From 4125541b4ffe057a312be77ba4ab39636fa413ed Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Mon, 13 Jul 2026 09:39:29 +0000 Subject: [PATCH 1/2] chore(deps): bump the rust-dependencies group with 5 updates Bumps the rust-dependencies group with 5 updates: | Package | From | To | | --- | --- | --- | | [regex](https://github.com/rust-lang/regex) | `1.12.4` | `1.13.0` | | [napi](https://github.com/napi-rs/napi-rs) | `3.10.3` | `3.10.5` | | [napi-derive](https://github.com/napi-rs/napi-rs) | `3.5.9` | `3.5.10` | | [mira-eval](https://github.com/everruns/mira) | `0.3.0` | `0.4.0` | | [num-bigint](https://github.com/rust-num/num-bigint) | `0.4.8` | `0.5.1` | Updates `regex` from 1.12.4 to 1.13.0 - [Release notes](https://github.com/rust-lang/regex/releases) - [Changelog](https://github.com/rust-lang/regex/blob/master/CHANGELOG.md) - [Commits](https://github.com/rust-lang/regex/compare/1.12.4...1.13.0) Updates `napi` from 3.10.3 to 3.10.5 - [Release notes](https://github.com/napi-rs/napi-rs/releases) - [Commits](https://github.com/napi-rs/napi-rs/compare/napi-v3.10.3...napi-v3.10.5) Updates `napi-derive` from 3.5.9 to 3.5.10 - [Release notes](https://github.com/napi-rs/napi-rs/releases) - [Commits](https://github.com/napi-rs/napi-rs/compare/napi-derive-v3.5.9...napi-derive-v3.5.10) Updates `mira-eval` from 0.3.0 to 0.4.0 - [Release notes](https://github.com/everruns/mira/releases) - [Changelog](https://github.com/everruns/mira/blob/main/CHANGELOG.md) - [Commits](https://github.com/everruns/mira/compare/v0.3.0...v0.4.0) Updates `num-bigint` from 0.4.8 to 0.5.1 - [Changelog](https://github.com/rust-num/num-bigint/blob/main/RELEASES.md) - [Commits](https://github.com/rust-num/num-bigint/compare/num-bigint-0.4.8...num-bigint-0.5.1) --- updated-dependencies: - dependency-name: regex dependency-version: 1.13.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: rust-dependencies - dependency-name: napi dependency-version: 3.10.5 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: rust-dependencies - dependency-name: napi-derive dependency-version: 3.5.10 dependency-type: direct:production update-type: version-update:semver-patch dependency-group: rust-dependencies - dependency-name: mira-eval dependency-version: 0.4.0 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: rust-dependencies - dependency-name: num-bigint dependency-version: 0.5.1 dependency-type: direct:production update-type: version-update:semver-minor dependency-group: rust-dependencies ... Signed-off-by: dependabot[bot] --- Cargo.lock | 58 +++++++++++++++++++------------- crates/bashkit-eval/Cargo.toml | 2 +- crates/bashkit-python/Cargo.toml | 2 +- 3 files changed, 36 insertions(+), 26 deletions(-) diff --git a/Cargo.lock b/Cargo.lock index 0eef1946..42393741 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -477,7 +477,7 @@ name = "bashkit-python" version = "0.13.0" dependencies = [ "bashkit", - "num-bigint", + "num-bigint 0.5.1", "pyo3", "pyo3-async-runtimes", "serde_json", @@ -503,7 +503,7 @@ checksum = "4d6867f1565b3aad85681f1015055b087fcfd840d6aeee6eee7f2da317603695" dependencies = [ "autocfg", "libm", - "num-bigint", + "num-bigint 0.4.8", "num-integer", "num-traits", ] @@ -2371,7 +2371,7 @@ dependencies = [ "indexmap", "jaq-core", "jaq-std", - "num-bigint", + "num-bigint 0.4.8", "num-traits", "ryu", "self_cell", @@ -2444,7 +2444,7 @@ dependencies = [ "ahash", "bitvec", "lexical-parse-float", - "num-bigint", + "num-bigint 0.4.8", "num-traits", "pyo3", "smallvec", @@ -2771,9 +2771,9 @@ dependencies = [ [[package]] name = "mira-eval" -version = "0.3.0" +version = "0.4.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bf935bd40f8219ff9e63c4759ae0fdecc0b4630f39e43698672c27c915066872" +checksum = "a8a983e47b39772faf20d898dad72f124eb4e8929679f561ec2193d77aef56d5" dependencies = [ "async-trait", "inventory", @@ -2787,9 +2787,9 @@ dependencies = [ [[package]] name = "mira-macros" -version = "0.3.0" +version = "0.4.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7370b92382487f6e7e0b62b8dc4c94a504b2a8169d999fc85a87e5df448bce2c" +checksum = "0a770347f4ce22c743dbf02c1a55af1dd88ee9bc35decc392e69e8df911fd38b" dependencies = [ "proc-macro2", "quote", @@ -2835,7 +2835,7 @@ dependencies = [ "jiter", "libm", "monty-macros", - "num-bigint", + "num-bigint 0.4.8", "num-integer", "num-traits", "postcard", @@ -2862,9 +2862,9 @@ dependencies = [ [[package]] name = "napi" -version = "3.10.3" +version = "3.10.5" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0c71997d6f7ad4a756966e452426848ac27d3b37a295302d63afbbcce0270f93" +checksum = "6826e5ddc15589b2d68c8ad5321c18e85d40488e93e32962f362e572669bccf6" dependencies = [ "bitflags 2.13.0", "ctor", @@ -2884,9 +2884,9 @@ checksum = "c9c366d2c8c60b86fa632df75f745509b52f9128f91a6bad4c796e44abb505e1" [[package]] name = "napi-derive" -version = "3.5.9" +version = "3.5.10" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d4ba572deef53e2c386759a8c2014175a62679d74ff83adc205c8bc0e0285727" +checksum = "b0fe526e81c105d3640516fcde83909dd1afe757c0d7a15af58830b5bc0fb9a1" dependencies = [ "convert_case", "ctor", @@ -2898,9 +2898,9 @@ dependencies = [ [[package]] name = "napi-derive-backend" -version = "5.1.1" +version = "5.1.2" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ddd961eb2aa8965e3f29722d754f3a86907eb1984e2fbcbe3fe87b9a02d6bfba" +checksum = "514281397bcddd9ea9a876c7a21a57bff2374237a000ca9a64ea0211ec1993e2" dependencies = [ "convert_case", "proc-macro2", @@ -2911,9 +2911,9 @@ dependencies = [ [[package]] name = "napi-sys" -version = "3.2.2" +version = "3.2.3" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1f5bcdf71abd3a50d00b49c1c2c75251cb3c913777d6139cd37dabc093a5e400" +checksum = "73e43cf2eb0bd1bf95a43c07c076ebd2da5d1e015a71c3d201faeffffcc0ecac" dependencies = [ "libloading 0.9.0", ] @@ -2971,6 +2971,16 @@ dependencies = [ "serde", ] +[[package]] +name = "num-bigint" +version = "0.5.1" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "93e7820bc0a80a0238e650327316f929ba18d5be054b647490a3a6a339f3e7c0" +dependencies = [ + "num-integer", + "num-traits", +] + [[package]] name = "num-integer" version = "0.1.46" @@ -3140,7 +3150,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "71b23b64fa8c4a84b1406de383c4666366c9f54ffb9cb11a63b8d7433950460a" dependencies = [ "cow-utils", - "num-bigint", + "num-bigint 0.4.8", "num-traits", "oxc_allocator", "oxc_ast", @@ -3174,7 +3184,7 @@ dependencies = [ "bitflags 2.13.0", "cow-utils", "memchr", - "num-bigint", + "num-bigint 0.4.8", "num-traits", "oxc_allocator", "oxc_ast", @@ -3792,7 +3802,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "cd274650b21d4bfc26a0a47587962c1edb425f69287324355cd040c3ea66071c" dependencies = [ "libc", - "num-bigint", + "num-bigint 0.4.8", "num-traits", "once_cell", "portable-atomic", @@ -4057,9 +4067,9 @@ dependencies = [ [[package]] name = "regex" -version = "1.12.4" +version = "1.13.0" source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f1292b7759ae1cb9ec195452d1390a074f0cd8541ab7a5a8c31cd6db45d4a6ba" +checksum = "2a0e75113e14dc5acb068cd0786884f214f1312650a3d36d269f5c4f3cdee8a2" dependencies = [ "aho-corasick", "memchr", @@ -4298,7 +4308,7 @@ dependencies = [ "md5", "ml-kem", "module-lattice", - "num-bigint", + "num-bigint 0.4.8", "p256", "p384", "p521", @@ -5509,7 +5519,7 @@ dependencies = [ "libm", "loom", "miette", - "num-bigint", + "num-bigint 0.4.8", "num-traits", "pack1", "parking_lot", diff --git a/crates/bashkit-eval/Cargo.toml b/crates/bashkit-eval/Cargo.toml index 1b4922e7..aef34519 100644 --- a/crates/bashkit-eval/Cargo.toml +++ b/crates/bashkit-eval/Cargo.toml @@ -22,7 +22,7 @@ path = "src/main.rs" # Mira eval framework (crates.io). Imported as `mira`; the `macros` feature # provides the #[eval] discovery attribute. We use the in-process Subject path # (our own agent loop + provider stack) so we do NOT need mira-everruns. -mira-eval = { version = "0.3", features = ["macros"] } +mira-eval = { version = "0.4", features = ["macros"] } bashkit = { path = "../bashkit", features = ["scripted_tool", "jq"] } tokio = { workspace = true, features = ["rt-multi-thread", "io-std", "io-util", "fs"] } diff --git a/crates/bashkit-python/Cargo.toml b/crates/bashkit-python/Cargo.toml index 4e29d6ec..1532115e 100644 --- a/crates/bashkit-python/Cargo.toml +++ b/crates/bashkit-python/Cargo.toml @@ -27,7 +27,7 @@ serde_json = { workspace = true } # hands them to `MontyObject::BigInt`, and monty (git tag v0.0.18) depends on # num-bigint 0.4. Bumping to 0.5 makes the two BigInt types mismatch and fails # to compile, so this must track whatever major version bashkit core / monty use. -num-bigint = "^0.4.6" +num-bigint = "^0.5.1" # Native (non-wasm) targets: full feature set. # realfs: always-on so Python callers can use mount_real_* APIs. From fe296c52c266ee87a7f8e878fbd4004d97e73827 Mon Sep 17 00:00:00 2001 From: Mykhailo Chalyi Date: Tue, 14 Jul 2026 09:27:58 +0000 Subject: [PATCH 2/2] chore(deps): keep num-bigint on 0.4.x; take regex/napi/mira bumps Dependabot's grouped bump raised num-bigint to 0.5.1, overriding the hard `^0.4.6` pin in bashkit-python. monty (git v0.0.18) depends on num-bigint 0.4, so py_to_monty's `num_bigint::BigInt` no longer matches `MontyObject::BigInt` and the crate fails to compile (E0308). Revert num-bigint to 0.4.8 and add a dependabot ignore for its major/minor updates so the 0.5 jump stops recurring (0.4.x patches still flow). The rest of the group is safe and kept: regex 1.13.0, napi 3.10.5, napi-derive 3.5.10, mira-eval 0.4.0. cargo-vet exemptions updated to the new versions (bashkit-python + bashkit-eval compile clean, vet passes). --- .github/dependabot.yml | 11 +++++++++++ Cargo.lock | 30 ++++++++++-------------------- crates/bashkit-python/Cargo.toml | 2 +- supply-chain/config.toml | 14 +++++++------- 4 files changed, 29 insertions(+), 28 deletions(-) diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 59bc2b6e..97849129 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -21,6 +21,17 @@ updates: # extra scrutiny. The `groups` section above already excludes them # from the aggregated PR; no additional config needed here for # standalone delivery. + ignore: + # num-bigint is hard-pinned to 0.4.x in crates/bashkit-python: monty + # (git v0.0.18) depends on num-bigint 0.4, and py_to_monty hands a + # `num_bigint::BigInt` to `MontyObject::BigInt`. A 0.5 bump makes the two + # BigInt types mismatch and fails to compile. Block major/minor jumps + # (0.4 -> 0.5) while still allowing 0.4.x patch updates, until monty + # upgrades upstream. See the pin comment in bashkit-python/Cargo.toml. + - dependency-name: "num-bigint" + update-types: + - "version-update:semver-major" + - "version-update:semver-minor" # GitHub Actions - package-ecosystem: "github-actions" diff --git a/Cargo.lock b/Cargo.lock index 42393741..e26be6be 100644 --- a/Cargo.lock +++ b/Cargo.lock @@ -477,7 +477,7 @@ name = "bashkit-python" version = "0.13.0" dependencies = [ "bashkit", - "num-bigint 0.5.1", + "num-bigint", "pyo3", "pyo3-async-runtimes", "serde_json", @@ -503,7 +503,7 @@ checksum = "4d6867f1565b3aad85681f1015055b087fcfd840d6aeee6eee7f2da317603695" dependencies = [ "autocfg", "libm", - "num-bigint 0.4.8", + "num-bigint", "num-integer", "num-traits", ] @@ -2371,7 +2371,7 @@ dependencies = [ "indexmap", "jaq-core", "jaq-std", - "num-bigint 0.4.8", + "num-bigint", "num-traits", "ryu", "self_cell", @@ -2444,7 +2444,7 @@ dependencies = [ "ahash", "bitvec", "lexical-parse-float", - "num-bigint 0.4.8", + "num-bigint", "num-traits", "pyo3", "smallvec", @@ -2835,7 +2835,7 @@ dependencies = [ "jiter", "libm", "monty-macros", - "num-bigint 0.4.8", + "num-bigint", "num-integer", "num-traits", "postcard", @@ -2971,16 +2971,6 @@ dependencies = [ "serde", ] -[[package]] -name = "num-bigint" -version = "0.5.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "93e7820bc0a80a0238e650327316f929ba18d5be054b647490a3a6a339f3e7c0" -dependencies = [ - "num-integer", - "num-traits", -] - [[package]] name = "num-integer" version = "0.1.46" @@ -3150,7 +3140,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "71b23b64fa8c4a84b1406de383c4666366c9f54ffb9cb11a63b8d7433950460a" dependencies = [ "cow-utils", - "num-bigint 0.4.8", + "num-bigint", "num-traits", "oxc_allocator", "oxc_ast", @@ -3184,7 +3174,7 @@ dependencies = [ "bitflags 2.13.0", "cow-utils", "memchr", - "num-bigint 0.4.8", + "num-bigint", "num-traits", "oxc_allocator", "oxc_ast", @@ -3802,7 +3792,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index" checksum = "cd274650b21d4bfc26a0a47587962c1edb425f69287324355cd040c3ea66071c" dependencies = [ "libc", - "num-bigint 0.4.8", + "num-bigint", "num-traits", "once_cell", "portable-atomic", @@ -4308,7 +4298,7 @@ dependencies = [ "md5", "ml-kem", "module-lattice", - "num-bigint 0.4.8", + "num-bigint", "p256", "p384", "p521", @@ -5519,7 +5509,7 @@ dependencies = [ "libm", "loom", "miette", - "num-bigint 0.4.8", + "num-bigint", "num-traits", "pack1", "parking_lot", diff --git a/crates/bashkit-python/Cargo.toml b/crates/bashkit-python/Cargo.toml index 1532115e..4e29d6ec 100644 --- a/crates/bashkit-python/Cargo.toml +++ b/crates/bashkit-python/Cargo.toml @@ -27,7 +27,7 @@ serde_json = { workspace = true } # hands them to `MontyObject::BigInt`, and monty (git tag v0.0.18) depends on # num-bigint 0.4. Bumping to 0.5 makes the two BigInt types mismatch and fails # to compile, so this must track whatever major version bashkit core / monty use. -num-bigint = "^0.5.1" +num-bigint = "^0.4.6" # Native (non-wasm) targets: full feature set. # realfs: always-on so Python callers can use mount_real_* APIs. diff --git a/supply-chain/config.toml b/supply-chain/config.toml index 091949e7..3a3ca517 100644 --- a/supply-chain/config.toml +++ b/supply-chain/config.toml @@ -1064,11 +1064,11 @@ version = "1.2.1" criteria = "safe-to-deploy" [[exemptions.mira-eval]] -version = "0.3.0" +version = "0.4.0" criteria = "safe-to-deploy" [[exemptions.mira-macros]] -version = "0.3.0" +version = "0.4.0" criteria = "safe-to-deploy" [[exemptions.ml-kem]] @@ -1080,7 +1080,7 @@ version = "0.2.3" criteria = "safe-to-deploy" [[exemptions.napi]] -version = "3.10.3" +version = "3.10.5" criteria = "safe-to-deploy" [[exemptions.napi-build]] @@ -1088,15 +1088,15 @@ version = "2.3.2" criteria = "safe-to-deploy" [[exemptions.napi-derive]] -version = "3.5.9" +version = "3.5.10" criteria = "safe-to-deploy" [[exemptions.napi-derive-backend]] -version = "5.1.1" +version = "5.1.2" criteria = "safe-to-deploy" [[exemptions.napi-sys]] -version = "3.2.2" +version = "3.2.3" criteria = "safe-to-deploy" [[exemptions.nibble_vec]] @@ -1528,7 +1528,7 @@ version = "0.5.18" criteria = "safe-to-deploy" [[exemptions.regex]] -version = "1.12.4" +version = "1.13.0" criteria = "safe-to-deploy" [[exemptions.regex-automata]]