Skip to content

fix(deps): regenerate Cargo.lock to dedupe wasmparser (unblocks #98 + every cargo CI run)#99

Closed
hyperpolymath wants to merge 1 commit into
mainfrom
fix/cargo-lockfile-wasmparser-dedupe
Closed

fix(deps): regenerate Cargo.lock to dedupe wasmparser (unblocks #98 + every cargo CI run)#99
hyperpolymath wants to merge 1 commit into
mainfrom
fix/cargo-lockfile-wasmparser-dedupe

Conversation

@hyperpolymath
Copy link
Copy Markdown
Owner

@hyperpolymath hyperpolymath commented May 30, 2026

Summary

  • Cargo.lock regenerated to remove a duplicate wasmparser 0.251.0 entry + a stale wasmparser 0.250.0 entry left behind by Dependabot PR chore(deps): bump wasmparser from 0.250.0 to 0.251.0 #91
  • cargo build --workspace --locked and cargo test --workspace --locked go green locally
  • Single-purpose lockfile-only change — no Cargo.toml edits, no code, no docs

Why

Since PR #91 (bump wasmparser from 0.250.0 to 0.251.0, merged 2026-05-30 08:23Z) every CI run on main and every open PR has been failing Cargo build + test (typed-wasm-verify) with:

error: failed to parse lock file at: /.../Cargo.lock

Caused by:
  package `wasmparser` is specified twice in the lockfile

Local reproduction:

$ cargo update --workspace --locked
error: failed to parse lock file at: /home/.../Cargo.lock
Caused by:
  package `wasmparser` is specified twice in the lockfile

The lockfile had three wasmparser entries:

Entry Version deps
1 0.250.0 bitflags, indexmap, semver
2 0.251.0 bitflags, hashbrown, indexmap, semver, serde
3 0.251.0 bitflags, indexmap, semver

crates/typed-wasm-verify/Cargo.toml requires wasmparser = "=0.251.0", so the 0.250.0 entry is unreferenced (left behind during the bump) and the second 0.251.0 entry is a degenerate duplicate.

Fix: rm Cargo.lock && cargo generate-lockfile produces a single wasmparser 0.251.0 entry (with hashbrown + serde, matching what cargo fetch actually resolves today).

Impact

Directly unblocks:

Contributes to Phase 0 #48's "every commit on main exits CI green" gate (currently broken for cargo).

What this PR does NOT do

  • Does NOT change any Cargo.toml pin (the =0.251.0 exact-pin policy is preserved per the comment in crates/typed-wasm-verify/Cargo.toml lines 22-26)
  • Does NOT touch any source code, docs, or proofs
  • Does NOT address the orthogonal Smoke test red (claim-envelope finds 1 stale doc-path nextgen-languages/docs/disambiguation/ephapax-vs-affinescript.md in README.adoc:36 — separate fix worth filing)

Test plan

  • cargo build --workspace --locked -> ok
  • cargo test --workspace --locked -> all green (39+ tests across unit + cross-compat + property + 5 fixture tests)
  • Single wasmparser entry in regenerated Cargo.lock (grep -c '^name = "wasmparser"' Cargo.lock -> 1)
  • CI Cargo build + test green on this PR (the merge oracle)

Refs

  • typed-wasm#48 (Phase 0: Stabilize the foundation — "every commit on main exits CI green" gate)
  • typed-wasm#91 (the Dependabot bump that introduced the dupe)
  • typed-wasm#98 (downstream consumer — currently red on this same check)

@hyperpolymath
fix(deps): regenerate Cargo.lock to dedupe wasmparser entries
e7da96e 
Cargo.lock had three wasmparser entries — a stale 0.250.0 (no longer
referenced; Cargo.toml requires `=0.251.0`) plus two competing 0.251.0
copies differing in dependency set (one with `hashbrown` + `serde`,
one without). This caused `cargo build --workspace --locked` to fail
with "package `wasmparser` is specified twice in the lockfile" on
every commit since Dependabot PR #91 landed.

Regenerated via `rm Cargo.lock && cargo generate-lockfile`. Single
`wasmparser 0.251.0` entry now resolved.

Why this matters: blocks PR #98 ([draft] -> [review] promotion for
proposals 0001 + 0002) and every other PR's `Cargo build + test`
check. Phase 0 #48 explicitly requires green CI on main.

Validation:
- `cargo build --workspace --locked` -> ok
- `cargo test --workspace --locked` -> all green (incl. cross-compat
  + property + 5 fixture tests)

Refs #48
@hyperpolymath hyperpolymath enabled auto-merge (squash) May 30, 2026 12:59
@github-actions
Copy link
Copy Markdown

github-actions Bot commented May 30, 2026

🔍 Hypatia Security Scan

Findings: 96 issues detected

Severity Count
🔴 Critical 8
🟠 High 19
🟡 Medium 69

⚠️ Action Required: Critical security issues found!

View findings 
[
  {
    "reason": "Action perpolymath/standards/.github/workflows/governance-reusable.yml@main\n needs attention",
    "type": "unpinned_action",
    "file": "governance.yml",
    "action": "pin_sha",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in boj-build.yml",
    "type": "unknown",
    "file": "boj-build.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in c5-regenerate.yml",
    "type": "unknown",
    "file": "c5-regenerate.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in cargo-audit.yml",
    "type": "unknown",
    "file": "cargo-audit.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in codeql.yml",
    "type": "unknown",
    "file": "codeql.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in dogfood-gate.yml",
    "type": "unknown",
    "file": "dogfood-gate.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in dogfood-gate.yml",
    "type": "unknown",
    "file": "dogfood-gate.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in dogfood-gate.yml",
    "type": "unknown",
    "file": "dogfood-gate.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in dogfood-gate.yml",
    "type": "unknown",
    "file": "dogfood-gate.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  },
  {
    "reason": "Issue in dogfood-gate.yml",
    "type": "unknown",
    "file": "dogfood-gate.yml",
    "action": "flag",
    "rule_module": "workflow_audit",
    "severity": "medium"
  }
]

Powered by Hypatia Neurosymbolic CI/CD Intelligence

@hyperpolymath hyperpolymath mentioned this pull request May 30, 2026
Closed
hyperpolymath added a commit that referenced this pull request May 30, 2026
@hyperpolymath
fix(readme): claim-envelope check #8 — disambiguate cross-repo link v…
0611d2f 
…isible text

The asciidoc link macro's visible text matched the local-path-resolution
heuristic of `Aspect (claim envelope)` test #8 (`Path references in docs
resolve to real files`), which interpreted the bracketed display string
`nextgen-languages/docs/disambiguation/ephapax-vs-affinescript.md` as a
path inside *this* repo and reported it stale (file does live under
hyperpolymath/nextgen-languages — the URL target is correct; only the
visible text triggered the false positive).

Change visible text to a prose label that doesn't look like a relative
path. URL target unchanged.

Unblocks PR #99 and every other typed-wasm cargo CI run currently
failing on Smoke test for the same envelope-check violation.

Refs #99
@hyperpolymath
Copy link
Copy Markdown
Owner Author

hyperpolymath commented May 30, 2026

Closing — same Cargo.lock dedup already shipped via #105 (merged 2026-05-30 13:31Z). Parallel-session duplicate; this branch's content is now redundant.

auto-merge was automatically disabled May 30, 2026 13:41

Pull request was closed

@hyperpolymath hyperpolymath deleted the fix/cargo-lockfile-wasmparser-dedupe branch May 30, 2026 13:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@hyperpolymath