Upgrade crates #101

Merged
genedna merged 1 commit into web3infra-foundation:main from genedna:main
Feb 23, 2026
genedna commented Feb 23, 2026

No description provided.

Signed-off-by: Eli Ma <eli@patch.sh>
Copilot AI review requested due to automatic review settings February 23, 2026 15:24

github-actions bot commented Feb 23, 2026

Claude finished @genedna's task in 4m 20s


Code Review: Upgrade crates

  • Gather context: read Cargo.toml, Cargo.lock, and key changed files
  • Analyze dependency upgrades and new additions
  • Review BUCK file structure and correctness
  • Security analysis of new/upgraded dependencies
  • Provide final review feedback

Summary

This PR upgrades several direct dependencies and their transitive closure, updates BUCK files accordingly (auto-generated via cargo buckal), and updates the buckal snapshot. The changes are straightforward but there are a few points worth discussing.


Direct Dependency Changes (Cargo.toml)

| Crate | Old | New | Type |
|---|---|---|---|
| memchr | 2.7.6 | 2.8.0 | dep |
| tempfile | 3.24.0 | 3.25.0 | dep |
| serde_json | 1.0.145 | 1.0.149 | dep |
| quickcheck | 1.0.3 | 1.1.0 | dev-dep |

ring and serde_json were also repositioned in the file (no functional change). All version bumps are minor/patch-level, which is low risk.


Notable Indirect Dependency Changes

1. Three concurrent rand versions in the dependency graph

The project now has three versions of rand (0.8.5, 0.9.2, 0.10.0) in the dependency tree:

  • 0.8.5 — pulled in by other transitive dependencies
  • 0.9.2 — direct dev-dependency in Cargo.toml
  • 0.10.0 — newly added, pulled in by quickcheck 1.1.0

This increases compile time and binary size marginally. Since quickcheck 1.1.0 requires rand 0.10, consider also upgrading the direct rand dev-dependency from 0.9.2 to 0.10.0 to consolidate to two versions:

# Cargo.toml [dev-dependencies] — current
rand = "0.9.2"

# suggested
rand = "0.10.0"

2. quickcheck 1.1.0 pulls in a large WASM/WIT toolchain subtree (build-time only)

quickcheck 1.1.0 → rand 0.10.0 → getrandom 0.4.1 → wasip3 0.4.0 → wit-bindgen 0.51.0 introduces a large chain of WebAssembly-related crates:

  • wasip3 0.4.0+wasi-0.3.0-rc-2026-01-06
  • wit-bindgen 0.51.0, wit-bindgen-core, wit-bindgen-rust, wit-bindgen-rust-macro
  • wit-component 0.244.0, wit-parser 0.244.0
  • wasm-encoder 0.244.0, wasmparser 0.244.0, wasm-metadata 0.244.0
  • leb128fmt 0.1.0, id-arena 2.3.0, prettyplease 0.2.37, anyhow 1.0.102

These are only compile-time / dev-dependency artefacts (proc-macros and build scripts) and do not affect the production library binary. However, this is a surprising amount of additional build dependency surface from a single dev-dep minor version bump. If build times or dependency hygiene are concerns, it may be worth pinning quickcheck = "1.0.3" until this stabilises.

3. serde_json 1.0.149 depends on the new zmij crate

serde_json 1.0.149 now declares zmij 1.0.21 as a dependency (Cargo.lock line, serde_json/1.0.149/BUCK:43). This is part of serde's ongoing modularisation (serde_core and zmij are internal serde sub-crates). The checksums in Cargo.lock match what is published on crates.io, so this is not a supply-chain concern — but it is worth being aware of the expanded trust surface.

4. serde 1.0.228 now re-exports via serde_core 1.0.228

serde has been split into a serde_core sub-crate (analogous to tokio-core). The BUCK file references are correctly updated to point to serde_core/1.0.228.


BUCK File Review

All new BUCK files appear to be auto-generated by cargo buckal (header # @generated by cargo buckal). Structure is consistent with existing files:

  • http_archive with correct sha256 matching Cargo.lock checksums
  • cargo_manifest, rust_library, buildscript_run patterns are consistent
  • getrandom/0.4.1/BUCK correctly uses os_deps for libc on Linux/macOS (lines 34–37)
  • rand/0.10.0/BUCK uses edition = "2024" correctly for the new rand release

No structural issues found with BUCK files.


Minor Observations

  • No test changes — since these are dependency-only upgrades with no API changes, this is expected.
  • No documentation changes needed — correct, this is an internal dependency management change.
  • The buckal.snap fingerprint update correctly reflects the package version bump from 0.4.1 to 0.6.0 (Cargo.toml version field).

Recommendations

  1. Consider consolidating rand versions — upgrade the direct rand dev-dep from 0.9.2 → 0.10.0 to reduce the duplicate rand versions from 3 to 2.

  2. Verify zmij / serde_json 1.0.149 on crates.io before merging if you have a strict supply-chain policy — the checksums match crates.io but zmij is a relatively new and unfamiliar crate name in the ecosystem.

Overall this is a clean, low-risk dependency maintenance PR. The BUCK files are correctly generated, checksums are consistent with Cargo.lock, and the direct changes are all minor version bumps. The main surprise is the deep WASM toolchain being pulled in transitively through quickcheck.
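
A lockfile diff of the kind the review above does by hand, as an added example that is not part of the PR or of either bot's review: it reports crates entering the graph for the first time, crates present in several versions, and any name+version whose checksum changed. The lockfile excerpts are constructed from the crate versions named in the review with placeholder checksums, and the parser reads only the name, version and checksum fields.

```python
import re

def pkg_entry(name, version):
    # Constructed entry; the checksum is a placeholder, not a crates.io value.
    return (f'[[package]]\nname = "{name}"\nversion = "{version}"\n'
            f'checksum = "PLACEHOLDER-{name}-{version}"\n\n')

# Constructed before/after excerpts using crate versions named in the review.
OLD_LOCK = "version = 4\n\n" + "".join(pkg_entry(*p) for p in [
    ("quickcheck", "1.0.3"), ("rand", "0.8.5"), ("rand", "0.9.2"),
    ("serde_json", "1.0.145")])
NEW_LOCK = "version = 4\n\n" + "".join(pkg_entry(*p) for p in [
    ("quickcheck", "1.1.0"), ("rand", "0.10.0"), ("rand", "0.8.5"),
    ("rand", "0.9.2"), ("serde_json", "1.0.149"), ("zmij", "1.0.21")])

FIELD = re.compile(r'^(name|version|checksum) = "([^"]*)"$', re.M)

def parse_lock(text):
    """Return {(name, version): checksum} for every [[package]] block."""
    pkgs = {}
    for block in text.split("[[package]]")[1:]:   # [0] is the file header
        fields = dict(FIELD.findall(block))
        pkgs[(fields["name"], fields["version"])] = fields.get("checksum")
    return pkgs

def review_lock_change(old_text, new_text):
    old, new = parse_lock(old_text), parse_lock(new_text)
    versions = {}
    for name, version in new:
        versions.setdefault(name, []).append(version)
    return {
        # Crate names never seen before: new maintainers to trust.
        "new_crates": sorted({n for n, _ in new} - {n for n, _ in old}),
        # Every name+version pair the change adds to the graph.
        "added": sorted(set(new) - set(old)),
        # Crates compiled in more than one version (string-sorted).
        "duplicates": {n: sorted(v) for n, v in versions.items() if len(v) > 1},
        # Same name+version with a different checksum: published crate
        # contents are immutable, so treat this as a blocking finding.
        "checksum_drift": sorted(k for k in old.keys() & new.keys()
                                 if old[k] != new[k]),
    }

if __name__ == "__main__":
    for finding, value in review_lock_change(OLD_LOCK, NEW_LOCK).items():
        print(f"{finding}: {value}")
```

Run against the real Cargo.lock from the base and head commits, a non-empty `checksum_drift` is the one result that should stop a merge outright; the other three are inputs to the review.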

Copilot AI left a comment

Pull request overview

This PR upgrades several Rust dependencies in the git-internal repository, primarily focusing on infrastructure crates for serialization, randomness, and WebAssembly tooling.

Changes:

  • Upgrades core dependencies: memchr (2.7.6 → 2.8.0), serde_json (1.0.145 → 1.0.149), tempfile (3.24.0 → 3.25.0), quickcheck (1.0.3 → 1.1.0)
  • Adds new transitive dependencies including the wit-bindgen ecosystem (0.51.0), anyhow (1.0.102), rand (0.10.0), and zmij (1.0.21)
  • Updates feature flags: removes unused "small_rng" from rand 0.8.5, adds "default" feature to rand_chacha 0.9.0, adds "serde" feature to indexmap 2.12.1

Reviewed changes

Copilot reviewed 45 out of 46 changed files in this pull request and generated no comments.

| File | Description |
|---|---|
| Cargo.toml | Updates memchr, tempfile, serde_json, quickcheck versions; reorders ring and serde_json declarations |
| Cargo.lock | Reflects all transitive dependency updates including new crates (anyhow, zmij, wit-bindgen family, getrandom 0.4.1, etc.) |
| BUCK | Updates dependency references to match new versions (memchr, serde_json, tempfile) |
| buckal.snap | Updates fingerprints for all changed crates; updates workspace version to 0.6.0 |
| third-party/rust/crates/*/BUCK | Adds BUCK build files for new crate versions: memchr 2.8.0, serde_json 1.0.149, tempfile 3.25.0, quickcheck 1.1.0, and all wit-bindgen ecosystem crates, zmij 1.0.21, anyhow 1.0.102, getrandom 0.4.1, prettyplease 0.2.37, env_logger 0.11.9, env_filter 1.0.0, id-arena 2.3.0, leb128fmt 0.1.0, rand 0.10.0, wasip3 0.4.0, wasm-encoder 0.244.0, wasm-metadata 0.244.0, wasmparser 0.244.0 |
| third-party/rust/crates/{winnow,sqlx-,sea-,rust_decimal,regex*,nom,futures-util,bstr,axum,aho-corasick}/BUCK | Updates memchr dependency references from 2.7.6 to 2.8.0 and serde_json from 1.0.145 to 1.0.149 |
| third-party/rust/crates/rand*/BUCK | Removes "small_rng" feature from rand 0.8.5; adds "default" feature to rand_chacha 0.9.0 |
| third-party/rust/crates/indexmap/2.12.1/BUCK | Adds "serde" feature and serde_core dependency |

genedna merged commit 0caa69b into web3infra-foundation:main Feb 23, 2026
13 checks passed
genedna added a commit to genedna/git-internal that referenced this pull request Mar 15, 2026
Signed-off-by: Eli Ma <eli@patch.sh>