
update all rust dependencies #126

Open
mellowagain wants to merge 1 commit into main from deps-update


@mellowagain

Owner

No description provided.

@vercel

vercel Bot commented Jun 30, 2026


The latest updates on your projects. Learn more about Vercel for GitHub.

| Project | Deployment | Actions | Updated (UTC) |
| --- | --- | --- | --- |
| gitarena | Ready | Preview, Comment | Jun 30, 2026 10:19pm |

@qodo-code-review


PR Summary by Qodo

Upgrade Rust workspace dependencies and migrate to newer Actix/SQLx/Base64 APIs

⚙️ Configuration changes ✨ Enhancement 🕐 40+ Minutes


AI Description

• Bump workspace and crate dependency versions across the Rust workspace.
• Update application and proc-macro code for new crate APIs (actix, syn2, base64, sqlx, zip,
 sysinfo).
• Migrate auth/session handling to Actix Session + Identity middleware and adjust OpenAPI schemas.
Diagram

graph TD
  A["Cargo.toml (workspace)"] --> B["gitarena (web app)"] --> F[("Postgres (sqlx)")]
  A --> C["gitarena-macros (proc-macro)"] --> B
  A --> D["gitarena-issues (lib)"] --> B
  B --> E["HTTP / Auth stack"]
  B --> G["Encoding & Crypto"]
  B --> H["DNS resolver"]

  subgraph Legend
    direction LR
    _cfg["Config/Manifest"] ~~~ _crate["Crate/Module"] ~~~ _db[("Database")]
  end
High-Level Assessment

The following are alternative approaches to this PR:

1. Staged dependency upgrades (actix/sqlx/syn separately)
  • ➕ Smaller review surface per PR
  • ➕ Easier bisection if a regression appears
  • ➕ Allows focused testing per subsystem (auth, DB, macros)
  • ➖ More total PR overhead
  • ➖ May require temporary compatibility shims across crates
2. Use cargo-edit automation (cargo upgrade) plus a dedicated migration PR
  • ➕ Fast, reproducible dependency bumps
  • ➕ Separates mechanical version bumps from semantic code migrations
  • ➖ Still requires manual code changes for breaking APIs
  • ➖ Two-step approach may be harder to keep in sync without CI gating
3. Introduce compile-time checked SQL where possible (sqlx macros)
  • ➕ Reduces need for dynamic SQL safety assertions
  • ➕ Catches query issues earlier
  • ➖ Not always compatible with dynamically-built SQL used here
  • ➖ May require additional build-time DB setup or offline data

Recommendation: Current approach (upgrade and migrate in one PR) is reasonable given the tight coupling between dependency versions and required code changes (especially actix-identity/session, syn v2, and sqlx 0.9). To reduce risk, ensure CI runs a full build/test matrix and include targeted runtime checks around login/logout/session persistence and the dynamic SQL paths now wrapped with AssertSqlSafe.

Files changed (48) +346 / -289

Enhancement (5) +39 / -28
mod.rs: Update lettre transport config and enrich OpenAPI schemas +3/-4

• Removes SMTP pool configuration calls (API changes) and adds ToSchema derives and schema ignores for internal-only fields to improve OpenAPI output.

gitarena/src/mail/mod.rs

main.rs: Migrate auth from CookieIdentityPolicy to Actix SessionMiddleware +16/-13

• Replaces IdentityService/CookieIdentityPolicy with SessionMiddleware + CookieSessionStore and IdentityMiddleware, derives a cookie Key from the secret, and adjusts response wrapping code for updated Actix types.

gitarena/src/main.rs

passkey.rs: Update passkey login/register schemas and base64 helpers +7/-4

• Migrates Identity login to the new API, updates URL-safe base64 encoding, and adds schema value_type hints for nested WebAuthn objects in OpenAPI.

gitarena/src/routes/user/api/auth/passkey.rs

key.rs: Migrate base64 encoding and improve OpenAPI schemas for SSH keys +8/-4

• Switches to base64 Engine API for key serialization, adds ToSchema derives, and annotates pubkey field schema/rename behavior.

gitarena/src/ssh/key.rs

user.rs: Update identity extraction and add OpenAPI schemas for User +5/-3

• Adds ToSchema and schema ignores for sensitive fields, and migrates identity handling from identity()/forget() to id().ok()/logout() in request extraction.

gitarena/src/user.rs

Bug fix (3) +16 / -10
download.rs: Update zip writer options and DOS datetime conversion +2/-2

• Migrates from zip::write::FileOptions to SimpleFileOptions and updates DateTime creation to try_from_msdos with a default fallback for invalid values.

gitarena/src/routes/repository/api/download.rs

add_key.rs: Fix key title lifetime by owning comment string when needed +8/-4

• Avoids referencing a temporary by storing the SSH key comment in an owned String when used as the title fallback.

gitarena/src/routes/user/api/add_key.rs

avatar.rs: Harden multipart parsing and update timestamp conversion +6/-4

• Improves error handling for multipart payload reads and missing content disposition, and updates timestamp conversion to newer chrono APIs with a safe fallback.

gitarena/src/routes/user/avatar.rs

Refactor (35) +222 / -185
author.rs: Migrate base64 encoding to Engine API +3/-1

• Replaces deprecated base64::encode usage with the base64 Engine API (general_purpose::STANDARD) to match the upgraded base64 crate.

gitarena-issues/src/author.rs

operation.rs: Update random nonce encoding for new base64 API +3/-1

• Switches nonce generation output to use general_purpose::STANDARD.encode after the base64 crate upgrade.

gitarena-issues/src/operation.rs

ipc_packet.rs: Rewrite ipc attribute parsing for syn v2 +29/-48

• Migrates attribute parsing from syn v1 Meta/NestedMeta APIs to syn v2 parse_nested_meta and updates literal parsing types (LitStr/LitInt). Also switches to proc-macro-error2 for diagnostics.

gitarena-macros/src/ipc_packet.rs

lib.rs: Switch proc-macro error attribute to proc-macro-error2 +1/-1

• Updates the proc_macro_error import to proc-macro-error2 to match the dependency upgrade.

gitarena-macros/src/lib.rs

route.rs: Migrate route macro argument parsing to syn v2 Expr-based AST +39/-31

• Replaces syn v1 AttributeArgs/NestedMeta parsing with a syn v2 Parser that parses comma-terminated Expr items, updating error-type detection and first-argument sanitization accordingly.

gitarena-macros/src/route.rs

build.rs: Migrate build metadata generation from vergen to vergen-gitcl +13/-3

• Replaces vergen(Config::default()) with vergen_gitcl's Emitter-based instruction emission and updates main() to return a Result.

gitarena/build.rs

geoip.rs: Update maxminddb lookup/decode flow for new API +7/-5

• Adjusts GeoIP lookup handling to use a lookup result that is decoded into geoip2::City and updates name extraction to the newer structured english fields.

gitarena/src/geoip.rs

basic_auth.rs: Update Basic auth base64 decoding for Engine API +3/-1

• Replaces base64::decode with general_purpose::STANDARD.decode to match base64 0.22+ API changes.

gitarena/src/git/basic_auth.rs

passkey.rs: Update URL-safe base64 decoding for passkey attestation parsing +4/-2

• Moves from base64::decode_config(URL_SAFE_NO_PAD) to general_purpose::URL_SAFE_NO_PAD.decode and keeps CBOR parsing behavior consistent.

gitarena/src/passkey.rs

audit_log.rs: Wrap dynamic SQL strings with SQLx AssertSqlSafe +26/-20

• Updates query_as calls that use formatted SQL strings to pass sqlx::AssertSqlSafe, matching newer SQLx safety expectations.

gitarena/src/routes/admin/audit_log.rs

users.rs: Mark formatted admin user list SQL as AssertSqlSafe +2/-2

• Wraps the formatted query string with sqlx::AssertSqlSafe for SQLx 0.9 compatibility.

gitarena/src/routes/admin/users.rs

audit_log.rs: Update personal audit log queries for SQLx 0.9 safety API +10/-8

• Wraps formatted SQL query strings in AssertSqlSafe while preserving bind parameters and pagination behavior.

gitarena/src/routes/events/audit_log.rs

contributions.rs: Mark contribution queries as AssertSqlSafe +2/-2

• Wraps dynamically-constructed event and contributor queries in sqlx::AssertSqlSafe for updated SQLx requirements.

gitarena/src/routes/events/contributions.rs

dashboard.rs: Adjust dashboard feed queries for AssertSqlSafe +6/-2

• Changes query_as to use AssertSqlSafe(query.as_str()) for both filtered and unfiltered variants, keeping parameter binding intact.

gitarena/src/routes/events/dashboard.rs

org_audit_log.rs: Update org audit log query_as calls with AssertSqlSafe +10/-8

• Wraps formatted SQL in AssertSqlSafe for both filtered and unfiltered code paths.

gitarena/src/routes/events/org_audit_log.rs

user_feed.rs: Update user feed dynamic SQL calls for SQLx safety +2/-2

• Switches to sqlx::query_as(AssertSqlSafe(query.as_str())) while preserving ordering/pagination binds.

gitarena/src/routes/events/user_feed.rs

explore.rs: Pass built explore query via AssertSqlSafe +1/-1

• Wraps the constructed SQL string in AssertSqlSafe before executing, aligning with SQLx 0.9 expectations.

gitarena/src/routes/explore.rs

repos.rs: Wrap organization repo listing SQL with AssertSqlSafe +4/-1

• Marks the dynamically-built list query as SQL-safe for SQLx and preserves existing bind usage.

gitarena/src/routes/organization/api/repos.rs

archive.rs: Mark repository archive toggle update SQL as AssertSqlSafe +6/-4

• Wraps the formatted UPDATE statement with AssertSqlSafe for SQLx compatibility while keeping the archive/unarchive behavior unchanged.

gitarena/src/routes/repository/api/archive.rs

create_repo.rs: Wrap formatted repository create/exists checks with AssertSqlSafe +4/-4

• Updates both the exists query and insert query to pass AssertSqlSafe around formatted SQL statements.

gitarena/src/routes/repository/api/create_repo.rs

fork_repo.rs: Wrap fork validation/insert SQL with AssertSqlSafe +4/-4

• Marks formatted SQL strings as safe for SQLx 0.9 in both pre-check and insertion steps.

gitarena/src/routes/repository/api/fork_repo.rs

import_repo.rs: Wrap import repo validation/insert SQL with AssertSqlSafe +4/-4

• Updates formatted SQL queries to use AssertSqlSafe for compatibility with newer SQLx.

gitarena/src/routes/repository/api/import_repo.rs

mod.rs: Mark reactions aggregation query as AssertSqlSafe +1/-1

• Wraps the dynamically-generated reactions query string in AssertSqlSafe while keeping bindings and grouping intact.

gitarena/src/routes/repository/api/issues/mod.rs

star.rs: Wrap fork count dynamic query with AssertSqlSafe +5/-1

• Updates query_as call to pass AssertSqlSafe(query) and expands formatting for readability without changing behavior.

gitarena/src/routes/repository/api/star.rs

login.rs: Migrate login to new Actix Identity login API +2/-3

• Stops injecting Identity as an extractor and instead logs in via Identity::login using request extensions (requires HttpMessage import).

gitarena/src/routes/user/api/auth/login.rs

logout.rs: Update logout flow for new Identity API +2/-2

• Switches from identity()/forget() to id().ok() and logout() for session lookup and invalidation.

gitarena/src/routes/user/api/auth/logout.rs

emails.rs: Wrap formatted email existence query with AssertSqlSafe +6/-4

• Marks the formatted SQL query string as safe for SQLx while keeping the verified-filter behavior unchanged.

gitarena/src/routes/user/api/emails.rs

profile.rs: Wrap dynamic profile repo query with AssertSqlSafe +1/-1

• Updates query_as to use AssertSqlSafe for the dynamically-built SQL string.

gitarena/src/routes/user/api/profile.rs

sessions.rs: Update session lookup to new Identity id() API +3/-3

• Replaces identity() string access with id().ok() across session listing and deletion endpoints.

gitarena/src/routes/user/api/sessions.rs

sso.rs: Update SSO identity checks and login for new Actix Identity API +3/-3

• Uses id().is_ok() to detect logged-in state and logs in via Identity::login on request extensions instead of remember().

gitarena/src/routes/user/api/sso.rs

user_create.rs: Update registration login path for new Actix Identity API +3/-3

• Switches already-logged-in checks to id().is_ok() and uses Identity::login via request extensions after session creation.

gitarena/src/routes/user/user_create.rs

user_logout.rs: Update logout route for new Identity id()/logout() methods +3/-3

• Migrates identity presence checks and session destruction to use id().ok() and logout() instead of identity()/forget().

gitarena/src/routes/user/user_logout.rs

mod.rs: Update russh LineEnding import path +1/-1

• Adjusts import to russh::keys::ssh_key::LineEnding due to russh API changes in the upgraded version.

gitarena/src/ssh/mod.rs

mod.rs: Switch DNS resolver from trust-dns-resolver to hickory-resolver +7/-3

• Replaces TokioAsyncResolver initialization with hickory_resolver::TokioResolver builder-based setup using system DNS config.

gitarena/src/utils/mod.rs

system.rs: Update sysinfo refresh APIs for new sysinfo version +2/-2

• Removes deprecated SystemExt import and updates System initialization to use RefreshKind::nothing().with_memory(MemoryRefreshKind::everything()).

gitarena/src/utils/system.rs

Documentation (1) +1 / -0
events.rs: Adjust OpenAPI schema for IpNetwork field +1/-0

• Adds a utoipa schema override for ip_address to render as Option<String> for documentation/serialization compatibility.

gitarena/src/events.rs

Other (4) +68 / -66
Cargo.toml: Bump shared workspace deps and add sha2 to workspace +8/-7

• Updates core workspace dependency versions (anyhow/base64/chrono/serde/tracing/uuid) and adds sha2 as a shared workspace dependency to centralize usage across crates.

Cargo.toml

Cargo.toml: Use workspace sha2 and update dev-dependencies +3/-3

• Switches sha2 to the workspace dependency and bumps dev tools (tempfile/which) to newer versions.

gitarena-issues/Cargo.toml

Cargo.toml: Upgrade proc-macro stack (syn2, proc-macro-error2) +4/-4

• Moves from proc-macro-error to proc-macro-error2 and upgrades proc-macro2/quote/syn to modern versions (syn v2).

gitarena-macros/Cargo.toml

Cargo.toml: Major dependency upgrades (Actix, SQLx, telemetry, tooling) +53/-52

• Upgrades a large set of app dependencies, including Actix identity/multipart/web, SQLx, Tokio, tracing/opentelemetry, zip, sysinfo, and introduces actix-session and hickory-resolver while removing trust-dns-resolver usage.

gitarena/Cargo.toml
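
The summary above describes many `format!`-built queries now being passed as `AssertSqlSafe(query.as_str())` with bind parameters kept. The wrapper records the caller's assertion and does not inspect the string, so the builder has to make it true. The following is an added example, not code from this PR or from SQLx: a std-only builder that splices only allow-listed identifiers and leaves every request value in a bind slot. The table, column and type names are hypothetical.

```rust
// Added example: std-only; table and column names are hypothetical.
const SORT_COLUMNS: &[&str] = &["created_at", "event_type", "actor_id"];
const MAX_LIMIT: i64 = 100;

#[derive(Debug, PartialEq)]
pub enum Bind {
    Text(String),
    Int(i64),
}

#[derive(Debug, PartialEq)]
pub enum BuildError {
    UnknownSortColumn(String),
    LimitOutOfRange(i64),
}

#[derive(Debug, PartialEq)]
pub struct BuiltQuery {
    pub sql: String,      // static fragments and allow-listed identifiers only
    pub binds: Vec<Bind>, // request-derived values, in placeholder order
}

pub fn build_audit_query(
    actor: Option<&str>,
    sort_by: &str,
    descending: bool,
    limit: i64,
) -> Result<BuiltQuery, BuildError> {
    // Take the identifier from the allow-list itself, so the text spliced into
    // the query is a compile-time constant and never a copy of request input.
    let column = SORT_COLUMNS
        .iter()
        .copied()
        .find(|c| *c == sort_by)
        .ok_or_else(|| BuildError::UnknownSortColumn(sort_by.to_owned()))?;
    if limit < 1 || limit > MAX_LIMIT {
        return Err(BuildError::LimitOutOfRange(limit));
    }
    let direction = if descending { "desc" } else { "asc" };

    let mut sql = String::from("select * from audit_log");
    let mut binds = Vec::new();
    if let Some(name) = actor {
        // The value goes into a bind slot; only its placeholder number is formatted in.
        binds.push(Bind::Text(name.to_owned()));
        sql.push_str(&format!(" where actor_name = ${}", binds.len()));
    }
    binds.push(Bind::Int(limit));
    sql.push_str(&format!(" order by {} {} limit ${}", column, direction, binds.len()));
    Ok(BuiltQuery { sql, binds })
}

fn main() {
    // Constructed inputs: a hostile filter value stays in `binds`, a hostile sort key is refused.
    println!("{:?}", build_audit_query(Some("x' or '1'='1"), "created_at", true, 20));
    println!("{:?}", build_audit_query(None, "created_at; --", false, 20));
}
```

A string produced this way is the kind of value the `AssertSqlSafe` assertion holds for; a review of the wrapped call sites would check that each `format!` argument is either a constant or resolved through a list like `SORT_COLUMNS`.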

@qodo-code-review


Code Review by Qodo

🐞 Bugs (1) 📘 Rule violations (0) 📜 Skill insights (0)

Informational

1. Multipart error chain lost 🐞 Bug ◔ Observability
Description
put_avatar now turns multipart read errors into formatted strings (anyhow!("{err}") /
anyhow!("{e}")), which discards the original error type/source chain and makes failures harder to
debug.
Code

gitarena/src/routes/user/avatar.rs[R88-94]

+        Err(err) => return Err(anyhow::anyhow!("{err}")),
    };

-    let content_disposition = field.content_disposition();
+    let content_disposition = field.content_disposition().ok_or_else(|| err!(BAD_REQUEST, "No content disposition header"))?;
    let file_name = content_disposition.get_filename().ok_or_else(|| err!(BAD_REQUEST, "No file name"))?;
    let extension = file_name
        .rsplit_once('.')
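
Review bot: The added `Err(err)` arm at the top of this hunk returns a plain `anyhow` error, while the two `ok_or_else` lines below it report a missing content disposition header and a missing file name through `err!(BAD_REQUEST, …)`. If a multipart read failure at this point is also the result of a malformed client request, map it through `err!(BAD_REQUEST, …)` too so the three client-side failures are reported consistently, and pass `err` along as the source instead of formatting it into the message.
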
Evidence
The updated code converts multipart errors into new anyhow errors built from a formatted string,
which by construction cannot preserve the original error as a source; this is visible directly in
the new match arm and chunk read mapping.

gitarena/src/routes/user/avatar.rs[85-103]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

### Issue description
`put_avatar` currently stringifies multipart errors into a fresh `anyhow` error, which drops the original error as the source (no chained causes). This reduces diagnostic value in logs/error rendering.

### Issue Context
This regression was introduced during the dependency update (actix-multipart API changes). The handler previously preserved the underlying error via conversion.

### Fix Focus Areas
- gitarena/src/routes/user/avatar.rs[85-103]

### Suggested fix
- Replace `return Err(anyhow::anyhow!("{err}"))` with `return Err(err.into())` **or** `return Err(anyhow::Error::new(err))`.
- Replace `.map_err(|e| anyhow::anyhow!("{e}"))?` with `.map_err(anyhow::Error::new)?` or `.context("Failed to read multipart data chunk")?` to keep the source chain while adding context.



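The review finding above is about an error's source chain being lost when the error is formatted into a new message. The following is an added example, not code from this PR: it uses only `std::error::Error` with hypothetical `UploadError` and `HandlerError` types standing in for the multipart and `anyhow` errors, and compares what a log or incident responder can still recover from each form.

```rust
use std::error::Error;
use std::fmt;
use std::io;

/// Stand-in for a multipart read error with a lower-level cause (hypothetical type).
#[derive(Debug)]
pub struct UploadError {
    cause: io::Error,
}
impl fmt::Display for UploadError {
    fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
        write!(f, "failed to read multipart field")
    }
}
impl Error for UploadError {
    fn source(&self) -> Option<&(dyn Error + 'static)> {
        Some(&self.cause)
    }
}

/// Handler-level error (hypothetical), playing the role of the application's error type.
#[derive(Debug)]
pub struct HandlerError {
    message: String,
    cause: Option<Box<dyn Error + Send + Sync + 'static>>,
}
impl HandlerError {
    /// Lossy: keeps only the rendered text, like formatting an error into a new message.
    pub fn stringified(err: &dyn Error) -> Self {
        HandlerError { message: err.to_string(), cause: None }
    }
    /// Preserving: adds context and keeps the original error as the source.
    pub fn wrapping<E: Error + Send + Sync + 'static>(context: &str, err: E) -> Self {
        HandlerError { message: context.to_owned(), cause: Some(Box::new(err)) }
    }
}
impl fmt::Display for HandlerError {
    fn fmt(&self, f: &mut fmt::Formatter) -> fmt::Result {
        write!(f, "{}", self.message)
    }
}
impl Error for HandlerError {
    fn source(&self) -> Option<&(dyn Error + 'static)> {
        self.cause.as_deref().map(|e| e as &(dyn Error + 'static))
    }
}

/// Every message reachable by following `source()`, outermost first.
pub fn chain(err: &dyn Error) -> Vec<String> {
    let mut out = vec![err.to_string()];
    let mut cur = err.source();
    while let Some(e) = cur {
        out.push(e.to_string());
        cur = e.source();
    }
    out
}

/// The `io::ErrorKind` of the first I/O error in the chain, if one is still attached.
pub fn root_io_kind(err: &(dyn Error + 'static)) -> Option<io::ErrorKind> {
    let mut cur = Some(err);
    while let Some(e) = cur {
        if let Some(io_err) = e.downcast_ref::<io::Error>() {
            return Some(io_err.kind());
        }
        cur = e.source();
    }
    None
}

/// Constructed sample failure: a read that ended before the upload was complete.
pub fn sample_upload_error() -> UploadError {
    UploadError { cause: io::Error::new(io::ErrorKind::UnexpectedEof, "connection reset mid-upload") }
}
```

With the stringified form, only the top-level message survives and the I/O kind can no longer be matched on; the wrapping form keeps all three levels available to logging and alerting.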