Skip to content

chore(deps): update dependencies and improve robustness#835

Merged
da2ce7 merged 7 commits into
torrust:developfrom
da2ce7:20260319_update_deps
Mar 19, 2026
Merged

chore(deps): update dependencies and improve robustness#835
da2ce7 merged 7 commits into
torrust:developfrom
da2ce7:20260319_update_deps

Conversation

@da2ce7
Copy link
Copy Markdown
Contributor

@da2ce7 da2ce7 commented Mar 19, 2026

Summary

Update multiple Rust dependencies to their latest versions, including several
major version bumps, and implement two robustness improvements:

  • Embed verify-email template as compile-time default with file override
  • Isolate configuration test from environment using figment::Jail

Dependency Updates

Major Version Bumps

  • derive_more: v1 → v2 (with convert_case dependency)
  • jsonwebtoken: v9 → v10 (adds rust_crypto feature, replaces ring with pure-Rust crypto)
  • thiserror: v1 → v2 (in main crate and located-error package)
  • toml: v0 → v1 (toml 1.0 spec compliance)
  • which: v6 → v8 (simplified dependencies, drops winsafe)

Significant Updates

  • clap: 4.5 → 4.6 (anstream 1.0, anstyle-parse 1.0)
  • tokio: 1.49 → 1.50
  • chrono: 0.4.43 → 0.4.44
  • uuid: 1.21 → 1.22
  • aws-lc-rs: 1.15 → 1.16 (aws-lc-sys 0.37 → 0.38)
  • rustls: 0.23.36 → 0.23.37
  • serde_with: 3.16 → 3.18
  • tracing-subscriber: 0.3.22 → 0.3.23
  • wasm-bindgen family: 0.2.108 → 0.2.114
  • tempfile: 3.25 → 3.27
  • many other transitive dependency updates

Functional Improvements

Verify-Email Template Embedding

  • Added VERIFY_EMAIL_DEFAULT constant with include_str! for compile-time embedding
  • Template loading now attempts templates/verify.html from working directory first
  • Falls back to embedded default if file is absent
  • Uses add_raw_template instead of add_template_file for consistency

Configuration Test Isolation

  • Replaced drop(initialize_configuration()) with figment::Jail::expect_with
  • Test now loads default config from share/default/config/index.development.sqlite3.toml
  • Sets TORRUST_INDEX_CONFIG_TOML environment variable within jail
  • Eliminates dependency on external environment variables during test execution
  • Added #[allow(clippy::result_large_err)] to suppress false positive lint

Motivation

  • Security: Keep dependencies current with security patches
  • Maintenance: Reduce technical debt by updating major versions
  • Robustness: Ensure email verification works even when template file is missing
  • Test Reliability: Make configuration test deterministic and environment-independent
  • Modernization: Leverage latest features and performance improvements

Testing Performed

  • cargo check --workspace --all-targets --all-features passes
  • cargo test --workspace passes (including updated config test)
  • Verified email template fallback behavior with missing file
  • Confirmed jsonwebtoken v10 with rust_crypto feature works correctly

Breaking Changes

None. All updates maintain backward compatibility:

  • jsonwebtoken v10 maintains same API with pure-Rust crypto backend
  • derive_more v2 preserves existing derive macros
  • thiserror v2 is source-compatible with v1
  • toml v1 maintains spec 1.0 compatibility
  • Template fallback ensures existing deployments continue working

Migration Needed

  • No action required for existing users
  • Deployers can optionally place templates/verify.html to customize email template
  • Developers should run cargo update to sync local lockfile

References

Copilot AI review requested due to automatic review settings March 19, 2026 05:07
Copilot AI reviewed Mar 19, 2026
View reviewed changes
Copy link
Copy Markdown

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates a broad set of Rust dependencies (including several major-version bumps) and adds two robustness improvements: embedding the verify-email template in the binary with an optional on-disk override, and making the configuration bootstrap test deterministic by isolating environment variables with figment::Jail.

