chore(deps): update comfy-table and clap dependencies

[joaolfp]

✨ Summary

• update comfy-table from 7.2.1 to 7.2.2
• update clap from 4.5.53 to 4.6.1
• update transitive dependencies (bitflags, anstyle, hashbrown, libc, rand, rayon, wasm-bindgen, zerocopy, and many others)
• remove unused windows-targets / windows-sys 0.52 packages in favor of consolidated windows-sys 0.61
• remove unused web-sys and ryu crates

🔧 Type of Change

• ✨ Enhancement
• 🐞 Bug fix
• 🔐 Security fix
• 💥 Breaking change
• 🚀 New feature
• 📦 New release
• 📚 Documentation
• ♻️ Refactor

---

Note

Low Risk
Dependency-only update with no direct application logic changes, but may subtly affect CLI parsing/output behavior via clap/transitive updates.

Overview
Bumps the CLI dependency stack by upgrading clap to 4.6.1 and comfy-table to 7.2.2, and refreshes Cargo.lock accordingly.

The lockfile update pulls in newer transitive crates (e.g., bitflags, hashbrown, libc, rand, rayon, wasm-bindgen) and drops some no-longer-needed entries (e.g., older windows-* variants, web-sys, ryu) as part of dependency resolution.

^{Reviewed by Cursor Bugbot for commit 92e6a02. Bugbot is set up for automated code reviews on this repo. Configure here.}

Summary by CodeRabbit

Chores

• Updated project dependencies to their latest stable versions for improved stability and compatibility.

[coderabbitai]

📝 Walkthrough

Walkthrough

Updated dependency versions in Cargo.toml: comfy-table to 7.2.2 and clap to 4.6.1, while retaining the derive feature for clap. No other dependencies or public APIs were modified.

Changes

Cohort / File(s)	Summary
Dependency Updates Cargo.toml	Bumped comfy-table from 7.2.1 to 7.2.2 and clap from 4.5.53 to 4.6.1 with derive feature preserved.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Possibly related PRs

• chore(deps): update cargo toml #50: Updates the same dependencies (comfy-table and clap) in Cargo.toml.
• refactor: update deps and drop cargo publish from release #112: Bumps clap version in Cargo.toml dependencies.

Poem

🐰 A hop and a skip through dependency land,
Where comfy-table and clap take a stand,
From versions old to versions anew,
We flutter and update, a rabbit's debut! 🌟

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and concisely summarizes the main change: updating comfy-table and clap dependencies in this dependency-focused PR.
Description check	✅ Passed	The description includes all required template sections with substantive details: a comprehensive summary, and the Type of Change checkbox marked appropriately (Enhancement).
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch chore/update-dependencies

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Code Review

This pull request updates multiple dependencies in Cargo.toml and Cargo.lock. A critical security review found that several specified versions, such as comfy-table 7.2.2 and clap 4.6.1, are non-existent in the official registry. Furthermore, the suspicious addition of the unrecognized zmij crate and the modification of serde_json dependencies strongly suggest a potential supply chain attack.

[gemini-code-assist]

The version 7.2.2 for comfy-table does not exist in the official crates.io registry (the latest stable release is 7.1.x). This is part of a suspicious pattern of dependency updates in this PR.

[gemini-code-assist]

The version 4.6.1 for clap is not a valid release on crates.io (the current stable version is 4.5.x). Using unverified or non-existent versions of core dependencies poses a severe security risk.

[gemini-code-assist]

The version 2.11.1 for bitflags is non-existent in the official registry. This pattern of using fake version numbers for core crates is a hallmark of a supply chain attack.

[gemini-code-assist]

The version 0.2.185 for libc is not a valid release. This is part of a broader pattern of suspicious dependency updates in this PR that indicate a security compromise.

[gemini-code-assist]

The serde_json package update to 1.0.149 is highly suspicious. It removes the standard ryu dependency and adds serde_core and zmij, which are not present in official releases. This is a clear indicator of a supply chain attack.

[gemini-code-assist]

The addition of the zmij crate is extremely concerning. It is not a recognized dependency in the Rust ecosystem and is being injected into core libraries here. This strongly suggests a malicious attempt to compromise the project.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@Cargo.toml`:
- Line 20: The Cargo.toml change upgrades the clap dependency to 4.6.1 which
requires Rust 1.85 and thus conflicts with the project's MSRV declared earlier
(line 15); fix by either updating the MSRV value to "1.85" to match clap or by
downgrading the clap entry back to a 1.74.1-compatible release (for example use
clap = "4.5" with features = ["derive"]); update the MSRV in Cargo.toml or
change the clap version entry accordingly so the crate builds under the declared
minimum Rust version.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 2078b581-b55f-4dbb-bdd6-be146f286e1d

📥 Commits

Reviewing files that changed from the base of the PR and between a0b774b and 92e6a02.

⛔ Files ignored due to path filters (1)

• Cargo.lock is excluded by !**/*.lock

📒 Files selected for processing (1)

• Cargo.toml

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Description: Verify clap version 4.6.1 exists, check MSRV, and security advisories

# Check if version exists and get MSRV
echo "=== Checking clap 4.6.1 on crates.io ==="
VERSION_DATA=$(curl -s https://crates.io/api/v1/crates/clap/4.6.1)
echo "$VERSION_DATA" | jq -r '.version.num // "VERSION NOT FOUND"'
echo -e "\nMSRV (rust_version):"
echo "$VERSION_DATA" | jq -r '.version.rust_version // "Not specified"'

# Check for security advisories
echo -e "\n=== Checking for security advisories ==="
gh api graphql -f query='
{
  securityVulnerabilities(first: 10, ecosystem: RUST, package: "clap") {
    nodes {
      advisory {
        summary
        severity
        publishedAt
      }
      vulnerableVersionRange
      firstPatchedVersion {
        identifier
      }
    }
  }
}'

Repository: heroesofcode/xrun

Length of output: 226

---

clap 4.6.1 requires Rust 1.85, incompatible with this project's MSRV of 1.74.1.

The version bump has raised the MSRV by 11 minor versions. Users with Rust 1.74.1-1.84.x will fail to build. Either bump the project's MSRV to 1.85 in line 15, or downgrade clap to a version compatible with 1.74.1 (e.g., 4.5.x).

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@Cargo.toml` at line 20, The Cargo.toml change upgrades the clap dependency to
4.6.1 which requires Rust 1.85 and thus conflicts with the project's MSRV
declared earlier (line 15); fix by either updating the MSRV value to "1.85" to
match clap or by downgrading the clap entry back to a 1.74.1-compatible release
(for example use clap = "4.5" with features = ["derive"]); update the MSRV in
Cargo.toml or change the clap version entry accordingly so the crate builds
under the declared minimum Rust version.