Skip to content

chore(deps): update rust crates (major)#1783

Open
renovate[bot] wants to merge 2 commits into
mainfrom
renovate/major-rust-crates
Open

chore(deps): update rust crates (major)#1783
renovate[bot] wants to merge 2 commits into
mainfrom
renovate/major-rust-crates

Conversation

@renovate

@renovate renovate Bot commented Jun 7, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Type Update Change
junction workspace.dependencies major 1.4.12.0.0
zip workspace.dependencies major 7.28.0

Configuration

📅 Schedule: (in timezone Asia/Shanghai)

  • Branch creation
    • "before 10am on monday"
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate

renovate Bot commented Jun 7, 2026

Copy link
Copy Markdown
Contributor Author

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: Cargo.lock
Command failed: cargo update --config net.git-fetch-with-cli=true --manifest-path Cargo.toml --workspace
error: failed to load manifest for workspace member `/tmp/renovate/repos/github/voidzero-dev/vite-plus/packages/cli/binding`
referenced by workspace at `/tmp/renovate/repos/github/voidzero-dev/vite-plus/Cargo.toml`

Caused by:
  failed to load manifest for dependency `rolldown_binding`

Caused by:
  failed to read `/tmp/renovate/repos/github/voidzero-dev/vite-plus/rolldown/crates/rolldown_binding/Cargo.toml`

Caused by:
  No such file or directory (os error 2)

@netlify

netlify Bot commented Jun 7, 2026

Copy link
Copy Markdown

Deploy Preview for viteplus-preview canceled.

Name Link
🔨 Latest commit 300ca25
🔍 Latest deploy log https://app.netlify.com/projects/viteplus-preview/deploys/6a4d18bfceb4ff00085aa0c3

@renovate renovate Bot force-pushed the renovate/major-rust-crates branch 2 times, most recently from af3cd19 to 79e2650 Compare June 14, 2026 17:39
@renovate renovate Bot force-pushed the renovate/major-rust-crates branch 3 times, most recently from 44bd38e to bf03de2 Compare June 28, 2026 16:47
@renovate renovate Bot force-pushed the renovate/major-rust-crates branch 2 times, most recently from c4a933f to d551305 Compare July 5, 2026 16:19
@renovate renovate Bot force-pushed the renovate/major-rust-crates branch from 39a76ee to b7a203e Compare July 7, 2026 06:43
@socket-security

socket-security Bot commented Jul 7, 2026

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security
Vulnerability Quality Maintenance License
Addedcargo/​sha1@​0.11.010010093100100
Updatedcargo/​junction@​1.4.2 ⏵ 2.0.010010093100100
Updatedcargo/​zip@​7.2.0 ⏵ 8.6.0100 +110093100100

View full report

@renovate renovate Bot force-pushed the renovate/major-rust-crates branch from 91a6582 to 87b4e56 Compare July 7, 2026 15:17

fengmk2 commented Jul 7, 2026

Copy link
Copy Markdown
Member

I looked through the two dependency updates in this PR. Here is a more detailed summary of the actual changes and the risk areas.

Summary

This PR updates two Rust workspace dependencies:

-junction = "1.4.1"
+junction = "2.0.0"

-zip = "7.2"
+zip = "8.0"

However, the resolved lockfile version for zip is not 8.0.0, but 8.6.0:

[[package]]
name = "zip"
-version = "7.2.0"
+version = "8.6.0"

So I think we should review this as:

junction: 1.4.x -> 2.0.0
zip:      7.2.0 -> 8.6.0

junction update

junction is updated from 1.4.x to 2.0.0.

The main upstream behavior change in 2.0.0 is:

junction::get_target now doesn't check whether the junction's destination directory exists.

That means get_target() can now successfully return the junction target path even if the target directory no longer exists.

For vite-plus, the risk is likely not API compatibility, but behavior compatibility.

