chore(deps): batch patch bump (tokio, reqwest, quick-xml, blake3) #169

Merged: axpnet merged 2 commits into main from chore/rust-deps-patch-bump on May 6, 2026

Conversation

@axpnet axpnet (Member) commented May 5, 2026

Summary

Four safe patch updates from the May 5 dependency check, all on stable 1.x / 0.x lines:

  • `tokio` 1.52.1 -> 1.52.2
  • `reqwest` 0.13.2 -> 0.13.3
  • `quick-xml` 0.39.2 -> 0.39.3
  • `blake3` 1.8.4 -> 1.8.5

Pure lockfile change (no `Cargo.toml` edits required, all four are declared with caret semver).

Why russh is not here

`russh` 0.60.1 -> 0.60.2 forces downgrades on a stack of pre-1.0 RC crypto crates (`elliptic-curve rc.31 -> rc.28`, `p256/p384/p521 rc.9 -> rc.7`, `rsa rc.17 -> rc.16`, `spki 0.8.0 -> 0.8.0-rc.4`, `ml-kem rc.2 -> rc.1`) because the new russh has tighter version bounds.

Downgrades on RC crypto crates are not safe to ship through a routine patch batch: they may revert security fixes that landed between rc.7 and rc.9. Tracking separately for a dedicated PR with audit.

Validation

  • `cargo clippy --all-targets -D warnings` clean (full rebuild after `cargo clean`, 4m28s)
  • Lockfile-only diff, no source code touched

Test plan

  • CI green on Linux, Windows, macOS
  • No regression on async runtime, HTTP requests, WebDAV/Azure XML parsing, BLAKE3 hashing

Four safe patch updates from the May 5 dependency check, all on
the 1.x / 0.x stable lines:

- tokio 1.52.1 -> 1.52.2
- reqwest 0.13.2 -> 0.13.3
- quick-xml 0.39.2 -> 0.39.3
- blake3 1.8.4 -> 1.8.5

russh / russh-sftp deliberately excluded from this batch. Bumping
russh 0.60.1 -> 0.60.2 in isolation forces downgrades on a
half-dozen pre-1.0 RC crypto crates (elliptic-curve, p256, p384,
p521, rsa, spki, ml-kem) because the new russh has tighter version
bounds. That needs a dedicated PR with a careful audit, not a
drive-through patch batch.

Validation: cargo clippy --all-targets -D warnings clean
(full rebuild after cargo clean, 4m28s).
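The hazard the PR description calls out, a routine patch batch that quietly moves pre-release crypto crates backwards, can be checked mechanically before merging. The following is an added example and not code from this repository or PR: it parses two Cargo.lock snapshots and lists every crate whose pinned version went backwards, treating a release as newer than any of its own pre-releases so that `0.8.0 -> 0.8.0-rc.4` is flagged as a downgrade. The crate names and version numbers in the sample are constructed for illustration.

```python
import re

# Constructed sample Cargo.lock snapshots (not from this PR): a hypothetical bump
# that advances tokio but drags two pre-release crypto crates backwards.
BEFORE = """\
[[package]]
name = "p256"
version = "0.14.0-rc.9"

[[package]]
name = "spki"
version = "0.8.0"

[[package]]
name = "tokio"
version = "1.52.1"
"""
AFTER = (BEFORE.replace('"0.14.0-rc.9"', '"0.14.0-rc.7"')
               .replace('"0.8.0"', '"0.8.0-rc.4"')
               .replace('"1.52.1"', '"1.52.2"'))


def parse_lock(text):
    """Map crate name -> pinned version from the [[package]] entries of a Cargo.lock."""
    pkgs = {}
    for entry in text.split("[[package]]")[1:]:
        name = re.search(r'^name = "([^"]+)"', entry, re.M)
        version = re.search(r'^version = "([^"]+)"', entry, re.M)
        if name and version:  # a crate vendored at two versions keeps the last entry seen
            pkgs[name.group(1)] = version.group(1)
    return pkgs


def version_key(v):
    """Semver-style sort key: numeric core, then a flag so a release outranks its own
    pre-releases, then pre-release identifiers (numeric sorts below alphanumeric)."""
    core, _, pre = v.partition("-")
    key = tuple(int(x) for x in core.split("+")[0].split("."))
    if not pre:
        return key + (1, ())
    idents = tuple((0, int(p)) if p.isdigit() else (1, p) for p in pre.split("."))
    return key + (0, idents)


def find_downgrades(before_text, after_text):
    """Sorted (crate, old, new) triples for every crate whose pinned version moved backwards."""
    old, new = parse_lock(before_text), parse_lock(after_text)
    return sorted((n, old[n], new[n]) for n in old
                  if n in new and version_key(new[n]) < version_key(old[n]))
```

Run it against `git show main:src-tauri/Cargo.lock` and the working-tree lockfile in CI and fail the job when the list is non-empty; a patch batch that reports nothing is the kind that is safe to merge without an audit.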
coderabbitai Bot commented May 5, 2026

Important

Review skipped

Review was skipped due to path filters

⛔ Files ignored due to path filters (1)
  • src-tauri/Cargo.lock is excluded by !**/*.lock

CodeRabbit blocks several paths by default. You can override this behavior by explicitly including those paths in the path filters. For example, including **/dist/** will override the default block on the dist directory, by removing the pattern from both the lists.

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 17f4ac67-16bf-45a9-8d84-487c2c54960a

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


snyk-io Bot commented May 5, 2026

Snyk checks have passed. No issues have been found so far.

Scan                   Critical  High  Medium  Low  Total
Open Source Security   0         0     0       0    0 issues


socket-security Bot commented May 5, 2026

Review the following changes in direct dependencies.

Diff     Package                           Supply Chain Security  Vulnerability  Quality  Maintenance  License
Updated  cargo/tokio@1.52.1 -> 1.52.2      58                     100            93       100          100
Updated  cargo/reqwest@0.13.2 -> 0.13.3    79 (+1)                100            94 (+1)  100          100
Updated  cargo/blake3@1.8.4 -> 1.8.5       81                     100            100      100          100
Updated  cargo/quick-xml@0.39.2 -> 0.39.3  100                    100            93       100          100


axpnet added a commit that referenced this pull request May 5, 2026
The fallback-fixture job uses an isolated rust-cache shared-key
(delta-sync-fallback) that is invalidated whenever Cargo.lock churns
(deps-bump PRs from Dependabot, scheduled batch bumps, Tauri
ecosystem upgrades). On a cold cache the workspace + Tauri + aeroftp
lib compile takes 18-22 minutes before the integration test binary
links, which exceeds the previous 15m ceiling and silently cancels
the run.

The sibling key-auth lane fits comfortably in 11 minutes with a warm
default cache, so it stays at 15m. 25m on the fallback lane gives
enough headroom for cold-start runs without parking PRs forever.

Affects #168 and #169, which were both stuck on this timeout.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@axpnet axpnet merged commit ad1116b into main May 6, 2026
11 checks passed
@axpnet axpnet deleted the chore/rust-deps-patch-bump branch May 6, 2026 11:45
1 participant