build(deps): consolidate 18 dependency-update PRs + broader version sweep#33
Conversation
Fast-forwards from v1.9.0-4 to v1.9.0-29, picking up an upstream gchq/CyberChef sync (v10.20->v11.2) already tested and merged upstream.
Supersedes dependabot PRs #9, #10, #11, #12, #13, #14, #17, #20, #22, #26, #32: sha2 0.10->0.11, ipnetwork 0.20->0.21 (+ explicit "serde" feature, previously unified in from prtip's now-diverged 0.20.0 instance), toml 0.8->1.1, toml_edit 0.22->0.25, quick-xml 0.37->0.41, rand 0.8->0.10, bollard 0.18->0.21, plus cargo-update-driven transitive bumps (openssl, quinn-proto, keccak, and others). bollard 0.19-0.21 relocated its Options/Config types from bollard::container/image to bollard::query_parameters/models and dropped generic type parameters; migrate crates/spectre-core/src/chef/docker.rs accordingly (CreateImageOptions.from_image now Option<String>, ContainerCreateBody replaces Config, CreateContainerOptions.name now Option<String>, StopContainerOptions.t now Option<i32>, ContainerSummary.state now an enum instead of String). rusqlite and mlua are intentionally left at their prior pins (0.32, 0.11): both link a native library (sqlite3, lua) shared with prtip-scanner's own sqlx/mlua dependencies, and prtip pins older ranges that don't overlap with newer rusqlite/mlua's native-lib requirements. Bumping either without prtip moving first breaks cargo's single-linked-library resolution (documented inline in Cargo.toml). Also fixes 5 pre-existing clippy::unnecessary_sort_by lint failures (sort_by -> sort_by_key) surfaced by the current CI toolchain -- these were already failing dependabot PR #32 independent of any dependency bump.
Supersedes dependabot PR #18 (rollup, transitive via vite). Runs pnpm update across the frontend package, picking up rollup plus patch/minor bumps for @tauri-apps/*, react, react-dom, react-router(-dom), recharts, dompurify, radix-ui, date-fns, tailwindcss, vite, vitest, and related type packages, all within their existing semver ranges. Adds pnpm-workspace.yaml with allowBuilds.esbuild: true so esbuild's postinstall script (which fetches its platform-native binary) runs under pnpm's default-deny build-script policy.
There was a problem hiding this comment.
Pull request overview
Consolidates multiple dependency update streams (Cargo, npm, GitHub Actions, and submodules) into a single sweep, including small code adjustments needed to keep the workspace building cleanly under updated toolchains/lints.
Changes:
- Bumped a broad set of Rust/Cargo and frontend (pnpm) dependencies, plus updated GitHub Actions used in CI/release workflows.
- Migrated Docker integration code to bollard’s newer
models/query_parametersAPI and added pnpm build-script allowlisting foresbuild. - Addressed clippy lint failures by replacing several
sort_byclosures withsort_by_keypatterns.
Reviewed changes
Copilot reviewed 13 out of 15 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| crates/spectre-gui/frontend/pnpm-workspace.yaml | Adds pnpm v11 build-script allowlist for esbuild. |
| crates/spectre-gui/frontend/package.json | Updates frontend dependency versions within semver-compatible ranges. |
| crates/spectre-core/src/results/stats.rs | Replaces sort_by with sort_by_key for clippy compliance. |
| crates/spectre-core/src/results/mod.rs | Simplifies sorting by scan time using sort_by_key. |
| crates/spectre-core/src/report/summary.rs | Updates sorting to sort_by_key with Reverse for descending order. |
| crates/spectre-core/src/orchestration/checkpoint.rs | Updates checkpoint sorting (currently introduces a compilation issue). |
| crates/spectre-core/src/chef/docker.rs | Updates bollard usage to new types and option structs. |
| CHANGELOG.md | Documents the consolidated dependency sweep and related fixes. |
| Cargo.toml | Updates core dependency versions and documents intentional pins. |
| Cargo.lock | Records resolved dependency graph changes after updates. |
| .github/workflows/release.yml | Updates action versions (pnpm/action-setup, setup-node, gh-release). |
| .github/workflows/gui.yml | Updates action versions and pnpm version pin. |
| .github/workflows/ci.yml | Updates action versions, pnpm version pin, and Codecov action version. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Codecov Report❌ Patch coverage is
📢 Thoughts on this report? Let us know! |
… fixes Syncs components/prtip and components/wraith-protocol pointers to pick up two upstream security fixes pushed as part of this dependency sweep: - prtip: rustls 0.21->0.23 migration (doublegate/ProRT-IP@eb2e84f, 02f4478), fixing RUSTSEC-2026-0098/0099/0104 (rustls-webpki 0.101.7 certificate name-constraint and CRL-parsing bugs). - wraith-protocol: hickory-resolver 0.25->0.26 (doublegate/WRAITH-Protocol@2993c3a), fixing RUSTSEC-2026-0119 (O(n^2) CPU exhaustion DoS in DNS message encoding). Re-running `cargo update` on the now-unified rustls/hickory-proto versions collapses the previously-duplicated 0.21/0.23 and 0.25/0.26 instances in Cargo.lock down to one each. Also adds RUSTSEC-2026-0194/0195 (quick-xml quadratic-runtime/memory-exhaustion bugs) to .cargo/audit.toml's ignore list: these come from tauri 2.11.5 (latest)'s own `plist` dependency, used only for macOS Info.plist bundle metadata at build/packaging time, not attacker-reachable network input. No fix is available upstream in tauri/plist yet. `cargo audit` now reports zero hard vulnerabilities (down from 12 at the start of this dependency sweep).
|
/gemini review |
|
/gemini review |
|
Adjudicating the patch-coverage gap (22.22%, 14 lines in docker.rs + results/mod.rs):
No new untested logic branches were introduced by this PR; both gaps are refactor-only lines in code paths already covered structurally by existing tests/CI. Not blocking. |
|
Warning Gemini encountered an error creating the review. You can try again by commenting |
Summary
Consolidates all 18 currently-open dependabot PRs into a single, CI-verified update, plus a
broader sweep bringing every other Cargo, npm, GitHub Actions, and submodule dependency to its
latest compatible version.
Supersedes: #7, #8, #9, #10, #11, #12, #13, #14, #15, #17, #18, #20, #22, #24, #26, #27, #28, #32
Changes
GitHub Actions (
ci.yml,gui.yml,release.yml):softprops/action-gh-releasev2 -> v3pnpm/action-setupv2/v4 -> v6 (standardized across all 3 workflow files; pinned pnpm versionbumped 9 -> 11 to match)
codecov/codecov-actionv5 -> v7actions/setup-nodev4 -> v6Cargo dependencies (root
Cargo.toml+Cargo.lock):sha20.10 -> 0.11ipnetwork0.20 -> 0.21 (now with an explicitserdefeature -- previously unified for freefrom prtip's shared 0.20.0 instance, which no longer applies once the versions diverged)
toml0.8 -> 1.1,toml_edit0.22 -> 0.25quick-xml0.37 -> 0.41rand0.8 -> 0.10bollard0.18 -> 0.21 (required migratingcrates/spectre-core/src/chef/docker.rstobollard's relocated
query_parameters/modelstypes and non-generic Options structs)openssl,quinn-proto,keccakbumped viacargo updaterusqliteandmluaare intentionally not bumped past 0.32/0.11: both link a native library(
sqlite3,luarespectively) shared with theprtipsubmodule's ownsqlx/mluadependencies, and prtip pins older ranges whose native-lib requirements don't overlap with newer
rusqlite/mlua. Bumping either here without prtip moving first breaks cargo's single-linked-library
resolution. Documented inline in
Cargo.toml.npm (GUI frontend):
pnpm updatepicks uprollup(transitive via vite) and other packageswithin their existing semver ranges. Added
pnpm-workspace.yamlwithallowBuilds.esbuild: trueso esbuild's postinstall (native binary fetch) runs under pnpm's default-deny build-script policy.
Submodules:
components/prtip,components/wraith-protocol: synced to a locally-pending "ci: disablemacOS builds" commit that was pushed to their own origins as part of this work
components/cyberchef-mcp: fast-forwarded from a 25-commit-stale pointer to latest upstreammaster (includes an already-tested upstream gchq/CyberChef sync, v10.20 -> v11.2)
Bug fixes surfaced along the way:
clippy::unnecessary_sort_byfailures (sort_by->sort_by_key) thatwere already failing CI on dependabot PR build(deps): Bump openssl from 0.10.75 to 0.10.79 #32 independent of any dependency bump -- the current
toolchain's clippy flags a lint pattern the code predates.
Test plan
cargo build --workspace --all-targets-- cleancargo fmt --all --check-- cleancargo clippy --workspace --all-targets -- -D warnings-- cleancargo test --workspace-- all passing (44 CLI + 618 core + 74 GUI Rust + 268 TUI + 5 doc-tests + integration)pnpm typecheck && pnpm build && pnpm test(GUI frontend) -- clean, 121/121 tests passing🤖 Generated with Claude Code