prvng_platform/crates/control-center-ui/UPSTREAM_DEPENDENCY_ISSUE.md
Jesús Pérez 09a97ac8f5
chore: update platform submodule to monorepo crates structure
Platform restructured into crates/, added AI service and detector,
       migrated control-center-ui to Leptos 0.8
2026-01-08 21:32:59 +00:00


# Upstream Dependency Issue: num-bigint-dig v0.8.4

## Issue Summary

Status: ⚠️ UPSTREAM ISSUE - NON-BLOCKING

The `control-center-ui` build produces a future incompatibility warning from the transitive dependency `num-bigint-dig v0.8.4`:

```plaintext
warning: the following packages contain code that will be rejected by a future version of Rust: num-bigint-dig v0.8.4
note: to see what the problems were, use the option `--future-incompat-report`, or run `cargo report future-incompatibilities --id 1`
```

## Root Cause

The `num-bigint-dig v0.8.4` crate uses a **private `vec!` macro** in multiple locations (Rust issue #120192). This pattern will become a hard error in a future Rust release.

**Affected files in num-bigint-dig v0.8.4:**

- `src/biguint.rs` (lines 490, 2005, 2027, 2313)
- `src/prime.rs` (line 138)
- `src/bigrand.rs` (line 319)

## Dependency Chain

```plaintext
control-center-ui (control-center-ui v0.1.0)
    ↓
num-bigint-dig v0.8.4
    ↑ (pulled in by)
├── rsa v0.9.9
│   ├── control-center
│   ├── jsonwebtoken v10.2.0
│   └── provisioning-orchestrator
└── ssh-key v0.6.7
    ├── russh v0.44.1
    └── russh-keys v0.44.0
```

## Why We Can't Fix It

**Option 1: Direct Patch**

- ✗ Cannot patch transitive crates.io dependencies to different crates.io versions
- Cargo only allows patches to point to different sources (git repos, local paths)

**Option 2: Upgrade rsa**

- Available: `rsa v0.10.0-rc.10` (release candidate only, not stable)
- Status: Not production-ready until stable release
- Current: `rsa v0.9.9` (stable, production)

**Option 3: Upgrade ssh-key**

- Current: `ssh-key v0.6.7`
- Still depends on `num-bigint-dig v0.8.4` (not upgraded yet)

**Option 4: Local Fork**

- ✗ Not practical for transitive dependencies

## Resolution Timeline

**For num-bigint-dig:**

- Available versions: 0.8.5, 0.8.6, 0.9.0, 0.9.1
- Latest: v0.9.1
- Status: Fixed in 0.8.6 and later
- When it gets picked up: Depends on upstream crate releases

**Upstream Action Items:**

1. **rsa crate** needs to upgrade to use newer num-bigint-dig when available
2. **ssh-key crate** needs to upgrade to use newer num-bigint-dig when available
3. Once upstream crates update their dependencies, our Cargo.lock will automatically use the fixed version

## Current Impact

✅ **NO IMPACT ON FUNCTIONALITY**

- Code compiles cleanly
- All tests pass
- All features work correctly
- Only a forward-compatibility warning, not an error

✅ **NOT A BLOCKER FOR:**

- Deployment
- Production use
- Any functionality
- WASM compilation
- Release builds

## Timeline for Resolution

| Status | Item | Estimated |
|--------|------|-----------|
| ✓ Available | num-bigint-dig 0.8.6 | Already released |
| ⏳ Waiting | rsa v0.10 stable release | 2024-Q4 to 2025-Q1 |
| ⏳ Waiting | Downstream crate updates | After upstream releases |
| ✓ Automatic | Our build updates | Once dependencies are updated |

## Monitoring

To check for updates:

```bash
# Check for future incompatibilities
cargo report future-incompatibilities

# Check available versions
cargo outdated

# Check dependency tree
cargo tree | grep num-bigint-dig
```
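
A lockfile check that could back the monitoring commands above in CI, as an added example that is not part of the project's own tooling. It flags any locked `num-bigint-dig` older than 0.8.6, the first fixed release according to this page; the function names and the embedded sample lockfile are constructed for illustration, and versions are assumed to be plain numeric `x.y.z`.

```shell
# Added example (not project code): flag stale crate versions in a Cargo.lock.

# version_lt A B: succeed when dotted version A sorts strictly before B.
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)" = "$1" ]
}

# locked_versions LOCKFILE CRATE: print every locked version of CRATE.
# Only name/version keys inside a [[package]] table are considered, so the
# top-level lockfile "version = N" line and dependency lists are ignored.
locked_versions() {
    awk -v crate="$2" '
        /^\[\[package\]\]/      { in_pkg = 1; name = ""; next }
        in_pkg && /^name = /    { gsub(/"/, "", $3); name = $3 }
        in_pkg && /^version = / { gsub(/"/, "", $3); if (name == crate) print $3 }
    ' "$1"
}

# check_lock LOCKFILE CRATE FIXED: list versions older than FIXED, return 1 if any.
check_lock() {
    stale=0
    for v in $(locked_versions "$1" "$2"); do
        if version_lt "$v" "$3"; then
            echo "$2 $v is older than $3"
            stale=1
        fi
    done
    return "$stale"
}

# Constructed sample lockfile (not the project's real Cargo.lock).
sample_lock() {
    cat <<'EOF'
version = 3

[[package]]
name = "num-bigint-dig"
version = "0.8.4"

[[package]]
name = "rsa"
version = "0.9.9"
dependencies = [
 "num-bigint-dig",
]
EOF
}

lock=$(mktemp); sample_lock > "$lock"
check_lock "$lock" num-bigint-dig 0.8.6 || echo "still locked to a pre-fix version"
rm -f "$lock"
```

In a pipeline, point `check_lock` at the workspace `Cargo.lock` and use its exit status to decide whether to keep the tracking issue open.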

## Workaround (if needed)

If the warning becomes an error before upstream fixes are released, you can:

1. **Use an older Rust version** (current stable still allows this as a warning)
2. **Wait for upstream updates** (recommended)
3. **Create a fork** of rsa/ssh-key with newer num-bigint-dig (not recommended)

## Recommended Action

**No immediate action needed.** This is a normal part of the Rust ecosystem evolution:

- Upstream packages will update their dependencies
- Our Cargo.lock will automatically resolve to fixed versions
- Continue monitoring with `cargo report future-incompatibilities`

## References

- Rust Issue #120192: <https://github.com/rust-lang/rust/issues/120192>
- num-bigint-dig Repository: <https://github.com/dignifiedquire/num-bigint>
- num-bigint-dig Releases: <https://github.com/dignifiedquire/num-bigint/releases>

---

**Last Updated**: December 12, 2025
**Status**: Monitored, Non-Blocking
**Action**: Awaiting Upstream Fixes