + npm + GHA dependencies#6
Merged
Conversation
…nstraints

Mechanical `cargo update` against existing Cargo.toml constraints to pick up patch-level fixes that have landed since 2026-05-11. No Cargo.toml changes; only Cargo.lock is updated.

Notable transitives bumped:

- arrow / arrow-* 58.2 → 58.3
- aws-lc-rs 1.16 → 1.17, aws-lc-sys 0.40 → 0.41
- jsonwebtoken 10.3 → 10.4
- napi 3.8 → 3.9, napi-derive 3.5 → 3.5.6, napi-build 2.3.1 → 2.3.2
- parquet 58.2 → 58.3
- rcgen 0.14.7 → 0.14.8
- rmcp / rmcp-macros 1.6 → 1.7
- tokio 1.52.1 → 1.52.3
- tonic / tonic-build / tonic-prost / tonic-prost-build 0.14.5 → 0.14.6
- tower-http 0.6.8 → 0.6.10
- yasna 0.5 → 0.6 (rcgen transitive)

Verified: cargo build --workspace, cargo clippy --workspace --all-targets --all-features -- -D warnings, full workspace test suite, hyperdb-bootstrap tests.
…ersions

Lift declared minor floors for crates whose `^X.Y` declaration was meaningfully behind what we actually build against. No semver-major changes; lockfile-resolved versions are unaffected.

Workspace deps:

- bytes 1.5 → 1.11
- tempfile 3.10 → 3.20

Per-crate deps:

- hyperdb-api: smallvec 1.13 → 1.15
- hyperdb-mcp: rmcp 1 → 1.7, csv 1.3 → 1.4, schemars 1.0 → 1.2

Other workspace dep declarations (tokio "1", clap "4", chrono "0.4", serde "1.0", serde_json "1.0", url "2.5", regex "1", anyhow "1", prost "0.14", tonic "0.14", tracing "0.1", webpki-roots "1.0", etc.) already accept the latest minor through their existing ^X.Y caret ranges; no declaration changes are needed for those.

Verified: cargo build --workspace, cargo clippy --workspace --all-targets --all-features -- -D warnings, full workspace test suite. No code changes.
…13, md-5 0.11

Selective major bump of the RustCrypto traits ecosystem, used in hyperdb-api-core for SCRAM-SHA-256 and MD5 auth and in hyperdb-bootstrap for SHA-256 verification of the downloaded hyperd archive.

- sha2: 0.10 → 0.11
- hmac: 0.12 → 0.13
- pbkdf2: 0.12 → 0.13
- md-5: 0.10 → 0.11

Two trivial source adjustments were needed:

* hmac 0.13 no longer re-exports `KeyInit::new_from_slice` through the `Mac` trait, so `auth.rs` now imports `KeyInit` explicitly.
* sha2 0.11's `finalize()` returns `Array<u8, _>` (replacing `GenericArray<u8, _>`), which does not implement `LowerHex`. The `download.rs` hash formatter now iterates the byte slice and lower-hex encodes each byte itself, mirroring the pattern already used in `hyperdb-api-core::client::auth::hex_encode`.

Verified: cargo fmt, cargo clippy --workspace --all-targets --all-features -- -D warnings, workspace tests, hyperdb-bootstrap tests, cargo deny check, cargo audit --deny warnings.
Refresh the floor on hyperdb-api-node's devDependencies to track the latest within-major releases.

- @napi-rs/cli: ^3 → ^3.6.2
- tsx: ^4.21.0 → ^4.22.0
- apache-arrow: unchanged (already at latest 21.x)

`peerDependencies."apache-arrow": ">=14.0.0"` is intentionally a broad floor and stays as-is.

Verified: npm install, npm run build (release napi build), npm test (full smoke suite green).
…ction-gh-release@v3

All three majors are clean drop-in upgrades; the only breaking change in each is the bump from the Node 20 to Node 24 Actions runtime. The GitHub-hosted runners we use (ubuntu-latest / macos-14 / windows-latest) already ship the required runner version (>= 2.327.1).

- actions/cache@v4 → v5 (ci.yml + release.yml hyperd binary cache)
- googleapis/release-please-action@v4 → v5 (release-please.yml)
- softprops/action-gh-release@v2 → v3 (release.yml GitHub Release publish)

`actions-rust-lang/setup-rust-toolchain@v1`, `actions/checkout@v4`, `actions/upload-artifact@v4`, `actions/download-artifact@v4`, and `actions/setup-node@v4` are intentionally left as-is — `@v1`/`@v4` floating tags already pull the latest within-major release.

release-please-config.json schema is unchanged between v4 and v5; no config migration needed.
StefanSteiner added a commit that referenced this pull request on May 18, 2026:
Replaces "remember to run cargo search every few months" with weekly automated PRs across the three ecosystems this repo uses.

Configuration choices and why:

- **Weekly cadence.** Daily generates churn that crowds out human PRs; monthly misses urgent advisories.
- **`open-pull-requests-limit`** capped per ecosystem (cargo: 5, npm: 3, gha: 3) to prevent an avalanche on first activation and on backlog catch-ups.
- **`groups`** for lockstep dep families. Bumping `tonic` without `prost` is rarely useful, and arrow-rs ships `arrow` and `parquet` together at the same version. The four groups defined are:
  - `tonic-prost` (tonic*, prost*)
  - `arrow-parquet` (arrow, parquet)
  - `rustcrypto` (sha2, hmac, pbkdf2, md-5)
  - `napi-rs` (napi, napi-derive, napi-build)

  These mirror the way the dep-refresh PR (#6) treated them as single logical bumps.
- **`ignore`** entries skip semver-major bumps for deps whose major migration was explicitly deferred (see PR #6's "Out of scope" section). Patch and minor bumps still flow through. Each entry is removed when we're ready to take that major. The list:
  - arrow, parquet (58 → 59 audit)
  - tonic, tonic-build, tonic-prost, tonic-prost-build, prost, prost-types (0.14 → 0.15 audit)
  - rmcp (1 → 2 audit)
  - napi, napi-derive, napi-build (3 → 4 audit, ties to napi runtime)
- **npm scope** is `/hyperdb-api-node` only. The other package.json files in the tree are platform-binding shells whose deps are generated artifacts; pointing Dependabot at them yields no real upgrades.
- **GitHub Actions scope** covers all `.github/workflows/*.yml` `uses:` references. The dep-refresh PR (#6) just bumped cache@v5, release-please@v5, action-gh-release@v3; future majors will surface here automatically.
StefanSteiner added a commit that referenced this pull request on May 18, 2026:
# Add Dependabot

## Summary

Replaces the manual "remember to run `cargo search` every few months" workflow with weekly automated PRs across the three ecosystems this repo uses (Cargo, npm, GitHub Actions). Single config file: `.github/dependabot.yml`.

This is a workflow change, not a dep change — the actual upgrade choices still happen in human-authored review of each Dependabot PR.

## Config choices and reasoning

### Weekly cadence on every ecosystem

Daily generates churn that crowds out human PRs; monthly misses urgent advisories. Weekly is the standard middle ground.

### `open-pull-requests-limit` per ecosystem

| Ecosystem | Limit |
|---|---|
| cargo | 5 |
| npm | 3 |
| github-actions | 3 |

Caps the firehose on first activation and on backlog catch-ups. Without a limit, the very first Dependabot run after merging this PR would open a PR per outdated dep simultaneously.

### `groups` for lockstep dep families

Four cargo groups defined so logically-paired bumps arrive as a single PR rather than three to six separate ones:

| Group | Members | Why grouped |
|---|---|---|
| `tonic-prost` | `tonic*`, `prost*` | gRPC stack always moves together. |
| `arrow-parquet` | `arrow`, `parquet` | arrow-rs ships them at the same version. |
| `rustcrypto` | `sha2`, `hmac`, `pbkdf2`, `md-5` | RustCrypto traits move in lockstep — PR #6 commit 3 bumped them as one commit. |
| `napi-rs` | `napi`, `napi-derive`, `napi-build` | napi-rs ships runtime + derive macro + build helper together. |

This mirrors how PR #6 (the dep refresh) handled these families, so future Dependabot PRs follow the same shape we'd write by hand.

### `ignore` entries skip semver-major bumps for deferred-major deps

Each entry below corresponds to a major migration we explicitly deferred per PR #6's "Out of scope" section. Patch and minor bumps still flow through unblocked — only majors are suppressed.

**The block comment in the file says: remove an entry when we're ready to take that major.**

| Dep family | Reason ignored |
|---|---|
| `arrow`, `parquet` | 58 → 59 touches public re-export surface; needs dedicated audit. |
| `tonic`, `tonic-build`, `tonic-prost`, `tonic-prost-build`, `prost`, `prost-types` | 0.14 → 0.15 touches the wire-protocol layer. |
| `rmcp` | 1 → 2 reworks tool-attribute / handler API. |
| `napi`, `napi-derive`, `napi-build` | 3 → 4 changes macro surface and N-API runtime floor. |

### npm scope is `/hyperdb-api-node` only

Other `package.json` files in the tree (`/package.json`, `hyperdb-mcp/npm/*`, `hyperdb-api-node/npm/*`) are platform-binding shells whose deps are generated prebuild artifacts, not real upgradable packages. Pointing Dependabot at them yields no real PRs.

### GitHub Actions scope covers all workflows

Future action-major bumps surface here automatically. PR #6 just bumped `cache@v5`, `release-please-action@v5`, `action-gh-release@v3` by hand — that won't be needed next time.

## What you'll see after merge

- Within a few hours of merging, GitHub will activate Dependabot and start opening PRs.
- The first wave will be patch/minor bumps for any deps that have drifted since PR #6 (probably a small list, since #6 just floored everything to current).
- Each PR is signed by Dependabot's own bot identity (signed via GitHub's web-flow key — they show as **Verified**).
- The `commit-message: prefix: "chore(deps)"` setting means PR titles match the conventional-commit style release-please expects, so they don't accidentally trigger version bumps.

## Out of scope

- **Dependabot security updates** — these are GitHub-side and on by default; no config needed in this PR.
- **Auto-merge** for low-risk patch bumps — possible via a separate workflow but adds infrastructure surface; defer until we see whether the volume warrants it.
- **Re-enabling deferred majors** — done in follow-up PRs by removing the corresponding `ignore` entry. Each major still gets its own audit.

## Test plan

- [ ] Merge this PR.
- [ ] Watch GitHub's Insights → Dependency graph → Dependabot tab for any config-parse errors. (Local YAML validation passed; this is the authoritative gate.)
- [ ] Within ~24h, observe Dependabot opening its first PRs. Confirm:
  - Cargo group PRs (e.g. `tonic-prost` family) bundle correctly.
  - npm PRs target only `hyperdb-api-node`.
  - github-actions PRs surface for any drifted action versions.
  - No PR proposes a major bump for an ignored dep.
- [ ] If anything is wrong, iterate on `.github/dependabot.yml` in a follow-up PR.
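A `.github/dependabot.yml` that encodes the choices described in the PR above, written here as an added example so the configuration is concrete. It is not the file from the hyperdb repository (that file's text is not on this page); the `directory` paths, a workspace `Cargo.toml` at the repository root, and the `tonic*` / `prost*` / `napi*` wildcards in the `ignore` list are assumptions made for the example.

```yaml
# Added example: one Dependabot config covering the three ecosystems.
version: 2
updates:
  - package-ecosystem: "cargo"
    directory: "/"                 # assumed: workspace Cargo.toml at the repo root
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 5
    commit-message:
      prefix: "chore(deps)"        # conventional-commit type that release-please does not release on
    # Lockstep families arrive as one PR instead of several.
    groups:
      tonic-prost:
        patterns: ["tonic*", "prost*"]
      arrow-parquet:
        patterns: ["arrow", "parquet"]
      rustcrypto:
        patterns: ["sha2", "hmac", "pbkdf2", "md-5"]
      napi-rs:
        patterns: ["napi", "napi-derive", "napi-build"]
    # Deferred majors: remove an entry when ready to take that major.
    # Patch and minor updates for these crates still flow through.
    ignore:
      - dependency-name: "arrow"
        update-types: ["version-update:semver-major"]
      - dependency-name: "parquet"
        update-types: ["version-update:semver-major"]
      - dependency-name: "tonic*"
        update-types: ["version-update:semver-major"]
      - dependency-name: "prost*"
        update-types: ["version-update:semver-major"]
      - dependency-name: "rmcp"
        update-types: ["version-update:semver-major"]
      - dependency-name: "napi*"
        update-types: ["version-update:semver-major"]

  - package-ecosystem: "npm"
    directory: "/hyperdb-api-node" # only the real package; the npm/* shells hold generated deps
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 3
    commit-message:
      prefix: "chore(deps)"

  - package-ecosystem: "github-actions"
    directory: "/"                 # scans every .github/workflows/*.yml for uses: references
    schedule:
      interval: "weekly"
    open-pull-requests-limit: 3
    commit-message:
      prefix: "chore(deps)"
```

Two things worth confirming on the first Dependabot run rather than assuming from the config. First, the test-plan item "No PR proposes a major bump for an ignored dep" is the check that matters for the pre-1.0 crates (`tonic`, `prost` at 0.14): how Dependabot classifies a 0.14 → 0.15 bump decides whether `semver-major` catches it, so watch for that PR specifically. Second, the `github-actions` ecosystem also updates actions pinned to a full commit SHA with a trailing `# vX.Y.Z` comment, so this config keeps working if the workflows later move from the floating `@v4`-style tags to SHA pins.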
Refresh Rust + npm + GHA dependencies
Summary
First deliberate dependency refresh since the open-source cut on 2026-05-11 (deps then were current as of that date; we've shipped two patches since under v0.1.1). Goal of this PR is to bring the lockfile and direct-dep floors back to current, plus pick up a small number of major bumps where the migration is genuinely trivial — without touching anything that would expand API surface or trigger a downstream-crate audit.

Five atomic commits, each with its own verification gate, so any individual commit can be reverted post-merge if a regression appears:

| Commit | Subject | Scope |
|---|---|---|
| `23d53da` | chore(deps): cargo update | `Cargo.lock` only. |
| `3be229e` | chore(deps): tighten Rust workspace dep floors | `[workspace.dependencies]` floors to lockfile-resolved versions. |
| `a6723df` | chore(deps): bump RustCrypto traits | `sha2` 0.11, `hmac` 0.13, `pbkdf2` 0.13, `md-5` 0.11. |
| `dde6698` | chore(deps): bump npm devDeps | `@napi-rs/cli` ^3.6.2, `tsx` ^4.22.0. |
| `cbdd87f` | chore(deps): bump GHA actions | `actions/cache@v5`, `release-please-action@v5`, `action-gh-release@v3`. |

Commit 1:
chore(deps): cargo update

`cargo update` against current `Cargo.toml` constraints. Touches `Cargo.lock` only — no crate-version policy change.

Most of the lockfile drift since 2026-05-11 lands here. Notable transitive bumps picked up by the resolver:

| Crate | From | To |
|---|---|---|
| `arrow` | 58.2 | 58.3 |
| `jsonwebtoken` | 10.3 | 10.4 |
| `napi` | 3.8 | 3.9 |
| `parquet` | 58.2 | 58.3 |
| `rmcp` | 1.6 | 1.7 |
| `tokio` | 1.52.1 | 1.52.3 |
| `tonic` | 0.14.5 | 0.14.6 |

Smallest commit, biggest leverage on lockfile staleness.
Commit 2:
chore(deps): tighten Rust workspace dep floors

Where the workspace `Cargo.toml` floors had drifted noticeably below what the lockfile already resolves to, lift the floor so a fresh `cargo build` doesn't pick up an old major-internal version on a downstream consumer.

| Dep | Declared in | From | To |
|---|---|---|---|
| `bytes` | workspace | 1.5 | 1.11 |
| `tempfile` | workspace | 3.10 | 3.20 |
| `smallvec` | `hyperdb-api/Cargo.toml` | 1.13 | 1.15 |
| `rmcp` | `hyperdb-mcp/Cargo.toml` | 1 | 1.7 |
| `csv` | `hyperdb-mcp/Cargo.toml` | 1.3 | 1.4 |
| `schemars` | `hyperdb-mcp/Cargo.toml` | 1.0 | 1.2 |

No code changes — these are all within-major bumps and the API surface is unchanged.
Commit 3:
chore(deps): bump RustCrypto traits — sha2 0.11, hmac 0.13, pbkdf2 0.13, md-5 0.11

The only major-version bump in this PR. The RustCrypto traits ecosystem moves in lockstep, so `sha2` / `hmac` / `pbkdf2` / `md-5` all get bumped together. They're used in two places:

- `hyperdb-api-core::client::auth` for SCRAM-SHA-256 and MD5 password authentication.
- `hyperdb-bootstrap::download` for SHA-256 verification of the downloaded `hyperd` archive.

| Crate | From | To |
|---|---|---|
| `sha2` | 0.10 | 0.11 |
| `hmac` | 0.12 | 0.13 |
| `pbkdf2` | 0.12 | 0.13 |
| `md-5` | 0.10 | 0.11 |

Two trivial source adjustments needed

The plan's pre-commit checklist required: "if 0.11/0.13 don't compile cleanly, back out and document the holdback." Both compiled cleanly after these two adapter changes — no API ergonomics fight.

1. `hmac` 0.13 no longer re-exports `KeyInit::new_from_slice` through the `Mac` trait. `hyperdb-api-core/src/client/auth.rs` now imports `KeyInit` explicitly. The compiler suggested this fix automatically.

2. `sha2` 0.11's `finalize()` returns `Array<u8, _>` (replacing `GenericArray<u8, _>`), which doesn't implement `LowerHex`. `hyperdb-bootstrap/src/download.rs:hash_file` now hex-encodes the digest by iterating bytes itself, mirroring the pattern already used in `hyperdb-api-core::client::auth::hex_encode`. The corresponding `#[expect(clippy::format_collect, …)]` annotation on `hash_file` matches the one already on `hex_encode` — `clippy::format_collect` would otherwise demand a `fold!`-based rewrite that obscures intent.

Why bump these and nothing else major

Each remaining major-version-pending dep (`arrow` 58→59, `tonic` 0.14→0.15, `rmcp` 1→2, `napi` 3→4) touches API surface that downstream consumers see, would require its own audit, and is best kept out of a periodic refresh PR. The RustCrypto traits, by contrast, are entirely internal to the workspace and the migration was confined to the two adapter changes above.

Commit 4:
chore(deps): bump npm devDeps

`hyperdb-api-node/package.json` devDependencies refreshed to current within-major:

| Package | From | To |
|---|---|---|
| `@napi-rs/cli` | `^3` | `^3.6.2` |
| `tsx` | `^4.21.0` | `^4.22.0` |
| `apache-arrow` | `^21.1.0` | unchanged |

`peerDependencies."apache-arrow": ">=14.0.0"` floor stays broad on purpose — keeping that floor wide lets consumers paired with older Arrow builds continue to install the bindings.

`package-lock.json` regenerated via `npm install`. The release napi build (`npm run build`) and full smoke test suite (`npm test`, 19 cases through `__test__/smoke.mjs`) both pass locally.

Commit 5:
chore(deps): bump GHA actions

Three GitHub Actions had new majors with verified-clean migration paths. The only breaking change in each is the bump from the Node 20 to Node 24 Actions runtime — a runner-side requirement, not a config change. All three GitHub-hosted runner images we use (`ubuntu-latest` / `macos-14` / `windows-latest`) already ship Actions runner ≥ 2.327.1, the floor required for Node 24.

| Action | From | To | Workflows |
|---|---|---|---|
| `actions/cache` | `@v4` | `@v5` | `ci.yml` (hyperd binary cache), `release.yml` (hyperd binary cache) |
| `googleapis/release-please-action` | `@v4` | `@v5` | `release-please.yml` |
| `softprops/action-gh-release` | `@v2` | `@v3` | `release.yml` (GitHub Release publish) |

What I checked in each release's notes

- `actions/cache@v5`: only breaking change is Node 20 → Node 24 runtime. Otherwise drop-in.
- `release-please-action@v5`: only breaking change is Node 20 → Node 24 runtime. The release-please config schema is unchanged — `release-please-config.json` and `.release-please-manifest.json` need no edits. (This was the most likely failure mode going in; verified directly from the v5 release notes before bumping.)
- `action-gh-release@v3`: only breaking change is Node 20 → Node 24 runtime. Existing `tag_name` / `prerelease` / `generate_release_notes` inputs unchanged.

Deliberately NOT bumped

- `actions-rust-lang/setup-rust-toolchain@v1` — already pulls latest `1.x` via the floating major tag (currently `v1.16.1`).
- `actions/checkout@v4`, `actions/upload-artifact@v4`, `actions/download-artifact@v4`, `actions/setup-node@v4` — same: floating-major tags, already current within-major. No new majors out yet.

Existing waivers — preserved as-is
These have full rationale documented in `deny.toml`, `.cargo/audit.toml`, and `docs/SECURITY.md`. None of them were touched by this PR:

| Advisory | Crate | Via | Rationale |
|---|---|---|---|
| RUSTSEC-2024-0436 | `paste` | `parquet` | macro-only — no replacement available. |
| RUSTSEC-2025-0134 | `rustls-pemfile` | | |
| RUSTSEC-2023-0071 | `rsa` | | |
| | `thrift` | | `deny.toml` entry for when RustSec ingests this as RUSTSEC-2026-NNNN. See PR #4. |

Out of scope
Each of these would benefit from a dedicated PR with its own audit and is intentionally deferred:

- `hyperd-version.toml` pin (`0.0.25080` from 2026-05-11) — separate decision tied to whether we want to ride latest hyperd or stay on a tested baseline.
- `rust-toolchain.toml` — staying on `stable`; toolchain bumps come automatically with each `stable` release on the runner image.
- `arrow` 58 → 59 (when released).
- `tonic` 0.14 → 0.15+.
- `rmcp` 1 → 2.
- `napi` 3 → 4.

Verification
End-to-end gate run after each commit (so a regression is bisectable to a specific commit), and again on the integrated branch:

- `cargo fmt --all --check`
- `cargo clippy --workspace --all-targets --all-features -- -D warnings`
- `HYPERD_PATH="$PWD/.hyperd/current" cargo test --workspace --exclude hyperdb-api-node --exclude hyperdb-bootstrap` (matches `ci.yml`'s test job scope)
- `cargo test -p hyperdb-bootstrap`
- `cargo deny check`
- `cargo audit --deny warnings`
- `cd hyperdb-api-node && npm install && npm run build && npm test`

Test plan
- CI on all three runner images (`ubuntu-latest` / `macos-14` / `windows-latest`) green on this PR.
- `clippy` job remains clean across the workspace under `-D warnings`.
- `cargo deny check` and `cargo audit --deny warnings` continue to pass — the known-waiver list and `[advisories].ignore` are unchanged by this PR.
- `npm-build-publish.yml` still has access to a working napi build (will only be verified on the next release after merge).
- `release-please.yml` — verify after merge that the next release-please run on `main` opens a PR cleanly under `googleapis/release-please-action@v5` (config schema is unchanged, so this is just exercising the runtime bump).