fix(crypto): drop dangling serde_json/std refs in 4 crypto crates#1420
Merged
Conversation
v0.17.1 lands the post-audit follow-up batch: - M-2 escrow rescue: `withdrawRemainingEscrowTo(serviceId, to)` — owner-chosen recipient escape hatch when escrow token blocklists the service owner. - H-1 oracle snapshot at activation/join — per-(serviceId, op, asset) USD price pinned at activation; post-activation oracle drift cannot inflate one operator's bill share against honest co-operators. - F-001 pull-payment staker forward — distributor pulls ERC20 via `safeTransferFrom`; reverting distributor no longer strands tokens. - Governance-tunable operator cap — `setMaxOperatorsPerService` / `maxOperatorsPerService` view, default 256 (was hardcoded 64). - New events: PushTransferFailed, PriceOracleFallback, MaxOperatorsPerServiceUpdated. Switches off the git-branch pin and onto the published crates.io release. `cargo check --workspace` clean — no ABI break sites in the workspace.
… + audit follow-up Per-crate prerelease bump preserving each crate's major/minor lineage: - blueprint-* core/sdk/runner/etc.: 0.2.0-alpha.4 → 0.2.0-alpha.5 - blueprint-manager: 0.4.0-alpha.3 → 0.4.0-alpha.4 - blueprint-pricing-engine: 0.3.0-alpha.3 → 0.3.0-alpha.4 - cargo-tangle: 0.5.0-alpha.3 → 0.5.0-alpha.4 Picks up tnt-core-bindings v0.17.1 transitively (M-2 escrow rescue, H-1 oracle snapshot, F-001 pull-payment, governance-tunable operator cap).
`serde_json` is a dev-dependency, not a top-level dep — its `std` feature can't be activated from the package's own `std` feature gate. Cargo's strict manifest validation rejects this on publish. Triggered by `cargo workspaces publish` halting on: > error: feature `std` includes `serde_json/std`, but `serde_json` is not a dependency
Same bug as #1419 in 4 more crypto crates (ed25519, bn254, sr25519, k256). serde_json is only a dev-dependency in these crates; referencing its `std` feature from the package's own `std` feature is a manifest validation error that halts `cargo publish`. Removed the dangling references; serde_json isn't used in non-test paths.
PR Quality Gate Summary
Blocking issues
|
Merged
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Same class of bug as #1419 in 4 more crates (ed25519, bn254, sr25519, k256).
serde_jsonis dev-only in these crates; manifest validation rejects thestdfeature gate. Haltscargo workspaces publishmid-batch.