chore(deps)(deps): bump napi-derive from 3.5.7 to 3.5.9#936
Conversation
Bumps [napi-derive](https://github.com/napi-rs/napi-rs) from 3.5.7 to 3.5.9. - [Release notes](https://github.com/napi-rs/napi-rs/releases) - [Commits](napi-rs/napi-rs@napi-derive-v3.5.7...napi-derive-v3.5.9) --- updated-dependencies: - dependency-name: napi-derive dependency-version: 3.5.9 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
AlexMikhalev
left a comment
There was a problem hiding this comment.
Summary
This PR is a Dependabot patch update for napi-derive from 3.5.7 to 3.5.9.
- Dependency bump: updates napi-derive and napi-derive-backend in Cargo.lock.
- Scope: no source files or Cargo.toml manifests are changed, so this should be a narrow lockfile-only patch update.
- Problem: the lockfile also changes unrelated Terraphim package resolution and private/public registry sources.
The napi-derive update itself appears low risk, but the Cargo.lock diff is not clean enough to merge as a Dependabot patch update. The unrelated Terraphim registry drift should be removed or split into its own explicitly reviewed PR.
Confidence Score: 3/5
- Safe to merge with caution after regenerating Cargo.lock so only napi-derive and napi-derive-backend changes remain.
- I found 1 P1 lockfile-integrity issue and no P0 issues. The intended dependency update is narrow, but the current lockfile diff changes unrelated dependency resolution.
- Files requiring attention: Cargo.lock.
Important Files Changed
| Filename | Overview |
|---|---|
| Cargo.lock | Updates napi-derive and napi-derive-backend, but also changes unrelated Terraphim private/public registry package resolution. Needs attention. |
Diagram
%%{init: {"theme": "neutral"}}%%
flowchart TD
A[Dependabot PR #936] --> B[napi-derive patch bump]
B --> C[Cargo.lock update]
C --> D{Only napi-derive graph changed?}
D -->|yes| E[Accept low-risk patch update]
D -->|no| F[Block: unrelated Terraphim registry drift]
F:::risk
classDef risk fill:#f8d7da,stroke:#dc3545;
Inline Findings
P1 Cargo.lock, line 8445: Lockfile includes unrelated Terraphim registry/source drift
This PR should only update napi-derive and napi-derive-backend, but Cargo.lock also adds a private-registry terraphim-session-analyzer entry, removes terraphim_mcp_search 0.2.0 from crates.io, changes terraphim_merge_coordinator dependency resolution, and switches terraphim_server to private-registry terraphim_mcp_search 0.1.0 plus terraphim-firecracker.
Those changes are unrelated to napi-derive. The consequence is that a patch-level macro dependency update also changes which Terraphim crates are resolved from private versus public registries, which is a dependency-integrity risk and makes the PR hard to audit.
Suggested fix: regenerate the lockfile from current main in a way that preserves unrelated Terraphim package resolution, leaving only napi-derive 3.5.9 and napi-derive-backend 5.1.1 changes. If the Terraphim registry resolution change is intended, split it into a separate PR with rationale and validation.
Comments Outside Diff (0)
Last reviewed commit: 4edfaf9 | Reviews (1)
|
Cleaned the Cargo.lock drift identified in review. The net PR diff now contains only napi-derive 3.5.9 and napi-derive-backend 5.1.1. |
Bumps napi-derive from 3.5.7 to 3.5.9.
Release notes
Sourced from napi-derive's releases.
Commits
2785de5chore: release (#3367)441ae7afix(napi): release Error's exception reference via the custom GC when dropped...cfa3b77fix(deps): update emnapi to v1.11.2 (#3371)65918a6fix(napi): stop ref exception object in ThreadsafeFunction sync-throw path on...324c550perf(napi): share class accessor trampolines (#3364)80caf60perf: optimize object field raw property access (#3365)f72afd5chore: release (#3354)4effa4dchore(deps): lock file maintenance (#3363)f2bf197chore(deps): lock file maintenance (#3362)962a2f0fix(napi): route custom-GC Buffer/TypedArray cross-thread drops through the o...Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)