chore(deps)(deps): bump axum-test from 19.1.1 to 21.0.0#937
Conversation
Bumps [axum-test](https://github.com/JosephLenton/axum-test) from 19.1.1 to 21.0.0. - [Release notes](https://github.com/JosephLenton/axum-test/releases) - [Commits](https://github.com/JosephLenton/axum-test/commits) --- updated-dependencies: - dependency-name: axum-test dependency-version: 21.0.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
AlexMikhalev
left a comment
There was a problem hiding this comment.
Summary
This PR is a Dependabot major-version bump of axum-test from 19.1.1 to 21.0.0 across terraphim_validation and terraphim_server test dependencies.
- Dependency bump: updates axum-test and adds its new transitive dependencies educe and enum-ordinalize.
- Test surface: the main direct call sites use TestServer::new, request builders, json bodies, and TestResponse helpers, so the source-level impact appears limited.
- Lockfile impact: Cargo.lock contains unrelated Terraphim registry/source changes that are outside the stated dependency update.
The bump may be technically valid, but the lockfile drift should be corrected before merge. It changes private/public registry resolution for Terraphim packages and removes/replaces unrelated package entries, which makes this PR unsafe to treat as a simple axum-test update.
Confidence Score: 3/5
- Safe to merge with caution after regenerating Cargo.lock so only axum-test and its true transitive dependency changes remain.
- I found 1 P1 lockfile-integrity issue and no P0 issues. The dependency call sites look straightforward, but the lockfile currently includes unrelated registry drift.
- Files requiring attention: Cargo.lock.
Important Files Changed
| Filename | Overview |
|---|---|
| Cargo.lock | Updates axum-test and adds new transitive crates, but also changes unrelated Terraphim package source/resolution entries. Needs attention. |
| crates/terraphim_validation/Cargo.toml | Bumps axum-test from 19.1.1 to 21.0.0. Source usage appears limited to the server API test harness. |
| terraphim_server/Cargo.toml | Bumps the dev dependency from axum-test 19 to 21. No direct source changes included. |
Diagram
%%{init: {"theme": "neutral"}}%%
flowchart TD
A[Dependabot PR #937] --> B[Cargo.toml axum-test version bump]
B --> C[Cargo.lock refresh]
C --> D{Lockfile changes limited to axum-test graph?}
D -->|yes| E[Run server and validation tests]
D -->|no| F[Block: unrelated registry/source drift]
E --> G[Merge dependency update]
F:::risk
classDef risk fill:#f8d7da,stroke:#dc3545;
Inline Findings
P1 Cargo.lock, line 8478: Lockfile includes unrelated Terraphim registry/source drift
The PR is scoped as an axum-test 19.1.1 to 21.0.0 bump, but Cargo.lock also changes unrelated Terraphim package resolution. Examples include adding a second terraphim-session-analyzer 1.20.3 entry from the private sparse registry, removing the crates.io terraphim_mcp_search 0.2.0 entry, changing terraphim_merge_coordinator from thiserror 2.0.18 to 1.0.69, and changing terraphim_server dependencies to private-registry terraphim_mcp_search 0.1.0 plus terraphim-firecracker.
That drift is not caused by axum-test itself and changes the dependency graph for unrelated packages. The consequence is that a test-helper bump can unexpectedly change which Terraphim crates are resolved from private versus public registries, making build and runtime behaviour difficult to audit.
Suggested fix: regenerate or edit the lockfile from current main so the diff only contains axum-test 21.0.0 plus its actual new transitive dependencies, such as educe and enum-ordinalize. If the Terraphim registry drift is intentional, split it into a separate PR with an explicit rationale and test plan.
Comments Outside Diff (0)
Last reviewed commit: 7621a27 | Reviews (1)
|
Cleaned the Cargo.lock drift identified in review. The net PR diff now contains only the axum-test 21.0.0 update, its true transitive additions educe and enum-ordinalize, and the two axum-test manifest version bumps. |
Bumps axum-test from 19.1.1 to 21.0.0.
Commits
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)