chore(deps): split dependabot grouping + safe bumps from closed #115#118
Merged
Two pieces:

**Add .github/dependabot.yml** with explicit grouping:
- `cargo-safe`: patch+minor for all crates EXCEPT rmcp(-macros) and ort(-sys). This is the group that should be auto-mergeable.
- `cargo-flagged`: rmcp and ort only, in their own PRs so a major rmcp bump can't block a batch of safe patches like #115 did.
- Also configures the npm groupings (ck-vscode, docs-site) and a github-actions group.

**Cherry-pick the 7 safe bumps** that were in #115 before it was closed for the rmcp 0.x→1.x compile break:
- bytes 1.11.0 → 1.11.1
- lz4_flex 0.11.5 → 0.11.6
- openssl 0.10.75 → 0.10.80 (+ openssl-sys 0.9.111 → 0.9.116) — picks up the cipher_update_inplace buffer-overflow fix
- quinn-proto 0.11.13 → 0.11.14
- rand 0.8.5 → 0.8.6
- rustls-webpki 0.103.9 → 0.103.13
- time 0.3.46 → 0.3.47 (+ time-macros 0.2.26 → 0.2.27)

Cargo.lock-only. All version constraints in workspace Cargo.toml were already permissive enough; no Cargo.toml change needed.

Once this lands, future dependabot runs should produce small clean PRs in the cargo-safe group, with rmcp/ort upgrades arriving separately for human review.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
runonthespot added a commit that referenced this pull request on May 24, 2026:

Ships everything merged today on top of 0.7.7:
- #117 npm distribution as @beaconbay/ck-search
- #118 dependabot config + safe cargo bumps (incl. openssl CVE fix)
- #119 tar 6 → 7 + engines.node >= 18
- #120 GitHub Actions: checkout v6, codeql v4
- #121 @types/vscode patch
- #122 vue patch (docs-site)
- #125 cargo-safe 20-pack (anyhow, tokio, clap, fastembed 5.13, uuid, etc.)
- #127 shlex 1.3 → 2.0

First release that also publishes to npm. See CHANGELOG.md.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
**Summary**

Two related pieces of cleanup after closing #115 (which mixed safe patch bumps with an rmcp 0.x→1.x major-version break that doesn't compile).

**1. Add `.github/dependabot.yml`**

Repo had no dependabot config — bumps were running on whatever defaults dependabot chose. That meant rmcp's major-version PR got grouped with 7 safe patch bumps; the major-version compile break poisoned the whole group and we had to close it.

New config splits cargo bumps into two groups:

Also configures the existing npm groupings (ck-vscode, docs-site) and a github-actions group.

**2. Cherry-pick the 7 safe bumps from #115**

Cargo.lock-only update via `cargo update -p ...`. None of these need a Cargo.toml change — all version constraints in `[workspace.dependencies]` were already permissive enough.

The openssl bump is the only one with anything beyond a routine patch — it includes a buffer-overflow fix in AES key-wrap-with-padding.

**What this prevents going forward**

Once the dependabot.yml lands, the next scheduled cargo run produces:

So #115's pattern (safe bumps held hostage by a hand-migration) doesn't recur.

**Test plan**

🤖 Generated with Claude Code
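The grouping the description spells out, written as a complete `.github/dependabot.yml`. This is an added illustration, not the file the PR actually merged (the page does not show it): the group names and their membership follow the PR text, while the `directory` paths, the weekly `schedule`, and the assumption that `ck-vscode` and `docs-site` are separate npm package directories are mine.

```yaml
# Added example, not the PR's own file. Directories, schedule and the
# npm package locations are assumptions; group names and membership
# follow the PR description.
version: 2
updates:
  # Rust workspace: two groups so a breaking rmcp/ort bump never shares
  # a PR with routine patch/minor updates of the other crates.
  - package-ecosystem: "cargo"
    directory: "/"                  # assumed: workspace root
    schedule:
      interval: "weekly"            # assumed cadence
    groups:
      cargo-safe:
        patterns: ["*"]
        exclude-patterns: ["rmcp", "rmcp-macros", "ort", "ort-sys"]
        update-types: ["minor", "patch"]
      cargo-flagged:
        patterns: ["rmcp", "rmcp-macros", "ort", "ort-sys"]
        # no update-types filter: every rmcp/ort bump lands here,
        # including majors, for human review

  # npm: one entry per package directory (paths assumed).
  - package-ecosystem: "npm"
    directory: "/ck-vscode"
    schedule:
      interval: "weekly"
    groups:
      ck-vscode:
        patterns: ["*"]
  - package-ecosystem: "npm"
    directory: "/docs-site"
    schedule:
      interval: "weekly"
    groups:
      docs-site:
        patterns: ["*"]

  # Workflow actions, batched into a single PR.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
    groups:
      github-actions:
        patterns: ["*"]
```

Two properties of this layout are worth checking when reviewing the real file. First, dependabot opens an individual PR for any update that matches no group, so limiting `cargo-safe` to `minor` and `patch` means a major bump of any crate outside rmcp/ort also arrives on its own instead of being hidden inside the safe batch. Second, nothing in `dependabot.yml` merges anything: "auto-mergeable" still depends on a separate auto-merge rule or workflow gated on CI, and the patch/minor scope of `cargo-safe` is what makes enabling that acceptable for this group only.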