
Update outdated dependencies#37

Merged
iainmcgin merged 3 commits into main from iain/dep-updates on Apr 2, 2026

Conversation

@iainmcgin (Collaborator) commented Apr 2, 2026

Summary

Bumps direct dependencies that were several majors behind (per deps.rs) and pins direct deps to security-advisory floors while preserving each crate's major caret. cargo update refreshes the rest of the transitives.

Direct deps bumped (major)

| Dep | Old | New | Notes |
|---|---|---|---|
| rcgen | 0.13 | 0.14 | API migration in two test files (see below) |
| webpki-roots | 0.26 | 1 | No code changes — TLS_SERVER_ROOTS API surface unchanged |
| pprof | 0.14 | 0.15 | No code changes |
| rand | 0.9 | 0.10 | Rng trait split into Rng + RngExt in 0.10 — random_range moved to RngExt, so the import changes accordingly |

rcgen 0.14 migration

CertificateParams::signed_by no longer takes (public_key, ca_cert, ca_key) — instead it takes (public_key, &Issuer). The new CertifiedIssuer::self_signed(params, key) constructor returns a value that holds both the self-signed cert (for the trust store) and the signing identity (via Deref-to-Issuer for issuing leaves), so it's a clean drop-in for the "CA that needs to both sign leaves and be added to a root store" pattern in peer_certs_reach_handler.

The CertifiedKey::key_pair field was also renamed to signing_key (used in tests/streaming).

Security-advisory pins

Pinned to the patched floor while keeping the original major caret semantics:

| Dep | Old | New | Advisory |
|---|---|---|---|
| tracing-subscriber | 0.3 | 0.3.20 | RUSTSEC-2025-0055 — ANSI escape sequence injection in logged user input |
| regex | 1 | 1.5.5 | RUSTSEC-2022-0013 — DoS via complex regex parsing |

0.3.20 is still a caret pin (>=0.3.20, <0.4.0); same shape as before, just with a higher floor. Same for 1.5.5. Touched in conformance, eliza, and multiservice for tracing-subscriber; eliza only for regex.

Held back

criterion stays at 0.5 — pprof 0.15 still pins criterion ^0.5 for its PProfProfiler bench integration. Bumping criterion past 0.5 would mean giving up the bench-time profiler hook. Worth revisiting once pprof loosens that constraint.

Transitive updates (selected)

cargo update picked up many compatible bumps: tokio 1.49 → 1.50, hyper 1.8 → 1.9, zerocopy 0.8.40 → 0.8.48, tempfile 3.26 → 3.27, plus the usual icu/wasm-bindgen/symbolic refreshes. Cargo.lock is gitignored (library workspace) so the lockfile diff isn't in this PR, but these will all be picked up on the next cargo build against the new Cargo.toml constraints.

Test Plan

  • task fmt, task clippy --workspace --all-features -- -D warnings, task test --workspace --all-features — all clean.
  • All six conformance suites at the expected counts:
    • Server default: 3600/3600
    • Server connect-only: 1192/1192
    • Server connect-tls: 2396/2396
    • Client Connect: 2580/2580
    • Client gRPC: 1454/1454
    • Client gRPC-Web: 2838/2838

Bumps direct dependencies that were several majors behind:

- rcgen 0.13 → 0.14 (workspace + tests/streaming dev-dep). Migrates the
  CertificateParams::signed_by API: leaf certs are now signed against an
  Issuer instead of taking the (cert, key) pair directly. Uses
  CertifiedIssuer::self_signed for the CA so the same value yields both
  the trust-store cert and the signing identity. Also renames the
  CertifiedKey::key_pair field to signing_key in tests/streaming.
- webpki-roots 0.26 → 1 (eliza example). No code changes — the
  TLS_SERVER_ROOTS API surface is unchanged.
- pprof 0.14 → 0.15 (rpc bench harness). No code changes.
- rand 0.9 → 0.10 (eliza example). The Rng trait is split into Rng +
  RngExt in 0.10; random_range moved to RngExt, so the import changes
  from rand::Rng to rand::RngExt.

Pins direct deps to security-advisory floors while preserving the same
caret major:

- tracing-subscriber 0.3 → 0.3.20 (conformance, eliza, multiservice).
  RUSTSEC-2025-0055: ANSI escape sequence injection via logged user input.
  Fixed in 0.3.20.
- regex 1 → 1.5.5 (eliza). RUSTSEC-2022-0013: DoS via complex regex
  parsing. Fixed in 1.5.5.

criterion stays at 0.5 because pprof 0.15 still pins criterion ^0.5 for
its PProfProfiler integration; bumping criterion past 0.5 would mean
giving up the bench-time profiler hook.

Many transitive deps refreshed via cargo update — notably tokio
1.49 → 1.50 and hyper 1.8 → 1.9.

Cargo.lock is gitignored (library workspace) so the lockfile changes
don't show up in this commit.

All 37 test results pass; all six conformance suites pass at the
expected counts (3600/1192/2396 server, 2580/1454/2838 client).
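The advisory pins in the description and the commit message above raise only the floor of each caret requirement (`0.3` to `0.3.20`, `1` to `1.5.5`) and keep the upper bound fixed. The Rust program below is an added example, not code from this PR or from the project: it implements Cargo's caret-expansion rule for a requirement string and checks the resulting range against an advisory's patched version, reporting whether the floor still admits affected releases or whether the patched release lies outside the caret range (in which case a floor bump alone cannot help). It assumes, as the page states for both advisories, that every release below the patched version is affected; the names `caret_range`, `assess` and `Verdict` are mine, and the cases in `main` are the page's own two pins before and after the change.

```rust
// Added example: checks whether a Cargo caret requirement's floor reaches an
// advisory's patched release without changing the requirement's upper bound.
use std::fmt;

/// A concrete semver triple (pre-release and build metadata are not needed here).
/// Derived Ord compares fields left to right, which is semver precedence for triples.
#[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord)]
pub struct Version(pub u64, pub u64, pub u64);

impl fmt::Display for Version {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        write!(f, "{}.{}.{}", self.0, self.1, self.2)
    }
}

/// Parses a full "major.minor.patch" string, e.g. "1.5.5". Returns None on malformed input.
pub fn parse_version(s: &str) -> Option<Version> {
    let parts: Vec<u64> = s.trim().split('.').map(|p| p.parse::<u64>().ok()).collect::<Option<Vec<u64>>>()?;
    if parts.len() != 3 {
        return None;
    }
    Some(Version(parts[0], parts[1], parts[2]))
}

/// Half-open range [floor, upper) that a Cargo caret requirement resolves to.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
pub struct CaretRange {
    pub floor: Version,
    pub upper: Version,
}

/// Expands a Cargo requirement such as "0.3.20", "^1", "0.26" or "^0.0.3" into its caret
/// range. Cargo's rule: the upper bound increments the leftmost non-zero component that
/// was written; if every written component is zero, the last written component is incremented.
pub fn caret_range(req: &str) -> Option<CaretRange> {
    let req = req.trim().trim_start_matches('^');
    let parts: Vec<u64> = req.split('.').map(|p| p.parse::<u64>().ok()).collect::<Option<Vec<u64>>>()?;
    if parts.is_empty() || parts.len() > 3 {
        return None;
    }
    let major = parts[0];
    let minor = parts.get(1).copied();
    let patch = parts.get(2).copied();
    let floor = Version(major, minor.unwrap_or(0), patch.unwrap_or(0));
    let upper = match (major, minor, patch) {
        (m, _, _) if m > 0 => Version(m + 1, 0, 0),           // ^1.5.5 -> <2.0.0
        (_, Some(mi), _) if mi > 0 => Version(0, mi + 1, 0),  // ^0.3.20 -> <0.4.0
        (_, Some(_), Some(p)) => Version(0, 0, p + 1),        // ^0.0.3 -> <0.0.4
        (_, Some(_), None) => Version(0, 1, 0),               // ^0.0 -> <0.1.0
        (_, None, _) => Version(1, 0, 0),                     // ^0 -> <1.0.0
    };
    Some(CaretRange { floor, upper })
}

/// Outcome of comparing a requirement against an advisory's patched release.
#[derive(Debug, PartialEq, Eq)]
pub enum Verdict {
    /// Every version the requirement admits is at or above the patched release.
    FloorAtOrAbovePatch,
    /// The requirement still admits releases older than the patched one.
    AdmitsVulnerable { floor: Version },
    /// The patched release is outside the caret range; raising the floor alone cannot fix this.
    PatchOutsideRange { upper: Version },
}

/// Assumes, as the advisories on this page state, that every release below `patched` is affected.
pub fn assess(req: &str, patched: &str) -> Option<Verdict> {
    let range = caret_range(req)?;
    let patched = parse_version(patched)?;
    Some(if patched >= range.upper {
        Verdict::PatchOutsideRange { upper: range.upper }
    } else if range.floor < patched {
        Verdict::AdmitsVulnerable { floor: range.floor }
    } else {
        Verdict::FloorAtOrAbovePatch
    })
}

fn main() {
    // Constructed sample: the two advisory pins from this PR, before and after the change.
    let cases = [
        ("tracing-subscriber", "0.3", "0.3.20"),
        ("tracing-subscriber", "0.3.20", "0.3.20"),
        ("regex", "1", "1.5.5"),
        ("regex", "1.5.5", "1.5.5"),
    ];
    for (name, req, patched) in cases {
        let r = caret_range(req).expect("valid requirement");
        let verdict = assess(req, patched).expect("valid inputs");
        println!("{name} = \"{req}\" -> >={}, <{} : {:?}", r.floor, r.upper, verdict);
    }
}
```

The reason to check the manifest floor rather than only running `cargo audit` (which audits `Cargo.lock`) is the situation the description notes: this workspace gitignores `Cargo.lock`, so a downstream resolution is bounded only by the `Cargo.toml` constraints, and a floor below the patched release leaves a consumer free to resolve an affected version.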
@iainmcgin iainmcgin marked this pull request as ready for review April 2, 2026 18:44
@iainmcgin iainmcgin requested a review from rpb-ant April 2, 2026 18:45
rpb-ant
rpb-ant previously approved these changes Apr 2, 2026
Comment thread tests/streaming/Cargo.toml
Comment thread examples/multiservice/Cargo.toml Outdated
@iainmcgin iainmcgin enabled auto-merge (squash) April 2, 2026 20:33
@iainmcgin iainmcgin merged commit ab2974f into main Apr 2, 2026
10 checks passed
@github-actions github-actions bot locked and limited conversation to collaborators Apr 2, 2026