Skip to content

chore(deps)(deps): bump napi-derive from 3.5.7 to 3.5.9#936

Merged
AlexMikhalev merged 2 commits into
mainfrom
dependabot/cargo/napi-derive-3.5.9
Jul 6, 2026
Merged

chore(deps)(deps): bump napi-derive from 3.5.7 to 3.5.9#936
AlexMikhalev merged 2 commits into
mainfrom
dependabot/cargo/napi-derive-3.5.9

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 6, 2026

Copy link
Copy Markdown
Contributor

Bumps napi-derive from 3.5.7 to 3.5.9.

Release notes

Sourced from napi-derive's releases.

napi-derive-v3.5.9

Other

  • updated the following local packages: napi-derive-backend

napi-derive-v3.5.8

Other

  • updated the following local packages: napi-derive-backend
Commits
  • 2785de5 chore: release (#3367)
  • 441ae7a fix(napi): release Error's exception reference via the custom GC when dropped...
  • cfa3b77 fix(deps): update emnapi to v1.11.2 (#3371)
  • 65918a6 fix(napi): stop ref exception object in ThreadsafeFunction sync-throw path on...
  • 324c550 perf(napi): share class accessor trampolines (#3364)
  • 80caf60 perf: optimize object field raw property access (#3365)
  • f72afd5 chore: release (#3354)
  • 4effa4d chore(deps): lock file maintenance (#3363)
  • f2bf197 chore(deps): lock file maintenance (#3362)
  • 962a2f0 fix(napi): route custom-GC Buffer/TypedArray cross-thread drops through the o...
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [napi-derive](https://github.com/napi-rs/napi-rs) from 3.5.7 to 3.5.9.
- [Release notes](https://github.com/napi-rs/napi-rs/releases)
- [Commits](napi-rs/napi-rs@napi-derive-v3.5.7...napi-derive-v3.5.9)

---
updated-dependencies:
- dependency-name: napi-derive
  dependency-version: 3.5.9
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>

@AlexMikhalev AlexMikhalev left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Summary

This PR is a Dependabot patch update for napi-derive from 3.5.7 to 3.5.9.

  • Dependency bump: updates napi-derive and napi-derive-backend in Cargo.lock.
  • Scope: no source files or Cargo.toml manifests are changed, so this should be a narrow lockfile-only patch update.
  • Problem: the lockfile also changes unrelated Terraphim package resolution and private/public registry sources.

The napi-derive update itself appears low risk, but the Cargo.lock diff is not clean enough to merge as a Dependabot patch update. The unrelated Terraphim registry drift should be removed or split into its own explicitly reviewed PR.

Confidence Score: 3/5

  • Safe to merge with caution after regenerating Cargo.lock so only napi-derive and napi-derive-backend changes remain.
  • I found 1 P1 lockfile-integrity issue and no P0 issues. The intended dependency update is narrow, but the current lockfile diff changes unrelated dependency resolution.
  • Files requiring attention: Cargo.lock.

Important Files Changed

Filename Overview
Cargo.lock Updates napi-derive and napi-derive-backend, but also changes unrelated Terraphim private/public registry package resolution. Needs attention.

Diagram

%%{init: {"theme": "neutral"}}%%
flowchart TD
    A[Dependabot PR #936] --> B[napi-derive patch bump]
    B --> C[Cargo.lock update]
    C --> D{Only napi-derive graph changed?}
    D -->|yes| E[Accept low-risk patch update]
    D -->|no| F[Block: unrelated Terraphim registry drift]
    F:::risk
    classDef risk fill:#f8d7da,stroke:#dc3545;
Loading

Inline Findings

P1 Cargo.lock, line 8445: Lockfile includes unrelated Terraphim registry/source drift

This PR should only update napi-derive and napi-derive-backend, but Cargo.lock also adds a private-registry terraphim-session-analyzer entry, removes terraphim_mcp_search 0.2.0 from crates.io, changes terraphim_merge_coordinator dependency resolution, and switches terraphim_server to private-registry terraphim_mcp_search 0.1.0 plus terraphim-firecracker.

Those changes are unrelated to napi-derive. The consequence is that a patch-level macro dependency update also changes which Terraphim crates are resolved from private versus public registries, which is a dependency-integrity risk and makes the PR hard to audit.

Suggested fix: regenerate the lockfile from current main in a way that preserves unrelated Terraphim package resolution, leaving only napi-derive 3.5.9 and napi-derive-backend 5.1.1 changes. If the Terraphim registry resolution change is intended, split it into a separate PR with rationale and validation.

Comments Outside Diff (0)

Last reviewed commit: 4edfaf9 | Reviews (1)

@AlexMikhalev

Copy link
Copy Markdown
Contributor

Cleaned the Cargo.lock drift identified in review. The net PR diff now contains only napi-derive 3.5.9 and napi-derive-backend 5.1.1.

@AlexMikhalev AlexMikhalev merged commit e9c6d50 into main Jul 6, 2026
1 check passed
@AlexMikhalev AlexMikhalev deleted the dependabot/cargo/napi-derive-3.5.9 branch July 6, 2026 13:49
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant