chore(deps): bump rustls-webpki from 0.103.7 to 0.103.10 in /src/500-application/502-rust-http-connector/services/broker #294
Closed
dependabot[bot] wants to merge 1 commit into main from
Bumps [rustls-webpki](https://github.com/rustls/webpki) from 0.103.7 to 0.103.10.
- [Release notes](https://github.com/rustls/webpki/releases)
- [Commits](rustls/webpki@v/0.103.7...v/0.103.10)

---
updated-dependencies:
- dependency-name: rustls-webpki
  dependency-version: 0.103.10
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
This was referenced Mar 23, 2026
katriendg added a commit that referenced this pull request Mar 25, 2026
…, and cspell v9 (#297)

This PR batches all open dependabot PRs (#271–#294) into a conflict-aware, risk-prioritized merge sequence. The changes span four ecosystems and three NPM scopes (root, *docs/_server*, *docs/assets/js*), upgrading multiple major versions while maintaining full lint and test compatibility.

> Merges all 16 open dependabot PRs into a single integration branch, covering dependency updates across NPM, Python, Rust, and GitHub Actions. Manual fix commits addressed breaking changes from eslint v10, vitest v4, and post-merge regressions from dependency resolution conflicts.

Dependabot PRs will be closed when this one merges in.

### ESLint v10 Migration

Upgraded **eslint** from v9 to v10.0.3 across all three NPM scopes. ESLint v10 decoupled `@eslint/js` from its bundle, requiring it as an explicit devDependency in the root *package.json*. The existing flat config (`eslint.config.js`) required no structural changes. ESLint v10 dropped ~10 transitive dependencies including `chalk`, `lodash.merge`, `globals`, and `@eslint/eslintrc`, resulting in a leaner dependency tree. Minimum Node.js raised to `^20.19.0 || ^22.13.0 || >=24`.

### Vitest v4 and Vite 8

Upgraded **vitest** to 4.1.0 and **@vitest/coverage-v8** to 4.1.0 in both *docs/_server* and *docs/assets/js*. Vite 8 replaced Rollup with **Rolldown** (Rust-based bundler) and promoted **LightningCSS** as a direct dependency. Adapted *docs/assets/js/vitest.config.js* for three vitest v4 breaking changes: reporter `'basic'` renamed to `'default'`, `poolOptions.threads` flattened to top-level `maxThreads`/`minThreads`, and `experimentalVmThreads` removed. Migrated *docs/_server/vitest.config.js* and *docs/_server/vitest.integration.config.js* from deprecated `poolOptions.forks` to top-level `maxWorkers`.

### cspell v9

Upgraded **cspell** from v8.19.4 to v9.7.0 in root scope. All sub-packages moved in lockstep. Adds TOML config support via `smol-toml` and introduces `@cspell/cspell-worker` for improved performance. Minimum Node raised to 20.

### Python Dependency Updates

Updated root *requirements.txt*: **python-hcl2** 4.3.0→7.3.1, **checkov** 3.2.0→3.2.510. Updated *src/500-application/506-ros2-connector/services/requirements.txt* with 7 package bumps including **opencv-python** 4.10→4.13, **psutil** 6→7.2, **pytest** 8→9, and **pytest-cov** 5→7.

### Rust Security Patches

Applied **rustls-webpki** 0.103.7→0.103.10 (TLS certificate verification fix) in *502-rust-http-connector* and **tar** 0.4.44→0.4.45 (security fix) in *507-ai-inference*.

### Post-merge Fixes

Resolved several regressions surfaced during post-merge validation:

- Removed erroneous `"overrides": { "js-yaml": "^4.1.0" }` from *docs/_server/package.json* that forced `js-yaml@4` on `gray-matter` (which requires `^3.13.1`), breaking YAML frontmatter parsing and disabling path-to-kata expansion entirely.
- Added **uuid** as a direct dependency in *docs/_server/package.json* — previously resolved as a transitive dependency but lost after lock file regeneration.
- Added a third regex pattern to `parseStepsFromMarkdown` in *docs/_server/services/learning-path-manifest.js* to match the bold-title format (`- [ ] [**Kata: ...**](../katas/...)`) used in learning path markdown files.
- Fixed flaky CPU performance test in *docs/_server/tests/performance/file-watch.test.js* by widening the comparison tolerance from 1.2x to 2x to account for container environment measurement variability.
- Corrected 9 boundary assertions in *docs/_server/tests/integration/learning-path-selections.test.js* from `toBeGreaterThan` to `toBeGreaterThanOrEqual` for `selectionCount` and `selectedItems.length` checks.
- Updated *docs/_server/tests/integration/progress-endpoint.test.js* to match the current API response format (`{ progressData: [...] }`) instead of the legacy `{ katas: [], paths: [] }` structure.

### Other Updates

- Bumped **markdownlint-cli** 0.47.0→0.48.0 (root)
- Bumped **happy-dom** to 20.8.4 (docs/_server and docs/assets/js)
- Upgraded **ajv-formats** v2→v3.0.1 in *docs/_server* (now enforces timezone in `date-time` format)
- Upgraded **express-rate-limit** v6→v8.3.1 in *docs/_server*
- Updated **azure/login** action hash in *cluster-test-terraform.yml*

## Related Issue

Related to #271, #272, #273, #274, #275, #276, #277, #278, #279, #280, #282, #284, #285, #286, #293, #294

## Type of Change

- [ ] Bug fix (non-breaking change which fixes an issue)
- [ ] New feature (non-breaking change which adds functionality)
- [x] Breaking change (fix or feature that would cause existing functionality to not work as expected)
- [ ] Blueprint modification or addition
- [ ] Component modification or addition
- [ ] Documentation update
- [x] CI/CD pipeline change
- [ ] Other (please describe):

## Implementation Details

Merged all 16 dependabot PRs in a risk-prioritized sequence using an integration branch based on `origin/main`. Security patches (Rust) and isolated changes merged first, followed by scope-grouped NPM updates with sequential merging within shared lock file scopes to avoid corruption. Lock file conflicts resolved using delete-and-reinstall strategy.

Three manual fix commits addressed eslint v10 and vitest v4 breaking changes:

- **`994f3a39`** — Added `@eslint/js` as explicit devDependency for eslint v10 (root scope)
- **`cec1db67`** — Adapted vitest v4 config breaking changes in *docs/assets/js/vitest.config.js*
- **`845089f9`** — Migrated deprecated `poolOptions.forks` to top-level `maxWorkers` in *docs/_server/vitest.config.js* and *docs/_server/vitest.integration.config.js*

Additional post-merge fixes resolved regressions from dependency resolution conflicts:

- Removed `js-yaml` v4 override from *docs/_server/package.json* that broke `gray-matter` frontmatter parsing
- Added missing `uuid` direct dependency in *docs/_server/package.json*
- Extended `parseStepsFromMarkdown` in *docs/_server/services/learning-path-manifest.js* with a bold-title regex pattern for learning path kata references
- Fixed flaky CPU comparison in *docs/_server/tests/performance/file-watch.test.js*
- Corrected boundary assertions in *docs/_server/tests/integration/learning-path-selections.test.js*
- Updated response format expectations in *docs/_server/tests/integration/progress-endpoint.test.js*

## Testing Performed

- [ ] Terraform plan/apply
- [ ] Blueprint deployment test
- [x] Unit tests
- [x] Integration tests
- [ ] Bug fix includes regression test (see [Test Policy](docs/contributing/testing-validation.md))
- [x] Manual validation
- [ ] Other:

## Validation Steps

1. Verify `npm install && npm run lint` passes at root
2. Verify `cd docs/_server && npm install && npm run lint && npm test` passes (42 test files, 554 tests passed)
3. Verify `cd docs/assets/js && npm install && npm run lint && npm test` passes
4. Verify `npm run mdlint` passes at root
5. Verify `npm run cspell` passes at root
6. Verify `pip install -r requirements.txt` succeeds

## Checklist

- [ ] I have updated the documentation accordingly
- [ ] I have added tests to cover my changes
- [x] All new and existing tests passed
- [ ] I have run `terraform fmt` on all Terraform code
- [ ] I have run `terraform validate` on all Terraform code
- [ ] I have run `az bicep format` on all Bicep code
- [ ] I have run `az bicep build` to validate all Bicep code
- [x] I have checked for any sensitive data/tokens that should not be committed
- [ ] I have run MegaLinter on my code (`mega-linter-runner`)

## Additional Notes

- Node.js minimum version raised to 20+ across eslint v10 and cspell v9. The dev container runs Node v24.14.0, satisfying all requirements.
- The **ajv-formats** v3 upgrade enforces timezone in `date-time` format validation. Existing docs/_server tests pass with this change.
- The `js-yaml` v4 override was introduced during the eslint v10 merge but broke `gray-matter@4.0.3` (requires `js-yaml@^3.13.1`), silently disabling all YAML frontmatter parsing in the learning path manifest service.
- The `uuid` package was previously available as a transitive dependency but was dropped after lock file regeneration, requiring explicit declaration.
- ~95% of the diff is lock file churn, typical for a dependabot consolidation PR. Actual manifest and source changes are minimal.

## Screenshots (if applicable)

N/A — dependency updates only, no UI changes.

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Marcel Bindseil <marcbind@microsoft.com>
Contributor
Author
Looks like rustls-webpki is up-to-date now, so this is no longer needed.
Bumps rustls-webpki from 0.103.7 to 0.103.10.
Release notes
Sourced from rustls-webpki's releases.
Commits
- 348ce01 Prepare 0.103.10
- dbde592 crl: fix authoritative_for() support for multiple URIs
- 9c4838e avoid std::prelude imports
- 009ef66 fix rust 1.94 ambiguous panic macro warnings
- c41360d build(deps): bump taiki-e/cache-cargo-install-action from 2 to 3
- e401d00 generate.py: reformat for black 2026.1.0
- 06cedec Take semver-compatible deps
- 6bc9931 Bump version to 0.103.9
- 92dbfc6 Tie lifetime of valid_dns_names/valid_uri_names to struct lifetime
- 2c46166 ci: sync cargo-check-external-types nightly

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the Security Alerts page.