chore(deps): update Rust and Bun dependencies#620
chore(deps): update Rust and Bun dependencies#620staging-devin-ai-integration[bot] wants to merge 22 commits into
Conversation
Refresh Cargo.lock and the ui/docs/e2e bun lockfiles with all in-range (patch/minor) updates via cargo update and bun update. The @xyflow/react minor bump tightened the onNodeDragStop event type from React.MouseEvent to the DOM MouseEvent | TouchEvent; adjust FlowCanvas and MonitorView handler signatures to match. The moq stack (moq-lite, moq-native, hang) is held at its locked versions: their 0.16.0->0.16.1/0.16.3 and 0.14.0->0.14.4 'patch' releases split out a separate moq-net crate, producing a Track type mismatch. The major moq upgrade is handled in a dedicated commit. Signed-off-by: streamkit-devin <devin@streamkit.dev>
Breaking 0.0.x release; the from_str / to_string / Error surface used in crates/api, engine, nodes, and apps/skit is unchanged. Signed-off-by: streamkit-devin <devin@streamkit.dev>
Dev/bench-only dependency (crates/engine benches). The criterion_group!/ criterion_main!/Criterion/Throughput API used by the benches is unchanged. Signed-off-by: streamkit-devin <devin@streamkit.dev>
…try 0.33 Bumps opentelemetry, opentelemetry_sdk, opentelemetry-otlp, opentelemetry-http (0.31 -> 0.32) and tracing-opentelemetry (0.32 -> 0.33) together since they must share a compatible API version. The exporter/provider builder surface used in apps/skit telemetry is unchanged. Signed-off-by: streamkit-devin <devin@streamkit.dev>
The CorsLayer / TraceLayer / SetResponseHeaderLayer surface used by apps/skit's HTTP server is unchanged. A transitive 0.6.x copy remains (pulled by reqwest via moq-native/opendal); they coexist without conflict. Signed-off-by: streamkit-devin <devin@streamkit.dev>
… jemalloc_pprof 0.9) tikv-jemallocator 0.6 -> 0.7 and jemalloc_pprof 0.8 -> 0.9 are bumped together because jemalloc_pprof 0.9 requires tikv-jemalloc-ctl 0.7 (shared tikv-jemalloc-sys). The Jemalloc global allocator and PROF_CTL/dump_pprof API used under the 'profiling' feature is unchanged. Signed-off-by: streamkit-devin <devin@streamkit.dev>
Object-store (S3) node only. The Operator::from_iter / services::S3 / Writer API used by object_store_write is unchanged. Signed-off-by: streamkit-devin <devin@streamkit.dev>
Script node (QuickJS) only. The Ctx/Value/Object/Array/Function/Func/Opt API used by core/script.rs is unchanged. Signed-off-by: streamkit-devin <devin@streamkit.dev>
Audio resampler node only. The Async::new_poly / Resampler::process / take_data API is unchanged. audioadapter-buffers is intentionally kept at 3.0 because rubato 3.0 still depends on audioadapter-buffers 3.x; see skip note. Signed-off-by: streamkit-devin <devin@streamkit.dev>
symphonia 0.6 is a major API rewrite. Migrated the mp3/flac decoders, the wav and ogg container demuxers, and their tests: - probe: get_probe().format(..) -> get_probe().probe(..); default_track(TrackType::Audio) - codec params: match on CodecParameters::Audio variant - decoder: get_codecs().make() -> make_audio_decoder(); DecoderOptions -> AudioDecoderOptions - audio buffer: SampleBuffer removed; use GenericAudioBufferRef::copy_to_vec_interleaved - next_packet() now returns Result<Option<Packet>>; Ok(None) signals EOF - Packet::track_id()/ts()/dur() methods are now pts/dur fields (Timestamp/Duration) Signed-off-by: streamkit-devin <devin@streamkit.dev>
No source changes required; the component-model + async APIs used in plugin-wasm are unchanged across 44->46. All plugin-wasm tests pass. Signed-off-by: streamkit-devin <devin@streamkit.dev>
…g 0.19.2) moq-lite 0.17 re-exports moq-net; hang 0.19 marks catalog AudioConfig/VideoConfig #[non_exhaustive], so construct them via ::new() + field assignment. moq-native moved TLS server config to the tls module (ServerTlsConfig -> tls::Server). GroupProducer::abort now drops cached frames, so a consumer surfaces the abort error instead of the buffered frame; updated the propagation test accordingly. Signed-off-by: streamkit-devin <devin@streamkit.dev>
Signed-off-by: streamkit-devin <devin@streamkit.dev>
Signed-off-by: streamkit-devin <devin@streamkit.dev>
Babel 8 removed preset-typescript's isTSX/allExtensions options. Add an explicit @babel/plugin-syntax-jsx (8.x) and enable it only for .tsx files in the vitest React-Compiler transform, preserving .ts type-assertion parsing. Signed-off-by: streamkit-devin <devin@streamkit.dev>
js-yaml 5 ships its own type definitions, so drop the now-redundant @types/js-yaml dev dependency. The load/dump named exports used by the UI are unchanged. Signed-off-by: streamkit-devin <devin@streamkit.dev>
Starlight 0.39 removed support for a 'label' on an autogenerated sidebar group; wrap the reference autogenerate config in an explicit group with an items array. Signed-off-by: streamkit-devin <devin@streamkit.dev>
Signed-off-by: streamkit-devin <devin@streamkit.dev>
Align e2e's @types/node major with ui. Signed-off-by: streamkit-devin <devin@streamkit.dev>
- symphonia 0.6: rewrite codec-params matches as let...else (flac/mp3/wav) - moq/hang: drop needless ..Default::default() on fully-specified Catalog structs - moq-native 0.17: Box::pin the now-larger connect()/discover_tracks() futures to satisfy clippy::large_futures Signed-off-by: streamkit-devin <devin@streamkit.dev>
🤖 Devin AI EngineerI'll be helping with this pull request! Here's what you should know: ✅ I will automatically:
Note: I can only respond to comments from users who have write access to this repository. ⚙️ Control Options:
|
Codecov Report❌ Patch coverage is Additional details and impacted files@@ Coverage Diff @@
## main #620 +/- ##
==========================================
- Coverage 85.00% 84.95% -0.05%
==========================================
Files 248 248
Lines 74752 74569 -183
Branches 2381 2437 +56
==========================================
- Hits 63541 63352 -189
- Misses 11206 11211 +5
- Partials 5 6 +1
Flags with carried forward coverage won't be shown. Click here to find out more.
🚀 New features to boost your workflow:
|
![staging-devin-ai-integration[bot]](https://avatars.githubusercontent.com/in/870844?s=60&v=4){kind=small}
| let pts = packet.pts.get(); | ||
| let metadata = if pts > 0 { | ||
| // Opus uses 48kHz timebase | ||
| let timestamp_us = (packet.ts() * 1_000_000) / 48000; | ||
| let duration_us = (packet.dur() * 1_000_000) / 48000; | ||
| let timestamp_us = (pts.unsigned_abs() * 1_000_000) / 48000; | ||
| let duration_us = (packet.dur.get() * 1_000_000) / 48000; |
There was a problem hiding this comment.
🚩 OGG demuxer uses unsigned_abs() for pts but not for dur — verify type consistency
The OGG demuxer's timestamp extraction changed from packet.ts() (which returned u64 in symphonia 0.5) to packet.pts.get() (symphonia 0.6). The code calls pts.unsigned_abs() at crates/nodes/src/containers/ogg.rs:665, implying pts is a signed integer type. However, packet.dur.get() at line 666 is used directly in arithmetic without unsigned_abs(). If dur.get() also returns a signed type, the expression (packet.dur.get() * 1_000_000) / 48000 produces a signed result that must fit into Option<u64>. The compiler would catch a type mismatch, but the reviewer should verify that dur.get() returns u64 (not i64) in symphonia 0.6, or that there's an implicit conversion. If dur can be negative (which would be semantically odd for a duration), the arithmetic could silently produce a wrong value via wrapping.
Was this helpful? React with 👍 or 👎 to provide feedback.
Debug
There was a problem hiding this comment.
Verified against symphonia 0.6 source: Packet.pts is Timestamp(i64) and Packet.dur is Duration(u64). So dur.get() already returns u64 (no unsigned_abs() needed and no wrapping risk), while pts.get() returns i64, hence the unsigned_abs() — guarded by the pts > 0 check above it. Types are consistent; no change needed.
|
|
||
| // Connect to the MoQ server and fetch the catalog | ||
| let tracks = match self.discover_tracks().await { | ||
| let tracks = match Box::pin(self.discover_tracks()).await { |
There was a problem hiding this comment.
📝 Info: Box::pin wrapping added for MoQ connect futures — indicates increased future size
Several MoQ connection calls gained Box::pin() wrapping: Box::pin(self.discover_tracks()) at crates/nodes/src/transport/moq/pull.rs:504, Box::pin(client.clone().with_consume(origin).connect(url)) at line 762 and 938, and similarly in push.rs:192. This is typically needed when async futures exceed the stack frame size limit. The Box::pin is correct but worth noting: the moq-native 0.17 upgrade apparently increased the size of connection futures significantly. This is a runtime allocation on every connect/reconnect, which is fine for connection setup but worth being aware of for latency-sensitive paths.
Was this helpful? React with 👍 or 👎 to provide feedback.
Debug
| // hasn't drained surfaces the abort error instead of the buffered frame. | ||
| let err = MoqPullNode::read_next_raw_moq(&mut consumer, &mut group, &mut is_first).await; | ||
| assert!(err.is_err(), "an aborted group should surface as an error"); | ||
| assert!(group.is_none(), "the errored group is cleared"); |
There was a problem hiding this comment.
📝 Info: Aborted-group test behavior changed — moq-lite 0.17 drops buffered frames on abort
The test test_read_next_raw_moq_propagates_group_error at crates/nodes/src/transport/moq/pull.rs:2476-2479 was updated: the old test expected to successfully read frame b"a" before encountering the abort error, but the new test expects the abort error immediately without reading any frames. The added comment explains: 'Aborting a group drops its cached frames (moq-net), so a consumer that hasn't drained surfaces the abort error instead of the buffered frame.' This is a behavioral change in moq-lite 0.17 — previously buffered frames survived an abort; now they don't. The pull node's read_next_raw_moq handles this correctly (it clears the group on error and lets the caller decide), but downstream code that relied on reading partial group data before an abort would now see fewer frames. This seems intentional and the test correctly documents the new behavior.
Was this helpful? React with 👍 or 👎 to provide feedback.
Debug
| rotation: None, | ||
| flip: None, | ||
| }, | ||
| ..Default::default() | ||
| }; |
There was a problem hiding this comment.
📝 Info: Catalog struct construction drops ..Default::default() — relies on hang 0.19 having no extra fields
In crates/nodes/src/transport/moq/push.rs:297-305 and crates/nodes/src/transport/moq/peer/mod.rs:2283-2281, the hang::catalog::Catalog construction removed ..Default::default(). This means the struct literal now exhaustively lists all fields (audio and video). If a future hang version adds new fields to Catalog, this code would fail to compile — which is actually desirable (forces explicit handling of new fields). However, the test at pull.rs:1926 still uses ..Default::default() for Catalog, suggesting the struct does still support it. The production code's removal is a deliberate choice to be explicit rather than silently defaulting new fields.
(Refers to lines 297-305)
Was this helpful? React with 👍 or 👎 to provide feedback.
Debug
| configFile: false, | ||
| presets: [ | ||
| [babelPresetTypescript, { isTSX: file.endsWith('.tsx'), allExtensions: true }], | ||
| compilerPreset, | ||
| ], | ||
| presets: [babelPresetTypescript, compilerPreset], | ||
| // Babel 8's preset-typescript dropped the isTSX option; enable JSX parsing | ||
| // only for .tsx so .ts type-assertion syntax (`<T>x`) still parses. | ||
| plugins: file.endsWith('.tsx') ? [babelSyntaxJsx] : [], |
There was a problem hiding this comment.
📝 Info: Babel 8 migration removes isTSX preset option — JSX parsing now via explicit plugin
The vitest config at ui/vitest.config.ts:43-47 changed from passing { isTSX: true, allExtensions: true } to @babel/preset-typescript to instead adding @babel/plugin-syntax-jsx conditionally for .tsx files. This matches the Babel 8 breaking change where preset-typescript dropped the isTSX option. The new approach is correct: .tsx files get JSX syntax support via the plugin, while .ts files don't (preserving type assertion syntax <T>x). The allExtensions: true option was also dropped — in Babel 8, preset-typescript handles all extensions by default. The @babel/plugin-syntax-jsx dependency was correctly added to ui/package.json devDependencies.
Was this helpful? React with 👍 or 👎 to provide feedback.
Debug
reqsign-core 3.0.1 added a non-optional rsa 0.9.10 dependency, affected by RUSTSEC-2023-0071 (Marvin Attack timing sidechannel, no fix available), which opendal 0.57 pulled transitively. Pin the reqsign family (core/aws-v4/ file-read-tokio) to 3.0.0 (matching main) so opendal 0.57 no longer pulls rsa; AWS SigV4 signing uses HMAC, not RSA, so functionality is unaffected. Also drop the now-stale RUSTSEC-2025-0134 (rustls-pemfile) advisory ignore, which the moq 0.17 upgrade in this PR already resolved. Signed-off-by: streamkit-devin <devin@streamkit.dev>
| Ok(Some(packet)) => packet, | ||
| Ok(None) => { | ||
| tracing::debug!("Reached end of FLAC stream after {} frames", frame_count); | ||
| break; | ||
| }, |
There was a problem hiding this comment.
📝 Info: Symphonia EOF detection changed from error-matching to Option-based
The symphonia 0.5→0.6 migration changes end-of-stream detection from matching Err(Error::IoError(e)) if e.kind() == UnexpectedEof to Ok(None). This is applied consistently across all four decoder/demuxer files (flac.rs, mp3.rs, wav.rs, ogg.rs). The new pattern is cleaner and less fragile — the old pattern could miss EOF if symphonia changed its internal error wrapping. The migration is complete and consistent across all sites.
Was this helpful? React with 👍 or 👎 to provide feedback.
Debug
| let mut interleaved: Vec<f32> = Vec::new(); | ||
| audio_buf.copy_to_vec_interleaved(&mut interleaved); | ||
| rechunk_buffer.extend(interleaved.iter().copied()); |
There was a problem hiding this comment.
📝 Info: Per-iteration Vec allocation replaces reused SampleBuffer
The old symphonia 0.5 code lazily initialized a SampleBuffer<f32> once and reused it across all decoded packets via copy_interleaved_ref. The new code creates a fresh Vec<f32> on every iteration (let mut interleaved: Vec<f32> = Vec::new()) and calls audio_buf.copy_to_vec_interleaved(&mut interleaved). This is the idiomatic symphonia 0.6 API. The per-iteration allocation is unlikely to be a performance concern since the decoded samples are immediately moved into the rechunk_buffer anyway, and the allocator will typically reuse the same memory. This pattern is applied consistently across flac.rs, mp3.rs, and wav.rs.
Was this helpful? React with 👍 or 👎 to provide feedback.
Debug
The semver-compatible update pass pulled shiguredo_nvcodec 2026.1.0 -> 2026.2.0 (the date-based version satisfies the "2026.1" caret range). 2026.2.0 reworked the Encoder/Decoder API (generic handler params, Option-based frame retrieval), breaking the nvcodec-feature GPU code which only compiles on GPU CI runners. Pin to =2026.1.0 (matching main) and document; migration to 2026.2.0 deferred. Signed-off-by: streamkit-devin <devin@streamkit.dev>
| "js-yaml": "^4.1.1", | ||
| "jotai": "^2.20.1", | ||
| "jotai-family": "^1.0.2", | ||
| "js-yaml": "^5.1.0", |
There was a problem hiding this comment.
🚩 js-yaml major version bump (4.x → 5.x) may have breaking API changes
The UI's js-yaml dependency was bumped from ^4.1.1 to ^5.1.0. js-yaml 5.x is a major version that may have breaking changes in its API (schema handling, type coercion behavior, etc.). The UI imports js-yaml for YAML parsing in the pipeline editor. If the 5.x API changed how certain YAML values are parsed (e.g., handling of null, boolean strings like yes/no, or numeric formats), it could subtly affect pipeline YAML round-tripping in the editor without causing obvious errors.
Was this helpful? React with 👍 or 👎 to provide feedback.
Debug
There was a problem hiding this comment.
Checked this — low risk, and arguably an alignment improvement.
The behavioral change in js-yaml 5 is the default schema: v4 defaulted to the YAML 1.1 schema, v5 defaults to CORE_SCHEMA (YAML 1.2). The backend parses pipeline YAML with serde_saphyr (saphyr is a YAML 1.2 implementation — see crates/api/src/yaml/mod.rs), so moving the UI to 1.2 makes the editor's client-side parse more consistent with the server, which is the source of truth for execution.
The 1.1→1.2 differences that could bite (bare yes/no/on/off parsed as booleans, 0NNN octal, sexagesimals) only matter for literals StreamKit pipelines don't use — params use true/false. All 1358 UI tests pass, including the YAML round-trip/parse tests in pipelineGraph.test.ts and yamlAutocompletion.test.ts (the latter explicitly cross-checks parser behavior). Leaving the bump as-is.
| # Pinned to 2026.1: 2026.2.0 reworked the Encoder/Decoder API (generic handler | ||
| # params, Option-based frame retrieval) and needs a non-trivial GPU-code migration. | ||
| shiguredo_nvcodec = { version = "=2026.1.0", optional = true } |
There was a problem hiding this comment.
📝 Info: shiguredo_nvcodec pinned to exact version with migration comment
The shiguredo_nvcodec dependency was changed from version = "2026.1" (semver-compatible range) to version = "=2026.1.0" (exact pin) with a comment explaining that 2026.2.0 reworked the API and needs a non-trivial migration. This is a deliberate decision to avoid accidentally pulling in the breaking 2026.2.0 release via cargo update. The pin should be tracked as tech debt to be resolved when the GPU codec migration is done.
Was this helpful? React with 👍 or 👎 to provide feedback.
Debug
There was a problem hiding this comment.
Agreed — tracked as tech debt in #621 (covers the shiguredo_nvcodec 2026.2 GPU-code migration plus the related audioadapter-buffers 4 deferral). The exact pin keeps cargo update from silently re-pulling 2026.2.0 and breaking the GPU build until that migration is done on NVENC/NVDEC hardware.
2 participants
Summary
ui/,docs/,e2e/). All semver-compatible bumps land in one commit; each breaking/major bump is isolated into its own commit so any regression is attributable.@moq/*, lucide-react, uuid,@commitlint, knip, typescript) turned out to be in-range and were handled by the safebun updatepass.reqsign-core3.0.1, which added a non-optionalrsa0.9.10 (RUSTSEC-2023-0071, Marvin Attack). A follow-up commit pins thereqsignfamily back to 3.0.0 sorsaleaves the tree — AWS SigV4 uses HMAC, not RSA, so signing is unaffected.Backend majors (one commit each)
reqsign-core/reqsign-aws-v4/reqsign-file-read-tokioto 3.0.0 to keep vulnerablersa0.9.10 out of the tree (see Summary)TrackType/CodecParametersAPI in flac/mp3/wav/ogg readershangAudioConfig/VideoConfignow#[non_exhaustive];moq-nativeTLS moved totls::Server;moq-netGroupProducer::abortnow drops cached frames (test updated)Skipped (tracked in #621):
audioadapter-buffers3 → 4 —rubato3.0 pinsaudioadapter-buffers ^3; bumping to 4 would split the dep across incompatible versions. Deferred until rubato moves to 4.shiguredo_nvcodec2026.1 → 2026.2 — the date-based version satisfies the"2026.1"caret range so the safe pass initially pulled it, but 2026.2.0 reworked theEncoder/DecoderAPI (generic handler params,Option-based frame retrieval) and breaks thenvcodec-feature GPU code (only compiled on GPU CI runners). Pinned to=2026.1.0with a comment; migration deferred since it needs NVENC/NVDEC hardware to compile/validate.Frontend majors (one commit each)
isTSX/allExtensions; added explicit@babel/plugin-syntax-jsxenabled only for.tsxin the vitest react-compiler transformCORE_SCHEMA(YAML 1.2), aligning the editor's client-side parse with the backend'sserde_saphyr(YAML 1.2); ships its own types so@types/js-yamlwas droppedlabelon an autogenerated sidebar group — wrapped in an explicit group withitemsExcluded per the plan:
plugins/,tests/,examples/(outside the workspace) and native-lib versions tied to sherpa-onnx.Review & Validation
All verification commands pass on this branch:
just lint-skit(fmt + clippy-D warnings+cargo deny check licenses)cargo deny check advisories(norsa/RUSTSEC-2023-0071 after the reqsign pin)just test-skitjust lint-ui/just test-ui(1358 tests) /just build-uidocs/:bun run builde2e/:bun run typecheckNotes
nvcodecfeature isn't compiled by the local verification commands or non-GPU CI; the first push surfaced a GPU build break from the accidentalshiguredo_nvcodec2026.2.0 bump, now held at 2026.1 (see Skipped / Deferred dependency majors: shiguredo_nvcodec 2026.2 and audioadapter-buffers 4 #621).cargo deny check licensesstays green; no new license exceptions were needed. The now-staleRUSTSEC-2025-0134(rustls-pemfile) advisory ignore was dropped since the moq 0.17 upgrade removed that transitive dep.markdown.remarkPluginsdeprecation warning from astro 7; left as-is to keep the bump minimal (no functional impact).Link to Devin session: https://staging.itsdev.in/sessions/ce9c2319c3ea421283b5bfebe765b95a
Requested by: @streamer45
Devin Review
0689339