Fix update #9
Merged
Add using_dedup_hidden_cols tracking to OuterQueryReference so that columns hidden by a USING or NATURAL join in the outer scope are skipped during subquery column binding. Without this, correlated subqueries could produce false "ambiguous column name" errors when an outer-scope join uses USING on a column that appears in multiple tables.
- Add using_dedup_hidden_cols: ColumnMask field to OuterQueryReference
- Add JoinedTable::using_dedup_hidden_cols() to compute hidden columns
- Check the mask during unqualified column binding in outer query refs
- Initialize the field at all OuterQueryReference construction sites
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- perf/memory: Add #[cfg(not(clippy))] guards to dhat allocator and profiler to avoid linker conflicts when Clippy runs with --all-features
- JS bindings: Refresh native loader version checks
Table-valued pragma helpers (e.g. pragma_table_info) prepare and step a separate helper statement on the same connection during the parent statement's VM step. Using prepare() marks the helper as a Root statement, which is semantically wrong — it increments n_active_root_statements and skips the nestedness guard that tells op_transaction to preserve the parent's transaction state. Switch to prepare_internal() (InternalHelper origin) so the helper is correctly identified as nested. I could not find a clean repro for this that isn't UPDATE...FROM specific, so no regression test here, but there will be one in the UPDATE-FROM PR.
Make it match SQLite.
…i Saurio
Extracted from #6427
Replace the global CTE reference counter on ProgramBuilder with a tree-walk approach that counts shareable reads per query tree. The old approach double-counted CTE references from correlated subqueries and visibility-only pre-planning copies, leading to incorrect materialization decisions.
- Remove cte_reference_counts from ProgramBuilder
- Add count_shared_cte_references() tree-walk in subquery.rs
- mark_shared_cte_materialization_requirements now takes TableReferences instead of ProgramBuilder
- Extract select_plan_has_outer_scope_dependency() as public
- Remove count_reference parameter from plan_cte()
- Correlated RETURNING subqueries excluded from shared CTE counting
Closes #6496
- perf/memory: Add #[cfg(not(clippy))] guards to dhat allocator and profiler to avoid linker conflicts when Clippy runs with --all-features
- JS bindings: Refresh native loader version checks
Closes #6498
…a Enberg Make it match SQLite. Closes #6500
Replace `macos-latest` with `blacksmith-6vcpu-macos-latest` across all workflows to match the Blacksmith Linux runners already in use.
Replace `macos-latest` with `blacksmith-6vcpu-macos-latest` across all workflows to match the Blacksmith Linux runners already in use. Closes #6501
Adds a wrapper Profile that adds a checkpoint step at the end of the run
Check for MVCC mem usage before and after checkpoint
Added the necessary changes
Closes #6487
Bumps [time](https://github.com/time-rs/time) from 0.3.41 to 0.3.47.
- [Release notes](https://github.com/time-rs/time/releases)
- [Changelog](https://github.com/time-rs/time/blob/main/CHANGELOG.md)
- [Commits](time-rs/time@v0.3.41...v0.3.47)
---
updated-dependencies:
- dependency-name: time
  dependency-version: 0.3.47
  dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
Bumps [activesupport](https://github.com/rails/rails) from 7.2.3 to 7.2.3.1.
- [Release notes](https://github.com/rails/rails/releases)
- [Changelog](https://github.com/rails/rails/blob/v8.1.3/activesupport/CHANGELOG.md)
- [Commits](rails/rails@v7.2.3...v7.2.3.1)
---
updated-dependencies:
- dependency-name: activesupport
  dependency-version: 7.2.3.1
  dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
Bumps [addressable](https://github.com/sporkmonger/addressable) from 2.8.8 to 2.9.0.
- [Changelog](https://github.com/sporkmonger/addressable/blob/main/CHANGELOG.md)
- [Commits](sporkmonger/addressable@addressable-2.8.8...addressable-2.9.0)
---
updated-dependencies:
- dependency-name: addressable
  dependency-version: 2.9.0
  dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
…G' from
fixes: #6437
```
turso> create table "users" (id integer primary key, name text);
turso> insert into "users" values (1, 'a') returning "users".id, "users".name;
┌────┬──────┐
│ id │ name │
├────┼──────┤
│ 1  │ a    │
└────┴──────┘
turso> insert into "users" values (2, 'b') returning users.id, users.name;
┌────┬──────┐
│ id │ name │
├────┼──────┤
│ 2  │ b    │
└────┴──────┘
```
Reviewed-by: Jussi Saurio <jussi.saurio@gmail.com>
Closes #6438
Bumps [time](https://github.com/time-rs/time) from 0.3.41 to 0.3.47.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a href="https://github.com/time-rs/time/releases">time's releases</a>.</em></p>
<blockquote>
<h2>v0.3.47</h2>
<p>See the <a href="https://github.com/time-rs/time/blob/main/CHANGELOG.md">changelog</a> for details.</p>
<h2>v0.3.46</h2>
<p>See the <a href="https://github.com/time-rs/time/blob/main/CHANGELOG.md">changelog</a> for details.</p>
<h2>v0.3.45</h2>
<p>See the <a href="https://github.com/time-rs/time/blob/main/CHANGELOG.md">changelog</a> for details.</p>
<h2>v0.3.44</h2>
<p>See the <a href="https://github.com/time-rs/time/blob/main/CHANGELOG.md">changelog</a> for details.</p>
<h2>v0.3.43</h2>
<p>See the <a href="https://github.com/time-rs/time/blob/main/CHANGELOG.md">changelog</a> for details.</p>
<h2>v0.3.42</h2>
<p>See the <a href="https://github.com/time-rs/time/blob/main/CHANGELOG.md">changelog</a> for details.</p>
</blockquote>
</details>
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a href="https://github.com/time-rs/time/blob/main/CHANGELOG.md">time's changelog</a>.</em></p>
<blockquote>
<h2>0.3.47 [2026-02-05]</h2>
<h3>Security</h3>
<ul>
<li>
<p>The possibility of a stack exhaustion denial of service attack when parsing RFC 2822 has been eliminated. Previously, it was possible to craft input that would cause unbounded recursion. Now, the depth of the recursion is tracked, causing an error to be returned if it exceeds a reasonable limit.</p>
<p>This attack vector requires parsing user-provided input, with any type, using the RFC 2822 format.</p>
</li>
</ul>
<h3>Compatibility</h3>
<ul>
<li>Attempting to format a value with a well-known format (i.e. RFC 3339, RFC 2822, or ISO 8601) will error at compile time if the type being formatted does not provide sufficient information. This would previously fail at runtime. Similarly, attempting to format a value with ISO 8601 that is only configured for parsing (i.e. <code>Iso8601::PARSING</code>) will error at compile time.</li>
</ul>
<h3>Added</h3>
<ul>
<li>Builder methods for format description modifiers, eliminating the need for verbose initialization when done manually.</li>
<li><code>date!(2026-W01-2)</code> is now supported. Previously, a space was required between <code>W</code> and <code>01</code>.</li>
<li><code>[end]</code> now has a <code>trailing_input</code> modifier which can either be <code>prohibit</code> (the default) or <code>discard</code>. When it is <code>discard</code>, all remaining input is ignored. Note that if there are components after <code>[end]</code>, they will still attempt to be parsed, likely resulting in an error.</li>
</ul>
<h3>Changed</h3>
<ul>
<li>More performance gains when parsing.</li>
</ul>
<h3>Fixed</h3>
<ul>
<li>If manually formatting a value, the number of bytes written was one short for some components. This has been fixed such that the number of bytes written is always correct.</li>
<li>The possibility of integer overflow when parsing an owned format description has been effectively eliminated. This would previously wrap when overflow checks were disabled. Instead of storing the depth as <code>u8</code>, it is stored as <code>u32</code>. This would require multiple gigabytes of nested input to overflow, at which point we've got other problems and trivial mitigations are available by downstream users.</li>
</ul>
<h2>0.3.46 [2026-01-23]</h2>
<h3>Added</h3>
<ul>
<li>All possible panics are now documented for the relevant methods.</li>
<li>The need to use <code>#[serde(default)]</code> when using custom <code>serde</code> formats is documented. This applies only when deserializing an <code>Option<T></code>.</li>
<li><code>Duration::nanoseconds_i128</code> has been made public, mirroring <code>std::time::Duration::from_nanos_u128</code>.</li>
</ul>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a href="time-rs/time@d5144cd2874862d46466c900910cd8577d066019"><code>d5144cd</code></a> v0.3.47 release</li>
<li><a href="time-rs/time@f6206b050fd54817d8872834b4d61f605570e89b"><code>f6206b0</code></a> Guard against integer overflow in release mode</li>
<li><a href="time-rs/time@1c63dc7985b8fa26bd8c689423cc56b7a03841ee"><code>1c63dc7</code></a> Avoid denial of service when parsing Rfc2822</li>
<li><a href="time-rs/time@5940df6e72efb63d246ca1ca59a0f836ad32ad8a"><code>5940df6</code></a> Add builder methods to avoid verbose construction</li>
<li><a href="time-rs/time@00881a4da1bc5a6cb6313052e5017dbd7daa40f0"><code>00881a4</code></a> Manually format macros everywhere</li>
<li><a href="time-rs/time@bb723b6d826e46c174d75cd08987061984b0ceb7"><code>bb723b6</code></a> Add <code>trailing_input</code> modifier to <code>end</code></li>
<li><a href="time-rs/time@31c4f8e0b56e6ae24fe0d6ef0e492b6741dda783"><code>31c4f8e</code></a> Permit <code>W12</code> in <code>date!</code> macro</li>
<li><a href="time-rs/time@490a17bf306576850f33a86d3ca95d96db7b1dcd"><code>490a17b</code></a> Mark error paths in well-known formats as cold</li>
<li><a href="time-rs/time@6cb1896a600be1538ecfab8f233fe9cfe9fa8951"><code>6cb1896</code></a> Optimize <code>Rfc2822</code> parsing</li>
<li><a href="time-rs/time@6d264d59c25e3da0453c3defebf4640b0086a006"><code>6d264d5</code></a> Remove erroneous <code>#[inline(never)]</code> attributes</li>
<li>Additional commits viewable in <a href="https://github.com/time-rs/time/compare/v0.3.41...v0.3.47">compare view</a></li>
</ul>
</details>
<br />
[](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores)
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.
[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)
---
<details>
<summary>Dependabot commands and options</summary>
<br />
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/tursodatabase/turso/network/alerts).
</details>
Closes #6502
Bumps [rustls-webpki](https://github.com/rustls/webpki) from 0.103.8 to 0.103.13.
- [Release notes](https://github.com/rustls/webpki/releases)
- [Commits](rustls/webpki@v/0.103.8...v/0.103.13)
---
updated-dependencies:
- dependency-name: rustls-webpki
  dependency-version: 0.103.13
  dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
…' from app/dependabot
Bumps [addressable](https://github.com/sporkmonger/addressable) from 2.8.8 to 2.9.0.
<details>
<summary>Changelog</summary>
<p><em>Sourced from <a href="https://github.com/sporkmonger/addressable/blob/main/CHANGELOG.md">addressable's changelog</a>.</em></p>
<blockquote>
<h2>Addressable 2.9.0 <!-- raw HTML omitted --></h2>
<ul>
<li>fixes ReDoS vulnerability in Addressable::Template#match (fixes incomplete remediation in 2.8.10)</li>
</ul>
<h2>Addressable 2.8.10 <!-- raw HTML omitted --></h2>
<ul>
<li>fixes ReDoS vulnerability in Addressable::Template#match</li>
</ul>
<h2>Addressable 2.8.9 <!-- raw HTML omitted --></h2>
<ul>
<li>Reduce gem size by excluding test files (<a href="https://redirect.github.com/sporkmonger/addressable/issues/569">#569</a>)</li>
<li>No need for bundler as development dependency (<a href="https://redirect.github.com/sporkmonger/addressable/issues/571">#571</a>, <a href="https://github.com/sporkmonger/addressable/commit/5fc1d93">5fc1d93</a>)</li>
<li>idna/pure: stop building the useless <code>COMPOSITION_TABLE</code> (removes the <code>Addressable::IDNA::COMPOSITION_TABLE</code> constant) (<a href="https://redirect.github.com/sporkmonger/addressable/issues/564">#564</a>)</li>
</ul>
<p><a href="https://redirect.github.com/sporkmonger/addressable/issues/569">#569</a>: <a href="https://redirect.github.com/sporkmonger/addressable/pull/569">sporkmonger/addressable#569</a>
<a href="https://redirect.github.com/sporkmonger/addressable/issues/571">#571</a>: <a href="https://redirect.github.com/sporkmonger/addressable/pull/571">sporkmonger/addressable#571</a>
<a href="https://redirect.github.com/sporkmonger/addressable/issues/564">#564</a>: <a href="https://redirect.github.com/sporkmonger/addressable/pull/564">sporkmonger/addressable#564</a></p>
</blockquote>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a href="sporkmonger/addressable@0c3e8589b23d4402903a9b4e1fdeba4e43c52ca4"><code>0c3e858</code></a> Revving version and changelog</li>
<li><a href="sporkmonger/addressable@91915c1f7aafa3e2c9f42e2f4e21d948c7a861b8"><code>91915c1</code></a> Fixing additional vulnerable paths</li>
<li><a href="sporkmonger/addressable@a091e39ff02fc321b21dea3a0df585bef2ba3744"><code>a091e39</code></a> Add many more adversarial test cases to ensure we don't have any ReDoS regres...</li>
<li><a href="sporkmonger/addressable@463a819665a3b85ce5ce894c90bd7bfa3b9d2e15"><code>463a819</code></a> Regenerate gemspec on newer rubygems</li>
<li><a href="sporkmonger/addressable@0afcb0b9672bee301e5e96ed850fec05b2fcabb0"><code>0afcb0b</code></a> Improve from O(n^2) to O(n)</li>
<li><a href="sporkmonger/addressable@c87f768f22ab00376ed2f8cb106f59c9d0652d3a"><code>c87f768</code></a> Fix a ReDoS vulnerability in URI template matching</li>
<li><a href="sporkmonger/addressable@0d7e9b259fb0940d1a85064b04f678a7984409a5"><code>0d7e9b2</code></a> Fix links for 2.8.9 in CHANGELOG (<a href="https://redirect.github.com/sporkmonger/addressable/issues/573">#573</a>)</li>
<li><a href="sporkmonger/addressable@e2091200b31553f19248eb871f071852409796f8"><code>e209120</code></a> Update version, gemspec, and CHANGELOG for 2.8.9 (<a href="https://redirect.github.com/sporkmonger/addressable/issues/572">#572</a>)</li>
<li><a href="sporkmonger/addressable@387587492b6536748ed12a11c3fdb44a48885f28"><code>3875874</code></a> Reduce gem size by excluding test files (<a href="https://redirect.github.com/sporkmonger/addressable/issues/569">#569</a>)</li>
<li><a href="sporkmonger/addressable@3e57cc6018f94231aabb47fd341acd1b40f1e71a"><code>3e57cc6</code></a> CI: back to <code>windows-2022</code> for MRI job</li>
<li>Additional commits viewable in <a href="https://github.com/sporkmonger/addressable/compare/addressable-2.8.8...addressable-2.9.0">compare view</a></li>
</ul>
</details>
Closes #6504
Bumps [rustls-webpki](https://github.com/rustls/webpki) from 0.103.8 to 0.103.13.
<details>
<summary>Release notes</summary>
<p><em>Sourced from <a href="https://github.com/rustls/webpki/releases">rustls-webpki's releases</a>.</em></p>
<blockquote>
<h2>0.103.13</h2>
<ul>
<li><strong>Fix reachable panic in parsing a CRL</strong>. This was reported to us as <a href="https://github.com/rustls/webpki/security/advisories/GHSA-82j2-j2ch-gfr8">GHSA-82j2-j2ch-gfr8</a>. Users who don't use CRLs are not affected.</li>
<li>For name constraints on URI names, we incorrectly processed excluded subtrees in a way which inverted the desired meaning. See <a href="https://redirect.github.com/rustls/webpki/pull/471">rustls/webpki#471</a>. This was a case missing in the fix for <a href="https://github.com/advisories/GHSA-965h-392x-2mh5">https://github.com/advisories/GHSA-965h-392x-2mh5</a>.</li>
</ul>
<h2>What's Changed</h2>
<ul>
<li>Actually fail closed for URI matching against excluded subtrees by <a href="https://github.com/djc"><code>@djc</code></a> in <a href="https://redirect.github.com/rustls/webpki/pull/473">rustls/webpki#473</a></li>
<li>Prepare 0.103.13 by <a href="https://github.com/ctz"><code>@ctz</code></a> in <a href="https://redirect.github.com/rustls/webpki/pull/474">rustls/webpki#474</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a href="https://github.com/rustls/webpki/compare/v/0.103.12...v/0.103.13">https://github.com/rustls/webpki/compare/v/0.103.12...v/0.103.13</a></p>
<h2>0.103.12</h2>
<p>This release fixes two bugs in name constraint enforcement:</p>
<ul>
<li><strong>GHSA-965h-392x-2mh5</strong>: name constraints for URI names were ignored and therefore accepted. URI name constraints are now rejected unconditionally. Note this library does not provide an API for asserting URI names, and URI name constraints are otherwise not implemented.</li>
<li><strong>GHSA-xgp8-3hg3-c2mh</strong>: permitted subtree name constraints for DNS names were accepted for certificates asserting a wildcard name. This was incorrect because, given a name constraint of <code>accept.example.com</code>, <code>*.example.com</code> could feasibly allow a name of <code>reject.example.com</code> which is outside the constraint. This is very similar to <a href="https://go.dev/issue/76442">CVE-2025-61727</a>.</li>
</ul>
<p>Since name constraints are restrictions on otherwise properly-issued certificates, these bugs are reachable only after signature verification and require misissuance to exploit.</p>
<h2>What's Changed</h2>
<ul>
<li>Prepare 0.103.12 by <a href="https://github.com/djc"><code>@djc</code></a> in <a href="https://redirect.github.com/rustls/webpki/pull/470">rustls/webpki#470</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a href="https://github.com/rustls/webpki/compare/v/0.103.11...v/0.103.12">https://github.com/rustls/webpki/compare/v/0.103.11...v/0.103.12</a></p>
<h2>0.103.11</h2>
<p>In response to <a href="https://redirect.github.com/rustls/webpki/issues/464">#464</a>, we've slightly relaxed requirements for <code>anchor_from_trust_cert()</code> to ignore unknown extensions even if they're marked as critical. This only affects parsing a <code>TrustAnchor</code> from DER, for which most extensions are ignored anyway.</p>
<h2>What's Changed</h2>
<ul>
<li>Backport parsing trust anchors with unknown critical extensions to 0.103 by <a href="https://github.com/djc"><code>@djc</code></a> in <a href="https://redirect.github.com/rustls/webpki/pull/466">rustls/webpki#466</a></li>
</ul>
<h2>0.103.10</h2>
<p><strong>Correct selection of candidate CRLs by Distribution Point and Issuing Distribution Point</strong>. If a certificate had more than one <code>distributionPoint</code>, then only the first <code>distributionPoint</code> would be considered against each CRL's <code>IssuingDistributionPoint</code> <code>distributionPoint</code>, and then the certificate's subsequent <code>distributionPoint</code>s would be ignored.</p>
<p>The impact was that correctly provided CRLs would not be consulted to check revocation. With <code>UnknownStatusPolicy::Deny</code> (the default) this would lead to incorrect but safe <code>Error::UnknownRevocationStatus</code>. With <code>UnknownStatusPolicy::Allow</code> this would lead to inappropriate acceptance of revoked certificates.</p>
<p>This vulnerability is thought to be of limited impact. This is because both the certificate and CRL are signed -- an attacker would need to compromise a trusted issuing authority to trigger this bug. An attacker with such capabilities could likely bypass revocation checking through other more impactful means (such as publishing a valid, empty CRL.)</p>
<p>More likely, this bug would be latent in normal use, and an attacker could leverage faulty revocation checking to continue using a revoked credential.</p>
<p>This vulnerability is identified by <a href="https://github.com/rustls/webpki/security/advisories/GHSA-pwjx-qhcg-rvj4">GHSA-pwjx-qhcg-rvj4</a>. Thank you to <a href="https://github.com/1seal"><code>@1seal</code></a> for the report.</p>
<h2>What's Changed</h2>
<ul>
<li>Freshen up rel-0.103 by <a href="https://github.com/ctz"><code>@ctz</code></a> in <a href="https://redirect.github.com/rustls/webpki/pull/455">rustls/webpki#455</a></li>
<li>Prepare 0.103.10 by <a href="https://github.com/ctz"><code>@ctz</code></a> in <a href="https://redirect.github.com/rustls/webpki/pull/458">rustls/webpki#458</a></li>
</ul>
<p><strong>Full Changelog</strong>: <a href="https://github.com/rustls/webpki/compare/v/0.103.9...v/0.103.10">https://github.com/rustls/webpki/compare/v/0.103.9...v/0.103.10</a></p>
<!-- raw HTML omitted -->
</blockquote>
<p>... (truncated)</p>
</details>
<details>
<summary>Commits</summary>
<ul>
<li><a href="rustls/webpki@2879b2ce7a476181ac3050f73fe0835f04728e86"><code>2879b2c</code></a> Prepare 0.103.13</li>
<li><a href="rustls/webpki@2c49773d823f48c87db30db7a66c25993c847007"><code>2c49773</code></a> Improve tests for padding of <code>BitStringFlags</code></li>
<li><a href="rustls/webpki@4e3c0b393a7bfb9cbe6dcdc8309cbadf8ee00c51"><code>4e3c0b3</code></a> Correct validation of BIT STRING constraints</li>
<li><a href="rustls/webpki@39c91d2525a542a7f651a1a62c3462e8115cc39e"><code>39c91d2</code></a> Actually fail closed for URI matching against excluded subtrees</li>
<li><a href="rustls/webpki@27131d476e2b68a537e629d6d012bef8dad6efd3"><code>27131d4</code></a> Bump version to 0.103.12</li>
<li><a href="rustls/webpki@6ecb8769cde2246e761e058709421c14a7dee6b1"><code>6ecb876</code></a> Clean up stuttery enum variant names</li>
<li><a href="rustls/webpki@318b3e6e03ca2bc21600ca6bb0d0c6439b9e6aeb"><code>318b3e6</code></a> Ignore wildcard labels when matching name constraints</li>
<li><a href="rustls/webpki@12196229a327d3d670798688254bd3ea24aba24b"><code>1219622</code></a> Rewrite constraint matching to avoid permissive catch-all branch</li>
<li><a href="rustls/webpki@57bc62ce538c2d0d31d44b3eb8c58e6a0a764b47"><code>57bc62c</code></a> Bump version to 0.103.11</li>
<li><a href="rustls/webpki@d0fa01ee0a76b7585c13ec43de5854955146ffef"><code>d0fa01e</code></a> Allow parsing trust anchors with unknown criticial extensions</li>
<li>Additional commits viewable in <a href="https://github.com/rustls/webpki/compare/v/0.103.8...v/0.103.13">compare view</a></li>
</ul>
</details>
Closes #6505
Bumps [json](https://github.com/ruby/json) from 2.18.0 to 2.19.2.
- [Release notes](https://github.com/ruby/json/releases)
- [Changelog](https://github.com/ruby/json/blob/master/CHANGES.md)
- [Commits](ruby/json@v2.18.0...v2.19.2)
---
updated-dependencies:
- dependency-name: json
  dependency-version: 2.19.2
  dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
…si Saurio Extracted from #6427 Table-valued pragma helpers (e.g. pragma_table_info) prepare and step a separate helper statement on the same connection during the parent statement's VM step. Using prepare() marks the helper as a Root statement, which is semantically wrong — it increments n_active_root_statements and skips the nestedness guard that tells op_transaction to preserve the parent's transaction state. Switch to prepare_internal() (InternalHelper origin) so the helper is correctly identified as nested. I could not find a clean repro for this that isn't UPDATE...FROM specific, so no regression test here, but there will be one in the UPDATE-FROM PR. Closes #6499
Extracted from #6427
Add using_dedup_hidden_cols tracking to OuterQueryReference so that columns hidden by a USING or NATURAL join in the outer scope are skipped during subquery column binding. Without this, correlated subqueries could produce false "ambiguous column name" errors when an outer-scope join uses USING on a column that appears in multiple tables.
- Add using_dedup_hidden_cols: ColumnMask field to OuterQueryReference
- Add JoinedTable::using_dedup_hidden_cols() to compute hidden columns
- Check the mask during unqualified column binding in outer query refs
- Initialize the field at all OuterQueryReference construction sites
Closes #6497
…' from Preston Thorpe Closes #6508
…l Francoeur Virtual columns weren't computed when emitting the old images for deferred FK checks. Closes tursodatabase/turso#6415 50/50 Reviewed-by: Jussi Saurio <jussi.saurio@gmail.com> Closes #6490
- Fix too strict query timeout test
- Fix serverless get() test failure
- Update libSQL dependency
Closes #6587
Bumps [tar-fs](https://github.com/mafintosh/tar-fs) from 2.1.3 to 2.1.4.
- [Commits](mafintosh/tar-fs@v2.1.3...v2.1.4)
---
updated-dependencies:
- dependency-name: tar-fs
  dependency-version: 2.1.4
  dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
…rmance/javascript' from app/dependabot
Bumps [tar-fs](https://github.com/mafintosh/tar-fs) from 2.1.3 to 2.1.4.
<details>
<summary>Commits</summary>
<ul>
<li><a href="mafintosh/tar-fs@f421a235565b6a6d305bdf87e999ebdfae9dd1cc"><code>f421a23</code></a> 2.1.4</li>
<li><a href="mafintosh/tar-fs@c412fa130e216d4c01392f6fb62c8725c1a4ac8b"><code>c412fa1</code></a> refactor to same pattern as v3</li>
<li>See full diff in <a href="https://github.com/mafintosh/tar-fs/compare/v2.1.3...v2.1.4">compare view</a></li>
</ul>
</details>
Closes #6590
Bumps [tar-fs](https://github.com/mafintosh/tar-fs) from 2.1.3 to 2.1.4.
- [Commits](mafintosh/tar-fs@v2.1.3...v2.1.4)
---
updated-dependencies:
- dependency-name: tar-fs
  dependency-version: 2.1.4
  dependency-type: indirect
...
Signed-off-by: dependabot[bot] <support@github.com>
if checkpoint became successful, then we will reload the scheme if abort was called
Library can't be compiled on FreeBSD due to `l_sysid` field. This PR makes building Turso on FreeBSD possible. Closes #6593
…m Preston Thorpe closes #6478 Closes #6561
Improves concurrent reads by substantial margin
## Linux/unix IO:
**BEFORE**:
<img width="893" height="146" alt="image" src="https://github.com/user-attachments/assets/d586179f-7638-4466-bb43-8314e1b1e4b9" />
**AFTER**:
<img width="908" height="136" alt="image" src="https://github.com/user-attachments/assets/fe140d72-2c07-4d2d-95d1-bcc49b74cbab" />
## WindowsIO:
User reported even better perf improvements with the same benchmark
Reviewed-by: Wojciech Adamek <wojciech.adamek@feathered.eu>
Closes #6597
…script/perf' from app/dependabot
Bumps [tar-fs](https://github.com/mafintosh/tar-fs) from 2.1.3 to 2.1.4.
<details>
<summary>Commits</summary>
<ul>
<li><a href="mafintosh/tar-fs@f421a235565b6a6d305bdf87e999ebdfae9dd1cc"><code>f421a23</code></a> 2.1.4</li>
<li><a href="mafintosh/tar-fs@c412fa130e216d4c01392f6fb62c8725c1a4ac8b"><code>c412fa1</code></a> refactor to same pattern as v3</li>
<li>See full diff in <a href="https://github.com/mafintosh/tar-fs/compare/v2.1.3...v2.1.4">compare view</a></li>
</ul>
</details>
Closes #6591
Bumps [postcss](https://github.com/postcss/postcss) from 8.5.6 to 8.5.12.

- [Release notes](https://github.com/postcss/postcss/releases)
- [Changelog](https://github.com/postcss/postcss/blob/main/CHANGELOG.md)
- [Commits](postcss/postcss@8.5.6...8.5.12)

---
updated-dependencies:
- dependency-name: postcss
  dependency-version: 8.5.12
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
…s/javascript/sync-wasm-vite' from app/dependabot

Bumps [postcss](https://github.com/postcss/postcss) from 8.5.6 to 8.5.12.

Release notes (sourced from [postcss's releases](https://github.com/postcss/postcss/releases)):

8.5.12

- Fixed reading any file via user-generated CSS.
- Added `opts.unsafeMap` to disable checks.

8.5.11

- Fixed nested brackets parsing performance (by [`@offset`](https://github.com/offset)).

8.5.10

- Fixed XSS via unescaped `</style>` in non-bundler cases (by [`@TharVid`](https://github.com/TharVid)).

8.5.9

- Speed up source map encoding parsing in case of the error.

8.5.8

- Fixed `Processor#version`.

8.5.7

- Improved source map annotation cleaning performance (by CodeAnt AI).

Commits:

- `9bc81c4` Release 8.5.12 version
- `85c4d7d` Another try to fix coverage
- `94484ca` Try to fix coverage
- `c64b748` Load only .map source maps
- `aaec7b7` Avoid throwing JSON parsing errors for non-JSON source maps
- `233fb26` Mention original author of the solution
- `2502f75` Release 8.5.11 version
- `5ca1901` Speed up parsing many nested brackets
- `42b5337` Update dependencies
- `7e36e15` Cache node.raws locally in Stringifier hot methods
- Additional commits viewable in [compare view](https://github.com/postcss/postcss/compare/8.5.6...8.5.12)

Closes #6608
This adds a concurrent simulator config that captures code coverage of a simulator run. There's a new top-level `make whopper-coverage` command to run it. The coverage files are stored in `.coverage/whopper` directory.
…n BEGIN CONCURRENT' from Artur Kantorczyk

Close the read transaction before returning `TxError` when attempting to start a concurrent transaction from deferred, to avoid the `cannot start a new read tx without ending an existing one` panic. Using the same cleanup pattern as the rest of the codebase.

Fixes: #5953

Asked codex for review of the changes

Reviewed-by: Avinash Sajjanshetty (@avinassh)

Closes #6048
… Enberg This adds a concurrent simulator config that captures code coverage of a simulator run. There's a new top-level `make whopper-coverage` command to run it. The coverage files are stored in `.coverage/whopper` directory. Closes #6609
…hetty

This PR adds initial support for `vacuum`, the last standing major SQLite feature missing in Turso. We already have `vacuum into`; now this patch adds `vacuum`. `vacuum` op is experimental, users need to opt in to use.

Vacuum is a defragmentation op. When you update/delete some rows, the space isn't claimed but rather reused. Vacuum compacts that, releasing the free space. The logic of vacuum is quite simple:

1. Reinsert all the rows to a temporary db
2. Copy the pages from temporary db to main db

The complexities are in the copy back logic: you need the right lock semantics, commit/transaction semantics, fsync. The tricky part is copying those pages safely.

1. Vacuum as an op is very conservative. Vacuum can start only when there are no readers or writers. We cannot move around pages if we have readers. New writes during vacuum could get missed during the copy phase, causing data loss.
2. Vacuum also blocks new readers and writers. Hence this patch introduces a new vacuum lock, very similar to the checkpoint lock. Every read txn needs to acquire this, and the vacuum op takes an exclusive lock on this.
3. During copy back, we need to atomically copy the pages from temp db to main db. A partial commit will cause a weird inconsistent state and/or data loss.
4. When building the temp db, we have to make sure we are rewriting everything. A missing internal table or index can cause corruption / data loss.

The vacuum implementation is different from SQLite's. In SQLite:

1. A temporary db is created and attached
2. DB is rewritten into the temporary file
3. Then it is copied back to the main db
4. Then auto checkpoint

Ours:

1. We don't have stable attach, so we keep a separate connection with the temporary db
2. We don't have a rollback journal, so we write the frames back to the WAL using WAL APIs
3. Do checkpoint truncate

Here is a quick overview of the vacuum state machine:

1. Do base validations: like no txns are active, etc.
2. Acquire checkpoint lock
3. Acquire vacuum lock
4. Rewrite the DB to a temporary path. This uses the existing code from vacuum into. We disable auto checkpoint so that during copy back we can copy the frames from WAL.
5. Once the temporary db is ready, we copy frames from WAL to the source DB's WAL. This will be done as a single transaction. If something fails midway, those frames will be discarded on the next run.
6. Then we checkpoint using the checkpoint state machine. Previously, we hand off the locks we held earlier to the checkpoint machine.
7. Once checkpoint is done, we refresh the schema.
8. Release them locks.

### Performance

Right now Turso's vacuum is slightly slower than SQLite for small dbs and faster for large databases. I haven't started perf work yet, but here are some reasons which I will optimise next:

1. We copy row by row, doing insert via SQL. SQLite has a fast path optimisation for vacuum where it copies bytes to bytes without parsing overhead.
2. Current vacuum implementation does more fsync than required. It is safe, but for temporary db it is not needed.
3. We have a lot more allocations in the vacuum path which can be optimised
4. We could probably introduce a fast path checkpoint op just for vacuum.
5. We don't do reads and writes concurrently. Right now it reads a bunch of frames, waits for IO to complete and then writes them, and so on. We can issue read and write I/O concurrently.

### How to review

This is a large PR; however, it is split into small commits nicely. You can review commit by commit.

1. The first commit is a refactor of our `vacuum into` so that vacuum machinery can use the existing code (~300 lines of diff). While extracting, I also fixed some bugs related to check constraints, custom types and auto vacuum which were present in vacuum into as well. I tried extracting that first, then fixing, but it became a bit awkward since I had to make changes for vacuum as well.
2. The next commits add new APIs which vacuum will use (~1000 lines with tests). For example, I added `read_batch_frame` where we can read a batch of frames from WAL, instead of `read_frame` which lets you read a single frame.
7. The vacuum state machine. In a way it is small because it uses the existing vacuum into state machine and checkpoint state machine (~1500 lines)
8. Tests (~5000 lines). I have more tests, but I will add them in a follow-up PR.

Where do I need your eyes most:

- Lock semantics
- RAW WAL API usage
- Clean up on error

### What's next

This patch adds only the foundational support, and we still have a lot to do before we can remove the experimental tag:

- [ ] Multiprocess support
- [ ] Integration with all bindings, SDKs and tests
- [ ] More tests covering the feature matrix (including experimental): mvcc, encryption, views, custom types, fts, checksum etc
- [ ] VACUUM to change page_size, reserved bytes
- [ ] Performance: `preadv` and parallel read/writes
- [ ] Checksum, Encryption
- [ ] Let users specify the temp space for vacuum
- [ ] CDC, Sync, IVM
- [ ] Simulator and whopper tests
- [ ] Antithesis tests
- [ ] Documentation / Manual

I already have a working branch here: tursodatabase/turso#6516 and tursodatabase/turso#6577

There are also some minor bugs / edge cases. I am tracking them separately and those are fixed in #6516

AI did quite horribly on this feature, which is kinda expected. You cannot just one shot into VACUUM. I made a plan first, learning from SQLite's implementation. Yet that implementation sucked and had many bugs: vacuum would try to replace the main file with the temp one, incorrect lock semantics, not blocking readers, incorrect checkpoint handling, and many more. I let AI write the skeleton, then went in to rewrite all the parts. However, some of the bugs introduced by me, due to oversight, were caught by AI. Anyways, AGI when?

Reviewed-by: Jussi Saurio <jussi.saurio@gmail.com>

Closes #6402
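The copy-back step described above (frames written to the source WAL as a single transaction, discarded if something fails midway) can be modelled in a few lines. This is an added example, not code from the Turso repository: it assumes a simplified WAL in which the last frame of a transaction carries a commit marker, as in SQLite's WAL format, and `Frame`, `copy_back`, `recover` and `visible_pages` are hypothetical names.

```rust
use std::collections::BTreeMap;

// Simplified model (assumption): the WAL is a list of frames and only the final
// frame of a transaction has `commit` set. All names here are hypothetical.
#[derive(Clone, Debug, PartialEq)]
struct Frame {
    page_no: u32,
    data: Vec<u8>,
    commit: bool,
}

/// Copy-back: append every page of the compacted temp db to the source WAL as ONE
/// transaction. `fail_after` simulates a crash after that many frames were written.
fn copy_back(wal: &mut Vec<Frame>, temp_pages: &[(u32, Vec<u8>)], fail_after: Option<usize>) -> Result<(), String> {
    let last = temp_pages.len().saturating_sub(1);
    for (i, (page_no, data)) in temp_pages.iter().enumerate() {
        if fail_after == Some(i) {
            return Err(format!("crash after {} frames", i));
        }
        wal.push(Frame { page_no: *page_no, data: data.clone(), commit: i == last });
    }
    Ok(())
}

/// Recovery: only frames up to and including the last commit frame are valid, so a
/// partially written copy-back (no commit frame) is dropped as a whole.
fn recover(wal: &[Frame]) -> Vec<Frame> {
    let valid = wal.iter().rposition(|f| f.commit).map_or(0, |i| i + 1);
    wal[..valid].to_vec()
}

/// Page contents a reader sees: the newest committed frame for each page wins.
fn visible_pages(wal: &[Frame]) -> BTreeMap<u32, Vec<u8>> {
    let mut pages = BTreeMap::new();
    for f in recover(wal) {
        pages.insert(f.page_no, f.data);
    }
    pages
}

fn main() {
    // Constructed sample: one committed pre-vacuum transaction touching pages 1 and 2.
    let mut wal = vec![
        Frame { page_no: 1, data: b"old-1".to_vec(), commit: false },
        Frame { page_no: 2, data: b"old-2".to_vec(), commit: true },
    ];
    let compacted = vec![(1, b"new-1".to_vec()), (2, b"new-2".to_vec())];
    let _ = copy_back(&mut wal, &compacted, Some(1)); // crash mid copy-back
    println!("after crash: {:?}", visible_pages(&wal)); // still the old pages
}
```

The model leaves out the lock handling and the checkpoint that follows copy-back; it only shows why an interrupted copy-back cannot leave readers with a mix of old and compacted pages.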
# Conflicts:
#	.github/workflows/labeler.yml
#	.github/workflows/perf_nightly.yml
#	.github/workflows/publish-cli-npm.yml
#	Cargo.lock
#	Cargo.toml
#	README.md
#	core/connection.rs
#	core/function.rs
#	core/lib.rs
#	core/schema.rs
#	core/translate/delete.rs
#	core/translate/expr.rs
#	core/translate/planner.rs
#	core/translate/schema.rs
#	core/translate/update.rs
#	core/vdbe/execute.rs
#	parser/src/ast/fmt.rs
Merge new Turso

Enable `UPGRADE ... FROM` and also has the initial code for `CREATE DOMAIN` (not yet wired up)