-
Notifications
You must be signed in to change notification settings - Fork 66
fix(deps): update rust crate sha2 to 0.11.0 #714
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. Weβll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Open
svc-secops
wants to merge
1
commit into
main
Choose a base branch
from
renovate/sha2-0.x
base: main
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
+1
β1
Open
Changes from all commits
Commits
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
π΄ This PR introduces a dependency version conflict that breaks the workspace build:
jsonwebtoken v10.3.0requiressha2 = "^0.10.7"(i.e., >=0.10.7, <0.11.0), which is incompatible with the sha2 0.11.0 bump here. The Renovate bot'scargo updatecommand already failed with this exact conflict, leaving Cargo.lock unmodified and the workspace in an inconsistent state. This PR cannot be merged until jsonwebtoken is upgraded to a version that supports sha2 0.11.0, or sha2 is kept at a 0.10.x release.Extended reasoning...
What the bug is and how it manifests
The PR bumps
sha2from0.10.9to0.11.0incrates/apollo-mcp-rhai/Cargo.toml. However, another workspace dependency,jsonwebtoken v10.3.0(required byapollo-mcp-server), declaressha2 = "^0.10.7". In Cargo's semver semantics for pre-1.0 crates,^0.10.7means>=0.10.7, <0.11.0β it does not include 0.11.0. This creates an irreconcilable conflict:apollo-mcp-rhaidemands sha2 0.11.0, whilejsonwebtokendemands sha2 <0.11.0.The specific code path that triggers it
Cargo's resolver must find a single version of
sha2satisfying both constraints simultaneously. Because the two version requirements are mutually exclusive β one requires exactly 0.11.0 and the other requires <0.11.0 β the resolver fails. This is precisely what the svc-secops bot reported: Renovate rancargo update --package sha2@0.10.9 --precise 0.11.0, and cargo exited witherror: failed to select a version for the requirement sha2 = "^0.10.7".Why existing code doesn't prevent it
Renovate's automatic dependency-update process does not verify transitive dependency compatibility before opening a PR. The Cargo.lock file was never updated (it still pins sha2 to 0.10.9) because the update command failed. As a result,
Cargo.tomlandCargo.lockare now inconsistent: any build using--locked(as is typical in CI) will fail immediately because the lock file doesn't satisfy the manifest.Impact
Merging this PR as-is will break the workspace build for all consumers. CI pipelines using
cargo build --lockedorcargo test --lockedwill fail with the same resolver error. Any downstream release or deployment will be blocked until the conflict is resolved.How to fix it
Two viable remedies exist: (1) Keep
sha2at a 0.10.x release (e.g., the latest0.10.xpatch) inapollo-mcp-rhai/Cargo.tomluntiljsonwebtokenis upgraded to a version that depends on sha2^0.11. (2) Upgradejsonwebtokento a release that declaressha2 = "^0.11"(if one exists), allowing both constraints to be satisfied simultaneously.Step-by-step proof
crates/apollo-mcp-rhai/Cargo.tomlline 19:sha2 = "0.11.0"β pinned to exactly 0.11.0.crates/apollo-mcp-server/Cargo.toml(workspace):jsonwebtoken = "^10.3", locked tojsonwebtoken v10.3.0.jsonwebtoken v10.3.0's ownCargo.tomldeclaressha2 = "^0.10.7"β semver range[0.10.7, 0.11.0).sha2 == 0.11.0β©sha2 β [0.10.7, 0.11.0)= β (empty set).error: failed to select a version for the requirement sha2 = "^0.10.7", candidate versions found which didn't match: 0.11.0β exactly as reported by svc-secops bot on 2026-03-28.