What are you really trying to do?
Keep the Rust SDK's dependency tree free of unmaintained crates reported by cargo audit / RustSec.
Describe the issue
The SDK currently depends on the backoff crate for exponential retry delays. RUSTSEC-2025-0012 (RustSec advisory) reports that backoff is unmaintained and recommends migrating to backon for exponential backoff/retry.
backoff is used in:
temporalio-client — gRPC call retry (TonicErrorHandler in crates/client/src/retry.rs)
temporalio-sdk-core — poller autoscaling error backoff (crates/sdk-core/src/pollers/poll_buffer.rs)
Proposed change
Replace backoff with backon in both crates, using backon::ExponentialBuilder / ExponentialBackoff (Iterator::next() for delays). Each crate should depend on backon directly so sdk-core does not need to route retry utilities through client.
Additional context
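The proposed change relies on the delay schedule being a plain iterator (`Iterator::next()` for delays). As an added example, not code from the SDK or from backon, the sketch below shows a retry loop written against `Iterator<Item = Duration>` only, so the crate that supplies the schedule can be replaced without touching the loop. `ExpDelays`, `retry`, `simulate` and `CallError` are hypothetical names, and `ExpDelays` is a std-only stand-in schedule so the block builds without external dependencies.

```rust
use std::time::Duration;

#[derive(Debug, PartialEq)]
enum CallError { Unavailable, InvalidArgument } // constructed error kinds

// Std-only stand-in for an exponential schedule (assumption, not backon's code):
// yields min, min*factor, ... capped at `max`, and `None` after `left` delays.
struct ExpDelays { next: Duration, max: Duration, factor: u32, left: usize }

impl Iterator for ExpDelays {
    type Item = Duration;
    fn next(&mut self) -> Option<Duration> {
        if self.left == 0 { return None; }
        self.left -= 1;
        let d = self.next.min(self.max);
        self.next = d.saturating_mul(self.factor);
        Some(d)
    }
}

// Hypothetical retry driver. It only needs `Iterator<Item = Duration>`, so the
// crate that supplies the schedule can change without touching this loop.
fn retry<T, E>(mut delays: impl Iterator<Item = Duration>, mut sleep: impl FnMut(Duration),
               retryable: impl Fn(&E) -> bool, mut op: impl FnMut() -> Result<T, E>) -> Result<T, E> {
    loop {
        match op() {
            Ok(v) => return Ok(v),
            Err(e) if !retryable(&e) => return Err(e), // fail fast, no delay
            Err(e) => match delays.next() {
                Some(d) => sleep(d),
                None => return Err(e), // schedule exhausted: retries stay bounded
            },
        }
    }
}

// Constructed scenario: the first `fail_first` calls fail, later calls succeed.
// The sleeper records delays instead of blocking so the schedule can be inspected.
fn simulate(fail_first: u32, fatal: bool, max_times: usize) -> (Result<u32, CallError>, Vec<Duration>) {
    let (mut slept, mut calls) = (Vec::new(), 0u32);
    let delays = ExpDelays { next: Duration::from_millis(100), max: Duration::from_secs(1), factor: 2, left: max_times };
    let res = retry(delays, |d| slept.push(d), |e: &CallError| *e == CallError::Unavailable, || {
        calls += 1;
        if calls > fail_first { Ok(calls) } else if fatal { Err(CallError::InvalidArgument) } else { Err(CallError::Unavailable) }
    });
    (res, slept)
}

fn main() { println!("{:?}", simulate(2, false, 5)); }
```

Recording the delays rather than sleeping makes it possible to compare the old and new schedules in a unit test before the dependency is swapped.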