chore(deps): master dependency bump — consolidate all 14 Dependabot PRs #113
Adjudicates and supersedes all 14 open Dependabot PRs in a single change.
Cargo dependencies (workspace + crates):
- toml 0.9 -> 1.0 (#83)
- tracing-subscriber 0.3.22 -> 0.3.23 (#85)
- rustls-webpki 0.103.9 -> 0.103.10+ (#87)
- rand 0.9 -> 0.10 (#98) — recovery.rs: rand::Rng -> rand::RngExt for random_range
- proptest 1.10 -> 1.11 (#92)
- notify-rust 4.12 -> 4.16+ (#106)
- tokio 1.50 -> 1.52 (#107)
- clap 4.5 -> 4.6 (#108)
- rustls 0.23.37 -> 0.23.39+ (#109)
- webpki-roots 1.0.6 -> 1.0.7+ (#110)
GitHub Actions:
- codecov/codecov-action 5 -> 6 (#91)
- actions/github-script 8 -> 9 (#97)
- mozilla-actions/sccache-action 0.0.9 -> 0.0.10 (#105)
- actions/dependency-review-action 4 -> 5 (#111)
The only source change required is the rand 0.10 API migration (random_range moved to the RngExt trait). All workspace builds, clippy (Linux), and the core/protocol/tui/plugins/scripting plus integration test suites pass locally.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Dependency Review
The following issues were found:
License Issues
.github/workflows/security-audit.yml
Cargo.lock
crates/rustirc-core/Cargo.toml
Code Review
This pull request updates several workspace dependencies, including upgrading tokio to 1.52, toml to 1.0, clap to 4.6.1, and rand to 0.10. In crates/rustirc-core/src/recovery.rs, the import is updated to rand::RngExt to accommodate the rand upgrade. Feedback suggests further simplifying this change by using the new top-level rand::random_range function directly, which is more idiomatic in rand 0.10.
…eview
notify-rust 4.18 pulls mac-notification-sys 0.6.15, whose crate metadata declares the deprecated "MIT/Apache-2.0" slash-form license expression. GitHub's dependency-review parser cannot resolve it and renders it as LicenseRef-bad-mitapache-2.0, failing the license check. Both MIT and Apache-2.0 are already in allow-licenses, so the crate is genuinely permissive; add it to allow-dependencies-licenses like the other crates with complex license expressions.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
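A triage check for the failure described in the commit message above, as an added example that is not code from this PR, the project, or dependency-review-action. The `check_license` helper, the `Verdict` type and the sample allow-list are hypothetical; it assumes flat expressions (no parentheses, no WITH exceptions) and reads the legacy "/" separator as OR.

```rust
use std::collections::HashSet;

#[derive(Debug, PartialEq)]
enum Verdict {
    Allowed,
    AllowedLegacySyntax, // permissive, but written in the deprecated "/" form
    Denied(String),      // first identifier that is not on the allow-list
}

/// Hypothetical helper (not a dependency-review-action API). `expr` is a flat
/// license expression: no parentheses, no WITH exceptions. AND binds tighter
/// than OR, and the legacy "/" separator is read as OR.
fn check_license(expr: &str, allow: &HashSet<&str>) -> Verdict {
    let legacy = expr.contains('/');
    let normalized = expr.replace('/', " OR ");
    let mut first_blocker: Option<String> = None;
    for alternative in normalized.split(" OR ") {
        // One alternative passes only if every AND-ed term is allowed.
        let blocker = alternative
            .split(" AND ")
            .map(str::trim)
            .find(|id| id.is_empty() || !allow.contains(id));
        match blocker {
            None if legacy => return Verdict::AllowedLegacySyntax,
            None => return Verdict::Allowed,
            Some(id) => {
                first_blocker.get_or_insert(id.to_string());
            }
        }
    }
    Verdict::Denied(first_blocker.unwrap_or_default())
}

fn main() {
    // Constructed allow-list and inputs; the first input is the form quoted above.
    let allow: HashSet<&str> = ["MIT", "Apache-2.0"].into();
    for expr in ["MIT/Apache-2.0", "MIT OR Apache-2.0", "GPL-3.0-only AND MIT"] {
        println!("{:<24} -> {:?}", expr, check_license(expr, &allow));
    }
}
```

An `AllowedLegacySyntax` result marks a crate whose per-dependency exception is justified by syntax alone, while `Denied` names the identifier that would need an actual policy decision.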
Pull request overview
This PR consolidates multiple Dependabot updates into a single “master bump” across the Rust workspace and GitHub Actions workflows, with a small source change to adapt to the rand API shift.
Changes:
- Bump several workspace Rust dependencies (e.g., tokio, toml, tracing-subscriber, proptest, clap) and refresh Cargo.lock.
- Migrate jitter RNG usage in rustirc-core to rand 0.10’s RngExt trait.
- Update CI/security workflows to newer GitHub Actions versions (e.g., codecov/codecov-action@v6, actions/github-script@v9, actions/dependency-review-action@v5, mozilla-actions/sccache-action@v0.0.10).
Reviewed changes
Copilot reviewed 7 out of 8 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| crates/rustirc-core/src/recovery.rs | Updates jitter RNG import to rand 0.10 (RngExt) to keep recovery backoff working. |
| crates/rustirc-core/Cargo.toml | Bumps rand to 0.10 for the core crate. |
| Cargo.toml | Updates workspace dependency versions (tokio/toml/tracing-subscriber/proptest/clap). |
| Cargo.lock | Refreshes the lockfile to reflect the dependency upgrades and transitive changes. |
| .github/workflows/security-audit.yml | Bumps actions/github-script to v9 and dependency-review-action to v5. |
| .github/workflows/master-pipeline.yml | Bumps sccache action and Codecov action versions used in the pipeline. |
| .github/workflows/ci.yml | Bumps sccache action and Codecov action versions used in CI. |
…and usage
Adjudicates the bot review comments on the master dependency-bump PR:
- gemini-code-assist: use the top-level rand::random_range() in recovery.rs instead of importing RngExt and spinning up a thread RNG.
- Copilot (x2): clap 4.6 and rand 0.10 both declare rust-version = 1.85, which is inconsistent with the repo's previously declared MSRV of 1.75. Since this PR's purpose is to adopt those bumps, raise the project MSRV to 1.85 across Cargo.toml, clippy.toml, the CI msrv toolchain, and the docs (README, technology-stack, getting-started, copilot-instructions, bug_report template).
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Auditing the locked dependency tree shows the real minimum supported Rust is 1.89.0, driven by notify-rust 4.18 (rust-version = 1.89), with iced 0.14 / wgpu 27 at 1.88 and zbus 5.14 at 1.87. 1.85 (clap/rand) was necessary but not sufficient. Note the previously declared 1.75 was already unattainable since iced 0.14 (pre-existing) requires 1.88 — the MSRV CI job only ever passed via a full build-cache hit, never a real 1.75 compile. This sets an honest, enforceable MSRV.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
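The audit described in the commit message above, sketched as an added example that is not code from this PR or the project. The helper names are hypothetical, and the dependency table is constructed from the rust-version values quoted in that message.

```rust
/// Parse "1.89" or "1.89.0" into a triple that compares numerically
/// (as plain strings, "1.9" would wrongly sort above "1.89").
fn parse_rust_version(s: &str) -> Option<(u32, u32, u32)> {
    let mut parts = s.trim().split('.').map(|p| p.parse::<u32>().ok());
    let major = parts.next()??;
    let minor = parts.next().unwrap_or(Some(0))?;
    let patch = parts.next().unwrap_or(Some(0))?;
    if parts.next().is_some() {
        return None; // more than three components
    }
    Some((major, minor, patch))
}

/// Highest declared rust-version plus the crates that require it.
/// Entries with an unparsable rust-version are skipped.
fn effective_msrv<'a>(deps: &[(&'a str, &str)]) -> Option<((u32, u32, u32), Vec<&'a str>)> {
    let parsed: Vec<_> = deps
        .iter()
        .filter_map(|(name, rv)| parse_rust_version(rv).map(|v| (*name, v)))
        .collect();
    let max = parsed.iter().map(|(_, v)| *v).max()?;
    let drivers = parsed.iter().filter(|(_, v)| *v == max).map(|(n, _)| *n).collect();
    Some((max, drivers))
}

/// A declared MSRV is enforceable only if it is at least every dependency's.
fn msrv_is_enforceable(declared: &str, deps: &[(&str, &str)]) -> bool {
    match (parse_rust_version(declared), effective_msrv(deps)) {
        (Some(d), Some((needed, _))) => d >= needed,
        (Some(_), None) => true, // no dependency constrains the toolchain
        _ => false,              // declared value itself is malformed
    }
}

fn main() {
    // Constructed table: (crate, rust-version) pairs as quoted in the commit message.
    let deps = [("notify-rust", "1.89"), ("iced", "1.88"), ("wgpu", "1.88"),
                ("zbus", "1.87"), ("clap", "1.85"), ("rand", "1.85")];
    println!("needed: {:?}", effective_msrv(&deps));
    for declared in ["1.75", "1.85", "1.89.0"] {
        println!("declared {}: enforceable = {}", declared, msrv_is_enforceable(declared, &deps));
    }
}
```

In a real workspace the pairs can be taken from the `rust_version` field that `cargo metadata --format-version 1` reports for each package.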
Raising the clippy.toml msrv to 1.89 enables clippy::manual_is_multiple_of (the is_multiple_of method stabilized in Rust 1.87). Replace the two manual modulo-zero checks it flags:
- rustirc-tui state.rs: total_seconds % 60 == 0 -> .is_multiple_of(60)
- rustirc-gui rich_text_editor.rs: len() % n != 0 -> !len().is_multiple_of(n)
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Master Dependency Bump — Consolidates All 14 Open Dependabot PRs
This PR adjudicates and supersedes all 14 open Dependabot PRs, applying every version bump in a single, mergeable change with the source-code adjustments required to keep the workspace building, linting, and testing green.
Merging this PR closes the following (all changes incorporated, at the requested version or newer):
Cargo dependencies
- toml
- tracing-subscriber
- rustls-webpki
- proptest
- rand
- notify-rust
- tokio
- clap
- rustls
- webpki-roots
GitHub Actions
- codecov/codecov-action
- actions/github-script
- mozilla-actions/sccache-action
- actions/dependency-review-action
Source changes
The only code change required is the rand 0.10 API migration: random_range moved from the Rng trait to the new RngExt trait. Updated the import in crates/rustirc-core/src/recovery.rs (use rand::Rng; → use rand::RngExt;). All other bumps are drop-in.
Verification (local)
- cargo build — clean
- cargo clippy --all-targets --all-features -- -D warnings — clean on Linux-equivalent paths (only pre-existing #[cfg(windows)] warnings in platform.rs, which CI does not compile since clippy runs on ubuntu-latest)
- cargo test — core, protocol, tui, plugins, scripting, and all integration suites pass (119+ passing, 0 failing)
Closes #83, closes #85, closes #87, closes #91, closes #92, closes #97, closes #98, closes #105, closes #106, closes #107, closes #108, closes #109, closes #110, closes #111
🤖 Generated with Claude Code