20260413 update clvmr main 0 17 5

[prozacchiwawa]

Note

Medium Risk
Moderate risk due to a major dependency upgrade (clvmr) plus changes to dialect flag handling during program execution, which could subtly affect CLVM operator behavior. CI/toolchain pinning and lockfile churn are lower risk but may impact build reproducibility across environments.

Overview
Upgrades core Rust dependencies to align with clvmr 0.17.5 (and related crypto/random crates), updating Cargo.toml/Cargo.lock and the wasm crate’s dependency set.

Updates classic CLVM execution/compilation glue to match the new clvmr dialect API: replaces raw flag bitmasks with ClvmFlags, adds choose_run_flags, and ensures CompilerOperatorsInternal synchronizes/restores dialect flags around nested run_program calls.

Pins CI and repo toolchains to Rust 1.94.1 across workflows and rust-toolchain.toml/wasm/rust-toolchain.toml, and adjusts the npm wasm build step to set RUSTFLAGS for a custom getrandom backend and MVP CPU target.

^{Reviewed by Cursor Bugbot for commit f2fcd69. Bugbot is set up for automated code reviews on this repo. Configure here.}

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	cargo/​wasm-bindgen@​0.2.100 ⏵ 0.2.93	-5		-3
	cargo/​getrandom@​0.2.15 ⏵ 0.4.2	-19
	cargo/​js-sys@​0.3.77 ⏵ 0.3.70	+1		-3
	cargo/​chia-bls@​0.42.0 ⏵ 0.37.0
	cargo/​rand@​0.8.5 ⏵ 0.10.1	+1	+1
	cargo/​rand_chacha@​0.3.1 ⏵ 0.10.0
	cargo/​rand_core@​0.6.4 ⏵ 0.10.1
	cargo/​clvmr@​0.16.2 ⏵ 0.17.6

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Native binaries present: cargo wit-component Location: Package overview From: ? → cargo/getrandom@0.4.2 → cargo/wit-component@0.244.0 ℹ Read more on: This package | This alert | Why is native code a concern? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Verify that the inclusion of native code is expected and necessary for this package's functionality. If it is unnecessary or unexpected, consider using alternative packages without native code to mitigate potential risks. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore cargo/wit-component@0.244.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Ignoring alerts on:

• cargo/anyhow@1.0.102
• cargo/libm@0.2.16
• cargo/malachite-nz@0.9.1
• cargo/paste@1.0.15
• cargo/prettyplease@0.2.36
• cargo/prettyplease@0.2.34
• cargo/wasmparser@0.244.0
• cargo/wit-bindgen@0.51.0
• cargo/wit-bindgen@0.57.1
• cargo/wit-bindgen-rust@0.51.0
• cargo/wit-bindgen-rust-macro@0.51.0

View full report

[prozacchiwawa]

@SocketSecurity ignore cargo/libm@0.2.16

[prozacchiwawa]

@SocketSecurity ignore cargo/malachite-nz@0.9.1

[prozacchiwawa]

@SocketSecurity ignore cargo/paste@1.0.15

[prozacchiwawa]

@SocketSecurity ignore cargo/anyhow@1.0.102

[aqk]

@SocketSecurity ignore cargo/prettyplease@0.2.34 cargo/wasmparser@0.244.0 cargo/wit-bindgen-rust-macro@0.51.0 cargo/wit-bindgen-rust@0.51.0 cargo/wit-bindgen@0.57.1

[aqk]

@SocketSecurity ignore cargo/prettyplease@0.2.34 cargo/wasmparser@0.244.0 cargo/wit-bindgen-rust-macro@0.51.0 cargo/wit-bindgen-rust@0.51.0 cargo/wit-bindgen@0.57.1 cargo/prettyplease@0.2.36 cargo/wit-bindgen@0.51.0

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.}

^{Reviewed by Cursor Bugbot for commit 5cc5d54. Configure here.}