Skip to content

chore(deps)(deps): bump napi from 3.9.4 to 3.10.3#935

Merged
AlexMikhalev merged 2 commits into
mainfrom
dependabot/cargo/napi-3.10.3
Jul 6, 2026
Merged

chore(deps)(deps): bump napi from 3.9.4 to 3.10.3#935
AlexMikhalev merged 2 commits into
mainfrom
dependabot/cargo/napi-3.10.3

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 6, 2026

Copy link
Copy Markdown
Contributor

Bumps napi from 3.9.4 to 3.10.3.

Release notes

Sourced from napi's releases.

napi-v3.10.3

Fixed

  • (napi) preserve the JS error object when cloning an Error off-thread (#3375)

napi-v3.10.2

Fixed

  • (napi) keep message and cause when cloning a JS-exception Error off-thread (#3373)

napi-v3.10.1

Fixed

  • (napi) release Error's exception reference via the custom GC when dropped off-thread. (#3370)
  • (napi) stop ref exception object in ThreadsafeFunction sync-throw path on wasm targets (#3369)

Other

  • (napi) share class accessor trampolines (#3364)
  • optimize object field raw property access (#3365)

napi-v3.10.0

Added

  • (napi) implement To/FromNapiValue for OsString, OsStr, Path and PathBuf (#3339)

Fixed

  • (napi) route custom-GC Buffer/TypedArray cross-thread drops through the owning isolate (#3357) (#3360)
Commits
  • 1ac467e chore(napi): release v3.10.3 (#3376)
  • 9d672f9 fix(napi): preserve the JS error object when cloning an Error off-thread (#3375)
  • 35476ae chore(napi): release v3.10.2 (#3374)
  • 7844c73 ci: dogfood script-jail @​v0.2.10 (lifecycle audit gate + safe install) (#3343)
  • d449ccd fix(napi): keep message and cause when cloning a JS-exception Error off-threa...
  • 2ec02a6 chore(deps): update dependency electron to v43 (#3361)
  • fd0a99f chore(deps): update dependency @​types/sinon to v22 (#3366)
  • 745cd85 fix: de-flake Windows CI (ava import-from-project EPERM race + cli e2e timeou...
  • 2785de5 chore: release (#3367)
  • 441ae7a fix(napi): release Error's exception reference via the custom GC when dropped...
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [napi](https://github.com/napi-rs/napi-rs) from 3.9.4 to 3.10.3.
- [Release notes](https://github.com/napi-rs/napi-rs/releases)
- [Commits](napi-rs/napi-rs@napi-v3.9.4...napi-v3.10.3)

---
updated-dependencies:
- dependency-name: napi
  dependency-version: 3.10.3
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>

@AlexMikhalev AlexMikhalev left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Summary

This PR is a Dependabot minor update for napi from 3.9.4 to 3.10.3.

  • Dependency bump: updates napi in Cargo.lock.
  • Scope: no source files or manifests are changed, so this should be a narrow lockfile-only update.
  • Problem: the lockfile also changes unrelated Terraphim package resolution and private/public registry sources.

The napi release notes include relevant fixes for off-thread JS error handling, so the intended update is reasonable. However, the current Cargo.lock diff is polluted by unrelated Terraphim registry drift and should not be merged as-is.

Confidence Score: 3/5

  • Safe to merge with caution after regenerating Cargo.lock so only napi-related changes remain.
  • I found 1 P1 lockfile-integrity issue and no P0 issues. The intended dependency update is narrow, but the lockfile currently changes unrelated dependency resolution.
  • Files requiring attention: Cargo.lock.

Important Files Changed

Filename Overview
Cargo.lock Updates napi, but also changes unrelated Terraphim private/public registry package resolution. Needs attention.

Diagram

%%{init: {"theme": "neutral"}}%%
flowchart TD
    A[Dependabot PR #935] --> B[napi minor bump]
    B --> C[Cargo.lock update]
    C --> D{Only napi dependency graph changed?}
    D -->|yes| E[Accept after normal CI]
    D -->|no| F[Block: unrelated Terraphim registry drift]
    F:::risk
    classDef risk fill:#f8d7da,stroke:#dc3545;
Loading

Inline Findings

P1 Cargo.lock, line 8445: Lockfile includes unrelated Terraphim registry/source drift

This PR should only update napi from 3.9.4 to 3.10.3, but Cargo.lock also adds a private-registry terraphim-session-analyzer entry, removes terraphim_mcp_search 0.2.0 from crates.io, changes terraphim_merge_coordinator dependency resolution, and switches terraphim_server to private-registry terraphim_mcp_search 0.1.0 plus terraphim-firecracker.

Those changes are unrelated to napi. The consequence is that a minor Node binding dependency update also changes which Terraphim crates are resolved from private versus public registries, which is a dependency-integrity risk and makes the PR hard to audit.

Suggested fix: regenerate the lockfile from current main in a way that preserves unrelated Terraphim package resolution, leaving only the napi 3.10.3 change and any true transitive changes. If the Terraphim registry resolution change is intended, split it into a separate PR with rationale and validation.

Comments Outside Diff (0)

Last reviewed commit: 97be915 | Reviews (1)

@AlexMikhalev

Copy link
Copy Markdown
Contributor

Cleaned the Cargo.lock drift identified in review. The net PR diff now contains only napi 3.10.3.

@AlexMikhalev AlexMikhalev merged commit 4f24231 into main Jul 6, 2026
1 check passed
@AlexMikhalev AlexMikhalev deleted the dependabot/cargo/napi-3.10.3 branch July 6, 2026 13:51
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant