mirror of
https://github.com/ruvnet/RuVector.git
synced 2026-05-22 11:26:34 +00:00
f5c39e5bbe
Unblocks the 7 stacked PRs (#381-#387) and turns `main`'s CI green
for the first time in days. Two issues fixed:
## Failure 1 — Security audit (was: 8 vulnerabilities)
`cargo audit` is now exit 0. 4 of the 5 critical advisories were
fixed by version bumps; only the unfixable one is ignored.
**Dep-bumped:**
- `rustls-webpki 0.101.7` + `0.103.10` → `0.103.13` via
`cargo update -p rustls-webpki@0.103.10`. Patches:
RUSTSEC-2026-0098 (URI name constraints)
RUSTSEC-2026-0099 (wildcard name constraints)
RUSTSEC-2026-0104 (CRL parsing panic)
- `idna 0.5.0` → `1.1.0` via `validator 0.18 → 0.20` in
`examples/scipix`. Patches RUSTSEC-2024-0421 (Punycode acceptance).
- Bonus: `reqwest 0.11 → 0.12` (in `ruvector-core` + `examples/benchmarks`)
and `hf-hub 0.3 → 0.4` (in `ruvector-core` + `ruvllm` +
`ruvllm-cli`). Removes the entire legacy `rustls 0.21` /
`rustls-webpki 0.101.7` subtree from the lockfile.
**Ignored** (single advisory, with rationale):
- `RUSTSEC-2023-0071` (rsa Marvin timing sidechannel) — no upstream
fix available; we don't expose RSA decryption services. Documented
in `.cargo/audit.toml`.
**Unmaintained warnings** (16 total — proc-macro-error, derivative,
instant, paste, bincode 1, pqcrypto-{kyber,dilithium}, rustls-pemfile 1,
rusttype, wee_alloc, number_prefix, rand_os, core2, lru, pprof, rand) —
each given a one-line justification in `.cargo/audit.toml` so CI stays
green on them while the team decides whether to chase upstream
replacements.
## Failure 2 — Tests timeout (was: 30-min job timeout cancellation)
`.github/workflows/ci.yml` `test` job is now a `matrix` with
`fail-fast: false` and `timeout-minutes: 45`. Six parallel shards
under `cargo nextest run` (installed via `taiki-e/install-action@v2`)
plus a separate `cargo test --doc` step (nextest doesn't run
doctests):
| Shard | Crates |
|------------------|---------------------------------------------|
| vector-index | rabitq, rulake, diskann, graph, gnn, cnn |
| rvagent | 10 rvagent-* crates |
| ruvix | 16 ruvix-* crates |
| ruqu-quantum | 5 ruqu* crates |
| ml-research | attention, mincut, scipix, fpga-transformer,|
| | sparse-inference, sparsifier, solver, |
| | graph-transformer, domain-expansion, |
| | robotics |
| core-and-rest | --workspace minus the above |
`Swatinem/rust-cache@v2` is keyed per shard. Audit job switched to
`taiki-e/install-action` for `cargo-audit` (faster than
`cargo install --locked`).
## Verification
cargo audit → exit 0
cargo build --workspace --exclude ruvector-postgres → clean
cargo clippy --workspace --exclude ruvector-postgres --no-deps -- -D warnings → exit 0
cargo fmt --all --check → exit 0
## Cargo.lock churn
166-line diff, net ~120 lines removed (more deletions than
additions). Removed: `idna 0.5.0`, `rustls-webpki 0.101.7`,
`validator 0.18`, `validator_derive 0.18`, `proc-macro-error 1.0.4`.
Added: `rustls-webpki 0.103.13`, `validator 0.20`,
`proc-macro-error2`, `hf-hub 0.4.3`, `reqwest 0.12.28`. No
suspicious crates.
## Recommended merge order
1. **This PR first** — unblocks every other PR's CI.
2. After this lands and main is green, rebase the 7 open PRs
(#381-#387) one at a time. The DiskANN stack (#383→#384→#385→#386)
must merge in numeric order. #381 (Python SDK), #382 (research),
#387 (graph property index) are independent and can merge in
any order after their CI goes green on the rebase.
Co-Authored-By: claude-flow <ruv@ruv.net>
|
||
|---|---|---|
| .. | ||
| src | ||
| tests | ||
| Cargo.toml | ||