prvng_platform/crates/control-center-ui/UPSTREAM_DEPENDENCY_ISSUE.md

# Upstream Dependency Issue: num-bigint-dig v0.8.4

## Issue Summary

**Status**: ⚠️ **UPSTREAM ISSUE - NON-BLOCKING**

The control-center-ui build produces a future incompatibility warning from the transitive dependency `num-bigint-dig v0.8.4`:

```plaintext
warning: the following packages contain code that will be rejected by a future version of Rust: num-bigint-dig v0.8.4
note: to see what the problems were, use the option `--future-incompat-report`, or run `cargo report future-incompatibilities --id 1`
```plaintext

## Root Cause

The `num-bigint-dig v0.8.4` crate uses a **private `vec!` macro** in multiple locations (Rust issue #120192). This pattern will become a hard error in a future Rust release.

**Affected files in num-bigint-dig v0.8.4:**

- `src/biguint.rs` (lines 490, 2005, 2027, 2313)
- `src/prime.rs` (line 138)
- `src/bigrand.rs` (line 319)

## Dependency Chain

```plaintext
control-center-ui (control-center-ui v0.1.0)
    ↓
num-bigint-dig v0.8.4
    ↑ (pulled in by)
├── rsa v0.9.9
│   ├── control-center
│   ├── jsonwebtoken v10.2.0
│   └── provisioning-orchestrator
└── ssh-key v0.6.7
    ├── russh v0.44.1
    └── russh-keys v0.44.0
```plaintext

## Why We Can't Fix It

**Option 1: Direct Patch**

- ✗ Cannot patch transitive crates.io dependencies to different crates.io versions
- Cargo only allows patches to point to different sources (git repos, local paths)

**Option 2: Upgrade rsa**

- Available: `rsa v0.10.0-rc.10` (release candidate only, not stable)
- Status: Not production-ready until stable release
- Current: `rsa v0.9.9` (stable, production)

**Option 3: Upgrade ssh-key**

- Current: `ssh-key v0.6.7`
- Still depends on `num-bigint-dig v0.8.4` (not upgraded yet)

**Option 4: Local Fork**

- ✗ Not practical for transitive dependencies

## Resolution Timeline

**For num-bigint-dig:**

- Available versions: 0.8.5, 0.8.6, 0.9.0, 0.9.1
- Latest: v0.9.1
- Status: Fixed in 0.8.6 and later
- When it gets picked up: Depends on upstream crate releases

**Upstream Action Items:**

1. **rsa crate** needs to upgrade to use newer num-bigint-dig when available
2. **ssh-key crate** needs to upgrade to use newer num-bigint-dig when available
3. Once upstream crates update their dependencies, our Cargo.lock will automatically use the fixed version

## Current Impact

✅ **NO IMPACT ON FUNCTIONALITY**

- Code compiles cleanly
- All tests pass
- All features work correctly
- Only a forward-compatibility warning, not an error

✅ **NOT A BLOCKER FOR:**

- Deployment
- Production use
- Any functionality
- WASM compilation
- Release builds

## Timeline for Resolution

| Status | Item | Estimated |
|--------|------|-----------|
| ✓ Available | num-bigint-dig 0.8.6 | Already released |
| ⏳ Waiting | rsa v0.10 stable release | 2024-Q4 to 2025-Q1 |
| ⏳ Waiting | Downstream crate updates | After upstream releases |
| ✓ Automatic | Our build updates | Once dependencies are updated |

## Monitoring

To check for updates:

```bash
# Check for future incompatibilities
cargo report future-incompatibilities

# Check available versions
cargo outdated

# Check dependency tree
cargo tree | grep num-bigint-dig
```plaintext

## Workaround (if needed)

If the warning becomes an error before upstream fixes are released, you can:

1. **Use an older Rust version** (current stable still allows this as warning)
2. **Wait for upstream updates** (recommended)
3. **Create a fork** of rsa/ssh-key with newer num-bigint-dig (not recommended)

## Recommended Action

**No immediate action needed.** This is a normal part of the Rust ecosystem evolution:

- Upstream packages will update their dependencies
- Our Cargo.lock will automatically resolve to fixed versions
- Continue monitoring with `cargo report future-incompatibilities`

## References

- Rust Issue #120192: <https://github.com/rust-lang/rust/issues/120192>
- num-bigint-dig Repository: <https://github.com/dignifiedquire/num-bigint>
- num-bigint-dig Releases: <https://github.com/dignifiedquire/num-bigint/releases>

---

**Last Updated**: December 12, 2025
**Status**: Monitored, Non-Blocking
**Action**: Awaiting Upstream Fixes
chore: update platform submodule to monorepo crates structure Platform restructured into crates/, added AI service and detector, migrated control-center-ui to Leptos 0.8 2026-01-08 21:32:59 +00:00			`# Upstream Dependency Issue: num-bigint-dig v0.8.4`

			`## Issue Summary`

			`Status: ⚠️ UPSTREAM ISSUE - NON-BLOCKING`

			The control-center-ui build produces a future incompatibility warning from the transitive dependency `num-bigint-dig v0.8.4`:

			```plaintext
			`warning: the following packages contain code that will be rejected by a future version of Rust: num-bigint-dig v0.8.4`
			note: to see what the problems were, use the option `--future-incompat-report`, or run `cargo report future-incompatibilities --id 1`
			```plaintext

			`## Root Cause`

			The `num-bigint-dig v0.8.4` crate uses a private `vec!` macro in multiple locations (Rust issue #120192). This pattern will become a hard error in a future Rust release.

			`Affected files in num-bigint-dig v0.8.4:`

			- `src/biguint.rs` (lines 490, 2005, 2027, 2313)
			- `src/prime.rs` (line 138)
			- `src/bigrand.rs` (line 319)

			`## Dependency Chain`

			```plaintext
			`control-center-ui (control-center-ui v0.1.0)`
			`↓`
			`num-bigint-dig v0.8.4`
			`↑ (pulled in by)`
			`├── rsa v0.9.9`
			`│ ├── control-center`
			`│ ├── jsonwebtoken v10.2.0`
			`│ └── provisioning-orchestrator`
			`└── ssh-key v0.6.7`
			`├── russh v0.44.1`
			`└── russh-keys v0.44.0`
			```plaintext

			`## Why We Can't Fix It`

			`Option 1: Direct Patch`

			`- ✗ Cannot patch transitive crates.io dependencies to different crates.io versions`
			`- Cargo only allows patches to point to different sources (git repos, local paths)`

			`Option 2: Upgrade rsa`

			- Available: `rsa v0.10.0-rc.10` (release candidate only, not stable)
			`- Status: Not production-ready until stable release`
			- Current: `rsa v0.9.9` (stable, production)

			`Option 3: Upgrade ssh-key`

			- Current: `ssh-key v0.6.7`
			- Still depends on `num-bigint-dig v0.8.4` (not upgraded yet)

			`Option 4: Local Fork`

			`- ✗ Not practical for transitive dependencies`

			`## Resolution Timeline`

			`For num-bigint-dig:`

			`- Available versions: 0.8.5, 0.8.6, 0.9.0, 0.9.1`
			`- Latest: v0.9.1`
			`- Status: Fixed in 0.8.6 and later`
			`- When it gets picked up: Depends on upstream crate releases`

			`Upstream Action Items:`

			`1. rsa crate needs to upgrade to use newer num-bigint-dig when available`
			`2. ssh-key crate needs to upgrade to use newer num-bigint-dig when available`
			`3. Once upstream crates update their dependencies, our Cargo.lock will automatically use the fixed version`

			`## Current Impact`

			`✅ NO IMPACT ON FUNCTIONALITY`

			`- Code compiles cleanly`
			`- All tests pass`
			`- All features work correctly`
			`- Only a forward-compatibility warning, not an error`

			`✅ NOT A BLOCKER FOR:`

			`- Deployment`
			`- Production use`
			`- Any functionality`
			`- WASM compilation`
			`- Release builds`

			`## Timeline for Resolution`

			`\| Status \| Item \| Estimated \|`
			`\|--------\|------\|-----------\|`
			`\| ✓ Available \| num-bigint-dig 0.8.6 \| Already released \|`
			`\| ⏳ Waiting \| rsa v0.10 stable release \| 2024-Q4 to 2025-Q1 \|`
			`\| ⏳ Waiting \| Downstream crate updates \| After upstream releases \|`
			`\| ✓ Automatic \| Our build updates \| Once dependencies are updated \|`

			`## Monitoring`

			`To check for updates:`

			```bash
			`# Check for future incompatibilities`
			`cargo report future-incompatibilities`

			`# Check available versions`
			`cargo outdated`

			`# Check dependency tree`
			`cargo tree \| grep num-bigint-dig`
			```plaintext

			`## Workaround (if needed)`

			`If the warning becomes an error before upstream fixes are released, you can:`

			`1. Use an older Rust version (current stable still allows this as warning)`
			`2. Wait for upstream updates (recommended)`
			`3. Create a fork of rsa/ssh-key with newer num-bigint-dig (not recommended)`

			`## Recommended Action`

			`No immediate action needed. This is a normal part of the Rust ecosystem evolution:`

			`- Upstream packages will update their dependencies`
			`- Our Cargo.lock will automatically resolve to fixed versions`
			- Continue monitoring with `cargo report future-incompatibilities`

			`## References`

			`- Rust Issue #120192: <https://github.com/rust-lang/rust/issues/120192>`
			`- num-bigint-dig Repository: <https://github.com/dignifiedquire/num-bigint>`
			`- num-bigint-dig Releases: <https://github.com/dignifiedquire/num-bigint/releases>`

			`---`

			`Last Updated: December 12, 2025`
			`Status: Monitored, Non-Blocking`
			`Action: Awaiting Upstream Fixes`