chore: upgrade sqlx to 0.9 and bump MSRV to 1.94#156
Conversation
Co-authored-by: Cursor <cursoragent@cursor.com>
|
Warning Review limit reached
More reviews will be available in 53 minutes and 17 seconds. Learn how PR review limits work. Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file). ⌛ How to resolve this issue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits. 🚦 How do rate limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please see our Fair Usage Limits Policy for further information. WalkthroughThe PR updates the repository to Rust 1.94.0 across CI, the pinned toolchain, and README requirements, bumps the crate version, upgrades ChangesRust 1.94 toolchain and release metadata
Estimated code review effort🎯 3 (Moderate) | ⏱️ ~20 minutes Suggested reviewers
Poem
🚥 Pre-merge checks | ✅ 4 | ❌ 1❌ Failed checks (1 warning)
✅ Passed checks (4 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
🧹 Nitpick comments (2)
rust-toolchain.toml (1)
2-2: 📐 Maintainability & Code Quality | 🔵 Trivial | 💤 Low valueToolchain bump is justified; note the divergence from the documented 1.86.0 target.
1.94.0 is required by sqlx 0.9.0, so the pin is correct. The project's coding guideline still states the target is Rust 1.86.0 (2021 edition); consider updating that guideline so the documented target and the pinned toolchain stay in sync.
As per coding guidelines: "Target Rust 1.86.0 (2021 edition)".
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@rust-toolchain.toml` at line 2, The toolchain pin in rust-toolchain.toml is correct for sqlx 0.9.0, but it diverges from the documented Rust 1.86.0 target. Update the project’s coding guideline/docs that state the Rust target so they match the pinned 1.94.0 toolchain, and keep the wording in sync with the existing Rust target guidance.Source: Coding guidelines
.github/workflows/ci.yml (1)
58-61: 🔒 Security & Privacy | 🔵 Trivial | ⚖️ Poor tradeoffOptional: pin actions and disable credential persistence.
Static analysis flags the action refs as unpinned (
actions/checkout@v6,dtolnay/rust-toolchain@stable) and notes the checkout step persists credentials by default. If you follow a pin-to-hash policy, consider pinning to commit SHAs and settingpersist-credentials: falseon checkout.🔧 Example hardening
- uses: actions/checkout@v6 + with: + persist-credentials: false🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In @.github/workflows/ci.yml around lines 58 - 61, The CI workflow checkout and Rust toolchain steps are using floating action refs and the checkout step still persists credentials by default. Update the workflow in the GitHub Actions job to pin the actions references for actions/checkout and dtolnay/rust-toolchain to fixed commit SHAs, and set persist-credentials to false on the checkout step to harden the pipeline.Source: Linters/SAST tools
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Nitpick comments:
In @.github/workflows/ci.yml:
- Around line 58-61: The CI workflow checkout and Rust toolchain steps are using
floating action refs and the checkout step still persists credentials by
default. Update the workflow in the GitHub Actions job to pin the actions
references for actions/checkout and dtolnay/rust-toolchain to fixed commit SHAs,
and set persist-credentials to false on the checkout step to harden the
pipeline.
In `@rust-toolchain.toml`:
- Line 2: The toolchain pin in rust-toolchain.toml is correct for sqlx 0.9.0,
but it diverges from the documented Rust 1.86.0 target. Update the project’s
coding guideline/docs that state the Rust target so they match the pinned 1.94.0
toolchain, and keep the wording in sync with the existing Rust target guidance.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 28263b4c-5f73-45e6-b930-9dec5736560d
📒 Files selected for processing (6)
.github/workflows/ci.ymlCargo.tomlREADME.mdrust-toolchain.tomlsrc/db/dispute.rssrc/db/order.rs
|
I did a strict pass on this PR and I do not currently see a blocker. What I specifically checked:
From what I can see, this is a clean mechanical upgrade. The sensitive part here was making sure the I also ran So from my side, this looks like a solid upgrade PR and I did not find a correctness blocker in the sqlx/MSRV transition. |
grunch
left a comment
There was a problem hiding this comment.
Strict review — APPROVE ✅
I reviewed this PR strictly: read the full diff, inspected the changed call sites, verified the upstream sqlx API change, and ran the full local check suite on the branch.
Correctness — verified
Separatedsignature change is exactly right.sqlx 0.9collapsed the two-lifetimeSeparated<'qb, 'args: 'qb, DB, Sep>(0.6) into a single-lifetimeSeparated<'qb, DB, Sep>. The diff correctly drops the explicit<'a>function parameter and the&'aon the args in bothdb/order.rsanddb/dispute.rs. No behavioral change — purely an API adaptation, and the&'static strseparator type is preserved.- MSRV 1.94.0 is justified, not arbitrary.
sqlx-core 0.9.0declaresrust-version = "1.94.0", so the bump is the minimum required. The toolchain version is consistently updated acrossrust-toolchain.toml,Cargo.tomlfeatures, the README badge/requirements, and the CI MSRV job. No stray1.90references remain anywhere in the repo. - Feature flags split correctly.
runtime-tokio-rustls→runtime-tokio+tls-rustls-ringmatches the 0.9 feature reorganization. - No wasm regression.
sqlxis an optional dependency gated behind thesqlxfeature (#[cfg(feature = "sqlx")] pub mod db;); the default feature iswasm, so wasm targets never pullsqlx/SQLite.
Local verification (branch chore/sqlx-0.9)
cargo build --all-features→ OK (sqlx 0.9.0 compiles)cargo clippy --all-targets --all-features -- -D warnings→ cleancargo test --all-features→ 87 passed, 0 failed; doc-tests 4 passed, 1 ignored
Minor (non-blocking)
- The PR description still lists "Bump crate version to 0.13.3 for release after merge", but commit
8543e39reverted that — the version stays0.13.2and will be set bycargo-release. The description is now slightly stale; worth editing for accuracy but no code impact. rust-toolchain.tomlhas no trailing newline (pre-existing, not introduced here).
Verdict
Clean, minimal, and well-scoped dependency upgrade. All correctness concerns check out and the full quality gate is green. Approving. The noted follow-up (upgrading mostro to sqlx 0.9 in a separate PR) is the right sequencing.
Summary
sqlxfrom0.6.2to0.9.0with split runtime/TLS features (runtime-tokio,tls-rustls-ring)rust-toolchain.toml, CI, and READMEQueryBuilder::Separatedsignatures indb/order.rsanddb/dispute.rsfor sqlx 0.9 API (single lifetime)Test plan
cargo fmt --allcargo clippy --all-targets --all-features -- -D warningscargo test --all-features(87 tests passed)Follow-up
After merge and publish of
mostro-core0.13.3, upgrademostroto sqlx 0.9 in a separate PR.Summary by CodeRabbit