build: Bump Cargo.lock dependencies #998

Merged (1 commit), Apr 3, 2023

Conversation

phylum-bot (Contributor)

Bump dependencies in Cargo.lock for all SemVer-compatible updates.

@phylum-bot phylum-bot requested a review from a team as a code owner April 3, 2023 05:32
@phylum-io

phylum-io bot commented Apr 3, 2023

Phylum OSS Supply Chain Risk Analysis - INCOMPLETE

The analysis contains 10 package(s) Phylum has not yet processed,
preventing a complete risk analysis. Phylum is processing these
packages currently and should complete soon.
Please wait for up to 30 minutes, then re-run the analysis.

View this project in the Phylum UI

@phylum-io

phylum-io bot commented Apr 3, 2023

Phylum OSS Supply Chain Risk Analysis - FAILED

Background
This repository analyzes the risk of new dependencies. An administrator of this repository has set score requirements for Phylum's five risk domains.

If you see this comment, one or more dependencies added to the package manager lockfile have failed Phylum's risk analysis.

Package: birdcage@0.2.1 failed.

Risk Domain | Identified Score | Requirement | Requirement Source
License     | 20               | 60          | project per-axis threshold

Issues Summary

Risk Domain | Risk Level | Title
License     | high       | Commercial license risk detected in birdcage@0.2.1

View this project in the Phylum UI

@andreaphylum andreaphylum (Contributor) left a comment

The following new packages are transitive dependencies of clap@4.2.1: anstream, anstyle-parse, anstyle-wincon, clap_builder, concolor-query, concolor-override

Still related to clap@4.2.1 is the addition of windows-targets@0.48.0 and its many arch-specific dependencies. Deduplication of this is blocked by chrono, which is already at its latest available version and still depends on windows-targets@0.42.2.

The following changes are related to deno-crypto:

  • Addition of packed_simd_2 and platforms.

  • Addition of libm@0.1.4 alongside libm@0.2.6; this looks like an inconsistency originating in deno-crypto's direct dependencies x25519-dalek and rsa, which require different versions of libm. Bumping rsa to attempt to fix the issue breaks our codebase.

  • The newly introduced dependency on redox_syscall is related to tempfile and the minor bump is incompatible with a number of other packages which still rely on the old version (notably parking_lot).

Overall I'm not too happy with the volume of changes, but manually bumping packages to try and reduce that has proven unfruitful and actually resulted either in even more additions (deno_runtime and related) or breaking changes (rsa).

If we want to reduce the impact of these changes, we can hold off on merging this PR. If we want to stay current, we can merge this in. I'd like to ask for a second opinion from team members on this.

I'm in favor of the latter, as the new additions look okay and I think the only real downside is the resulting fragmentation. But I would also like to plan a refactoring pass where we bump our direct dependencies with the objective of staying current and getting leaner as we merge as many duplications as possible.

@kylewillmon (Contributor)

I agree completely. This PR adds 11 new duplicated packages.

> git show origin/main:Cargo.lock | grep '^name =' | sort | uniq -c | awk '{s+=$1-1} END {print s}'
31
> git show origin/auto-cargo-update:Cargo.lock | grep '^name =' | sort | uniq -c | awk '{s+=$1-1} END {print s}'
42

And we still don't have a workaround for #725, which makes this worse.

As you suggested, we should go ahead and merge this PR and plan on a push to reduce our duplicate dependencies in the near future.
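The shell pipeline above yields only the total number of extra copies; when planning the deduplication pass it helps to know which crates are duplicated, at which versions, and which duplications a lockfile bump introduced. The following script is an added example and not part of the PR or the project's code: it parses the `[[package]]` tables of a Cargo.lock, reproduces the pipeline's count, and compares two lockfiles. The two embedded lockfiles are constructed for this example (they echo the libm and windows-targets cases discussed in the thread) and are not the project's real Cargo.lock.

```python
"""Report duplicated crates (same name, several versions) in a Cargo.lock.

Added example, not the project's code. Re-implements the count from
`grep '^name =' | sort | uniq -c | awk '{s+=$1-1} END {print s}'` and
additionally lists the duplicated crates and the duplications that are
new relative to a baseline lockfile.
"""
import re
from collections import defaultdict

# Cargo.lock is TOML: every dependency is a [[package]] table carrying at
# least `name = "..."` and `version = "..."`. Only those two keys matter
# here, so a line-oriented scan of each table is sufficient.
_PACKAGE_HEADER = "[[package]]"
_KV_RE = re.compile(r'^(name|version)\s*=\s*"([^"]*)"\s*$')


def parse_packages(lock_text):
    """Return a list of (name, version) tuples, one per [[package]] table."""
    packages = []
    current = None
    for raw in lock_text.splitlines():
        line = raw.strip()
        if line == _PACKAGE_HEADER:
            if current and "name" in current and "version" in current:
                packages.append((current["name"], current["version"]))
            current = {}
            continue
        if current is None:  # header material before the first table
            continue
        m = _KV_RE.match(line)
        if m:
            current[m.group(1)] = m.group(2)
    if current and "name" in current and "version" in current:
        packages.append((current["name"], current["version"]))
    return packages


def versions_by_crate(lock_text):
    """Map crate name -> sorted list of distinct versions in the lockfile."""
    by_name = defaultdict(set)
    for name, version in parse_packages(lock_text):
        by_name[name].add(version)
    return {name: sorted(vs) for name, vs in by_name.items()}


def duplicated_crates(lock_text):
    """Crates present at more than one version."""
    return {n: vs for n, vs in versions_by_crate(lock_text).items() if len(vs) > 1}


def duplicate_count(lock_text):
    """Same figure as the shell pipeline: sum over crates of (copies - 1)."""
    counts = defaultdict(int)
    for name, _ in parse_packages(lock_text):
        counts[name] += 1
    return sum(c - 1 for c in counts.values())


def new_duplications(old_lock, new_lock):
    """Duplicated crates in new_lock whose extra versions are absent from old_lock."""
    old = versions_by_crate(old_lock)
    new = versions_by_crate(new_lock)
    added = {}
    for name, vs in new.items():
        extra = sorted(set(vs) - set(old.get(name, [])))
        if len(vs) > 1 and extra:
            added[name] = extra
    return added


# Constructed sample lockfiles (hypothetical, trimmed to name/version/deps).
OLD_LOCK = """\
# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "chrono"
version = "0.4.24"
dependencies = [
 "windows-targets 0.42.2",
]

[[package]]
name = "clap"
version = "4.1.0"

[[package]]
name = "libm"
version = "0.2.6"

[[package]]
name = "windows-targets"
version = "0.42.2"
"""

NEW_LOCK = OLD_LOCK.replace('version = "4.1.0"', 'version = "4.2.1"') + """
[[package]]
name = "libm"
version = "0.1.4"

[[package]]
name = "windows-targets"
version = "0.48.0"
"""

if __name__ == "__main__":
    print("duplicates before:", duplicate_count(OLD_LOCK))
    print("duplicates after: ", duplicate_count(NEW_LOCK))
    for name, vs in sorted(new_duplications(OLD_LOCK, NEW_LOCK).items()):
        print(f"  {name}: newly duplicated by version(s) {', '.join(vs)}")
```

Run it against two real lockfiles with `git show origin/main:Cargo.lock` and `git show <branch>:Cargo.lock` piped into `OLD_LOCK` and `NEW_LOCK` to get the per-crate breakdown behind the 31 vs 42 figures. Like the pipeline, `duplicate_count` counts every extra `[[package]]` entry, so two entries with the same name and version but different sources also count as a duplicate.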

@phylum-io

phylum-io bot commented Apr 3, 2023

Phylum OSS Supply Chain Risk Analysis - SUCCESS

The Phylum risk analysis is complete and did not identify any issues.

View this project in the Phylum UI

@andreaphylum andreaphylum merged commit ec46708 into main Apr 3, 2023
@andreaphylum andreaphylum deleted the auto-cargo-update branch April 3, 2023 14:47