prvng_platform/crates/control-center-ui/UPSTREAM_DEPENDENCY_ISSUE.md
Jesús Pérez 09a97ac8f5
chore: update platform submodule to monorepo crates structure
Platform restructured into crates/, added AI service and detector,
       migrated control-center-ui to Leptos 0.8
2026-01-08 21:32:59 +00:00


# Upstream Dependency Issue: num-bigint-dig v0.8.4
## Issue Summary
**Status**: ⚠️ **UPSTREAM ISSUE - NON-BLOCKING**
The control-center-ui build produces a future incompatibility warning from the transitive dependency `num-bigint-dig v0.8.4`:
```plaintext
warning: the following packages contain code that will be rejected by a future version of Rust: num-bigint-dig v0.8.4
note: to see what the problems were, use the option `--future-incompat-report`, or run `cargo report future-incompatibilities --id 1`
```
## Root Cause
The `num-bigint-dig v0.8.4` crate uses a **private `vec!` macro** in multiple locations (Rust issue #120192). This pattern will become a hard error in a future Rust release.
**Affected files in num-bigint-dig v0.8.4:**
- `src/biguint.rs` (lines 490, 2005, 2027, 2313)
- `src/prime.rs` (line 138)
- `src/bigrand.rs` (line 319)
## Dependency Chain
```plaintext
control-center-ui (control-center-ui v0.1.0)
num-bigint-dig v0.8.4
↑ (pulled in by)
├── rsa v0.9.9
│   ├── control-center
│   ├── jsonwebtoken v10.2.0
│   └── provisioning-orchestrator
└── ssh-key v0.6.7
    ├── russh v0.44.1
    └── russh-keys v0.44.0
```
## Why We Can't Fix It
**Option 1: Direct Patch**
- ✗ Cannot patch transitive crates.io dependencies to different crates.io versions
- Cargo only allows patches to point to different sources (git repos, local paths)
**Option 2: Upgrade rsa**
- Available: `rsa v0.10.0-rc.10` (release candidate only, not stable)
- Status: Not production-ready until stable release
- Current: `rsa v0.9.9` (stable, production)
**Option 3: Upgrade ssh-key**
- Current: `ssh-key v0.6.7`
- Still depends on `num-bigint-dig v0.8.4` (not upgraded yet)
**Option 4: Local Fork**
- ✗ Not practical for transitive dependencies
## Resolution Timeline
**For num-bigint-dig:**
- Available versions: 0.8.5, 0.8.6, 0.9.0, 0.9.1
- Latest: v0.9.1
- Status: Fixed in 0.8.6 and later
- When it gets picked up: Depends on upstream crate releases
**Upstream Action Items:**
1. **rsa crate** needs to upgrade to use newer num-bigint-dig when available
2. **ssh-key crate** needs to upgrade to use newer num-bigint-dig when available
3. Once upstream crates update their dependencies, our Cargo.lock will automatically use the fixed version
## Current Impact
✅ **NO IMPACT ON FUNCTIONALITY**
- Code compiles cleanly
- All tests pass
- All features work correctly
- Only a forward-compatibility warning, not an error
✅ **NOT A BLOCKER FOR:**
- Deployment
- Production use
- Any functionality
- WASM compilation
- Release builds
## Timeline for Resolution
| Status | Item | Estimated |
|--------|------|-----------|
| ✓ Available | num-bigint-dig 0.8.6 | Already released |
| ⏳ Waiting | rsa v0.10 stable release | 2024-Q4 to 2025-Q1 |
| ⏳ Waiting | Downstream crate updates | After upstream releases |
| ✓ Automatic | Our build updates | Once dependencies are updated |
## Monitoring
To check for updates:
```bash
# Check for future incompatibilities
cargo report future-incompatibilities
# Check available versions
cargo outdated
# Check dependency tree
cargo tree | grep num-bigint-dig
```
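A lockfile check to complement the commands above, as an added example (not part of the original document or the project's code): it reads `Cargo.lock` text, reports any locked `num-bigint-dig` older than 0.8.6, and lists the crates that require it. `SAMPLE_LOCK`, `parse_lock` and `audit` are names assumed for this illustration, and the lockfile is parsed from its generated layout with regular expressions rather than with a TOML library.

```python
import re

FIXED_IN = (0, 8, 6)  # from the page: "Fixed in 0.8.6 and later"
# Constructed sample in Cargo.lock layout, trimmed to crates named on the page.
SAMPLE_LOCK = """\
[[package]]
name = "num-bigint-dig"
version = "0.8.4"

[[package]]
name = "rsa"
version = "0.9.9"
dependencies = [
 "num-bigint-dig",
]

[[package]]
name = "ssh-key"
version = "0.6.7"
dependencies = [
 "num-bigint-dig 0.8.4",
]
"""

def parse_lock(text):
    """Return (name, version, deps) per [[package]]; each dep is ["name"] or ["name", "version"]."""
    packages = []
    for block in text.split("[[package]]")[1:]:
        name = re.search(r'^name = "([^"]+)"', block, re.M).group(1)
        version = re.search(r'^version = "([^"]+)"', block, re.M).group(1)
        deps = re.search(r"^dependencies = \[(.*?)^\]", block, re.M | re.S)
        entries = re.findall(r'"([^"]+)"', deps.group(1)) if deps else []
        packages.append((name, version, [e.split()[:2] for e in entries]))
    return packages

def audit(text, crate="num-bigint-dig", fixed_in=FIXED_IN):
    """Map each locked version of `crate` older than `fixed_in` to its direct dependents."""
    packages, findings = parse_lock(text), {}
    for name, version, _ in packages:
        core = version.split("-")[0].split("+")[0]  # drop pre-release/build suffix
        if name != crate or tuple(map(int, core.split("."))) >= fixed_in:
            continue
        findings[version] = sorted(
            f"{n} v{v}" for n, v, deps in packages
            if any(d[0] == crate and d[1:] in ([], [version]) for d in deps))
    return findings

if __name__ == "__main__":
    for version, users in audit(SAMPLE_LOCK).items():
        print(f"num-bigint-dig v{version} predates the fix; required by: {', '.join(users)}")
```

To audit a real project, pass the contents of its `Cargo.lock` to `audit` in place of `SAMPLE_LOCK`.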
## Workaround (if needed)
If the warning becomes an error before upstream fixes are released, you can:
1. **Use an older Rust version** (current stable still allows this as a warning)
2. **Wait for upstream updates** (recommended)
3. **Create a fork** of rsa/ssh-key with newer num-bigint-dig (not recommended)
## Recommended Action
**No immediate action needed.** This is a normal part of the Rust ecosystem evolution:
- Upstream packages will update their dependencies
- Our Cargo.lock will automatically resolve to fixed versions
- Continue monitoring with `cargo report future-incompatibilities`
## References
- Rust Issue #120192: <https://github.com/rust-lang/rust/issues/120192>
- num-bigint-dig Repository: <https://github.com/dignifiedquire/num-bigint>
- num-bigint-dig Releases: <https://github.com/dignifiedquire/num-bigint/releases>
---
**Last Updated**: December 12, 2025
**Status**: Monitored, Non-Blocking
**Action**: Awaiting Upstream Fixes