chore(deps): bump tonic-web from 0.12.3 to 0.14.5#490
Closed
dependabot[bot] wants to merge 1 commit intomainfrom
Closed
chore(deps): bump tonic-web from 0.12.3 to 0.14.5#490dependabot[bot] wants to merge 1 commit intomainfrom
dependabot[bot] wants to merge 1 commit intomainfrom
Conversation
Bumps [tonic-web](https://github.com/hyperium/tonic) from 0.12.3 to 0.14.5. - [Release notes](https://github.com/hyperium/tonic/releases) - [Changelog](https://github.com/hyperium/tonic/blob/master/CHANGELOG.md) - [Commits](hyperium/tonic@v0.12.3...v0.14.5) --- updated-dependencies: - dependency-name: tonic-web dependency-version: 0.14.5 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
Bot
added
dependencies
|
🤖 Dependabot auto-merge skipped — CI not green (status: failed). Manual review required. |
|
🤖 Dependabot auto-merge skipped — compatibility score % is below 75% threshold. Manual review required. |
Member
|
Superseded by #504 — these 4 major version bumps cross-depend (tonic 0.14 needs prost 0.14, sha2 0.11 needs pbkdf2 0.13) so they must land bundled. Single PR contains all migrations + verifier. Closing. |
Contributor
Author
|
OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting If you change your mind, just re-open this PR and I'll resolve any conflicts on it. |
satyakwok
added a commit
that referenced
this pull request
May 6, 2026
* chore(deps): bundle major bumps tonic 0.14, prost 0.14, sha2 0.11, pbkdf2 0.13 Supersedes dependabot PRs #490 #492 #493 #494 — those individual bumps fail CI in isolation because the four crates are cross-dependent: - tonic 0.14 requires prost 0.14 (ProstCodec moved from tonic::codec to a new tonic-prost crate) - tonic-web 0.14 follows tonic - sha2 0.11 needs pbkdf2 0.13 (older pbkdf2's hmac trait bound on sha2 doesn't satisfy under sha2 0.11's CoreProxy) Bundling lands all four together so the workspace compiles + tests pass at every step. Migration notes: - tonic-build 0.14 split prost-specific codegen into tonic-prost-build. crates/sentrix-grpc/build.rs now uses tonic_prost_build::configure + compile_with_config (the old compile_protos_with_config method was renamed). Added tonic-prost + tonic-prost-build deps. - No sentrix code uses tonic::codec types directly (gRPC service is skeleton-only with Unimplemented handlers; runtime codec is generated by the build script). So no src changes needed beyond build.rs. - sha2 0.11 + pbkdf2 0.13 just bumped together; existing call sites use the trait re-exports unchanged. Versions on workspace: sha2: 0.10 → 0.11 (7 Cargo.toml files) pbkdf2: 0.12 → 0.13 (2 files: workspace + sentrix-wallet) tonic: 0.12 → 0.14 (sentrix-node + sentrix-grpc) tonic-web: 0.12 → 0.14 (sentrix-node) tonic-build: 0.12 → 0.14 (sentrix-grpc dev) tonic-prost: NEW 0.14 (sentrix-grpc dep) tonic-prost-build: NEW 0.14 (sentrix-grpc dev) prost: 0.13 → 0.14 (sentrix-grpc) prost-build: 0.13 → 0.14 (sentrix-grpc dev) Verification: cargo check --workspace --tests → pass cargo clippy --workspace --tests -- -D warnings → zero warnings cargo test --workspace --lib → 714 unit tests pass cargo test --workspace --tests → all integration tests pass * chore: cargo update -p multihash — drop yanked core2 0.4.0 dep cargo audit warning surfaced on every CI run since core2's upstream yanked 0.4.0 from crates.io. Path: sentrix-network → libp2p 0.56.0 → libp2p-noise → multiaddr → multihash 0.19.3 → core2 0.4.0 ← yanked multihash 0.19.5 drops the core2 dep entirely (no_std std::io shim inlined or replaced). `cargo update -p multihash` was the right lever — multihash 0.19.x semver caret allows the bump without disturbing libp2p 0.56.0 or anything above. Bump removes core2 from Cargo.lock; build + cargo check stay clean (20s). Not addressed here (separate PR): - hickory-proto 0.25.2 RUSTSEC-2026-0118 + 0119 - tracing-subscriber 0.2.25 RUSTSEC-2025-0055 These are real vulnerabilities, pre-existing, and currently shown as ::warning:: annotations because the CI audit step is wrapped in `|| true`. Out of scope for this one-line lockfile bump.
satyakwok
added a commit
that referenced
this pull request
May 6, 2026
…kdf2 0.13 (#504) Supersedes dependabot PRs #490 #492 #493 #494 — those individual bumps fail CI in isolation because the four crates are cross-dependent: - tonic 0.14 requires prost 0.14 (ProstCodec moved from tonic::codec to a new tonic-prost crate) - tonic-web 0.14 follows tonic - sha2 0.11 needs pbkdf2 0.13 (older pbkdf2's hmac trait bound on sha2 doesn't satisfy under sha2 0.11's CoreProxy) Bundling lands all four together so the workspace compiles + tests pass at every step. Migration notes: - tonic-build 0.14 split prost-specific codegen into tonic-prost-build. crates/sentrix-grpc/build.rs now uses tonic_prost_build::configure + compile_with_config (the old compile_protos_with_config method was renamed). Added tonic-prost + tonic-prost-build deps. - No sentrix code uses tonic::codec types directly (gRPC service is skeleton-only with Unimplemented handlers; runtime codec is generated by the build script). So no src changes needed beyond build.rs. - sha2 0.11 + pbkdf2 0.13 just bumped together; existing call sites use the trait re-exports unchanged. Versions on workspace: sha2: 0.10 → 0.11 (7 Cargo.toml files) pbkdf2: 0.12 → 0.13 (2 files: workspace + sentrix-wallet) tonic: 0.12 → 0.14 (sentrix-node + sentrix-grpc) tonic-web: 0.12 → 0.14 (sentrix-node) tonic-build: 0.12 → 0.14 (sentrix-grpc dev) tonic-prost: NEW 0.14 (sentrix-grpc dep) tonic-prost-build: NEW 0.14 (sentrix-grpc dev) prost: 0.13 → 0.14 (sentrix-grpc) prost-build: 0.13 → 0.14 (sentrix-grpc dev) Verification: cargo check --workspace --tests → pass cargo clippy --workspace --tests -- -D warnings → zero warnings cargo test --workspace --lib → 714 unit tests pass cargo test --workspace --tests → all integration tests pass
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Bumps tonic-web from 0.12.3 to 0.14.5.
Release notes
Sourced from tonic-web's releases.
... (truncated)
Changelog
Sourced from tonic-web's changelog.
Commits
3f7caf3chore: prepare v0.14.5 release (#2516)3f56644grpc(chore): add missing copyright notices (#2513)1769c91feat(xds): implement xDS subscription worker (#2478)56f8c6dfeat(grpc): Add TCP listener API in the Runtime trait + tests for server cred...149f366feat(grpc) Add channel credentials API + Insecure credentials (#2495)cd5b32fchore: prepare 0.14.4 release (#2504)27640d2fix(web): allow space after:ingrpc-status(#2506)0c26ee1Fix permission of a series of files (#2502)c25daa6fix(ci): remove comment from manifest to unblock version parsing (#2501)3efc5f9chore(doc): Replace doc_auto_cfg config with doc_cfg (#2428)Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)