Potentially affected area:

Windows setup / upgrade / shim / junction cleanup logic

The thing we should verify is whether any code currently treats this pattern as an existence check:

if junction::get_target(path).is_ok() {
    // previously this may have implied that the target exists
}

After this update, that assumption may no longer be valid. If we need to know whether the target exists, we should check it explicitly:

let target = junction::get_target(path)?;

if !target.exists() {
    // handle stale junction target
}

Suggested validation for junction:

- Verify Windows setup flow.
- Verify Windows upgrade flow.
- Verify shim / junction replacement behavior.
- Verify cleanup behavior when the junction target directory has already been removed.
- Search call sites of junction::get_target and make sure success is not used as an implicit target-exists check.

zip update

zip is declared as:

-zip = "7.2"
+zip = "8.0"

But the lockfile resolves it to:

zip 8.6.0

So the effective update is:

zip 7.2.0 -> 8.6.0

Important upstream changes across this range include:

8.0.0:
- Migrates the crate to Rust 2024.
- Removes deprecated DateTime methods.

8.1.x - 8.6.x:
- Adds support for getting the underlying writer from ZipWriter.
- Adds file option support for reproducible archives across platforms.
- Improves extra-field parsing.
- Adds CRC32 ignore option.
- Adds unsupported-compression enum error.
- Adds [u8] filename support.
- Includes several ZIP reader / writer refactors and parsing fixes.

For vite-plus, the direct usage appears to be simple. We mainly use zip for runtime archive extraction:

let file = File::open(archive_path)?;
let mut archive = zip::ZipArchive::new(file)
    .map_err(|e| Error::ExtractionFailed {
        reason: vite_str::format!("{e}"),
    })?;

archive.extract(target_dir)
    .map_err(|e| Error::ExtractionFailed {
        reason: vite_str::format!("{e}"),
    })?;

Since we do not appear to use the removed DateTime APIs or writer APIs directly, the direct API compatibility risk looks low.

The main risks are:

- MSRV / toolchain compatibility, because zip 8.x moved to Rust 2024.
- Transitive dependency changes, because Cargo.lock resolves to zip 8.6.0, not just 8.0.0.
- Runtime ZIP extraction behavior changes, especially for Windows runtime archives.
- Default feature / crypto dependency changes from zip 8.6.0.

The lockfile also shows several dependency changes caused by the zip update, for example:

aes       -> 0.9.x
hmac      -> 0.13.x
sha1      -> 0.11.x
getrandom -> 0.4.x

So this is not only a small API bump.

Lockfile / Renovate concern

There is also an important Renovate warning in this PR:

Artifact update problem

Renovate failed to update an artifact related to this branch.
You probably do not want to merge this PR as-is.

The failure happened while updating Cargo.lock:

failed to load manifest for workspace member `packages/cli/binding`

Caused by:
  failed to load manifest for dependency `rolldown_binding`

Caused by:
  failed to read `rolldown/crates/rolldown_binding/Cargo.toml`

Caused by:
  No such file or directory

Because of this, I do not think this PR should be automerged as-is. The lockfile should be regenerated from a complete checkout where the workspace and submodule / vendored dependencies are available.

Suggested validation before merging

I suggest doing the following before merging:

cargo update -p junction -p zip
cargo test --workspace

And specifically validate:

- Windows setup / upgrade flow.
- Windows shim / junction replacement flow.
- Cleanup behavior when a junction target no longer exists.
- Runtime archive download and extraction.
- ZIP extraction for Windows runtime archives.
- Whether resolving zip = "8.0" to zip 8.6.0 is intentional.
- Whether the current Rust toolchain/MSRV is compatible with zip 8.6.0.

Recommendation

I would not automerge this PR yet.

junction looks relatively low risk, but needs a Windows behavior check around stale junction targets.

zip has simple direct usage in vite-plus, but the effective update is 7.2.0 -> 8.6.0, with Rust 2024 / MSRV and transitive dependency implications. Combined with the Renovate artifact failure for Cargo.lock, I think we should regenerate the lockfile in a complete checkout and run the Windows/runtime extraction checks before merging.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant