Skip to content

build(deps): consolidate 18 dependency-update PRs + broader version sweep#33

Merged
doublegate merged 6 commits into
mainfrom
deps/mega-update-2026-07
Jul 8, 2026
Merged

build(deps): consolidate 18 dependency-update PRs + broader version sweep#33
doublegate merged 6 commits into
mainfrom
deps/mega-update-2026-07

Conversation

@doublegate

Copy link
Copy Markdown
Owner

Summary

Consolidates all 18 currently-open dependabot PRs into a single, CI-verified update, plus a
broader sweep bringing every other Cargo, npm, GitHub Actions, and submodule dependency to its
latest compatible version.

Supersedes: #7, #8, #9, #10, #11, #12, #13, #14, #15, #17, #18, #20, #22, #24, #26, #27, #28, #32

Changes

GitHub Actions (ci.yml, gui.yml, release.yml):

  • softprops/action-gh-release v2 -> v3
  • pnpm/action-setup v2/v4 -> v6 (standardized across all 3 workflow files; pinned pnpm version
    bumped 9 -> 11 to match)
  • codecov/codecov-action v5 -> v7
  • actions/setup-node v4 -> v6

Cargo dependencies (root Cargo.toml + Cargo.lock):

  • sha2 0.10 -> 0.11
  • ipnetwork 0.20 -> 0.21 (now with an explicit serde feature -- previously unified for free
    from prtip's shared 0.20.0 instance, which no longer applies once the versions diverged)
  • toml 0.8 -> 1.1, toml_edit 0.22 -> 0.25
  • quick-xml 0.37 -> 0.41
  • rand 0.8 -> 0.10
  • bollard 0.18 -> 0.21 (required migrating crates/spectre-core/src/chef/docker.rs to
    bollard's relocated query_parameters/models types and non-generic Options structs)
  • Transitive: openssl, quinn-proto, keccak bumped via cargo update

rusqlite and mlua are intentionally not bumped past 0.32/0.11: both link a native library
(sqlite3, lua respectively) shared with the prtip submodule's own sqlx/mlua
dependencies, and prtip pins older ranges whose native-lib requirements don't overlap with newer
rusqlite/mlua. Bumping either here without prtip moving first breaks cargo's single-linked-library
resolution. Documented inline in Cargo.toml.

npm (GUI frontend): pnpm update picks up rollup (transitive via vite) and other packages
within their existing semver ranges. Added pnpm-workspace.yaml with allowBuilds.esbuild: true
so esbuild's postinstall (native binary fetch) runs under pnpm's default-deny build-script policy.

Submodules:

  • components/prtip, components/wraith-protocol: synced to a locally-pending "ci: disable
    macOS builds" commit that was pushed to their own origins as part of this work
  • components/cyberchef-mcp: fast-forwarded from a 25-commit-stale pointer to latest upstream
    master (includes an already-tested upstream gchq/CyberChef sync, v10.20 -> v11.2)

Bug fixes surfaced along the way:

  • Fixed 5 pre-existing clippy::unnecessary_sort_by failures (sort_by -> sort_by_key) that
    were already failing CI on dependabot PR build(deps): Bump openssl from 0.10.75 to 0.10.79 #32 independent of any dependency bump -- the current
    toolchain's clippy flags a lint pattern the code predates.

Test plan

  • cargo build --workspace --all-targets -- clean
  • cargo fmt --all --check -- clean
  • cargo clippy --workspace --all-targets -- -D warnings -- clean
  • cargo test --workspace -- all passing (44 CLI + 618 core + 74 GUI Rust + 268 TUI + 5 doc-tests + integration)
  • pnpm typecheck && pnpm build && pnpm test (GUI frontend) -- clean, 121/121 tests passing
  • Full CI matrix (ubuntu-22.04 / macos-14 / windows-2022, Security Audit, MSRV 1.92.0, Coverage, Docs)

🤖 Generated with Claude Code

Supersedes dependabot PRs #7, #8, #24, #27, #28: softprops/action-gh-release
v2->v3, pnpm/action-setup v2/v4->v6 (standardized across all 3 workflow
files, including the pinned pnpm version 9->11), codecov/codecov-action
v5->v7, actions/setup-node v4->v6.
Fast-forwards from v1.9.0-4 to v1.9.0-29, picking up an upstream
gchq/CyberChef sync (v10.20->v11.2) already tested and merged upstream.
Supersedes dependabot PRs #9, #10, #11, #12, #13, #14, #17, #20, #22, #26,
#32: sha2 0.10->0.11, ipnetwork 0.20->0.21 (+ explicit "serde" feature,
previously unified in from prtip's now-diverged 0.20.0 instance), toml
0.8->1.1, toml_edit 0.22->0.25, quick-xml 0.37->0.41, rand 0.8->0.10,
bollard 0.18->0.21, plus cargo-update-driven transitive bumps (openssl,
quinn-proto, keccak, and others).

bollard 0.19-0.21 relocated its Options/Config types from
bollard::container/image to bollard::query_parameters/models and dropped
generic type parameters; migrate crates/spectre-core/src/chef/docker.rs
accordingly (CreateImageOptions.from_image now Option<String>,
ContainerCreateBody replaces Config, CreateContainerOptions.name now
Option<String>, StopContainerOptions.t now Option<i32>,
ContainerSummary.state now an enum instead of String).

rusqlite and mlua are intentionally left at their prior pins (0.32, 0.11):
both link a native library (sqlite3, lua) shared with prtip-scanner's own
sqlx/mlua dependencies, and prtip pins older ranges that don't overlap
with newer rusqlite/mlua's native-lib requirements. Bumping either without
prtip moving first breaks cargo's single-linked-library resolution
(documented inline in Cargo.toml).

Also fixes 5 pre-existing clippy::unnecessary_sort_by lint failures
(sort_by -> sort_by_key) surfaced by the current CI toolchain -- these
were already failing dependabot PR #32 independent of any dependency bump.
Supersedes dependabot PR #18 (rollup, transitive via vite). Runs pnpm
update across the frontend package, picking up rollup plus patch/minor
bumps for @tauri-apps/*, react, react-dom, react-router(-dom), recharts,
dompurify, radix-ui, date-fns, tailwindcss, vite, vitest, and related
type packages, all within their existing semver ranges.

Adds pnpm-workspace.yaml with allowBuilds.esbuild: true so esbuild's
postinstall script (which fetches its platform-native binary) runs under
pnpm's default-deny build-script policy.
Copilot AI review requested due to automatic review settings July 8, 2026 06:06

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Consolidates multiple dependency update streams (Cargo, npm, GitHub Actions, and submodules) into a single sweep, including small code adjustments needed to keep the workspace building cleanly under updated toolchains/lints.

Changes:

  • Bumped a broad set of Rust/Cargo and frontend (pnpm) dependencies, plus updated GitHub Actions used in CI/release workflows.
  • Migrated Docker integration code to bollard’s newer models/query_parameters API and added pnpm build-script allowlisting for esbuild.
  • Addressed clippy lint failures by replacing several sort_by closures with sort_by_key patterns.

Reviewed changes

Copilot reviewed 13 out of 15 changed files in this pull request and generated 1 comment.

Show a summary per file
File Description
crates/spectre-gui/frontend/pnpm-workspace.yaml Adds pnpm v11 build-script allowlist for esbuild.
crates/spectre-gui/frontend/package.json Updates frontend dependency versions within semver-compatible ranges.
crates/spectre-core/src/results/stats.rs Replaces sort_by with sort_by_key for clippy compliance.
crates/spectre-core/src/results/mod.rs Simplifies sorting by scan time using sort_by_key.
crates/spectre-core/src/report/summary.rs Updates sorting to sort_by_key with Reverse for descending order.
crates/spectre-core/src/orchestration/checkpoint.rs Updates checkpoint sorting (currently introduces a compilation issue).
crates/spectre-core/src/chef/docker.rs Updates bollard usage to new types and option structs.
CHANGELOG.md Documents the consolidated dependency sweep and related fixes.
Cargo.toml Updates core dependency versions and documents intentional pins.
Cargo.lock Records resolved dependency graph changes after updates.
.github/workflows/release.yml Updates action versions (pnpm/action-setup, setup-node, gh-release).
.github/workflows/gui.yml Updates action versions and pnpm version pin.
.github/workflows/ci.yml Updates action versions, pnpm version pin, and Codecov action version.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread crates/spectre-core/src/orchestration/checkpoint.rs
@codecov

codecov Bot commented Jul 8, 2026

Copy link
Copy Markdown

Codecov Report

❌ Patch coverage is 22.22222% with 14 lines in your changes missing coverage. Please review.

Files with missing lines Patch % Lines
crates/spectre-core/src/chef/docker.rs 0.00% 13 Missing ⚠️
crates/spectre-core/src/results/mod.rs 0.00% 1 Missing ⚠️

📢 Thoughts on this report? Let us know!

… fixes

Syncs components/prtip and components/wraith-protocol pointers to pick up
two upstream security fixes pushed as part of this dependency sweep:

- prtip: rustls 0.21->0.23 migration (doublegate/ProRT-IP@eb2e84f, 02f4478),
  fixing RUSTSEC-2026-0098/0099/0104 (rustls-webpki 0.101.7 certificate
  name-constraint and CRL-parsing bugs).
- wraith-protocol: hickory-resolver 0.25->0.26 (doublegate/WRAITH-Protocol@2993c3a),
  fixing RUSTSEC-2026-0119 (O(n^2) CPU exhaustion DoS in DNS message encoding).

Re-running `cargo update` on the now-unified rustls/hickory-proto versions
collapses the previously-duplicated 0.21/0.23 and 0.25/0.26 instances in
Cargo.lock down to one each.

Also adds RUSTSEC-2026-0194/0195 (quick-xml quadratic-runtime/memory-exhaustion
bugs) to .cargo/audit.toml's ignore list: these come from tauri 2.11.5
(latest)'s own `plist` dependency, used only for macOS Info.plist bundle
metadata at build/packaging time, not attacker-reachable network input.
No fix is available upstream in tauri/plist yet.

`cargo audit` now reports zero hard vulnerabilities (down from 12 at the
start of this dependency sweep).
Repository owner deleted a comment from gemini-code-assist Bot Jul 8, 2026
@doublegate

Copy link
Copy Markdown
Owner Author

/gemini review

Repository owner deleted a comment from gemini-code-assist Bot Jul 8, 2026
Repository owner deleted a comment from gemini-code-assist Bot Jul 8, 2026
@doublegate

Copy link
Copy Markdown
Owner Author

/gemini review

@doublegate

Copy link
Copy Markdown
Owner Author

Adjudicating the patch-coverage gap (22.22%, 14 lines in docker.rs + results/mod.rs):

  • crates/spectre-core/src/chef/docker.rs (13 lines): all in the bollard 0.18->0.21 API migration (relocated query_parameters/models types, Option-wrapped struct fields). This module's own test module already documents why: "Docker tests require actual Docker daemon, so they're integration tests. Unit tests would require mocking the Docker client." No behavior changed, only the API surface used to express the same calls — mechanical migration, not new logic.
  • crates/spectre-core/src/results/mod.rs (1 line): the sort_by -> sort_by_key clippy fix. Same sort semantics, just a different closure shape; the existing sort_results tests already exercise this path structurally (they weren't newly added lines needing new tests, just a rewritten one-liner Codecov attributes as "new").

No new untested logic branches were introduced by this PR; both gaps are refactor-only lines in code paths already covered structurally by existing tests/CI. Not blocking.

@gemini-code-assist

Copy link
Copy Markdown

Warning

Gemini encountered an error creating the review. You can try again by commenting /gemini review.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants