Description
Tracking issue for major-version dependency upgrades that need dedicated migration sessions, not fire-and-forget Dependabot merges.
Current backlog
Frontend
- npm run type-check + manual click-through across chat / roster / settings / import wizard before merge.
- @theme directives), new engine, tailwind.config.js gets gutted. Needs visual QA across every screen, especially the warm-stone palette + teal accents + Instrument Serif italic gradient + radial-glow hero treatment.
Rust (src-tauri)
All 5 cargo majors landed and were reverted on 2026-05-01 because of compile errors. PR CI only runs cargo audit (vulnerability check), not cargo build — so green CI didn't catch the API changes.
- RngCore moved out of rand:: root; OsRng.fill_bytes() API changed. 4 call sites in backup.rs.
- new_from_slice removed/relocated. Affects chat.rs:556 (the trial proxy signing path — load-bearing, recently verified live in production).
- notify::RecursiveMode and the debouncer's bundled notify::RecursiveMode. Affects documents/watcher.rs (just refactored in [MEDIUM] Document watcher: folder-deletion handling, debouncing, thread cleanup #38).
Why this is one issue, not five
These should be migrated together in a single dedicated session because:
- The Rust cargo bumps share Cargo.lock and conflict on rebase
- The hmac/sha2/rand chain is interconnected (hmac depends on sha2 macros, RNG used in HMAC tests)
- A single migration session can run cargo test after each step instead of relying on PR CI
Approach when picking this up
- Add a CI job that runs cargo build + cargo test + npm run type-check on PRs (not just cargo audit). This is the prerequisite — without it, the same trap will re-fire next time. Open this as a separate PR first.
- After CI is real: reopen the cargo bump PRs (or let Dependabot re-offer), let them re-rebase, and merge as the new CI passes. Each major should land in its own commit.
- Frontend (React 19 + Tailwind v4) belongs in its own session after cargo is sorted.
Automation Hints
scope: src-tauri/Cargo.toml + Cargo.lock + .github/workflows/, package.json + tailwind.config.js
do-not-touch: trial signing path until CI changes land
approach: refactor-types
risk: high
max-files-changed: 30
blocked-by: needs CI changes first
bail-if: cargo test fails after any single major bump
Priority
Low — all current deps are functional. Migrate when there's appetite for an intentional 2-3 hour session, not as a hot fix.
Related closed PRs (for reference)
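The CI job described under "Approach when picking this up", written as a GitHub Actions workflow. This is an added example, not the project's own workflow; the workflow and job names, the macOS runner, the Node version and the `npm run build` script are assumptions, while `npm run type-check`, `cargo build`, `cargo test` and the `src-tauri` directory come from the issue.

```yaml
# Added example, not the project's workflow. Names, runner choice, Node version
# and the `npm run build` script are assumptions; adjust to the repository.
name: build-and-test
on:
  pull_request:

permissions:
  contents: read   # compiling and testing a PR needs read access only

jobs:
  build-and-test:
    # macOS runner assumed: Tauri needs no extra system packages there.
    runs-on: macos-latest
    steps:
      - uses: actions/checkout@v4

      - uses: actions/setup-node@v4
        with:
          node-version: 20   # assumed version
          cache: npm

      - uses: dtolnay/rust-toolchain@stable

      - name: Install frontend dependencies from the lockfile
        run: npm ci

      - name: Type-check the frontend
        run: npm run type-check

      - name: Build frontend assets (assumed script; the Tauri build expects them)
        run: npm run build

      # --locked makes cargo fail if Cargo.lock does not match Cargo.toml,
      # so the job compiles exactly the dependency set the PR commits.
      - name: Compile the Rust crate
        working-directory: src-tauri
        run: cargo build --locked

      - name: Run the Rust tests
        working-directory: src-tauri
        run: cargo test --locked
```

The job only prevents a repeat of the reverted merges if it is marked as a required status check on the default branch; otherwise a PR can still merge on a green cargo audit alone.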