update dependencies #42
Open
joshrmcdaniel wants to merge 5 commits into
Lock current behavior of CSP augmentation, request-type detection, URL normalization, opaque-upgrade detection, TOML config round-trip, and CA-signed cert/server-config assembly so the dependency upgrade can be verified as behavior-preserving.

build(deps): phase 1 — low-risk bumps (thiserror 2, toml 1, dirs 6)

- privaxy: toml 0.8->1, thiserror 1->2, dirs 5->6, serde_with 3.8->3.21, env_logger 0.11.3->0.11.10, uluru 3.0->3.1, async-compression 0.4.11->0.4.42, tera pin relaxed to 1.x (argon2 kept on 0.5, tera on 1.x: latest are pre-releases, excluded per semver).
- filterlists-api: thiserror 1->2, reqwest 0.12->0.13.
- web_frontend: thiserror 1->2.
- thiserror 2 dropped raw-identifier (r#type) support in #[error] format strings; updated FilterListAPIError accordingly.

Also retains the reqwest client tcp_keepalive removal in server/lib.rs. Characterization tests remain green (cargo test -p privaxy --lib).

feat(deps): phase 2 — migrate server to hyper 1.0 / rustls 0.23 / warp 0.4

Upgrades the proxy/web-server HTTP+TLS stack to current majors:

- hyper 0.14 -> 1, http 0.2 -> 1, add hyper-util + http-body-util.
- rustls 0.21 -> 0.23, tokio-rustls 0.24 -> 0.26, hyper-rustls 0.24 -> 0.27, all pinned to the ring provider (default-features=false) so the tier-3 MIPS/musl cross builds keep working (aws-lc-rs needs a C toolchain).
- reqwest 0.11 -> 0.13 (rustls-no-provider + ring, process-default provider).

Key code changes:

- Install the ring CryptoProvider once at startup (rustls 0.23 requires a process default before any TLS config is built).
- Replace hyper's removed Server/Client/Body: the proxy now hand-accepts connections and drives them with hyper-util's auto builder (HTTP/1+2 + upgrades), preserving header-case and tcp_keepalive(600s); the upgrade client uses hyper-util's legacy Client. Streaming response bodies use an mpsc + http_body_util::StreamBody channel (replacing hyper::body::Sender), wrapping upgraded streams in TokioIo.
- cert.rs: rustls 0.23 CertificateDer/PrivateKeyDer + builder safe-defaults.
- warp 0.3 -> 0.4 (built on hyper 1). warp 0.4 removed built-in TLS and the graceful-shutdown server, so the web GUI is now served via hyper-util with optional tokio-rustls termination (WebSocket live feeds still upgrade).
- argon2: enable std feature to restore OsRng after feature unification shift.

Characterization tests remain green (cargo test -p privaxy --lib).

feat(deps): phase 3 — migrate frontend to yew 0.23 / gloo-net

- yew 0.19 -> 0.23 (csr feature), yew-router 0.16 -> 0.20, gloo-utils 0.1 -> 0.3, gloo-timers 0.2 -> 0.4, web-sys 0.3.69 -> 0.3.77, wasm-bindgen -> 0.2.125.
- Replace the deprecated reqwasm with gloo-net (http + websocket); gloo-net's RequestBuilder::body/json now return Result, so call sites unwrap and order header() before body().
- yew API migration: start_app -> Renderer::render; Component::changed gains the old_props parameter; <textarea> is now a void element (self-closing); Button's children prop made #[prop_or_default]; onsubmit handlers typed SubmitEvent instead of FocusEvent.
- yew-router 0.20: Switch render takes the function directly (Switch::render removed) and switch fns take the route by value.

Verified with: cargo build --target wasm32-unknown-unknown -p web_frontend.

build(deps): phase 4 — ring-only TLS, formatting, clippy cleanups

- Eliminate aws-lc-rs from the dependency tree: filterlists-api's reqwest was pulling default features (reqwest's aws-lc-rs-backed rustls), which unified the shared rustls crate onto aws-lc-rs and would break the MIPS/musl cross builds (aws-lc-sys needs cmake/C). Pin it to default-features=false + rustls-no-provider so the whole workspace uses ring only.
- Use std::io::Error::other(..) for the hyper body/upgrade error mapping.
- cargo fmt across the migrated files.

Verified: cargo test -p privaxy --lib (14 passed); frontend wasm build; release musl cross-build (x86_64-unknown-linux-musl) succeeds with ring, proving the tier-3 cross targets keep working.
✅ No security or compliance issues detected. Reviewed everything up to dadd69b.
Security Overview
Detected Code Changes: The diff is too large to display a summary of code changes.
argon2 0.6.0-rc and tera 2.0.0-alpha were intentionally not adopted).
hyper 0.14 → 1, http 0.2 → 1 (now via hyper-util + http-body-util), rustls 0.21 → 0.23, tokio-rustls 0.24 → 0.26, hyper-rustls 0.24 → 0.27, reqwest 0.11 → 0.13, warp 0.3 → 0.4. The whole TLS stack is pinned to the ring crypto provider so the MIPS/musl cross builds keep working (aws-lc-rs needs a C toolchain). A ring CryptoProvider is installed once at startup, as rustls 0.23 requires.
GUI is now served through hyper-util with optional tokio-rustls termination; WebSocket live feeds continue to work via connection upgrades.
yew 0.19 → 0.23, yew-router 0.16 → 0.20, gloo-* bumped, web-sys/wasm-bindgen refreshed, and the deprecated reqwasm replaced with gloo-net.
thiserror 1 → 2, toml 0.8 → 1, dirs 5 → 6.
lock the proxy's CSP/request-type/upgrade logic, the TOML config round-trip, and CA-signed cert/server-config assembly.
Done with Claude
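The phase 4 commit above removes aws-lc-rs from the dependency tree after one crate's default features pulled it back in for the whole workspace. The lockfile check below is an added example, not code from this PR: it lists every package that pulls in a banned crate, so a CI job can fail when the list is non-empty. The lockfile excerpt, the ring version in it, and the names `reverse_deps` and `pulled_in_by` are constructed for illustration.

```rust
use std::collections::{BTreeMap, BTreeSet};

type Rev = BTreeMap<String, BTreeSet<String>>;

// Constructed Cargo.lock excerpt (not from the PR); version/source/checksum lines omitted.
const SAMPLE_LOCK: &str = "
[[package]]\nname = \"privaxy\"\ndependencies = [\n \"filterlists-api\",\n \"rustls\",\n]
[[package]]\nname = \"filterlists-api\"\ndependencies = [\n \"reqwest\",\n]
[[package]]\nname = \"reqwest\"\ndependencies = [\n \"rustls\",\n]
[[package]]\nname = \"rustls\"\ndependencies = [\n \"aws-lc-rs\",\n \"ring 0.17.8\",\n]
[[package]]\nname = \"aws-lc-rs\"\ndependencies = [\n \"aws-lc-sys\",\n]
";

/// Parse Cargo.lock text into reverse edges: crate name -> packages depending on it directly.
fn reverse_deps(lock: &str) -> Rev {
    let mut rev = Rev::new();
    let (mut current, mut in_deps) = (String::new(), false);
    for line in lock.lines().map(str::trim) {
        if let Some(v) = line.strip_prefix("name = ") {
            current = v.trim_matches('"').to_string();
        } else if line == "dependencies = [" || line == "]" {
            in_deps = line != "]";
        } else if in_deps && !line.is_empty() {
            // Entries are "name" or "name version"; keep only the name.
            let dep = line.trim_matches(|c: char| c == '"' || c == ',');
            let dep = dep.split(' ').next().unwrap_or(dep);
            rev.entry(dep.to_string()).or_default().insert(current.clone());
        }
    }
    rev
}

/// Every package that pulls in `banned`, directly or transitively.
fn pulled_in_by(lock: &str, banned: &str) -> BTreeSet<String> {
    let rev = reverse_deps(lock);
    let (mut seen, mut stack) = (BTreeSet::new(), vec![banned.to_string()]);
    while let Some(krate) = stack.pop() {
        for parent in rev.get(&krate).into_iter().flatten() {
            if seen.insert(parent.clone()) {
                stack.push(parent.clone());
            }
        }
    }
    seen
}

fn main() {
    println!("aws-lc-sys pulled in by: {:?}", pulled_in_by(SAMPLE_LOCK, "aws-lc-sys"));
}
```

In the constructed excerpt `privaxy` appears in the result even though only `filterlists-api` asked for the offending features, because both share the one `rustls` package. Cargo.lock is resolved for all targets, so a hit can also be a crate that is only built on some platforms.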