Skip to content

chore(deps): openframe-client deps (major)#1916

Open
ivan-flamingo wants to merge 1 commit into
mainfrom
renovate/major-openframe-client-deps
Open

chore(deps): openframe-client deps (major)#1916
ivan-flamingo wants to merge 1 commit into
mainfrom
renovate/major-openframe-client-deps

Conversation

@ivan-flamingo

@ivan-flamingo ivan-flamingo commented Jun 16, 2026
edited by coderabbitai Bot
Loading

Copy link
Copy Markdown
Contributor

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package Type Update Change
directories dependencies major 5.06.0
embed-resource build-dependencies major 2.43.0
rustls-pemfile dependencies major 1.02.0
thiserror dependencies major 1.02.0
toml dependencies major 0.81.0
velopack (source) dependencies major 0.0.1213-g57cf68d1.0.0
whoami (source) dependencies major 1.42.0
zip dependencies major 0.68.0

Release Notes

nabijaczleweli/rust-embed-resource (embed-resource)

v3.0.9

Compare Source

v3.0.8

Compare Source

v3.0.7

Compare Source

v3.0.6

Compare Source

v3.0.5

Compare Source

v3.0.4

Compare Source

v3.0.3

Compare Source

v3.0.2

Compare Source

v3.0.1

Compare Source

dtolnay/thiserror (thiserror)

v2.0.18

Compare Source

v2.0.17

Compare Source

  • Use differently named __private module per patch release (#​434)

v2.0.16

Compare Source

  • Add to "no-std" crates.io category (#​429)

v2.0.15

Compare Source

  • Prevent Error::provide API becoming unavailable from a future new compiler lint (#​427)

v2.0.14

Compare Source

  • Allow build-script cleanup failure with NFSv3 output directory to be non-fatal (#​426)

v2.0.13

Compare Source

  • Documentation improvements

v2.0.12

Compare Source

  • Prevent elidable_lifetime_names pedantic clippy lint in generated impl (#​413)

v2.0.11

Compare Source

v2.0.10

Compare Source

  • Support errors containing a generic type parameter's associated type in a field (#​408)

v2.0.9

Compare Source

  • Work around missing_inline_in_public_items clippy restriction being triggered in macro-generated code (#​404)

v2.0.8

Compare Source

  • Improve support for macro-generated derive(Error) call sites (#​399)

v2.0.7

Compare Source

  • Work around conflict with #[deny(clippy::allow_attributes)] (#​397, thanks @​zertosh)

v2.0.6

Compare Source

  • Suppress deprecation warning on generated From impls (#​396)

v2.0.5

Compare Source

  • Prevent deprecation warning on generated impl for deprecated type (#​394)

v2.0.4

Compare Source

v2.0.3

Compare Source

  • Support the same Path field being repeated in both Debug and Display representation in error message (#​383)
  • Improve error message when a format trait used in error message is not implemented by some field (#​384)

v2.0.2

Compare Source

  • Fix hang on invalid input inside #[error(...)] attribute (#​382)

v2.0.1

Compare Source

  • Support errors that contain a dynamically sized final field (#​375)
  • Improve inference of trait bounds for fields that are interpolated multiple times in an error message (#​377)

v2.0.0

Compare Source

Breaking changes

  • Referencing keyword-named fields by a raw identifier like {r#type} inside a format string is no longer accepted; simply use the unraw name like {type} (#​347)

    This aligns thiserror with the standard library's formatting macros, which gained support for implicit argument capture later than the release of this feature in thiserror 1.x.

    #[derive(Error, Debug)]
#[error("... {type} ...")]  // Before: {r#type}
pub struct Error {
    pub r#type: Type,
}

  • Trait bounds are no longer inferred on fields whose value is shadowed by an explicit named argument in a format message (#​345)

    // Before: impl<T: Octal> Display for Error<T>
// After: impl<T> Display for Error<T>
#[derive(Error, Debug)]
#[error("{thing:o}", thing = "...")]
pub struct Error<T> {
    thing: T,
}

  • Tuple structs and tuple variants can no longer use numerical {0} {1} access at the same time as supplying extra positional arguments for a format message, as this makes it ambiguous whether the number refers to a tuple field vs a different positional arg (#​354)

    #[derive(Error, Debug)]
#[error("ambiguous: {0} {}", $N)]
//                  ^^^ Not allowed, use #[error("... {0} {n}", n = $N)]
pub struct TupleError(i32);

  • Code containing invocations of thiserror's derive(Error) must now have a direct dependency on the thiserror crate regardless of the error data structure's contents (#​368, #​369, #​370, #​372)

Features

  • Support disabling thiserror's standard library dependency by disabling the default "std" Cargo feature: thiserror = { version = "2", default-features = false } (#​373)

  • Support using r#source as field name to opt out of a field named "source" being treated as an error's Error::source() (#​350)

    #[derive(Error, Debug)]
#[error("{source} ==> {destination}")]
pub struct Error {
    r#source: char,
    destination: char,
}

let error = Error { source: 'S', destination: 'D' };

  • Infinite recursion in a generated Display impl now produces an unconditional_recursion warning (#​359)

    #[derive(Error, Debug)]
#[error("??? {self}")]
pub struct Error;

  • A new attribute #[error(fmt = path::to::myfmt)] can be used to write formatting logic for an enum variant out-of-line (#​367)

    #[derive(Error, Debug)]
pub enum Error {
    #[error(fmt = demo_fmt)]
    Demo { code: u16, message: Option<String> },
}

fn demo_fmt(code: &u16, message: &Option<String>, formatter: &mut fmt::Formatter) -> fmt::Result {
    write!(formatter, "{code}")?;
    if let Some(msg) = message {
        write!(formatter, " - {msg}")?;
    }
    Ok(())
}

  • Enums with an enum-level format message are now able to have individual variants that are transparent to supersede the enum-level message (#​366)

    #[derive(Error, Debug)]
#[error("my error {0}")]
pub enum Error {
    Json(#[from] serde_json::Error),
    Yaml(#[from] serde_yaml::Error),
    #[error(transparent)]
    Other(#[from] anyhow::Error),
}
toml-rs/toml (toml)

v1.1.2

Compare Source

v1.1.1

Compare Source

v1.1.0

Compare Source

v1.0.7

Compare Source

v1.0.6

Compare Source

v1.0.5

Compare Source

v1.0.4

Compare Source

v1.0.3

Compare Source

v1.0.2

Compare Source

v1.0.1

Compare Source

v1.0.0

Compare Source

v0.9.12

Compare Source

v0.9.11

Compare Source

v0.9.10

Compare Source

v0.9.9

Compare Source

v0.9.8

Compare Source

v0.9.7

Compare Source

v0.9.6

Compare Source

v0.9.5

Compare Source

v0.9.4

Compare Source

v0.9.3

Compare Source

v0.9.2

Compare Source

v0.9.1

Compare Source

v0.9.0

Compare Source

velopack/velopack (velopack)

v1.2.0

Compare Source

What's Changed

Full Changelog: velopack/velopack@1.1.1...1.2.0

v1.1.1

Compare Source

What's Changed

New Contributors

Full Changelog: velopack/velopack@1.0.1...1.1.1

v1.0.1

Compare Source

What's Changed

New Contributors

Dependency Updates

Expand to see all changed dependencies

Full Changelog: velopack/velopack@0.0.1298...1.0.1

v0.0.1298

Compare Source

What's Changed

  • Fix bug in GithubSource when an access token is not provided by @​caesay in #​676

Full Changelog: velopack/velopack@0.0.1297...0.0.1298

v0.0.1297

Compare Source

What's Changed

New Contributors

Dependency Updates

Expand to see all changed dependencies

Full Changelog: velopack/velopack@0.0.1251...0.0.1297

v0.0.1251

Compare Source

What's Changed

New Contributors

Dependency Updates

Expand to see all changed dependencies

Note

PR body was truncated to here.

Configuration

📅 Schedule: (in timezone UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.

Summary by CodeRabbit

  • Chores
    • Updated multiple third-party dependencies to newer versions for improved reliability and continued maintenance.
    • Refreshed security and configuration-related libraries used by the client.
    • Upgraded packaging and Windows build tooling dependencies to align with current ecosystem releases.

@coderabbitai

coderabbitai Bot commented Jun 16, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Review Change Stack

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

  • @coderabbitai resume to resume automatic reviews.
  • @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

  • ▶️ Resume reviews
  • 🔍 Trigger review

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 72796f05-e493-47b9-a602-eadf5c574db7

📥 Commits

Reviewing files that changed from the base of the PR and between 1a3ecf0 and 14a5946.

⛔ Files ignored due to path filters (1)
  • clients/openframe-client/Cargo.lock is excluded by !**/*.lock
📒 Files selected for processing (1)
  • clients/openframe-client/Cargo.toml
🚧 Files skipped from review as they are similar to previous changes (1)
  • clients/openframe-client/Cargo.toml
📝 Walkthrough

Walkthrough

The openframe-client Cargo manifest updates several dependency version requirements, including runtime crates, rustls-pemfile, and the Windows build dependency embed-resource.

Changes

Cargo dependency upgrades

Layer / File(s) Summary
Runtime and build dependency version bumps
clients/openframe-client/Cargo.toml		 Updates multiple dependency version requirements in the crate manifest, including thiserror, directories, toml, zip, velopack, whoami, rustls-pemfile, and embed-resource.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

A bunny hopped by the Cargo trail,
and nudged each version with a happy tail.
toml and zip took a brighter leap,
while embed-resource woke from sleep.
Thump-thump—new crates, tidy and neat!

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the main change: a major dependency update for openframe-client.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch renovate/major-openframe-client-deps

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@github-actions

github-actions Bot commented Jun 16, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Allure Report follow link:
https://flamingo-stack.github.io/openframe-oss-tenant/allure/1916/

📈 Test status: skipped

@ivan-flamingo ivan-flamingo force-pushed the renovate/major-openframe-client-deps branch 14 times, most recently from b2a536e to cdff232 Compare June 18, 2026 20:22
coderabbitai[bot]
coderabbitai Bot reviewed Jun 18, 2026
View reviewed changes

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@clients/openframe-client/Cargo.toml`:
- Line 54: Verify that the UpdateManager and related velopack APIs used in
clients/openframe-client/src/updater.rs are compatible with velopack 1.0.0
breaking changes. Review the updater implementation for any usage of renamed CLI
arguments (such as --signSkipDll which is now --signExclude), internal API
changes, and verify that the vpk CLI version installed in the development
environment matches the velopack 1.0.0 library version requirement. Test the
update functionality to ensure it works correctly with the upgraded version.
- Line 82: The rustls-pemfile 2.0 upgrade changed the certs() function to return
an iterator instead of a collection. In local_tls_config_provider.rs, find the
call to rustls_pemfile::certs() that currently passes the result directly to
context(). Update this code to collect the iterator into a Result type first by
calling collect with the type annotation Result<Vec<_>, _> before applying the
context method for error handling.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: 11b9245f-8afd-4f55-98f2-6f8670083959

📥 Commits

Reviewing files that changed from the base of the PR and between 6ea25fb and cdff232.

⛔ Files ignored due to path filters (1)
  • clients/openframe-client/Cargo.lock is excluded by !**/*.lock
📒 Files selected for processing (1)
  • clients/openframe-client/Cargo.toml

Comment thread clients/openframe-client/Cargo.toml
Comment thread clients/openframe-client/Cargo.toml
bytes = "1.10.1"
async-nats = { git = "https://github.com/flamingo-stack/nats.rs.git", branch = "main", features = ["websockets"] }
rustls-pemfile = "1.0"
rustls-pemfile = "2.0"

@coderabbitai coderabbitai Bot Jun 18, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Find rustls-pemfile usage
echo "=== rustls-pemfile usage ==="
rg -n "rustls_pemfile" --type rust -C 3
rg -n "use.*pemfile" --type rust -C 2

# Find embed-resource usage (typically in build.rs)
echo "=== embed-resource usage ==="
fd -e rs "build.rs" --exec cat {}

Repository: flamingo-stack/openframe-oss-tenant

Length of output: 1804

🌐 Web query:

rustls-pemfile 2.0 breaking changes rust

💡 Result:

The rustls-pemfile crate reached version 2.0.0 in November 2023 [1], introducing significant changes as the project transitioned to using the rustls-pki-types crate for its core functionality [2]. Key breaking changes in the 2.0.0 release included: Integration with rustls-pki-types: The crate began using types from the rustls-pki-types crate to improve API stability [2]. Item Enum Renaming: The Item enum variants were renamed to better align with the new type system [2]. Specifically, the variants were changed as follows: Item::RSAKey became Item::Pkcs1Key [2] Item::PKCS8Key became Item::Pkcs8Key [2] Item::ECKey became Item::Sec1Key [2] Important Note on Status: As of mid-2025, the rustls-pemfile crate is officially unmaintained and the repository is archived [3][4]. Users are strongly encouraged to migrate directly to the PEM parsing functionality provided by the rustls-pki-types crate [4]. The final version, 2.2.0, remains available as a wrapper over rustls-pki-types, but no further development is expected [3][1]. Migration guidance from the maintainers suggests replacing legacy rustls-pemfile functions with corresponding PemObject trait methods in rustls-pki-types [4][5]. For example: rustls_pemfile::private_key(io::BufRead) should be replaced by PrivateKeyDer::from_pem_reader(io::Read) [6][5]. rustls_pemfile::certs(io::BufRead) should be replaced by CertificateDer::pem_reader_iter(io::Read) [6][5]. Comprehensive mapping tables for these replacements are available in the documentation for the latest version of the crate [5].

