Skip to content

Upgrade dependencies to the latest incompatible version #299

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
tgross35 wants to merge 11 commits into
base: master
Choose a base branch
from
Open

Upgrade dependencies to the latest incompatible version #299

tgross35 wants to merge 11 commits into from

Conversation

@tgross35
Copy link
Contributor

@tgross35 tgross35 commented Jun 17, 2025

Upgrade rand, tiny_http, env_logger, and brotli to the latest across breaking versions.

Based on top of #298 so there is less to do.

tgross35 added 11 commits June 17, 2025 18:09
@tgross35
Remove unused integrations from rouille-multipart
8d46eb5 
Perform a first pass to eliminate a large number of dependencies and
features from `rouille-multipart` that are not needed for `rouille`.

The `rouille-multipart` version is bumped here since this represents an
API break.
@tgross35
ci: Include rouille-multipart in tests
e60417f
@tgross35
multipart: Replace quick-error with the more modern thiserror
3bf43bd
@tgross35
multipart: Replace extern crate imports
91984c3 
Eliminate `extern crate` that isn't needed in the 2021 edition. Also use
this as an opportunity to apply std-external-crate import sorting.

Some of the fuzzers and binary files got reformatted here, but they
still don't build correctly.
@tgross35
multipart: Replace twoway with the more modern memchr
d542842 
`memchr` is already in the tree via `serde_json` and `buffer-redux`.
@tgross35
multipart: Drop the clippy dependency
68899cb 
Clippy is now a standalone tool so this isn't needed.
@tgross35
multipart: Replace the safemem dependency with Vec::splice
bf9a18a
@tgross35
Upgrade rand to 0.9
4d83268 
Perform the incompatible upgrade for both `rouille` and
`rouille-multipart`. The MSRV is still 1.63.

This eliminates one version of `rand` from the graph.
@tgross35
multipart: Upgrade tiny_http to the latest version
97b4528 
The same version is now used in both `rouille` and `rouille-multipart`.
@tgross35
multipart: Upgrade env_logger to the latest version
dc41b8e
@tgross35
Upgrade brotli to the latest version
d9bdb33 
Brotli's MSRV is still 1.59.0.
cbandy
cbandy approved these changes Dec 19, 2025
View reviewed changes
rouille-multipart/Cargo.toml

# Only for Rocket example but dev-dependencies can't be optional
rocket = { version = "0.4", optional = true }
tiny_http = { version = "0.12", optional = true }
Copy link

@cbandy cbandy Dec 19, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍🏻 This resolves an indirect vulnerability identified by cargo-deny.

rouille-multipart/Cargo.toml

[dev-dependencies]
env_logger = "0.5"
env_logger = "0.11"
Copy link

@cbandy cbandy Dec 19, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍🏻 This removes unsound behavior caused by an unmaintained dependency identified by cargo-deny.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@cbandy cbandy cbandy approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@tgross35 @cbandy