# Upstream Dependency Issue: num-bigint-dig v0.8.4

## Issue Summary

**Status**: ⚠️ **UPSTREAM ISSUE - NON-BLOCKING**

The control-center-ui build produces a future incompatibility warning from the transitive dependency `num-bigint-dig v0.8.4`:

```plaintext
warning: the following packages contain code that will be rejected by a future version of Rust: num-bigint-dig v0.8.4
note: to see what the problems were, use the option `--future-incompat-report`, or run `cargo report future-incompatibilities --id 1`
```

## Root Cause

The `num-bigint-dig v0.8.4` crate uses a **private `vec!` macro** in multiple locations (Rust issue #120192). This pattern will become a hard error in a future Rust release.

**Affected files in num-bigint-dig v0.8.4:**

- `src/biguint.rs` (lines 490, 2005, 2027, 2313)
- `src/prime.rs` (line 138)
- `src/bigrand.rs` (line 319)

## Dependency Chain

```plaintext
control-center-ui (control-center-ui v0.1.0)
    ↓
num-bigint-dig v0.8.4
    ↑ (pulled in by)
    ├── rsa v0.9.9
    │   ├── control-center
    │   ├── jsonwebtoken v10.2.0
    │   └── provisioning-orchestrator
    └── ssh-key v0.6.7
        ├── russh v0.44.1
        └── russh-keys v0.44.0
```

## Why We Can't Fix It

**Option 1: Direct Patch**

- ✗ Cannot patch transitive crates.io dependencies to different crates.io versions
- Cargo only allows patches to point to different sources (git repos, local paths)

**Option 2: Upgrade rsa**

- Available: `rsa v0.10.0-rc.10` (release candidate only, not stable)
- Status: Not production-ready until stable release
- Current: `rsa v0.9.9` (stable, production)

**Option 3: Upgrade ssh-key**

- Current: `ssh-key v0.6.7`
- Still depends on `num-bigint-dig v0.8.4` (not upgraded yet)

**Option 4: Local Fork**

- ✗ Not practical for transitive dependencies

## Resolution Timeline

**For num-bigint-dig:**

- Available versions: 0.8.5, 0.8.6, 0.9.0, 0.9.1
- Latest: v0.9.1
- Status: Fixed in 0.8.6 and later
- When it gets picked up: Depends on upstream crate releases

**Upstream Action Items:**

1. **rsa crate** needs to upgrade to use newer num-bigint-dig when available
2. **ssh-key crate** needs to upgrade to use newer num-bigint-dig when available
3. Once upstream crates update their dependencies, our Cargo.lock will automatically use the fixed version

## Current Impact

✅ **NO IMPACT ON FUNCTIONALITY**

- Code compiles cleanly
- All tests pass
- All features work correctly
- Only a forward-compatibility warning, not an error

✅ **NOT A BLOCKER FOR:**

- Deployment
- Production use
- Any functionality
- WASM compilation
- Release builds

## Timeline for Resolution

| Status | Item | Estimated |
|--------|------|-----------|
| ✓ Available | num-bigint-dig 0.8.6 | Already released |
| ⏳ Waiting | rsa v0.10 stable release | 2024-Q4 to 2025-Q1 |
| ⏳ Waiting | Downstream crate updates | After upstream releases |
| ✓ Automatic | Our build updates | Once dependencies are updated |

## Monitoring

To check for updates:

```bash
# Check for future incompatibilities
cargo report future-incompatibilities

# Check available versions (requires the cargo-outdated subcommand)
cargo outdated

# Check dependency tree
cargo tree | grep num-bigint-dig
```

## Workaround (if needed)

If the warning becomes an error before upstream fixes are released, you can:

1. **Use an older Rust version** (current stable still allows this as a warning)
2. **Wait for upstream updates** (recommended)
3. **Create a fork** of rsa/ssh-key with newer num-bigint-dig (not recommended)

## Recommended Action

**No immediate action needed.** This is a normal part of the Rust ecosystem evolution:

- Upstream packages will update their dependencies
- Our Cargo.lock will automatically resolve to fixed versions
- Continue monitoring with `cargo report future-incompatibilities`

## References

- Rust Issue #120192:
- num-bigint-dig Repository:
- num-bigint-dig Releases:

---

**Last Updated**: December 12, 2025

**Status**: Monitored, Non-Blocking

**Action**: Awaiting Upstream Fixes
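
The Monitoring commands above can be complemented by a check that reads `Cargo.lock` directly, so CI can report when the locked `num-bigint-dig` is still older than the fixed release and which crates pull it in. This script is an added example, not part of this project's tooling; the function names and the sample lockfile are constructed for illustration, and 0.8.6 is taken from this page as the first fixed version.

```bash
# Added example (not project code): is num-bigint-dig still locked below the fix?
CRATE="num-bigint-dig"; FIXED="0.8.6"   # 0.8.6: first fixed release per this page
# Constructed sample in Cargo.lock format, with versions from the chain above.
sample_lock() {
  cat <<'EOF'
[[package]]
name = "num-bigint-dig"
version = "0.8.4"
[[package]]
name = "rsa"
version = "0.9.9"
dependencies = [
 "num-bigint-dig",
]
[[package]]
name = "ssh-key"
version = "0.6.7"
dependencies = [
 "num-bigint-dig",
]
EOF
}
# Print every locked version of crate $2 in lockfile $1.
locked_versions() {
  awk -v c="$2" '/^name = /{gsub(/"/,"",$3); n=$3}
    /^version = /{gsub(/"/,"",$3); if (n==c) print $3}' "$1"
}
# Print the packages in lockfile $1 that depend on crate $2 ("crate" or "crate x.y.z").
dependents() {
  awk -v c="$2" '/^name = /{gsub(/"/,"",$3); n=$3}
    /^dependencies = \[/{d=1; next} $1=="]"{d=0}
    d {x=$1; gsub(/[",]/,"",x); if (x==c) print n}' "$1" | sort -u | paste -sd, -
}
# Succeed when version $1 is older than $2 (numeric x.y.z; pre-release tags ignored).
version_lt() {
  [ "$1" != "$2" ] && [ "$(printf '%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)" = "$1" ]
}
# Return 1 and name the dependents if any locked copy predates the fix.
check_lock() {
  rc=0
  for v in $(locked_versions "$1" "$CRATE"); do
    version_lt "$v" "$FIXED" || continue
    echo "$CRATE $v < $FIXED, pulled in by: $(dependents "$1" "$CRATE")"
    rc=1
  done
  return $rc
}
f="${1:-}"; [ -n "$f" ] || { f="$(mktemp)"; sample_lock > "$f"; }  # default: sample
check_lock "$f" || echo "result: a pre-fix $CRATE is still locked"
```

Pass the path to a real `Cargo.lock` as the first argument to check it instead of the constructed sample.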