chore(deps): bump rand from 0.10.0 to 0.10.1 in /packages/daemon-rs #506
dependabot[bot] wants to merge 1 commit into main from
Conversation
Hi @dependabot[bot] - I'm an automated code reviewer powered by pr-reviewer. I'm taking a look at the refactor and cleanup work in
PR-Reviewer-Ant left a comment
Automated review by pr-reviewer | model: claude-sonnet-4-6 | commit: 2e89d3c9
[Automated Review — pr-reviewer bot] Routine patch bump of rand 0.10.0→0.10.1 in the Rust daemon-rs shadow runtime. One non-obvious transitive dependency change in the lockfile is worth a human check.
Confidence: Medium [sufficient_diff_evidence, missing_cross_module_context] - The rand version bump and its new checksum are verifiable from the diff. The getrandom transitive change (0.4.2→0.3.4 for a second unnamed package) is visible in the lockfile diff but the owning package name is not exposed in the provided context window — the surrounding Cargo.lock lines show a stable checksum for that package but do not show its name = stanza. Whether that package's version range allows getrandom 0.3 is not provable without the full lockfile.
| dependencies = [ | ||
| "fastrand", | ||
| "getrandom 0.4.2", | ||
| "getrandom 0.3.4", |
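Review bot: this hunk shows only the dependencies array of the affected package and not its name = / version = lines, so the owning crate cannot be identified from the window; please expand the hunk context up to the preceding [[package]] header. The version-qualified form "getrandom 0.3.4" is itself informative: Cargo writes "name version" in a dependencies list only when the lockfile resolves that crate at more than one version, so after this change daemon-rs carries both getrandom 0.3.x and 0.4.x. Running cargo tree -d in the workspace will list the duplicated crate and the paths that pull each version in.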
A second package (whose name is not visible in this diff window, but has checksum 32497e9a...) silently switched its getrandom dependency from 0.4.2 to 0.3.4. This is a minor-version downgrade of a crypto-adjacent crate. Both getrandom 0.3 and 0.4 are actively maintained and secure, so this is unlikely to be a problem, but it's worth verifying: (1) which crate owns this entry (cargo tree -i getrandom in the daemon-rs workspace); (2) that the crate's published version range actually allows getrandom 0.3.x (a mismatch would mean the lockfile diverged from the crate's declared bounds, which shouldn't happen but is worth confirming). This change is a side-effect of the rand bump altering the resolver graph, not a direct edit by dependabot.
Bumps [rand](https://github.com/rust-random/rand) from 0.10.0 to 0.10.1.
- [Release notes](https://github.com/rust-random/rand/releases)
- [Changelog](https://github.com/rust-random/rand/blob/master/CHANGELOG.md)
- [Commits](rust-random/rand@0.10.0...0.10.1)

---
updated-dependencies:
- dependency-name: rand
  dependency-version: 0.10.1
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Force-pushed 2e89d3c to e430836 (Compare)
Review post failed; fallback summary posted. Error: GitHub create review failed (500 Internal Server Error):
[Automated Review by pr-reviewer] I found scope/intent drift and a transitive lockfile change that should be clarified before human merge review. Confidence: High [sufficient_diff_evidence, targeted_context_included] - The diff explicitly shows changes beyond the PR description (packages/forge/Cargo.lock rand 0.9.2->0.9.4) and a transitive dependency shift in packages/daemon-rs/Cargo.lock (getrandom 0.4.2->0.3.4) at changed lines. Unmapped findings (not on changed lines):
OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting. If you change your mind, just re-open this PR and I'll resolve any conflicts on it.
Bumps rand from 0.10.0 to 0.10.1.
Changelog
Sourced from rand's changelog.
Commits
- 27ff4cb Prepare v0.10.1: deprecate feature log (#1763)
- 98d0638 make_rng: document panic and add #[track_caller] (#1761)
- 54e5eaa Fix doc error (#1758)
- 1ce4c08 Bump itoa from 1.0.17 to 1.0.18 in the all-deps group (#1756)
- ccb734b docs: fix typo in doc comment (#1754)
- 357eb7d Bump libc from 0.2.182 to 0.2.183 in the all-deps group (#1753)
- 5e77fe5 Fix trait references in documentation (#1752)
- da89185 Bump the all-deps group with 3 updates (#1751)
- 50516ff Bump the all-deps group with 2 updates (#1749)
- fd71de9 Bump the all-deps group with 2 updates (#1747)