chore(deps): bump polkavm 0.32→0.33 and multihash to drop yanked deps #816
sorpaas wants to merge 2 commits into
Conversation
Master CI Security audit was failing because polkavm 0.32.0 and core2 0.4.0 (transitive via multihash 0.19.3) were yanked from crates.io.
- polkavm / polkavm-common: 0.32.0 → 0.33.1 (grey-bench)
- polkavm-derive: 0.32.0 → 0.33.0 (5 bench services: blake2b, ecrecover, ed25519, keccak, prime-sieve)
- polkavm-linker: 0.32.0 → 0.33.0 (build-pvm)
- multihash: 0.19.3 → 0.19.5 (transitive, drops core2 in favour of no_std_io2)
Cargo.lock cleanup: removes core2, polkavm-common 0.32.0, polkavm 0.32.0, polkavm-derive 0.32.0, polkavm-derive-impl 0.32.0, polkavm-derive-impl-macro 0.32.0, polkavm-linker 0.32.0. Some transitive Windows-only sys crates also shifted as a consequence (windows-sys 0.59 → 0.61); no JAR code touches them.
The polkavm 0.32→0.33 change ranges (DWARF handling, sandbox optimisations, Linux syscall additions per upstream commit log) are all internal — none of the public API surface used by grey-bench (Config, Engine, Module, Reg, InterruptKind, GasMeteringKind) changed in a way that would affect compile.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
…0104 cargo audit on the previous commit revealed a separate (newly-published) advisory: rustls-webpki 0.103.12 has a reachable panic in CRL parsing. Patched in 0.103.13. Same change as in target commit 1045647 on master, applied via `cargo update -p rustls-webpki`.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
/review Self-review. This is a chore(deps) PR with no code changes — version bumps in 7 Cargo.toml files plus Cargo.lock. Honest ranking: low novelty (routine dep bumps), low design (just version strings, no architectural decisions), and middling difficulty — the only non-trivial parts were tracing core2 transitively through multihash 0.19.3 (all core2 versions yanked, fix is to bump multihash to 0.19.4+ which switched to no_std_io2) and confirming the polkavm 0.32→0.33 public API surface used by grey-bench did not break. The follow-up rustls-webpki 0.103.13 bump for RUSTSEC-2026-0104 was straightforward once cargo audit pointed at it. Verdict merge: CI confirms the bumps work (Security audit pass, Tests + Tests-macOS pass, Integration harness pass, build pass — 10m+ test runs validate the polkavm API compatibility). Project-level value is the main argument: this unblocks the Genesis merge flow on ~25 open PRs that have all been failing Security audit due to the yanked deps and the new rustls-webpki advisory. The PR earns its merge by removing a blocker, not by being clever.
JAR Bot: Quorum reached — triggering merge.
Summary
Fixes the master Security audit failure that has been blocking ~25 open PRs. Two yanked dependencies in master's Cargo.lock:
- polkavm 0.32.0 (direct dep in grey-bench, polkavm-derive in 5 bench services, polkavm-linker in build-pvm)
- core2 0.4.0 (transitive via multihash 0.19.3; all core2 versions are yanked, so we cannot bump it — fix is to bump multihash to a version that no longer depends on it)
Changes
Cargo.lock cleanup: removes core2, all polkavm* 0.32 entries. A few transitive Windows-only sys crates shifted (windows-sys 0.59 → 0.61) as a side effect of cargo selecting newer compatible deps; no JAR code references them.
Risk
The polkavm 0.32→0.33 release notes (per upstream commit log) cover only internal changes: DWARF for RISC-V, Linux sandbox optimisations, additional syscalls (sched_getaffinity, gettid, getcpu), interpreter dispatch refactor, and BMI1 runtime check. None of the public API used by grey-bench (Config, Engine, Module, Reg, InterruptKind, GasMeteringKind, BackendKind, SandboxKind) is affected.
I could not verify the build locally (the dev environment lacks a complete C toolchain), so I'm relying on CI to validate the bumps. If anything breaks at link time, it should surface immediately in the Tests / Integration harness jobs.
Test plan
grey-bench)
🤖 Generated with Claude Code
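As an added illustration (not code from the PR or the repository), a small Cargo.lock reader that answers the tracing question raised in the Summary and the self-review offline: which workspace crate pulls a yanked version in, and through what chain? The lock fragment, the crate name jar-node and the yanked set are constructed for the example; real yanked status comes from crates.io via cargo audit.

```python
import re
# Constructed Cargo.lock fragment (not the repository's real lock file), shaped like
# the PR: grey-bench -> polkavm 0.32.0, and a made-up "jar-node" -> multihash -> core2.
SAMPLE_LOCK = """[[package]]
name = "grey-bench"
version = "0.1.0"
dependencies = ["polkavm"]
[[package]]
name = "jar-node"
version = "0.1.0"
dependencies = ["multihash"]
[[package]]
name = "multihash"
version = "0.19.3"
dependencies = ["core2"]
[[package]]
name = "core2"
version = "0.4.0"
[[package]]
name = "polkavm"
version = "0.32.0"
"""
YANKED = {("polkavm", "0.32.0"), ("core2", "0.4.0")}  # constructed: the versions the PR says were yanked

def parse_lock(text):
    """Map (name, version) -> [dependency names] for each [[package]] entry."""
    pkgs = {}
    for block in text.split("[[package]]")[1:]:
        name, version = (re.search(rf'^{k} = "([^"]+)"', block, re.M).group(1) for k in ("name", "version"))
        deps = re.search(r"dependencies = \[(.*?)\]", block, re.S)
        # A dependency entry is "name" or "name version (source)" when several versions coexist.
        pkgs[(name, version)] = [d.split()[0] for d in re.findall(r'"([^"]+)"', deps.group(1))] if deps else []
    return pkgs

def who_pulls(pkgs, target):  # all chains from a workspace root down to `target`
    chains = []
    def walk(path):  # path runs target -> ... -> current node; parents are whoever lists that node
        parents = [p for p, deps in pkgs.items() if path[-1][0] in deps and p not in path]
        if not parents:
            chains.append([f"{n} {v}" for n, v in reversed(path)])
        for p in parents:
            walk(path + [p])
    for node in pkgs:
        if node[0] == target:
            walk([node])
    return chains

def yanked_report(text, yanked):  # {'name version': chains} for each locked version in the yanked set
    pkgs = parse_lock(text)
    return {f"{n} {v}": who_pulls(pkgs, n) for n, v in pkgs if (n, v) in yanked}
```

Running `yanked_report(SAMPLE_LOCK, YANKED)` shows core2 0.4.0 reached only through multihash 0.19.3, which is why bumping multihash rather than core2 is the fix.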