Citations:

🌐 Web query:

embed-resource 3.0 breaking changes rust

💡 Result:

The primary breaking change introduced in the 3.0 release of the embed-resource crate involves the handling of Windows manifests [1][2][3]. In versions prior to 3.0, the crate behaved by default as if the manifest was optional [1][2]. In version 3.0 and later, you must explicitly call either.manifest_optional.unwrap or.manifest_required.unwrap on the result of every embed_resource::compile and embed_resource::compile_for* call [1][4][3]. This change is enforced by the fact that the CompilationResult type is now marked with the #[must_use] attribute, which will trigger compiler warnings or errors if you neglect to specify how the manifest should be handled [1][2][3]. Summary of updates required for 3.0: - Use.manifest_optional.unwrap if the manifest is cosmetic, such as for an icon [2][5]. - Use.manifest_required.unwrap if the manifest is necessary for security, entry points, or other critical requirements [1][2]. Example update pattern: // Old approach (< 3.0) embed_resource::compile("my_resource.rc", embed_resource::NONE); // New approach (3.0+) embed_resource::compile("my_resource.rc", embed_resource::NONE).manifest_optional.unwrap;

Citations:

🏁 Script executed:

#!/bin/bash
# Check Cargo.toml for both dependencies at specified lines
echo "=== Cargo.toml around line 82 (rustls-pemfile) ==="
sed -n '78,86p' clients/openframe-client/Cargo.toml

echo ""
echo "=== Cargo.toml around line 96 (embed-resource) ==="
sed -n '92,100p' clients/openframe-client/Cargo.toml

echo ""
echo "=== Check build.rs for embed-resource imports ==="
fd -e rs "build.rs" -x grep -n "embed.resource\|embed_resource" {} +

echo ""
echo "=== Local TLS config full implementation ==="
cat clients/openframe-client/src/services/local_tls_config_provider.rs

Repository: flamingo-stack/openframe-oss-tenant

Length of output: 3136

🌐 Web query:

rustls-pemfile 2.0 certs function signature API changes

💡 Result:

In the transition to rustls-pemfile 2.0, the signature of the certs function (and other helper functions like rsa_private_keys and pkcs8_private_keys) was changed from returning a Vec (or similar collection) to returning an iterator [1]. Specifically, in version 2.0 and later, the function signature for certs is: pub fn certs(rd: &mut dyn io::BufRead) -> impl Iterator<Item = Result<CertificateDer<'static>, io::Error>> + '_ This change allows for streaming PEM files rather than loading the entire file into memory at once [1]. Because the function now returns an iterator, code that previously expected a collection must now collect the results if a collection is still required (e.g., using.collect::<Result<Vec<_>, _>>) [1]. Note that the rustls-pemfile crate is currently unmaintained as of late 2025 [2]. It is recommended to depend directly on the PEM parsing functionality provided by the rustls-pki-types crate (specifically using the PemObject trait), which powers the rustls-pemfile wrapper [3][2]. Migrating to rustls-pki-types generally involves replacing calls like rustls_pemfile::certs(rd) with CertificateDer::pem_reader_iter(rd) [4][3].

Citations:

Fix rustls-pemfile 2.0 API incompatibility in certificate parsing.

The upgrade to rustls-pemfile 2.0 introduces a breaking API change: the certs() function now returns an iterator instead of a collection, requiring code updates at line 31 in local_tls_config_provider.rs.

Current code fails to compile:

let certs = rustls_pemfile::certs(&mut cursor)
    .context("Failed to parse certificate")?;

Update to handle the iterator return type:

let certs = rustls_pemfile::certs(&mut cursor)
    .collect::<Result<Vec<_>, _>>()
    .context("Failed to parse certificate")?;

Note: The embed-resource dependency at line 96 is declared in [build-dependencies] but is not actually used in build.rs, so the 3.0 breaking changes (manifest handling) are not applicable to this project.

🤖 Prompt for AI Agents 
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@clients/openframe-client/Cargo.toml` at line 82, The rustls-pemfile 2.0
upgrade changed the certs() function to return an iterator instead of a
collection. In local_tls_config_provider.rs, find the call to
rustls_pemfile::certs() that currently passes the result directly to context().
Update this code to collect the iterator into a Result type first by calling
collect with the type annotation Result<Vec<_>, _> before applying the context
method for error handling.

@ivan-flamingo ivan-flamingo force-pushed the renovate/major-openframe-client-deps branch 10 times, most recently from 0a1d412 to 330e8e7 Compare June 22, 2026 19:46
@ivan-flamingo ivan-flamingo force-pushed the renovate/major-openframe-client-deps branch 24 times, most recently from c2d423b to 1a3ecf0 Compare June 26, 2026 14:21
@ivan-flamingo ivan-flamingo force-pushed the renovate/major-openframe-client-deps branch from 1a3ecf0 to 14a5946 Compare June 26, 2026 15:22
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

clients dependencies openframe-client

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ivan-flamingo @renovate-bot