Changes:

  • Bump multiple dependencies across the workspace, including derive_more v2, jsonwebtoken v10 (+rust_crypto), thiserror v2, toml v1, and which v8.
  • Embed templates/verify.html into the binary and load an on-disk templates/verify.html only if present.
  • Update the default-config bootstrap test to use figment::Jail and inject the default TOML via TORRUST_INDEX_CONFIG_TOML.

Reviewed changes

Copilot reviewed 4 out of 5 changed files in this pull request and generated 1 comment.

Show a summary per file
File Description
src/tests/bootstrap/config.rs Makes the config bootstrap test environment-independent via figment::Jail and embedded default TOML.
src/mailer.rs Adds a compiled-in default verify-email template and runtime override loading from the working directory.
packages/located-error/Cargo.toml Updates thiserror dev-dependency to v2 to match the workspace upgrade.
Cargo.toml Updates primary dependency versions/features (notably jsonwebtoken v10 with rust_crypto).
Cargo.lock Refreshes the lockfile for all direct/transitive dependency upgrades.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review. Take the survey.

Comment thread src/mailer.rs
@codecov
Copy link
Copy Markdown

codecov Bot commented Mar 19, 2026
edited
Loading

Codecov Report

❌ Patch coverage is 42.85714% with 4 lines in your changes missing coverage. Please review.
✅ Project coverage is 52.18%. Comparing base (f626613) to head (103d55f).
⚠️ Report is 8 commits behind head on develop.

Files with missing lines Patch % Lines
src/mailer.rs 42.85% 4 Missing ⚠️
Additional details and impacted files 
@@             Coverage Diff             @@
##           develop     #835      +/-   ##
===========================================
+ Coverage    52.13%   52.18%   +0.04%     
===========================================
  Files          117      117              
  Lines         6199     6205       +6     
  Branches      6199     6205       +6     
===========================================
+ Hits          3232     3238       +6     
- Misses        2886     2887       +1     
+ Partials        81       80       -1

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

da2ce7 added 7 commits March 19, 2026 07:08
@da2ce7
fix: embed verify-email template as compiled-in default
b13bf98 
The Tera `add_template_file` call required `templates/verify.html` to
exist on disk relative to the working directory, which broke
containerised and relocated deployments.

Embed the template at compile time via `include_str!` and fall back to
it when the file is absent.  Deployers can still override the template
by placing a file at `templates/verify.html`.

Also isolate the `it_should_load_with_default_config` test inside a
`figment::Jail` so it no longer depends on ambient environment variables
or a config file on disk.
@da2ce7
chore: update dependencies
68be605 
$ cargo update --verbose
    Updating crates.io index
     Locking 67 packages to latest compatible versions
    Updating anstream v0.6.21 -> v1.0.0
    Updating anstyle v1.0.13 -> v1.0.14
    Updating anstyle-parse v0.2.7 -> v1.0.0
    Updating anyhow v1.0.101 -> v1.0.102
    Updating async-compression v0.4.39 -> v0.4.41
    Updating aws-lc-rs v1.15.4 -> v1.16.1
    Updating aws-lc-sys v0.37.1 -> v0.38.0
    Updating bumpalo v3.19.1 -> v3.20.2
   Unchanged camino v1.1.12 (available: v1.2.2)
    Updating cc v1.2.56 -> v1.2.57
    Updating chrono v0.4.43 -> v0.4.44
    Updating clap v4.5.59 -> v4.6.0
    Updating clap_builder v4.5.59 -> v4.6.0
    Updating clap_derive v4.5.55 -> v4.6.0
    Updating clap_lex v1.0.0 -> v1.1.0
    Updating colorchoice v1.0.4 -> v1.0.5
    Updating compression-codecs v0.4.36 -> v0.4.37
    Updating darling v0.21.3 -> v0.23.0
    Updating darling_core v0.21.3 -> v0.23.0
    Updating darling_macro v0.21.3 -> v0.23.0
    Updating deranged v0.5.6 -> v0.5.8
   Unchanged derive_more v1.0.0 (available: v2.1.1)
   Unchanged generic-array v0.14.7 (available: v0.14.9)
    Updating getrandom v0.4.1 -> v0.4.2
    Updating ipnet v2.11.0 -> v2.12.0
    Updating js-sys v0.3.85 -> v0.3.91
   Unchanged jsonwebtoken v9.3.1 (available: v10.3.0)
    Updating libc v0.2.182 -> v0.2.183
    Updating libredox v0.1.12 -> v0.1.14
    Updating linux-raw-sys v0.11.0 -> v0.12.1
   Unchanged matchit v0.8.4 (available: v0.8.6)
    Updating native-tls v0.2.16 -> v0.2.18
    Updating once_cell v1.21.3 -> v1.21.4
    Updating openssl v0.10.75 -> v0.10.76
    Updating openssl-sys v0.9.111 -> v0.9.112
    Updating pin-project-lite v0.2.16 -> v0.2.17
      Adding plain v0.2.3
    Updating quinn-proto v0.11.13 -> v0.11.14
    Updating quote v1.0.44 -> v1.0.45
      Adding r-efi v6.0.0
    Updating redox_syscall v0.7.1 -> v0.7.3
    Updating regex-syntax v0.8.9 -> v0.8.10
    Updating rustix v1.1.3 -> v1.1.4
    Updating rustls v0.23.36 -> v0.23.37
    Updating schannel v0.1.28 -> v0.1.29
    Updating security-framework v3.6.0 -> v3.7.0
    Updating security-framework-sys v2.16.0 -> v2.17.0
    Updating serde_with v3.16.1 -> v3.18.0
    Updating serde_with_macros v3.16.1 -> v3.18.0
    Updating socket2 v0.6.2 -> v0.6.3
    Updating syn v2.0.116 -> v2.0.117
    Updating tempfile v3.25.0 -> v3.27.0
   Unchanged thiserror v1.0.69 (available: v2.0.18)
    Updating tinyvec v1.10.0 -> v1.11.0
    Updating tokio v1.49.0 -> v1.50.0
    Updating tokio-macros v2.6.0 -> v2.6.1
   Unchanged toml v0.9.12+spec-1.1.0 (available: v1.0.7+spec-1.1.0)
    Updating toml_parser v1.0.9+spec-1.1.0 -> v1.0.10+spec-1.1.0
    Updating toml_writer v1.0.6+spec-1.1.0 -> v1.0.7+spec-1.1.0
    Updating tracing-subscriber v0.3.22 -> v0.3.23
    Updating uuid v1.21.0 -> v1.22.0
    Updating wasm-bindgen v0.2.108 -> v0.2.114
    Updating wasm-bindgen-futures v0.4.58 -> v0.4.64
    Updating wasm-bindgen-macro v0.2.108 -> v0.2.114
    Updating wasm-bindgen-macro-support v0.2.108 -> v0.2.114
    Updating wasm-bindgen-shared v0.2.108 -> v0.2.114
    Updating wasm-bindgen-test v0.3.58 -> v0.3.64
    Updating wasm-bindgen-test-macro v0.3.58 -> v0.3.64
    Updating wasm-bindgen-test-shared v0.2.108 -> v0.2.114
    Updating web-sys v0.3.85 -> v0.3.91
   Unchanged which v6.0.3 (available: v8.0.2)
    Removing winnow v0.7.14
      Adding winnow v0.7.15
      Adding winnow v1.0.0
    Updating zerocopy v0.8.39 -> v0.8.42
    Updating zerocopy-derive v0.8.39 -> v0.8.42
@da2ce7
chore(deps): update toml next major version (v1)
c400936
@da2ce7
chore(deps): update thiserror next major version (v2)
519fbad
@da2ce7
chore(deps): update derive_more next major version (v2)
e7811f2
@da2ce7
chore(deps): update jsonwebtoken next major version (v10)
19a96c6
@da2ce7
chore(deps): update which next major version from (v6) to (v8)
103d55f
@da2ce7 da2ce7 force-pushed the 20260319_update_deps branch from 733634a to 103d55f Compare March 19, 2026 06:09
@da2ce7
Copy link
Copy Markdown
Contributor Author

da2ce7 commented Mar 19, 2026

ACK 103d55f

@da2ce7 da2ce7 merged commit b5a40b6 into torrust:develop Mar 19, 2026
16 of 17 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@da2ce7