chore(deps): consolidate Dependabot PRs #125–#147 (latest compatible) #148
Merged
Applies every open Dependabot bump on one branch, resolving each dependency to the latest compatible release rather than the (sometimes already-stale) version the PR pinned. Where the applied version is newer than the PR target, it is noted below.

Frontend (pnpm):
- vitest: → 4.1.8 [#127, target 4.1.7 superseded]
- @storybook/react + storybook: → 10.4.2 [#128, target 10.4.1 superseded]
- eslint: → 10.4.1; typescript-eslint: → 8.61.0 [#139, ts-eslint 8.60.1 superseded]
- idb-keyval: → 6.2.5 [#140]
- vite: → 8.0.16 [#141]
- date-fns: → 4.4.0 [#142]
- turbo: → 2.9.16 [#143]
- @tanstack/react-query 5.101.0, react-router 1.170.15 (target 1.170.11 superseded), react-virtual 3.14.2 [#144]
- react-dom: → 19.2.7 [#145]; react bumped to 19.2.7 to satisfy peer
- zustand: → 5.0.14 [#146]

Backend (Cargo):
- openssl: → 0.10.80 [#125]
- serde_json: → 1.0.150 [#132]
- axum-test: → 20.1.0 [#133]
- redis: → 1.2.2 [#134]
- sqlx: 0.8 → 0.9.0 [#135] (breaking — see below)
- fastembed: → 5.16.0 [#136, target 5.15.0 superseded]
- uuid: → 1.23.2 [#137]
- llama-cpp-4: 0.2 → 0.3.1 [#138, target 0.3.0 superseded]

Rust toolchain:
- Docker base image rust 1.95-slim → 1.96-slim [#147]
- Align rust-toolchain.toml channel and Cargo.toml MSRV to 1.96.0, plus docker-compose RUST_VERSION and the setup/deployment/maintainer/README docs.

sqlx 0.9 breaking change:
- sqlx 0.9 only implements SqlSafeStr for &'static str; runtime-built query strings now require an explicit safety assertion. Added a single audited choke point `db::audited_sql()` (wraps sqlx::AssertSqlSafe) with one authoritative doc comment, and routed all dynamic-SQL call sites through it (vectors, api, cleanup, mcp, main, integration tests). Every such string is composed only from literals and bind-parameter markers; all values are bound.

Verified: backend build (all targets) + 1900+ tests + clippy (strict) + fmt; frontend typecheck + build + tests + eslint + prettier; markdown/yaml lint + internal link check.
✅ Snyk checks have passed. No issues have been found so far.
This was referenced Jun 8, 2026 (closed):
Follow-up to the dep consolidation: bump the two plan-doc Rust references (builtin-llm prerequisites and the illustrative CI Dockerfile snippet) from 1.95 to 1.96 to match the upgraded toolchain. Immutable historical records (ADRs, the march-2026 audit) are intentionally left as-is.
## Summary

Consolidates all 19 open Dependabot PRs onto a single branch. Per the
no-downgrade policy, each dependency is resolved to the latest compatible
release rather than the version the individual PR pinned — several PR targets
were already stale and are superseded here (noted with ⬆️).

This supersedes and closes every PR listed below.

### Frontend (pnpm)

### Backend (Cargo)

### Rust toolchain

- `rust:1.95-slim` → `rust:1.96-slim` (deps(docker): bump rust from 1.95-slim to 1.96-slim in /backend #147)
- `rust-toolchain.toml` channel and `Cargo.toml` MSRV to 1.96.0, plus `docker-compose.yml` `RUST_VERSION` and the setup / deployment / maintainer / README docs. (CI uses `dtolnay/rust-toolchain@stable` and `node-version: 26`, which already track these.)

### Breaking change handled: sqlx 0.8 → 0.9

sqlx 0.9 implements `SqlSafeStr` only for `&'static str`; runtime-built query strings now require an explicit safety assertion. Rather than scatter `sqlx::AssertSqlSafe(...)` across ~20 call sites, this adds a single audited choke point — `db::audited_sql()` — with one authoritative doc comment explaining the injection-safety invariant, and routes all dynamic-SQL sites through it (`vectors`, `api`, `cleanup`, `mcp`, `main`, integration tests). Every such string is composed only from string literals and bind-parameter markers (`?`/`?N`); all values are passed through `.bind(...)`.

### Verification

- `cargo build --all-targets`, 1900+ tests pass, `clippy` (strict, `-D warnings`), `cargo fmt --check`
- `turbo typecheck`, `turbo build`, `turbo test` (271 tests), `eslint`, `prettier --check`

### Closes

Closes #125, #127, #128, #132, #133, #134, #135, #136, #137, #138, #139, #140, #141, #142, #143, #144, #145, #146, #147
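As an added illustration (not code from this PR or the project), a sqlx-free model of the audited choke point described above: query text may only be assembled from `&'static str` fragments and generated bind markers, so runtime values can never enter the SQL and must go through `.bind()`. The `Frag`, `AuditedSql`, `select_by_ids` and `check_binds` names are assumptions; note that the real `sqlx::AssertSqlSafe` performs no validation, so safety rests on this composition rule, not on a runtime check.

```rust
// Added illustration, not the PR's code; models `db::audited_sql()` without sqlx.

/// Fragments the choke point accepts. `Lit` takes only a `&'static str`, so a
/// runtime `String` cannot be spliced in; `Binds(n)` expands to `n` `?` markers.
pub enum Frag {
    Lit(&'static str),
    Binds(usize),
}

/// Query text that, by construction, holds only literals and bind markers.
pub struct AuditedSql {
    pub text: String,
    pub bind_count: usize,
}

pub fn audited_sql(frags: &[Frag]) -> AuditedSql {
    let mut text = String::new();
    let mut bind_count = 0;
    for frag in frags {
        match frag {
            Frag::Lit(s) => text.push_str(s),
            Frag::Binds(n) => {
                text.push_str(&vec!["?"; *n].join(", "));
                bind_count += *n;
            }
        }
    }
    AuditedSql { text, bind_count }
}

/// Variable-length `IN (...)` filter: the marker list is built at runtime, the
/// ids are returned separately for `.bind()`. Empty input is rejected: `IN ()`
/// is not valid SQL.
pub fn select_by_ids(ids: &[i64]) -> Result<(AuditedSql, Vec<i64>), String> {
    if ids.is_empty() {
        return Err("select_by_ids: empty id list".to_string());
    }
    let q = audited_sql(&[
        Frag::Lit("SELECT id, body FROM docs WHERE id IN ("),
        Frag::Binds(ids.len()),
        Frag::Lit(") ORDER BY id"),
    ]);
    Ok((q, ids.to_vec()))
}

/// Pre-execution guard: every marker must receive exactly one bound value.
pub fn check_binds(q: &AuditedSql, values: &[i64]) -> Result<(), String> {
    if q.bind_count == values.len() { return Ok(()); }
    Err(format!("{} markers but {} values", q.bind_count, values.len()))
}
```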