chore(deps)(deps): bump napi from 3.9.4 to 3.10.3#935
Conversation
Bumps [napi](https://github.com/napi-rs/napi-rs) from 3.9.4 to 3.10.3. - [Release notes](https://github.com/napi-rs/napi-rs/releases) - [Commits](napi-rs/napi-rs@napi-v3.9.4...napi-v3.10.3) --- updated-dependencies: - dependency-name: napi dependency-version: 3.10.3 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
AlexMikhalev
left a comment
There was a problem hiding this comment.
Summary
This PR is a Dependabot minor update for napi from 3.9.4 to 3.10.3.
- Dependency bump: updates napi in Cargo.lock.
- Scope: no source files or manifests are changed, so this should be a narrow lockfile-only update.
- Problem: the lockfile also changes unrelated Terraphim package resolution and private/public registry sources.
The napi release notes include relevant fixes for off-thread JS error handling, so the intended update is reasonable. However, the current Cargo.lock diff is polluted by unrelated Terraphim registry drift and should not be merged as-is.
Confidence Score: 3/5
- Safe to merge with caution after regenerating Cargo.lock so only napi-related changes remain.
- I found 1 P1 lockfile-integrity issue and no P0 issues. The intended dependency update is narrow, but the lockfile currently changes unrelated dependency resolution.
- Files requiring attention: Cargo.lock.
Important Files Changed
| Filename | Overview |
|---|---|
| Cargo.lock | Updates napi, but also changes unrelated Terraphim private/public registry package resolution. Needs attention. |
Diagram
%%{init: {"theme": "neutral"}}%%
flowchart TD
A[Dependabot PR #935] --> B[napi minor bump]
B --> C[Cargo.lock update]
C --> D{Only napi dependency graph changed?}
D -->|yes| E[Accept after normal CI]
D -->|no| F[Block: unrelated Terraphim registry drift]
F:::risk
classDef risk fill:#f8d7da,stroke:#dc3545;
Inline Findings
P1 Cargo.lock, line 8445: Lockfile includes unrelated Terraphim registry/source drift
This PR should only update napi from 3.9.4 to 3.10.3, but Cargo.lock also adds a private-registry terraphim-session-analyzer entry, removes terraphim_mcp_search 0.2.0 from crates.io, changes terraphim_merge_coordinator dependency resolution, and switches terraphim_server to private-registry terraphim_mcp_search 0.1.0 plus terraphim-firecracker.
Those changes are unrelated to napi. The consequence is that a minor Node binding dependency update also changes which Terraphim crates are resolved from private versus public registries, which is a dependency-integrity risk and makes the PR hard to audit.
Suggested fix: regenerate the lockfile from current main in a way that preserves unrelated Terraphim package resolution, leaving only the napi 3.10.3 change and any true transitive changes. If the Terraphim registry resolution change is intended, split it into a separate PR with rationale and validation.
Comments Outside Diff (0)
Last reviewed commit: 97be915 | Reviews (1)
|
Cleaned the Cargo.lock drift identified in review. The net PR diff now contains only napi 3.10.3. |
Bumps napi from 3.9.4 to 3.10.3.
Release notes
Sourced from napi's releases.
Commits
1ac467echore(napi): release v3.10.3 (#3376)9d672f9fix(napi): preserve the JS error object when cloning an Error off-thread (#3375)35476aechore(napi): release v3.10.2 (#3374)7844c73ci: dogfood script-jail@v0.2.10 (lifecycle audit gate + safe install) (#3343)d449ccdfix(napi): keep message and cause when cloning a JS-exception Error off-threa...2ec02a6chore(deps): update dependency electron to v43 (#3361)fd0a99fchore(deps): update dependency@types/sinonto v22 (#3366)745cd85fix: de-flake Windows CI (ava import-from-project EPERM race + cli e2e timeou...2785de5chore: release (#3367)441ae7afix(napi): release Error's exception reference via the custom GC when dropped...Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)