chore: update rust deps

[tac0turtle]

Overview

closes #2912

[gemini-code-assist]

Summary of Changes

Hello @tac0turtle, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request performs a comprehensive update of the project's Rust dependencies. The primary goal is to ensure the codebase benefits from the latest bug fixes, performance enhancements, and new features available in the Rust ecosystem. This routine maintenance helps keep the project secure, efficient, and compatible with modern development practices.

Highlights

• Core Dependency Upgrades: Key libraries such as tonic (from 0.10 to 0.11), tokio (from 1.45.1 to 1.48.0), rustls (from 0.21.12 to 0.22.4), and serde (from 1.0.219 to 1.0.228) have been updated to their latest stable versions, bringing a host of improvements and bug fixes across the application's core functionalities.
• Platform-Specific and WebAssembly Updates: Significant updates to windows-sys, windows-targets, and the transition from wasi to wasip2 along with wit-bindgen reflect enhancements in platform-specific support for Windows and improved WebAssembly System Interface capabilities.
• Dependency Streamlining: Several older or transitive dependencies, including addr2line, backtrace, gimli, miniz_oxide, object, rustc-demangle, sct, and wit-bindgen-rt, have been removed. This is likely due to consolidation or changes in the dependency tree of the updated packages, contributing to a leaner dependency graph.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[github-actions]

The latest Buf updates on your PR. Results from workflow CI / buf-check (pull_request).

Build	Format	Lint	Breaking	Updated (UTC)
✅ passed	⏩ skipped	✅ passed	✅ passed	Dec 10, 2025, 11:51 AM

[claude]

Claude finished @tac0turtle's task in 2m 30s —— View job

---

Code Review Complete

Tasks

• Read changed Cargo.toml files to understand dependency updates
• Review build.rs changes
• Examine generated protobuf code changes
• Assess security and compatibility implications
• Provide comprehensive review feedback

---

Summary

This PR performs a comprehensive update of Rust dependencies, with several major version bumps that require careful attention. The changes are primarily in the gRPC/protobuf toolchain and supporting libraries. All tests pass, but there are important considerations around breaking changes and compatibility.

---

Dependency Updates Analysis

Critical Major Version Updates

1. tonic: 0.10 → 0.14 (client/crates/client/Cargo.toml, Cargo.toml)

• Breaking Changes: This is a 4 major version jump representing significant API evolution
• The tonic 0.11+ series moved to hyper v1 and http v1, which is a fundamental architectural change
• Action Required: The generated protobuf code has been updated, but runtime behavior should be thoroughly tested:
  • All gRPC client connections and error handling
  • Streaming RPC functionality if used
  • TLS configuration (note the change from tls to tls-native-roots feature)
• Positive: The generated code in evnode.v1.services.rs appears syntactically correct with the new API

2. prost: 0.12 → 0.14 (Cargo.toml)

• Migration: tonic-prost ecosystem adoption (new dependencies added)
• The build system has been updated from tonic-build to tonic-prost-build
• Impact: This changes how protobuf code generation works, moving to a more modular approach

3. thiserror: 1.0 → 2.0 (client/crates/client/Cargo.toml)

• Breaking Change: Major version bump with potential error handling changes
• Check if any custom error types use thiserror macros that may have changed behavior

4. tower: 0.4 → 0.5 (client/crates/client/Cargo.toml)

• Breaking: Middleware and service trait changes
• Review any custom tower layers or middleware implementations

Moderate Updates

5. tokio: 1.45 → 1.48 (client/crates/client/Cargo.toml)

• Safe: Patch updates within v1.x are backwards compatible
• Includes performance improvements and bug fixes

---

Build System Changes (client/crates/types/build.rs)

Migration from tonic-build to tonic-prost-build (lines 67-71)

- tonic_build::configure()
+ tonic_prost_build::configure()
-     .compile(&proto_files, &[proto_root.as_path()])?;
+     .compile_protos(&proto_files, std::slice::from_ref(&proto_root))?;

Review Notes:

• ✅ Correct: API change properly handled (.compile() → .compile_protos())
• ✅ Correct: Slice conversion updated to use std::slice::from_ref
• ⚠️ Minor: The method signature change is a sign of the prost ecosystem refactoring

---

Generated Code Review (client/crates/types/src/proto/)

The generated protobuf files show the following patterns:

Messages (evnode.v1.messages.rs):

• ✅ Clean prost-generated message types with proper derives
• ✅ Uses ::prost::alloc::vec::Vec for bytes (correct for no-std compatibility)
• ✅ Proper Hash derives added to all message types

Services (evnode.v1.services.rs):

• ✅ Updated to tonic 0.14 client/server generation patterns
• ✅ Proper async/await patterns maintained
• ✅ Uses new tonic::codegen::http::Uri import (tonic 0.14 pattern)
• ⚠️ The new codegen is more verbose (~89 more lines), which is expected with tonic 0.14's expanded trait bounds

---

Security Considerations

1. TLS Configuration Change

- tonic = { workspace = true, features = ["transport", "tls"] }
+ tonic = { workspace = true, features = ["transport", "tls-native-roots"] }

• Impact: Switches from default TLS backend to native roots
• Security: Uses system certificate store (generally more secure and easier to manage)
• ✅ Recommended: This is a good change for production systems

2. Dependency Tree Cleanup
The Cargo.lock shows removal of several transitive dependencies:

• addr2line, backtrace, gimli, miniz_oxide, object, rustc-demangle
• ✅ Positive: Smaller dependency tree = reduced attack surface

3. Dependency Versions

• All dependencies are recent stable releases
• No known CVEs in the updated versions (as of review date)
• ✅ Recommended: Run cargo audit to verify

---

Testing Requirements

Given the scope of breaking changes, the following testing is critical:

1. gRPC Client/Server Communication

   • Test all RPC methods defined in proto files
   • Verify error handling and timeout behavior
   • Test TLS connectivity with the new tls-native-roots feature

2. Protobuf Serialization

   • Verify wire compatibility (messages should serialize/deserialize identically)
   • Test with existing persisted data if applicable

3. Integration Tests

   • Run full integration test suite
   • Test under concurrent load to verify tokio/tower changes

4. Build Reproducibility

   • Verify EV_TYPES_FORCE_PROTO_GEN=1 regenerates identical code
   • Test build on clean checkout

---

Recommendations

Required Before Merge

1. ✅ CI Passing: All checks passed (buf-check, codecov)
2. ⚠️ Runtime Testing: Run integration tests with real gRPC traffic
3. ⚠️ Security Audit: Execute cargo audit to check for vulnerabilities
4. ⚠️ Compatibility Testing: Test backward compatibility with existing clients/servers

Optional Improvements

1. Documentation: Consider documenting the TLS feature change in release notes
2. Changelog: Note the major dependency bumps for downstream users
3. Version Pinning: Consider if any dependencies need stricter version constraints

---

Conclusion

This is a well-executed dependency update with proper code generation changes. The major version bumps are significant but necessary for keeping the codebase modern and secure. The main concern is ensuring runtime compatibility, particularly with the tonic 0.10 → 0.14 upgrade.

Recommendation: ✅ Approve after runtime testing

The code changes are correct, but given the scope of breaking changes in the ecosystem (tonic, tower, thiserror), thorough integration testing is essential before merging to production.

---

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 65.80%. Comparing base (0fa3370) to head (2ba728f).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2917      +/-   ##
==========================================
- Coverage   65.94%   65.80%   -0.14%     
==========================================
  Files          87       87              
  Lines        7990     7990              
==========================================
- Hits         5269     5258      -11     
- Misses       2147     2158      +11     
  Partials      574      574              

Flag	Coverage Δ
combined	65.80% <ø> (-0.14%)	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[gemini-code-assist]

Code Review

This pull request updates Rust dependencies, most notably tonic from version 0.10 to 0.11. This is a significant update with potential breaking changes, as tonic v0.11 introduces a new API based on hyper v1 and http v1. While the code seems to have been updated to be compatible, it's crucial to ensure that all parts of the application using tonic are thoroughly tested to catch any runtime issues. No other issues were found in this dependency update.

[damiannolan]

LGTM... e2e docker test looks unrelated.

[randygrok]

utAck, interesting how the new prost adds new derives