deps: land safe Dependabot bumps; triage jni & gotatun#637
Merged
Conversation
…ndom) Consolidates the three Dependabot updates that are verified green, and documents (in the PR) the two that need manual work. #633 gradle-minor-patch group: - androidx.core:core-ktx 1.18.0 -> 1.19.0 - com.google.android.material 1.13.0 -> 1.14.0 - androidx.lifecycle 2.10.0 -> 2.11.0 - glide 5.0.7 -> 5.0.9 - okhttp 5.3.2 -> 5.4.0 - AGP 9.0.1 -> 9.2.1, Gradle wrapper 9.2.1 -> 9.6.1 core-ktx 1.19.0 and glide 5.0.9 ship minCompileSdk=37, so bump compileSdk/targetSdk 36 -> 37 (platform 37 is released/installed; no SDK 38 needed). Verified: ./gradlew :app:assembleGithubDebug passes, including the native wgbridge-rs build. #631 android_logger 0.14 -> 0.15: no API change for our call site (with_max_level/with_tag/init_once unchanged). Cargo.toml only. #630 getrandom 0.2 -> 0.3: renamed free fn getrandom() -> fill(); update the single call site in keys.rs. getrandom 0.3.4 was already in the tree via gotatun's rand 0.9 path, so this adds no new version. Verified: cargo build + cargo test (18/18) on host, and cargo ndk arm64 cross-compile of the combined tree. Not included (need manual work, see PR body): - #629 jni 0.21 -> 0.22: compiles only after a full FFI-layer rewrite; needs on-device testing. - #632 gotatun 0.7.2 -> 0.8.0: removes the public AsFd on UdpSocket used for VpnService.protect(); workaround regresses the optimized UDP datapath. Defer / file upstream for a public fd accessor. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This was referenced Jul 11, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Triage of the five open Dependabot PRs (#629, #630, #631, #632, #633). Each was investigated in an isolated worktree and its fix compiled + tested. This PR carries the three that are verified green and documents the two that need manual work (left as their own Dependabot PRs).
All five were red in CI. The common thread: four of them (#629–#632) touch the shared Rust crate
wgbridge-rs, and #633 was blocked by an unrelatedcompileSdkfloor. None were safe to merge blind.✅ Included in this PR (verified green)
#633 — gradle-minor-patch group (8 updates)
androidx.core:core-ktx1.18.0 → 1.19.0com.google.android.material1.13.0 → 1.14.0androidx.lifecycle2.10.0 → 2.11.0glide5.0.7 → 5.0.9okhttp5.3.2 → 5.4.0Why CI failed:
core-ktx:1.19.0andglide:5.0.9declareminCompileSdk=37(confirmed from their AAR metadata), but the project was oncompileSdk = 36, so:app:checkGithubDebugAarMetadatafailed. AGP ≥9.1.0 is also required — the group's bump to 9.2.1 satisfies that.Fix: bump
compileSdk/targetSdk36 → 37. Platform 37 is released and installed; SDK 38 is not needed (correcting an earlier assumption).targetSdkmoved in lockstep withcompileSdk, matching this file's existing convention — this is the one judgment call, since onlycompileSdkis strictly forced by the AAR metadata.Verified:
./gradlew :app:assembleGithubDebug→ BUILD SUCCESSFUL, including the nativewgbridge-rsbuild via cargo-ndk.#631 — android_logger 0.14 → 0.15
Not breaking for our single call site in
jni_bindings.rs(Config::with_max_level/with_tag/init_onceare unchanged in 0.15). Cargo.toml + lock only, no code change. Verified viacargo ndkarm64 cross-compile.#630 — getrandom 0.2 → 0.3
0.3 renamed the free function
getrandom::getrandom()→getrandom::fill(). Updated the single call site inkeys.rs(WireGuard private-key generation). getrandom 0.3.4 was already in the tree viagotatun → rand 0.9 → rand_core 0.9, so this adds no new version; 0.2.17 remains forring/chacha20poly1305. Not blocked by any other dep. Verifiedcargo build+cargo test(18/18) + arm64 cross-compile.#629 — jni 0.21 → 0.22 · fix exists, needs on-device test
jni 0.22 is a ground-up API redesign, not a signature tweak:
JNIEnvsplit intoEnvUnowned/Env(closure-basedwith_envupgrade +ErrorPolicy), closure-based thread attachment (attach_current_thread_permanentlyremoved),GlobalRef→Global<T>,call_methodnow takes compile-timejni_str!/jni_sig!, andjbooleanchanged fromu8tobool.A full rewrite of
jni_bindings.rswas produced that compiles cleanly for all four ABIs and preserves the exported FFI symbols (verified withllvm-nmagainst the Kotlinnativedeclarations). But it changes runtime semantics (exception propagation viaThrowRuntimeExAndDefault, worker thread attach/detach lifecycle) on the most safety-critical FFI path. Recommendation: review + on-device test (tunnel start/stop, key gen, DNS recording) before merging. Too large for a rubber-stamp. The ready fix can be dropped in when someone can validate on a device.#632 — gotatun 0.7.2 → 0.8.0 · defer / file upstream
Root cause: 0.8.0 made
UdpSocket's inner an opaque enum (Socket/DisabledIpv6) to support IPv4-only fallback, and removed the publicimpl AsFd for UdpSocket. There is now no public API to obtain the raw fd that our code hands to Android'sVpnService.protect(fd)— this is our loop-prevention / socket-protection path.A workaround compiles (bind our own
tokio::net::UdpSocket, protect it, implement gotatun'sUdpSend/UdpRecvon it), but it swaps gotatun's optimized Linux datapath (sendmmsg/recvmmsg+ UDP GRO) for per-packet send/recv — more syscalls/wakeups under load, which is a direct throughput and battery/radio-wakeup concern for this app. Recommendation: don't merge as-is. Preferred path: file an upstream request for a public fallible fd accessor (e.g.UdpSocket::as_raw_fd() -> Option<RawFd>) so the optimized datapath is retained, and defer #632 until then. gotatun also migrated internal logginglog→tracing(lock churn only) and addedDeviceBuilder::suspended(additive).Verification summary
assembleGithubDebugpasses (incl. native build)Suggested follow-up
🤖 Generated with Claude Code