Start updating dependencies (#1163)

Progress towards #1162 and fixing security alerts.

- `cargo update`: bumps versions in the lockfile
- `cargo upgrade`: bumps manifest versions within current semranges
- Then a few incompatible bumps (`dashmap 6`, `embed-resource 3`,
`env_logger 0.11`,`itertools 0.14`, `libloading 0.9`, `strum 0.28`,
`winsafe 0.0.27`,`xdg 3`)
- Switched to rust-yaml2 as rust-yaml is unmaintained
- More updates (base64 0.21 to 0.22, dirs 4 to 6, http 0.2 removed, rand
0.8 to 0.10,

Author: lionel-

Cargo.lock

@@ -24,101 +24,98 @@ result_large_err = "allow"
 too_many_arguments = "allow"
 
 [workspace.dependencies]
-actix-web = "4.4.0"
+actix-web = "4.13.0"
 aether_factory = { git = "https://github.com/posit-dev/air", package = "air_r_factory", rev = "4cbd36d552e27d8930cff1602d56bfd9ce4c1ed1" }
 aether_lsp_utils = { git = "https://github.com/posit-dev/air", rev = "4cbd36d552e27d8930cff1602d56bfd9ce4c1ed1" }
 aether_parser = { git = "https://github.com/posit-dev/air", package = "air_r_parser", rev = "4cbd36d552e27d8930cff1602d56bfd9ce4c1ed1" }
 aether_syntax = { git = "https://github.com/posit-dev/air", package = "air_r_syntax", rev = "4cbd36d552e27d8930cff1602d56bfd9ce4c1ed1" }
 amalthea = { path = "crates/amalthea" }
-anyhow = "1.0.100"
+anyhow = "1.0.102"
 ark = { path = "crates/ark" }
 ark_test = { path = "crates/ark_test" }
 assert_matches = "1.5.0"
-async-trait = "0.1.66"
-base64 = "0.21.0"
+async-trait = "0.1.89"
+base64 = "0.22.1"
 biome_line_index = { git = "https://github.com/lionel-/biome", rev = "41d799cfa4cedd25625fc3f6bd7898532873f051" }
 biome_rowan = { git = "https://github.com/lionel-/biome", rev = "41d799cfa4cedd25625fc3f6bd7898532873f051" }
-blake3 = "1.8.2"
-bus = "2.3.0"
-cc = "1.1.22"
-cfg-if = "1.0.0"
+blake3 = "1.8.4"
+bus = "2.4.1"
+cc = "1.2.60"
+cfg-if = "1.0.4"
 chrono = "0.4.44"
 crossbeam = { version = "0.8.4", features = ["crossbeam-channel"] }
-crypto-common = "0.1.6"
 ctor = "0.1.26"
 dap = { branch = "main", git = "https://github.com/sztomi/dap-rs" }
-dashmap = "5.4.0"
-dirs = "4.0.0"
-ego-tree = "0.6.2"
-embed-resource = "2.5.0"
-env_logger = "0.10.0"
+dashmap = "6.1.0"
+dirs = "6.0.0"
+ego-tree = "0.11.0"
+embed-resource = "3.0.8"
+env_logger = "0.11.10"
 etcetera = "0.11.0"
-flate2 = "1.1.1"
-futures = "0.3.30"
-generic-array = "0.14.6"
+flate2 = "1.1.9"
+futures = "0.3.32"
 harp = { path = "crates/harp" }
 harp-macros = { path = "crates/harp/harp-macros" }
 hex = "0.4.3"
-hmac = "0.12.1"
-home = "0.5.5"
-http = "0.2.9"
-insta = "1.39.0"
-itertools = "0.10.5"
-libc = "0.2.152"
-libloading = "0.8.1"
+hmac = "0.13.0"
+home = "0.5.12"
+insta = "1.47.2"
+itertools = "0.14.0"
+libc = "0.2.185"
+libloading = "0.9.0"
 libr = { path = "crates/libr" }
-log = "0.4.18"
-mime_guess = "2.0.4"
-nix = { version = "0.26.2", features = ["signal"] }
-notify = "6.0.0"
+log = "0.4.29"
+mime_guess = "2.0.5"
+nix = { version = "0.26.4", features = ["signal"] }
+notify = "8.2.0"
 oak_core = { path = "crates/oak_core" }
 oak_fs = { path = "crates/oak_fs" }
 oak_ide = { path = "crates/oak_ide" }
 oak_index = { path = "crates/oak_index" }
 oak_package = { path = "crates/oak_package" }
 oak_r_process = { path = "crates/oak_r_process" }
 oak_sources = { path = "crates/oak_sources" }
-once_cell = "1.17.1"
-parking_lot = "0.12.3"
-paste = "1.0.14"
-quote = "1.0.42"
-rand = "0.8.5"
-regex = "1.10.0"
+once_cell = "1.21.4"
+parking_lot = "0.12.5"
+paste = "1.0.15"
+quote = "1.0.45"
+rand = "0.10"
+regex = "1.12.3"
 reqwest = { version = "0.13.2", default-features = false, features = ["json"] }
 reqwest-middleware = "0.5.1"
 reqwest-retry = "0.9.1"
-rust-embed = "8.2.0"
-rustc-hash = "2.1.1"
-scraper = "0.15.0"
-semver = "1.0.19"
-serde = { version = "1.0.183", features = ["derive"] }
-serde_json = { version = "1.0.94", features = ["preserve_order"] }
-serde_repr = "0.1.17"
-serde_with = "3.0.0"
-sha2 = "0.10.6"
-smallvec = "1.13.2"
+rust-embed = "8.11.0"
+rustc-hash = "2.1.2"
+scraper = "0.26.0"
+semver = "1.0.28"
+serde = { version = "1.0.228", features = ["derive"] }
+serde_json = { version = "1.0.149", features = ["preserve_order"] }
+serde_repr = "0.1.20"
+serde_with = "3.18.0"
+sha2 = "0.11.0"
+smallvec = "1.15.1"
 stdext = { path = "crates/stdext" }
 streaming-iterator = "0.1.9"
-strum = "0.26.2"
-strum_macros = "0.26.2"
-syn = { version = "2.0.111", features = ["full"] }
-tar = "0.4.44"
-tempfile = "3.13.0"
-tokio = { version = "1.26.0", features = ["full"] }
+strum = "0.28.0"
+strum_macros = "0.28.0"
+syn = { version = "2.0.117", features = ["full"] }
+tar = "0.4.45"
+tempfile = "3.27.0"
+tokio = { version = "1.52.1", features = ["full"] }
 # For https://github.com/ebkalderon/tower-lsp/pull/428
 tower-lsp = { branch = "bugfix/patches", git = "https://github.com/lionel-/tower-lsp" }
-tracing = "0.1.40"
-tracing-appender = "0.2.3"
-tracing-error = "0.2.0"
-tracing-subscriber = { version = "0.3.18", features = ["env-filter"] }
+tracing = "0.1.44"
+tracing-appender = "0.2.5"
+tracing-error = "0.2.1"
+tracing-subscriber = { version = "0.3.23", features = ["env-filter"] }
 tree-sitter = "0.24.7"
 tree-sitter-r = { git = "https://github.com/r-lib/tree-sitter-r", rev = "95aff097aa927a66bb357f715b58cde821be8867" }
 ureq = "3.3.0"
-url = "2.5.7"
-uuid = { version = "1.3.0", features = ["v4"] }
+url = "2.5.8"
+uuid = { version = "1.23.1", features = ["v4"] }
 walkdir = "2"
 windows-sys ="0.61.2"
-winsafe = { version = "0.0.19", features = ["kernel"] }
-xdg = "2.5.2"
-yaml-rust = "0.4.5"
+winsafe = { version = "0.0.27", features = ["kernel"] }
+xdg = "3.0.0"
+yaml-rust2 = "0.9"
 zmq = "0.10.0"

