chore(deps): apply available major bumps (sha2 0.11, rand 0.10) and tighten maintenance spec #106
Merged
The prior maintenance pass (#105) only ran 'cargo update', which is SemVer-compatible by definition and skipped two available major bumps. Take them now:

- sha2 0.10 -> 0.11: drop-in for our 'Digest + Sha256' usage; no source change needed.
- rand 0.8 -> 0.10: 'rand::thread_rng()' was removed and 'RngCore' is no longer re-exported at the crate root. Switch the bot-auth nonce generator to 'let bytes: [u8; 32] = rand::random();' which is the idiomatic 0.10 API for fixed-size random arrays.

Also update specs/maintenance.md so future maintenance passes explicitly include major bumps via 'cargo upgrade --incompatible', not just lockfile refresh, with a callout for any deferred upgrade.

Tested with and without the optional bot-auth feature: clippy clean under both, all 280+ unit/integration/doctests green, release build OK.
What

Follow-up to #105. That PR only ran 'cargo update', which by definition is SemVer-compatible and skipped the two available major bumps. Apply them now and tighten the maintenance spec so this doesn't recur.

- sha2 0.10 → 0.11 (bot-auth feature)
- rand 0.8 → 0.10 (bot-auth feature)
- specs/maintenance.md §1 rewritten to require evaluating and applying available major bumps via 'cargo upgrade --incompatible', with deferred bumps called out explicitly in PR + changelog.

Why

The maintenance spec already said "Major version upgrades are allowed; review changelogs for breaking changes and adapt code accordingly" — but the wording let a partial pass slip through. Tighten it so future passes (human or agent) treat major bumps as a mandatory checklist item, not a stretch goal.

For the actual bumps: keeps the optional bot-auth feature on supported upstream crypto/RNG versions and avoids drifting onto unmaintained 0.8/0.10 lines.

How

- sha2 0.11 is API-compatible for our 'Digest + Sha256' usage; no source change.
- rand 0.10 removed 'rand::thread_rng()' and no longer re-exports 'RngCore' at the crate root. Switched 'bot_auth::generate_nonce' from 'rand::thread_rng().fill_bytes(&mut bytes)' to 'let bytes: [u8; 32] = rand::random();' — the idiomatic 0.10 API for fixed-size random arrays. Same cryptographic source (ThreadRng → OsRng chain), same 32-byte nonce.
- '--features bot-auth'. Both pass clippy '-D warnings', all 280+ tests, doctests, release build.

Risk

- generate_nonce) is functionally equivalent. Bot-auth feature is opt-in, no default-feature consumer affected.
- rand_core 0.6 internally; cargo resolves it side-by-side with rand 0.10 which uses rand_core 0.9. No conflict at link time.

Checklist

- cargo fmt --all -- --check
- cargo clippy --workspace --all-targets --features bot-auth -- -D warnings
- cargo test --workspace --exclude fetchkit-python (default features)
- cargo test --workspace --exclude fetchkit-python --features bot-auth
- RUSTDOCFLAGS="-D warnings" cargo doc --workspace --exclude fetchkit-python --features bot-auth --no-deps
- cargo build --workspace --exclude fetchkit-python --release --features bot-auth
- specs/maintenance.md updated
- CHANGELOG.md [Unreleased] updated

Generated by Claude Code
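The Risk note in the description mentions rand_core 0.6 and rand_core 0.9 resolving side by side after the rand bump. As an added example (not code from this PR or the project), this std-only Rust program lists every crate that a Cargo.lock resolves on more than one SemVer-incompatible line, which is what a reviewer would check for RNG and crypto crates after a major bump. The lockfile excerpt is constructed and its patch versions are assumptions.

```rust
use std::collections::{BTreeMap, BTreeSet};

// Constructed Cargo.lock excerpt, not the project's real lockfile; patch versions are assumed.
const SAMPLE_LOCK: &str = r#"
[[package]]
name = "rand"
version = "0.10.0"
[[package]]
name = "rand_core"
version = "0.6.4"
[[package]]
name = "rand_core"
version = "0.9.3"
"#;

/// Cargo's compatibility line: "1" for 1.x.y, "0.6" for 0.6.y, "0.0.3" for 0.0.3.
fn compat_line(version: &str) -> String {
    let parts: Vec<&str> = version.split('.').collect();
    match parts.as_slice() {
        ["0", "0", patch, ..] => format!("0.0.{patch}"),
        ["0", minor, ..] => format!("0.{minor}"),
        _ => parts[0].to_string(),
    }
}

/// Parses a `key = "value"` line as it appears in a Cargo.lock package table.
fn field<'a>(line: &'a str, key: &str) -> Option<&'a str> {
    let rest = line.strip_prefix(key)?.trim_start().strip_prefix('=')?;
    rest.trim().strip_prefix('"')?.strip_suffix('"')
}

/// Crates resolved on more than one SemVer-incompatible line, with the lines found.
fn duplicated_lines(lock: &str) -> BTreeMap<String, BTreeSet<String>> {
    let mut seen: BTreeMap<String, BTreeSet<String>> = BTreeMap::new();
    let mut name: Option<String> = None;
    for line in lock.lines().map(str::trim) {
        if let Some(v) = field(line, "name") {
            name = Some(v.to_string());
        } else if let (Some(n), Some(v)) = (&name, field(line, "version")) {
            seen.entry(n.clone()).or_default().insert(compat_line(v));
        }
    }
    seen.retain(|_, lines| lines.len() > 1);
    seen
}

fn main() {
    println!("{:?}", duplicated_lines(SAMPLE_LOCK));
}
```

On a real workspace, `cargo tree --duplicates` gives the same view together with the dependency paths that pull each version in.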