Dependency Debt
The following dependency upgrades were investigated and intentionally deferred because they are blocked by ecosystem compatibility, synchronized stack updates, or unacceptable large-crate duplication.
| Dependency | Current | Next available | Blocker / comment |
|---|---|---|---|
| `alloy` | 1.7 | 1.8 | Currently pinned to stay on `reqwest` v0.12. Can be upgraded as soon as we're ready to move to `reqwest` v0.13. |
| `digest` | 0.10 | 0.11 | Blocked by `sha2`, `sha3` and other crates from the RustCrypto ecosystem used by `arrow-digest`. We need to wait for the 0.11 release (tracking issue). |
| `rand` | 0.9 | 0.10 | Not safe as a standalone upgrade. Coupled to `rand_core` and crypto-related crates; duplication may be tolerable in isolated cases, but not where RNG traits cross API boundaries. Needs coordinated review. |
| `rand_core` | 0.6 | 0.10 | Blocked by the crypto stack. `ed25519-dalek 2.2.0` still pins `rand_core 0.6.4`, and local code passes RNG types through that boundary. Also indirectly coupled to `password-hash 0.5`. |
| `password-hash` | 0.5 | 0.6 | Blocked by stable `argon2`. Current stable `argon2 0.5.3` still depends on `password-hash 0.5`. Upgrading would require either splitting password-hash traits/types or adopting `argon2 0.6.0-rc.*`, which is not desirable for release work. |
| `reqwest` | 0.12 | 0.13 | Direct crates can move, but important transitive dependencies still pin 0.12, notably `alloy` (new version exists), `async-openai` (new version exists), and `object-store` (PR). We do not want duplicate versions for such a core HTTP stack. This should be upgraded as a synchronized ecosystem move. |
| `sha3` | 0.10 | 0.11 | Same reasons as `digest`. |
| `whoami` | 1.6 | 2.1 | Blocked by `sqlx 0.8.x`, which still depends on `whoami 1.x`. This should move only when the `sqlx` ecosystem catches up. |
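The duplication rule above (tolerable for leaf crates, not for the HTTP or crypto stack) is easy to check mechanically. The script below is an added example, not part of this project: it parses the JSON that `cargo metadata --format-version 1` prints and fails on any core-stack crate resolved in two versions. The `CORE_STACK` set and the embedded package list are constructed for the example; in practice you would pipe real `cargo metadata` output in.

```python
"""Flag crates resolved in more than one version, and fail on core-stack duplicates.

Added example for this page (not project code). Reads the `packages` array from
`cargo metadata --format-version 1` so a deferred upgrade (e.g. reqwest 0.13
landing while alloy/async-openai/object-store still pin 0.12) is caught in CI.
"""
import json
from collections import defaultdict

# Crates where any duplicate version is a hard failure. Chosen for this example
# from the blockers the table names; adjust to your own policy.
CORE_STACK = {"reqwest", "rand_core", "digest", "password-hash"}

# Constructed sample: same shape as `cargo metadata` output, versions illustrative.
SAMPLE_METADATA = json.dumps({
    "packages": [
        {"name": "reqwest", "version": "0.12.9", "id": "reqwest 0.12.9"},
        {"name": "reqwest", "version": "0.13.0", "id": "reqwest 0.13.0"},
        {"name": "rand_core", "version": "0.6.4", "id": "rand_core 0.6.4"},
        {"name": "alloy", "version": "1.7.0", "id": "alloy 1.7.0"},
        {"name": "hashbrown", "version": "0.14.5", "id": "hashbrown 0.14.5"},
        {"name": "hashbrown", "version": "0.15.2", "id": "hashbrown 0.15.2"},
    ]
})


def duplicate_versions(metadata_json: str) -> dict[str, list[str]]:
    """Map crate name -> sorted versions, only for crates present in >1 version."""
    packages = json.loads(metadata_json)["packages"]
    versions: dict[str, set[str]] = defaultdict(set)
    for pkg in packages:
        versions[pkg["name"]].add(pkg["version"])
    return {name: sorted(v) for name, v in versions.items() if len(v) > 1}


def core_stack_violations(metadata_json: str, core=CORE_STACK) -> dict[str, list[str]]:
    """Subset of duplicates that hit crates we refuse to ship in two versions."""
    return {n: v for n, v in duplicate_versions(metadata_json).items() if n in core}


if __name__ == "__main__":
    # With real input: cargo metadata --format-version 1 | python check_dups.py
    for name, vers in duplicate_versions(SAMPLE_METADATA).items():
        print(f"{name}: {', '.join(vers)}")
    if core_stack_violations(SAMPLE_METADATA):
        raise SystemExit("core HTTP/crypto stack duplicated; defer the upgrade")
```

On the constructed sample this reports `hashbrown` as a tolerable duplicate and exits non-zero because `reqwest` is duplicated.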