Cargo.toml

@@ -17,10 +17,8 @@ async-trait.workspace = true
 cfg-if.workspace = true
 chrono.workspace = true
 crossbeam.workspace = true
-crypto-common.workspace = true
 dirs.workspace = true
 futures.workspace = true
-generic-array.workspace = true
 hex.workspace = true
 hmac.workspace = true
 log.workspace = true

crates/amalthea/Cargo.toml

@@ -29,7 +29,7 @@ pub enum Error {
     JsonSerializeSpecFailed(serde_json::Error),
     CreateSpecFailed(std::io::Error),
     WriteSpecFailed(std::io::Error),
-    HmacKeyInvalid(String, crypto_common::InvalidLength),
+    HmacKeyInvalid(String, hmac::digest::InvalidLength),
     CreateSocketFailed(String, zmq::Error),
     SocketBindError(String, String, zmq::Error),
     SocketConnectError(String, String, zmq::Error),

crates/amalthea/src/error.rs

@@ -6,7 +6,7 @@
  */
 
 use assert_matches::assert_matches;
-use rand::Rng;
+use rand::RngExt;
 use serde_json::Value;
 
 use crate::connection_file::ConnectionFile;
@@ -65,7 +65,7 @@ impl Default for DummyConnection {
 impl DummyConnection {
     pub fn new() -> Self {
         // Create a random HMAC key for signing messages.
-        let key_bytes = rand::thread_rng().gen::<[u8; 16]>();
+        let key_bytes = rand::rng().random::<[u8; 16]>();
         let key = hex::encode(key_bytes);
 
         // Create a new kernel session from the key
@@ -144,7 +144,7 @@ impl DummyFrontend {
 
         // Create a random socket identity for the shell and stdin sockets. Per
         // the Jupyter specification, these must share a ZeroMQ identity.
-        let shell_id = rand::thread_rng().gen::<[u8; 16]>();
+        let shell_id = rand::rng().random::<[u8; 16]>();
 
         let control_socket = Socket::new(
             connection.session.clone(),

crates/amalthea/src/fixtures/dummy_frontend.rs

@@ -6,7 +6,7 @@
  */
 
 use hmac::Hmac;
-use hmac::Mac;
+use hmac::KeyInit;
 use sha2::Sha256;
 use uuid::Uuid;
 

crates/amalthea/src/session.rs

@@ -5,7 +5,6 @@
  *
  */
 
-use generic_array::GenericArray;
 use hmac::Hmac;
 use log::trace;
 use serde::de::DeserializeOwned;
@@ -162,7 +161,7 @@ impl WireMessage {
             hmac_validator.update(buf);
         }
         // Verify the signature
-        if let Err(err) = hmac_validator.verify(GenericArray::from_slice(&decoded)) {
+        if let Err(err) = hmac_validator.verify_slice(&decoded) {
             return Err(Error::BadSignature(decoded, err));
         }
 

crates/amalthea/src/wire/wire_message.rs

@@ -36,7 +36,6 @@ ego-tree.workspace = true
 futures.workspace = true
 harp.workspace = true
 home.workspace = true
-http.workspace = true
 itertools.workspace = true
 libc.workspace = true
 libr.workspace = true
@@ -74,7 +73,7 @@ url.workspace = true
 uuid.workspace = true
 walkdir.workspace = true
 winsafe.workspace = true
-yaml-rust.workspace = true
+yaml-rust2.workspace = true
 
 [dev-dependencies]
 ark_test.workspace = true

crates/ark/Cargo.toml

@@ -65,7 +65,9 @@ fn main() {
     let resource = Path::new("resources")
         .join("manifest")
         .join("ark-manifest.rc");
-    embed_resource::compile_for_everything(resource, embed_resource::NONE);
+    embed_resource::compile_for_everything(resource, embed_resource::NONE)
+        .manifest_required()
+        .unwrap();
 
     cc::Build::new().file("src/debug.c").compile("debug");
 }

crates/ark/build.rs

@@ -9,14 +9,14 @@ use std::net::TcpListener;
 
 use actix_web::get;
 use actix_web::http::header::ContentType;
+use actix_web::http::uri::PathAndQuery;
 use actix_web::web;
 use actix_web::App;
 use actix_web::HttpRequest;
 use actix_web::HttpResponse;
 use actix_web::HttpServer;
 use harp::exec::RFunction;
 use harp::exec::RFunctionExt;
-use http::uri::PathAndQuery;
 use mime_guess::from_path;
 use reqwest::Client;
 use reqwest_middleware::ClientBuilder;