deps(core)(deps): update bincode requirement from 1 to 3 in /src/lib/mlxcel-core #10

Closed
dependabot[bot] wants to merge 1 commit into main from dependabot/cargo/src/lib/mlxcel-core/bincode-3

@dependabot dependabot Bot commented on behalf of github May 18, 2026

Updates the requirements on bincode to permit the latest version.

@dependabot dependabot Bot added the labels area:core (mlxcel-core: MLX FFI, primitives, KV cache, layers) and type:dependency (Dependency updates) May 18, 2026

Updates the requirements on [bincode](https://github.com/bincode-org/bincode) to permit the latest version.
- [Commits](https://github.com/bincode-org/bincode/commits)

---
updated-dependencies:
- dependency-name: bincode
  dependency-version: 3.0.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/cargo/src/lib/mlxcel-core/bincode-3 branch from 5a659c2 to 2f14fa3 May 18, 2026 08:29

@inureyes
Member

Closing — superseded by the postcard migration scheduled for #8.

The mlxcel team has decided to migrate mlxcel-core off bincode
entirely (to postcard 1.x) per the architectural choice in #8,
rather than upgrading to bincode 3.x. Reasons:

  • bincode 1.x → 3.x is not a drop-in upgrade — the API changes
    significantly, and the 2.x / 3.x project is maintained by a
    different team than the original (1.x). Same crate name, different
    project history; carries name-confusion risk.
  • postcard is a stable 1.0+ serde-based alternative with a frozen
    wire format and a much wider embedded-Rust ecosystem footprint,
    which is a better fit for an inference-runtime cache.
  • Once #8 (refactor: migrate mlxcel-core off unmaintained bincode 1.x)
    lands, bincode is removed from the dependency tree
    entirely, and the RUSTSEC-2025-0141 ignore in deny.toml is
    removed as part of that PR.

So this auto-generated security update is no longer applicable.

@inureyes inureyes closed this May 18, 2026
@dependabot @github
Contributor Author

dependabot Bot commented on behalf of github May 18, 2026

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting `@dependabot ignore this major version` or `@dependabot ignore this minor version`. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired `update_types` to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

@dependabot dependabot Bot deleted the dependabot/cargo/src/lib/mlxcel-core/bincode-3 branch May 18, 2026 08:44
inureyes added a commit that referenced this pull request May 18, 2026
…16)

Closes #8.

Migrates `mlxcel-core`'s `TokenLanguageIndex` on-disk cache off the
unmaintained `bincode` 1.x (RUSTSEC-2025-0141 — project permanently
ceased development) to `postcard` 1.x.

## Architectural choice — postcard

- Drop-in serde-based API (`postcard::to_allocvec(&v)?` /
  `postcard::from_bytes::<T>(&bytes)?`) — minimal call-site change.
- 1.0+ stable with frozen wire format — protects production users'
  cache compatibility across future dependency upgrades.
- Embedded Rust ecosystem standard — natural fit for an
  inference-runtime cache.

Alternatives considered: `bitcode` (faster but pre-1.0, wire-format
changes between minors), `rkyv` (zero-copy over-engineering for a
startup-time cache), `bincode` 2.x / 3.x (different maintainer team,
name-confusion risk — Dependabot's auto-PR #10 to bincode 3.x was
explicitly closed in favor of this approach).

## Cache compatibility — graceful degradation

`lang_analyzer/cache.rs` already has corrupt-detection: a
deserialization failure renames the existing bincode-format file to
`*.broken.<epoch>.bak` and rebuilds the cache from source. Users
upgrading from a prior mlxcel release will trip this path
automatically on the first cache read — no explicit migration code
needed.

## Scope (3 files + Cargo.lock)

- `src/lib/mlxcel-core/Cargo.toml` — `bincode = "1"` → `postcard = { version = "1", features = ["alloc"] }`
- `src/lib/mlxcel-core/src/lang_analyzer/cache.rs` — 3 call sites + doc comments
- `src/lib/mlxcel-core/src/lang_analyzer/mod.rs` — error variant `Bincode` → `Postcard` (no external match-arms on it, safe rename)
- `deny.toml` — RUSTSEC-2025-0141 `[advisories.ignore]` entry removed (no longer applicable)

Verified locally: `cargo deny check` clean (advisories ok, bans ok,
licenses ok, sources ok); `cargo tree -p mlxcel-core -i bincode`
returns "package not found" — bincode is fully removed from the
dependency tree.

Self-hosted clippy + test gate is queued behind the PR #14 cold-build
backlog at merge time; will run on main after the runner clears.
@inureyes inureyes self-assigned this May 18, 2026
@inureyes inureyes added the status:done Completed label May 18, 2026
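
The quarantine-and-rebuild behaviour the commit message describes for `lang_analyzer/cache.rs`, as an added std-only example (not mlxcel's code). `decode`/`encode` are a hypothetical stand-in for `postcard::from_bytes` / `postcard::to_allocvec`, and `load_or_rebuild` and the file names are assumptions.

```rust
use std::fs;
use std::io;
use std::path::{Path, PathBuf};
use std::time::{SystemTime, UNIX_EPOCH};

// Stand-in codec (assumption): one length byte, then exactly that many entries.
// A real cache would call postcard::from_bytes::<T>(&bytes) here instead.
fn decode(bytes: &[u8]) -> Option<Vec<u8>> {
    let (&n, rest) = bytes.split_first()?;
    (rest.len() == n as usize).then(|| rest.to_vec())
}

fn encode(v: &[u8]) -> Vec<u8> {
    let mut out = vec![v.len() as u8]; // toy format: at most 255 entries
    out.extend_from_slice(v);
    out
}

// Returns the cache value, plus the quarantine path if the old file failed to decode.
fn load_or_rebuild(path: &Path, rebuild: impl Fn() -> Vec<u8>) -> io::Result<(Vec<u8>, Option<PathBuf>)> {
    let mut quarantined = None;
    match fs::read(path) {
        Ok(bytes) => {
            if let Some(v) = decode(&bytes) {
                return Ok((v, None));
            }
            // Undecodable file: keep it for inspection as <name>.broken.<epoch>.bak.
            let epoch = SystemTime::now().duration_since(UNIX_EPOCH).map(|d| d.as_secs()).unwrap_or(0);
            let bak = PathBuf::from(format!("{}.broken.{}.bak", path.display(), epoch));
            fs::rename(path, &bak)?;
            quarantined = Some(bak);
        }
        Err(e) if e.kind() == io::ErrorKind::NotFound => {} // first run: nothing to quarantine
        Err(e) => return Err(e),                             // permission or I/O errors are not "corrupt"
    }
    let fresh = rebuild();
    fs::write(path, encode(&fresh))?;
    Ok((fresh, quarantined))
}

fn main() -> io::Result<()> {
    let path = std::env::temp_dir().join("demo_token_lang.cache");
    fs::write(&path, b"\x09old-format")?; // constructed stale file in an older format
    let (value, bak) = load_or_rebuild(&path, || vec![1, 2, 3])?;
    println!("value={:?} quarantined={:?}", value, bak);
    Ok(())
}
```

Only a decode failure triggers the rename; other read errors are returned to the caller so a permissions problem is not mistaken for a stale cache.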