Upstream Dependency Issue: num-bigint-dig v0.8.4
Issue Summary
Status: ⚠️ UPSTREAM ISSUE - NON-BLOCKING
The control-center-ui build produces a future incompatibility warning from the transitive dependency num-bigint-dig v0.8.4:
```
warning: the following packages contain code that will be rejected by a future version of Rust: num-bigint-dig v0.8.4
note: to see what the problems were, use the option `--future-incompat-report`, or run `cargo report future-incompatibilities --id 1`
```
Root Cause
The num-bigint-dig v0.8.4 crate uses a private vec! macro in multiple locations (Rust issue #120192).
This pattern will become a hard error in a future Rust release.
Affected files in num-bigint-dig v0.8.4:
- src/biguint.rs (lines 490, 2005, 2027, 2313)
- src/prime.rs (line 138)
- src/bigrand.rs (line 319)
Dependency Chain
```
control-center-ui (control-center-ui v0.1.0)
    ↓
num-bigint-dig v0.8.4
    ↑ (pulled in by)
    ├── rsa v0.9.9
    │   ├── control-center
    │   ├── jsonwebtoken v10.2.0
    │   └── provisioning-orchestrator
    └── ssh-key v0.6.7
        ├── russh v0.44.1
        └── russh-keys v0.44.0
```
Why We Can't Fix It
Option 1: Direct Patch
- ✗ Cannot patch transitive crates.io dependencies to different crates.io versions
- Cargo only allows patches to point to different sources (git repos, local paths)
Option 2: Upgrade rsa
- Available: rsa v0.10.0-rc.10 (release candidate only, not stable)
- Status: Not production-ready until stable release
- Current: rsa v0.9.9 (stable, production)
Option 3: Upgrade ssh-key
- Current: ssh-key v0.6.7
- Still depends on num-bigint-dig v0.8.4 (not upgraded yet)
Option 4: Local Fork
- ✗ Not practical for transitive dependencies
Resolution Timeline
For num-bigint-dig:
- Available versions: 0.8.5, 0.8.6, 0.9.0, 0.9.1
- Latest: v0.9.1
- Status: Fixed in 0.8.6 and later
- When it gets picked up: Depends on upstream crate releases
Upstream Action Items:
- rsa crate needs to upgrade to use newer num-bigint-dig when available
- ssh-key crate needs to upgrade to use newer num-bigint-dig when available
- Once upstream crates update their dependencies, our Cargo.lock will automatically use the fixed version
Current Impact
✅ NO IMPACT ON FUNCTIONALITY
- Code compiles cleanly
- All tests pass
- All features work correctly
- Only a forward-compatibility warning, not an error
✅ NOT A BLOCKER FOR:
- Deployment
- Production use
- Any functionality
- WASM compilation
- Release builds
Timeline for Resolution
| Status | Item | Estimated |
|---|---|---|
| ✓ Available | num-bigint-dig 0.8.6 | Already released |
| ⏳ Waiting | rsa v0.10 stable release | 2024-Q4 to 2025-Q1 |
| ⏳ Waiting | Downstream crate updates | After upstream releases |
| ✓ Automatic | Our build updates | Once dependencies are updated |
Monitoring
To check for updates:
```bash
# Check for future incompatibilities
cargo report future-incompatibilities

# Check available versions
cargo outdated

# Check dependency tree
cargo tree | grep num-bigint-dig
```
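A lockfile check that complements the monitoring commands, as an added example (not part of the project's own tooling): it reads Cargo.lock and flags any locked num-bigint-dig older than 0.8.6, the first fixed release named on this page. The function names and the sample lockfile are constructed for illustration.

```shell
# Added example (not the project's tooling). FIXED is the first fixed release per this page.
FIXED="0.8.6"

# Print each locked version of crate $2 found in lockfile $1, one per line.
locked_versions() {
    awk -v crate="$2" '
        /^\[\[package\]\]/      { in_pkg = 1; name = ""; next }
        in_pkg && /^name = /    { gsub(/"/, "", $3); name = $3 }
        in_pkg && /^version = / { gsub(/"/, "", $3); if (name == crate) print $3 }
    ' "$1"
}

# Succeed when $1 < $2 (numeric major.minor.patch; pre-release tags ignored).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        split(a, x, "."); split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1
    }'
}

# Return 0 if every locked copy is >= FIXED, 1 if any is older, 2 if absent.
check_lock() {
    versions=$(locked_versions "$1" num-bigint-dig)
    [ -n "$versions" ] || { echo "num-bigint-dig not found in $1"; return 2; }
    status=0
    for v in $versions; do
        if version_lt "$v" "$FIXED"; then
            echo "FLAG num-bigint-dig $v (< $FIXED)"; status=1
        else
            echo "ok   num-bigint-dig $v"
        fi
    done
    return "$status"
}

# Constructed sample lockfile: $1 = output path, $2 = num-bigint-dig version.
write_sample_lock() {
    printf '%s\n' 'version = 3' '' '[[package]]' 'name = "num-bigint-dig"' \
        "version = \"$2\"" '' '[[package]]' 'name = "rsa"' \
        'version = "0.9.9"' > "$1"
}

sample=$(mktemp); write_sample_lock "$sample" 0.8.4
check_lock "$sample" || echo "check_lock exit status: $?"
rm -f "$sample"
```

In CI, call `check_lock Cargo.lock` from the workspace root and treat status 1 as the signal that the lockfile still pins an affected version.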
Workaround (if needed)
If the warning becomes an error before upstream fixes are released, you can:
- Use an older Rust version (current stable still allows this as a warning)
- Wait for upstream updates (recommended)
- Create a fork of rsa/ssh-key with newer num-bigint-dig (not recommended)
Recommended Action
No immediate action needed. This is a normal part of the Rust ecosystem evolution:
- Upstream packages will update their dependencies
- Our Cargo.lock will automatically resolve to fixed versions
- Continue monitoring with `cargo report future-incompatibilities`
References
- Rust Issue #120192: https://github.com/rust-lang/rust/issues/120192
- num-bigint-dig Repository: https://github.com/dignifiedquire/num-bigint
- num-bigint-dig Releases: https://github.com/dignifiedquire/num-bigint/releases
Last Updated: December 12, 2025
Status: Monitored, Non-Blocking
Action: Awaiting Upstream Fixes