Skip to content

build(deps): batch Renovate dashboard updates across all ecosystems#1166

Merged
aaylward merged 2 commits into
mainfrom
claude/grpc-1.82-upgrade-oy0edw
Jul 4, 2026
Merged

build(deps): batch Renovate dashboard updates across all ecosystems#1166
aaylward merged 2 commits into
mainfrom
claude/grpc-1.82-upgrade-oy0edw

Conversation

@aaylward

@aaylward aaylward commented Jul 4, 2026

Copy link
Copy Markdown
Collaborator

Summary

Batches the pending updates from the Renovate Dependency Dashboard plus its two open security PRs (#1160, #1161) into one change. Once this merges, those two Renovate PRs can be closed as superseded.

Security fixes

Version bumps

  • Go: lib/pq v1.12.3, prometheus/common v0.69.0, google.golang.org/grpc v1.82.0 (+ tidy)
  • Cargo: full semver-compatible cargo update (mirrors Renovate's group:all behavior)
  • Bazel modules: rules_cc 0.2.21, check 0.15.2.bcr.2, opentelemetry-cpp 1.27.0, curl 8.12.0.bcr.1, rules_go 0.61.1, gazelle 0.51.3, contrib_rules_jvm 0.33.0, rules_oci 2.3.0, rules_rust/rules_rust_prost 0.71.3, bazel_features 1.50.0, aspect_rules_lint 2.7.2
  • Bazel itself: 9.1.0 → 9.1.1 — note this makes diff-build run a full //... build+test, which is exactly the validation this PR wants
  • Actions: actions/checkout v7, setup-bazel 0.19.0, release-wordchains-ios runners macos-15 → macos-26
  • Observability images: prometheus v3.13.0, otel-collector-contrib 0.155.0, cadvisor v0.60.3

Validated locally

  • cargo check --workspace passes with otel 0.32 and the refreshed lockfile
  • 1d4_web vitest: 68/68 pass on vite 8.1.3
  • go build ./... + go test ./... results identical to main (the few failures are pre-existing mixed-package layout issues)
  • Bazel module graph resolves cleanly; MODULE.bazel.lock registry hashes refreshed

Deliberately excluded (follow-ups)

  • toolchains_llvm 1.8.0 — attempted, reverted in-PR: 1.8.0 changes -stdlib=libc++ flag handling and boringssl's -Werror turns the resulting -Wunused-command-line-argument into a hard compile error; needs its own migration PR
  • Maven artifact bumps (guava, jdbi, sentry-logback, etc.) — maven_install.json repin isn't runnable in this environment
  • Majors needing migration: rules_jvm_external 7, rules_python 2, rmcp 2, rustyline 18, tokenizers 0.23, safetensors 0.8, candle 0.11, tower-http 0.7
  • mongoose 7.22 (needs new archive sha256), java_base 26, ubuntu 26.04 CI image, docker digest pins, scalafmt

🤖 Generated with Claude Code

https://claude.ai/code/session_01Jw99o89a2UYe9NKLE9zGUx

Batches the pending updates from the Renovate dependency dashboard
(#116) and its two open security PRs into one change.

Rust (closes the #1161 security PR properly):
- opentelemetry / opentelemetry_sdk / opentelemetry-otlp 0.31 -> 0.32
  in lockstep (sdk 0.32.1 fixes CVE-2026-48504; renovate's sdk-only
  bump would have produced two api versions in the graph)
- cargo update: semver-compatible refresh of the whole lockfile
- verified locally: cargo check --workspace passes

npm / 1d4_web (closes the #1160 security PR):
- package-lock refresh; vite 8.0.7 -> 8.1.3 (includes the 8.0.16
  security fixes for CVE-2026-53571 and CVE-2026-53632)
- verified locally: vitest 68/68 pass

Go:
- lib/pq v1.11.2 -> v1.12.3, prometheus/common v0.67.5 -> v0.69.0,
  google.golang.org/grpc v1.79.3 -> v1.82.0 (+ tidy)
- verified locally: go build ./... and go test ./... match main

Bazel modules:
- rules_cc 0.2.21, check 0.15.2.bcr.2, opentelemetry-cpp 1.27.0,
  curl 8.12.0.bcr.1, rules_go 0.61.1, gazelle 0.51.3,
  contrib_rules_jvm 0.33.0, rules_oci 2.3.0, rules_rust +
  rules_rust_prost 0.71.3, toolchains_llvm 1.8.0, bazel_features
  1.50.0, aspect_rules_lint 2.7.2
- .bazelversion 9.1.0 -> 9.1.1 (also forces a full CI build+test,
  which validates every bump above)

GitHub Actions / infra:
- actions/checkout v6 -> v7, bazel-contrib/setup-bazel 0.18.0 -> 0.19.0
- release-wordchains-ios runners macos-15 -> macos-26
- o11y images: prometheus v3.13.0, otel-collector-contrib 0.155.0,
  cadvisor v0.60.3

Deliberately excluded: maven artifact bumps (maven_install.json repin
not runnable in this environment), rules_jvm_external 7 and
rules_python 2 (majors), cargo majors (rmcp 2, rustyline 18,
tokenizers 0.23, safetensors 0.8, candle 0.11, tower-http 0.7),
mongoose 7.22 (needs new archive sha), java_base 26 / ubuntu 26.04 /
image digest updates, scalafmt.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01Jw99o89a2UYe9NKLE9zGUx
@cloudflare-workers-and-pages

cloudflare-workers-and-pages Bot commented Jul 4, 2026

Copy link
Copy Markdown

Deploying with  Cloudflare Workers  Cloudflare Workers

The latest updates on your project. Learn more about integrating Git with Workers.

Status Name Latest Commit Preview URL Updated (UTC)
✅ Deployment successful!
View logs
1d4-web 7edd333 Commit Preview URL

Branch Preview URL
Jul 04 2026, 08:26 PM

toolchains_llvm 1.8.0 changes how -stdlib=libc++ is passed to compile
commands, and boringssl's -Werror turns the resulting
-Wunused-command-line-argument warning into a hard error:

  clang: error: argument unused during compilation: '-stdlib=libc++'
  [-Werror,-Wunused-command-line-argument]

Keep 1.7.0 in this batch; the 1.8.0 upgrade needs its own PR with
toolchain flag configuration.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01Jw99o89a2UYe9NKLE9zGUx
@aaylward aaylward enabled auto-merge (squash) July 4, 2026 22:17
@aaylward aaylward merged commit bfd883c into main Jul 4, 2026
12 checks passed
@aaylward aaylward deleted the claude/grpc-1.82-upgrade-oy0edw branch July 4, 2026 22:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants