Harden the leptos/dioxus dependency-update workflow #1

Merged: tonybierman merged 2 commits into main from chore/dep-update-painless on May 24, 2026
@tonybierman
Collaborator

Makes staying current with Leptos/Dioxus releases (and the wider dep tree) less painful and less risky. Detection of outdated deps already existed (nightly cargo outdated/audit); this adds the pieces that catch breakage and make resolution reproducible.

Changes

  1. Server-fn HTTP round-trip test, per adapter (crates/arium-{leptos,dioxus}/tests/server_fn_roundtrip.rs). Boots the real install-layered router on an ephemeral port and drives register → login → authenticated read → logout over HTTP with a cookie jar. The adapters previously had zero runtime tests (the engine has 112) — they were only cargo check-compiled, so a framework release that compiled but changed the server-fn wire format / response shape / session-cookie handling would pass CI silently. These turn that red. (Confirmed empirically: Leptos posts form-encoded; Dioxus #[post] takes JSON and reads the profile via #[get].)

  2. Pin dioxus-primitives to an explicit git rev in both manifests. It's a git dep with no crates.io release, so a bare cargo update could otherwise pull a breaking HEAD.

  3. Dependabot (.github/dependabot.yml): weekly, grouped cargo + github-actions updates, with dioxus and leptos each in their own isolated group so a framework bump (0.x minor = breaking) lands as a standalone, separately-reviewable PR rather than buried in a batch.

  4. rust-toolchain.toml pins the compiler (1.95.0 + rustfmt/clippy + wasm32). A toolchain bump becomes a deliberate PR instead of silent drift through the gating clippy job. CI now provisions from the file (rustup show) instead of dtolnay/rust-toolchain@stable, so the file is the single source of truth.

  5. Wasm-target logic test, per adapter (tests/wasm_client.rs). Runs in Node via wasm-bindgen-test-runner (no browser), exercising the re-exported wire-type serde round-trip (and, for Leptos, friendly_server_error) on the client/hydrate build — turning the wasm job from "compiles" into "runs". New wasm-test CI job auto-derives the matching wasm-bindgen version from the resolved graph, so a wasm-bindgen bump needs no edit here.

  6. Commit Cargo.lock (un-gitignored). Without it, CI resolved fresh on every run, so a compatible-but-broken upstream release could redden an unrelated PR and not reproduce locally. Now every build resolves identically and dependency bumps show up as explicit lockfile diffs.

Notes

  • Dev-deps are split by target (native server stack under cfg(not(wasm32)), wasm-bindgen-test under cfg(wasm32)) and each test file is cfg-guarded, so a --target wasm32 test build never pulls the tokio/sqlx/reqwest stack that can't build for wasm.
  • The Dioxus round-trip test mounts via register_server_functions() onto FullstackState::headless() because dioxus::server::router(app) requires a built public/ asset dir.

Verification (local)

  • Both round-trip tests pass (real HTTP).
  • Both wasm tests pass in Node.
  • cargo fmt --all --check clean; cargo clippy --tests -- -D warnings clean on both adapters.
  • Toolchain pin active (1.95.0); Cargo.lock resolves cleanly under --locked.

🤖 Generated with Claude Code
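
Item 2's concern, a git dependency that floats with upstream HEAD, can be checked mechanically. The following is an added example, not part of this pull request or the project's code: a small Rust scan that lists git dependencies lacking `rev` in a manifest. The manifest, crate names, URLs and revs are constructed placeholders, and the scan is line-oriented rather than a full TOML parser.

```rust
// Added example (not from this PR): list git dependencies that lack an explicit `rev`.
// Line-oriented scan, not a full TOML parser; multi-line inline tables are not handled.
// SAMPLE is a constructed manifest; crate names, URLs and revs are placeholders.
const SAMPLE: &str = r#"
[dependencies]
serde = "1"
pinned-ui = { git = "https://example.invalid/ui.git", rev = "0123abc" }
floating-ui = { git = "https://example.invalid/ui.git", branch = "main" }

[dev-dependencies.floating-helper]
git = "https://example.invalid/helper.git"
"#;

/// True when the keys name a git source without an explicit commit.
fn floating(keys: &[&str]) -> bool {
    keys.contains(&"git") && !keys.contains(&"rev")
}

fn unpinned_git_deps(manifest: &str) -> Vec<String> {
    let mut unpinned = Vec::new();
    // Open `[...dependencies.<name>]` table: (name, keys seen so far).
    let mut table: Option<(String, Vec<&str>)> = None;
    // The trailing "[" sentinel closes a table that runs to end of file.
    for raw in manifest.lines().chain(std::iter::once("[")) {
        let line = raw.trim();
        if line.starts_with('#') { continue; }
        if line.starts_with('[') {
            if let Some((name, keys)) = table.take() {
                if floating(&keys) { unpinned.push(name); }
            }
            let header = line.trim_matches(|c: char| c == '[' || c == ']');
            if let Some((prefix, name)) = header.rsplit_once('.') {
                if prefix.ends_with("dependencies") { table = Some((name.to_string(), Vec::new())); }
            }
        } else if let Some((_, keys)) = table.as_mut() {
            if let Some((key, _)) = line.split_once('=') { keys.push(key.trim()); }
        } else if let (Some((name, rest)), true) = (line.split_once('='), line.contains('{')) {
            // Inline table: `name = { git = "...", rev = "..." }`
            let body = rest.trim().trim_start_matches('{').trim_end_matches('}');
            let keys: Vec<&str> = body.split(',')
                .filter_map(|kv| kv.split_once('=')).map(|(k, _)| k.trim()).collect();
            if floating(&keys) { unpinned.push(name.trim().to_string()); }
        }
    }
    unpinned
}

fn main() {
    for name in unpinned_git_deps(SAMPLE) { println!("unpinned git dependency: {}", name); }
}
```

A `branch` or `tag` key does not count as a pin here, matching the PR's choice of an explicit `rev`.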

tonybierman and others added 2 commits May 24, 2026 10:46
Make staying current with framework releases (and the wider dep tree)
less painful and less risky, per the five-item plan:

1. Server-fn HTTP round-trip tests (both adapters). New
   tests/server_fn_roundtrip.rs boots the real install-layered router on
   an ephemeral port and drives register -> login -> authed read ->
   logout over HTTP with a cookie jar. The feature-matrix/wasm jobs only
   `cargo check` the adapters; these catch a Leptos/Dioxus/server_fn
   release that compiles but changes the wire encoding, response shape,
   or session-cookie handling. (Leptos posts form-encoded; Dioxus posts
   JSON and reads the profile over GET — the helpers mirror that.)

2. Pin dioxus-primitives to an explicit git `rev` in both manifests.
   It's a git dep with no crates.io release, so a bare `cargo update`
   could otherwise pull a breaking HEAD. Cargo.lock is gitignored, so
   this rev is now the sole pin. Bump it deliberately.

3. .github/dependabot.yml: weekly grouped cargo + github-actions
   updates, with dioxus and leptos each in their own isolated group so a
   framework bump (0.x minor = breaking) lands as a standalone,
   separately-reviewable PR instead of buried in a batch.

4. rust-toolchain.toml pins the compiler (1.95.0 + rustfmt/clippy +
   wasm32 target). A toolchain bump becomes a deliberate PR rather than
   silent drift through the gating clippy job. CI now provisions from
   the file (`rustup show`) instead of dtolnay@stable so the pin is the
   single source of truth.

5. Wasm-target logic tests (both adapters). New tests/wasm_client.rs
   runs in Node via wasm-bindgen-test-runner (no browser), exercising
   the re-exported wire-type serde round-trip (and, for Leptos,
   friendly_server_error) on the client build — turning the wasm job
   from "compiles" into "runs". New `wasm-test` CI job derives the
   matching wasm-bindgen version from the resolved graph, so a
   wasm-bindgen bump needs no edit here.

Dev-deps are split by target (native server stack under
cfg(not(wasm32)), wasm-bindgen-test under cfg(wasm32)) and each test
file is cfg-guarded, so a `--target wasm32` test build never pulls the
tokio/sqlx/reqwest stack that can't build for wasm.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Un-gitignore Cargo.lock and check it in. Without a committed lock, CI
resolved the dependency graph fresh on every run within the caret
ranges, so a compatible-but-broken upstream release could redden an
unrelated PR and not reproduce locally — the main reproducibility gap in
keeping current with leptos/dioxus. Committing the lock makes every
build (local + CI) resolve identically; dependency bumps now arrive as
explicit lockfile diffs in Dependabot PRs.

Also update the dependabot.yml comment to match: with a committed lock,
Dependabot updates locked versions rather than only widening manifest
ranges.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@tonybierman tonybierman merged commit edaf0f3 into main May 24, 2026
28 checks passed
@tonybierman tonybierman deleted the chore/dep-update-painless branch May 24, 2026 15:57