Upgrade dependencies across Rust and Node.js projects #967

Open
moose-code wants to merge 4 commits into main from claude/evaluate-package-upgrades-ZfyaD
@moose-code moose-code commented Feb 19, 2026

Summary

This PR updates dependencies across the codebase to their latest stable versions, improving security, performance, and compatibility.

Key Changes

  • Rust dependencies (codegenerator/cli):

    • Updated core dependencies: clap (4.2.2 → 4.5), tokio (1.28.2 → 1.49), serde (1.0.159 → 1.0.228), serde_json (1.0.95 → 1.0.149)
    • Updated Alloy crates: alloy-primitives, alloy-json-abi, alloy-dyn-abi (1.0 → 1.5)
    • Updated utility crates: regex (1.5 → 1.12), anyhow (1.0.72 → 1.0.101), sha2 (0.10.7 → 0.10.8), open (5.0.0 → 5.3)
    • Updated async utilities: async-recursion (1.0.5 → 1.1), subenum (1.1.1 → 1.1.3)
    • Updated dev dependencies: tempdir, paste, tracing-subscriber, pretty_assertions, insta
    • Updated OpenSSL vendored dependency (0.10.63 → 0.10.75) for both aarch64 and x86_64 Linux targets
    • Pinned schemars to exact version (=1.0.0-alpha.2)
  • Node.js dependencies (codegenerator/cli/npm/envio):

    • Updated key packages: @clickhouse/client (1.12.1 → 1.17.0), pino (10.1.0 → 10.3.1), viem (2.21.0 → 2.46.2)
    • Updated monitoring: prom-client (15.0.0 → 15.1.3)
    • Updated UI libraries: @rescript/react (0.14.0 → 0.14.1), ink (6.5.1 → 6.8.0)
    • Updated utility packages: bignumber.js (9.1.2 → 9.3.1), @elastic/ecs-pino-format (1.4.0 → 1.5.0)
  • Template and test dependencies:

    • Updated package.json.tmpl with same Node.js dependency versions
    • Updated dynamic codegen template with viem and prom-client versions
    • Updated integration tests with tokio and anyhow versions
    • Updated test scenario dependencies with viem version

Notable Details

  • All lockfiles have been regenerated to reflect the new dependency versions
  • The changes maintain compatibility across all workspace packages
  • OpenSSL vendored feature is consistently updated for Linux targets

https://claude.ai/code/session_01Jz7WG9kiURW412Gjn366vX

Summary by CodeRabbit

Release Notes

  • Chores
    • Updated multiple dependencies to newer versions throughout the codebase, including client communication libraries, data serialization utilities, JSON processing tools, configuration parsing libraries, template engines, and command-line interface tooling for improved performance.
    • Upgraded development and testing utilities for enhanced stability.
    • Added new development dependency to extend project workflow capabilities.

NPM (minor/patch):
- @clickhouse/client 1.12.1 → 1.17.0
- @elastic/ecs-pino-format 1.4.0 → 1.5.0
- bignumber.js 9.1.2 → 9.3.1
- pino 10.1.0 → 10.3.1
- prom-client 15.0.0 → 15.1.3
- viem 2.21.0 → 2.46.2
- @rescript/react 0.14.0 → 0.14.1
- ink 6.5.1 → 6.8.0

Rust (minor/patch):
- clap 4.2.2 → 4.5, alloy-* 1.0 → 1.5
- handlebars 6.0.0 → 6.4, tokio 1.28.2 → 1.49
- serde 1.0.159 → 1.0.228, serde_json 1.0.95 → 1.0.149
- regex 1.5 → 1.12, anyhow 1.0.72 → 1.0.101
- open 5.0.0 → 5.3, insta 1.34 → 1.46
- openssl 0.10.63 → 0.10.75 (security patches)
- Plus minor/patch bumps for clap-markdown, graphql-parser,
  include_dir, pathdiff, sha2, subenum, async-recursion,
  tempdir, paste, tracing-subscriber, pretty_assertions

Pin schemars to =1.0.0-alpha.2 to prevent cargo update from
pulling in the breaking 1.2.1 stable release (separate upgrade).

All 211 Rust tests pass. No snapshot changes required.

https://claude.ai/code/session_01Jz7WG9kiURW412Gjn366vX
coderabbitai bot commented Feb 19, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

Configuration used: defaults

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 52d6695 and 541d975.

⛔ Files ignored due to path filters (1)
  • Cargo.lock is excluded by !**/*.lock
📒 Files selected for processing (3)
  • packages/cli/Cargo.toml
  • packages/cli/templates/dynamic/codegen/package.json.hbs
  • packages/envio/package.json

📝 Walkthrough

Dependency updates across JavaScript and Rust packages. Key upgrades include viem (2.21.0 → 2.46.2), bignumber.js (9.1.2 → 9.3.1), prom-client (15.0.0 → 15.1.3), @clickhouse/client (1.12.1 → 1.17.0), and various Rust crates in Cargo.toml. A new npm dependency (tsx 4.21.0) added. No functional code changes.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| JavaScript Package Dependencies: scenarios/test_codegen/package.json, packages/cli/templates/dynamic/codegen/package.json.hbs, packages/envio/package.json | Version bumps for viem (2.21.0 → 2.46.2), bignumber.js (9.1.2 → 9.3.1), prom-client (15.0.0 → 15.1.3); additional updates to @clickhouse/client (1.12.1 → 1.17.0), @rescript/react, ink; new tsx dependency (4.21.0) added. |
| Rust Crate Dependencies: packages/cli/Cargo.toml | Multiple version updates for clap, Alloy suite (primitives, JSON ABI, dyn ABI), tokio, serde, schemars (pinned to 1.0.0-alpha.2), and platform-specific OpenSSL dependencies (0.10.63 → 0.10.75). |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Suggested reviewers

  • JonoPrest

Poem

🐰 Hops through versions with glee,
Dependencies dance, updated and free!
viem and bignumber leap to new heights,
Rust crates and npm, shining so bright,
Fresh tsx arrives—let the code run with cheer! ✨

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title 'Upgrade dependencies across Rust and Node.js projects' directly and accurately summarizes the main change—a comprehensive dependency update across the repository's Rust and Node.js codebases. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

@moose-code moose-code requested a review from DZakh February 19, 2026 21:04
@moose-code (Member, Author)

@DZakh
Upgrade semver-compatible dependencies across npm and Rust

Many dependencies had fallen significantly behind their latest
semver-compatible releases. This catches up on minor/patch versions
to pick up bug fixes, performance improvements, and security patches
while avoiding any breaking API changes.

Notable upgrades:

  • viem 2.21→2.46: 25 minor releases of new EVM chain support and fixes
  • clap 4.2→4.5, tokio 1.28→1.49: large semver-safe gaps closed
  • alloy-* 1.0→1.5: newer ABI/primitives support for EVM tooling
  • openssl 0.10.63→0.10.75: security patches
  • @clickhouse/client 1.12→1.17: query performance improvements
  • serde 1.0.159→1.0.228, serde_json 1.0.95→1.0.149: accumulated fixes
  • regex 1.5→1.12, handlebars 6.0→6.4, insta 1.34→1.46

Also pin schemars to =1.0.0-alpha.2 to prevent cargo update from
resolving to the stable 1.2.1 release, which removes the
always_inline_schema trait method used in human_config.rs.
That migration is deferred as a separate breaking change.

Intentionally deferred (breaking/high-risk):

  • schemars alpha→stable, thiserror 1→2, colored 2→3 (major)
  • reqwest 0.11→0.13, sqlx 0.7→0.8, strum 0.26→0.27 (0.x breaking)
  • express 4→5, rescript 11→12, yargs 17→18 (npm major)
  • serde_yaml deprecated (needs format migration)
  • @envio-dev/hypersync-client 0.7→1.0 (major)
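
The effect of the `=` pin described in the commit message above, as an added example (not code from this PR or from Cargo): a minimal model of Cargo's caret and exact requirement matching, run against a constructed version list. It assumes full x.y.z requirements and ignores build metadata; `parse`, `matches`, `resolve` and `INDEX` are names made up for the example.

```rust
// Added example: minimal model of Cargo's default (caret) and `=` requirements.
use std::cmp::Ordering;

#[derive(Debug, PartialEq)]
struct Version { core: (u64, u64, u64), pre: Vec<String> }

fn parse(s: &str) -> Version {
    let (core, pre) = match s.split_once('-') {
        Some((c, p)) => (c, p.split('.').map(String::from).collect()),
        None => (s, Vec::new()),
    };
    let n: Vec<u64> = core.split('.').map(|x| x.parse().expect("numeric part")).collect();
    Version { core: (n[0], n[1], n[2]), pre }
}

// SemVer precedence: numeric pre-release identifiers sort below alphanumeric ones.
fn cmp_version(a: &Version, b: &Version) -> Ordering {
    if a.core != b.core { return a.core.cmp(&b.core); }
    if a.pre.is_empty() || b.pre.is_empty() {
        return a.pre.is_empty().cmp(&b.pre.is_empty()); // release > its pre-releases
    }
    for (x, y) in a.pre.iter().zip(&b.pre) {
        let ord = match (x.parse::<u64>(), y.parse::<u64>()) {
            (Ok(i), Ok(j)) => i.cmp(&j),
            (Ok(_), Err(_)) => Ordering::Less,
            (Err(_), Ok(_)) => Ordering::Greater,
            (Err(_), Err(_)) => x.cmp(y),
        };
        if ord != Ordering::Equal { return ord; }
    }
    a.pre.len().cmp(&b.pre.len())
}

fn matches(req: &str, candidate: &str) -> bool {
    let v = parse(candidate);
    // `=` accepts exactly one version.
    if let Some(exact) = req.strip_prefix('=') { return v == parse(exact); }
    let r = parse(req); // a bare requirement is a caret requirement
    // A pre-release candidate needs a pre-release requirement on the same x.y.z.
    if !v.pre.is_empty() && (r.pre.is_empty() || v.core != r.core) { return false; }
    let same_range = match r.core {
        (0, 0, p) => v.core == (0, 0, p),
        (0, m, _) => v.core.0 == 0 && v.core.1 == m,
        (major, _, _) => v.core.0 == major,
    };
    same_range && cmp_version(&v, &r) != Ordering::Less
}

// Highest matching version: what `cargo update` would move the lockfile to.
fn resolve<'a>(req: &str, index: &[&'a str]) -> Option<&'a str> {
    index.iter().copied().filter(|c| matches(req, c))
        .max_by(|a, b| cmp_version(&parse(a), &parse(b)))
}

// Constructed registry listing; only 1.0.0-alpha.2 and 1.2.1 come from the PR.
const INDEX: [&str; 5] = ["1.0.0-alpha.2", "1.0.0-alpha.3", "1.0.0", "1.2.1", "2.0.0"];
fn main() {
    println!("{:?} {:?}", resolve("1.0.0-alpha.2", &INDEX), resolve("=1.0.0-alpha.2", &INDEX));
}
```

The bare requirement resolves to the stable 1.2.1 release, while the `=` form stays on the alpha and also rules out every later fix release.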

@coderabbitai coderabbitai bot left a comment

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
codegenerator/cli/npm/envio/package.json (1)

49-49: ⚠️ Potential issue | 🟠 Major

Move tsx from dependencies to devDependencies

tsx (4.21.0) is currently in production dependencies but is not used at runtime by the envio package. In scenarios/test_codegen/package.json, tsx is correctly placed in devDependencies and is only used in the test scripts via NODE_OPTIONS='--import tsx'. Moving it to devDependencies here will reduce unnecessary bloat for end users.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@codegenerator/cli/npm/envio/package.json` at line 49, Remove the "tsx":
"4.21.0" entry from the dependencies block in package.json and add the same
"tsx": "4.21.0" entry under devDependencies; ensure no runtime code imports rely
on tsx and update package.json so all build/test scripts that need tsx still
work but it is not shipped as a production dependency.
🧹 Nitpick comments (3)
codegenerator/integration_tests/Cargo.toml (1)

14-21: "full" subsumes all other listed tokio features

"full" is tokio's all-inclusive meta-feature that enables every sub-crate. Listing "macros", "process", "rt-multi-thread", "time", and "test-util" alongside it is redundant. Either drop "full" and keep only the features you actually need, or drop all individual features and keep just "full".

♻️ Suggested simplification (keep only what's needed)
-tokio = { version = "1.49", features = [
-  "macros",
-  "process",
-  "rt-multi-thread",
-  "time",
-  "full",
-  "test-util",
-] }
+tokio = { version = "1.49", features = [
+  "macros",
+  "process",
+  "rt-multi-thread",
+  "time",
+  "test-util",
+] }
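
Review bot: Dropping "full" in the replacement features list narrows tokio to the five named features, so any integration test that uses an API gated behind a feature only "full" was enabling (for example "fs", "net", "io-util" or "sync") will stop compiling. Build and run the integration_tests crate with the trimmed list before merging, and add back only the features the compiler reports as missing. Note that "test-util" is not part of "full", so it has to stay whichever of the two options is chosen.
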
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@codegenerator/integration_tests/Cargo.toml` around lines 14 - 21, The tokio
dependency in Cargo.toml currently lists both the "full" meta-feature and
individual features ("macros", "process", "rt-multi-thread", "time",
"test-util"), which is redundant; update the tokio = { version = "1.49",
features = [...] } entry to either remove "full" and keep only the specific
features you need, or remove all individual features and keep only "full" so
that the features list is not duplicated (edit the features array for the tokio
dependency accordingly).
codegenerator/cli/Cargo.toml (2)

47-47: schemars pinned to an alpha prerelease — document as intentional technical debt

=1.0.0-alpha.2 uses an exact-version constraint which prevents any automatic upgrade. Alpha releases carry no stability guarantee, and this pin will require a manual migration when the team is ready to adopt the stable schemars 1.x API. Adding a # TODO comment here preserves the rationale for future contributors.

📝 Suggested comment
-schemars = { version = "=1.0.0-alpha.2", features = ["preserve_order"] }
+# Pinned to alpha to avoid breaking API changes introduced in schemars 1.0 stable.
+# TODO: migrate to stable schemars 1.x once the breaking changes are addressed.
+schemars = { version = "=1.0.0-alpha.2", features = ["preserve_order"] }
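
Review bot: The comment added above the schemars line says only that stable has "breaking API changes"; it should name the concrete blocker so the pin can be lifted deliberately. The commit message in this PR gives it: the stable 1.2.1 release removes the always_inline_schema trait method used in human_config.rs. Because an `=` requirement also blocks every later fix release, the TODO should point at a tracking issue so the pin does not outlive its reason.
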
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@codegenerator/cli/Cargo.toml` at line 47, The schemars dependency is pinned
to an exact alpha prerelease (=1.0.0-alpha.2) which blocks automatic upgrades;
add a concise TODO comment next to the schemars = { version = "=1.0.0-alpha.2",
features = ["preserve_order"] } line in Cargo.toml documenting that this exact
pin is intentional technical debt, why the alpha was chosen (e.g., required
feature/behavior), and that it must be revisited/migrated when schemars 1.x
stabilizes so future contributors understand the rationale.

52-52: Replace tempdir with tempfile for consistency and to use a maintained crate

The tempdir crate was archived in August 2021 and is no longer maintained. The tempfile crate is the official replacement (RustSec advisory RUSTSEC-2018-0017) and is already in use in codegenerator/integration_tests/Cargo.toml (v3.2.0). The tempdir::TempDir API is fully compatible with tempfile::TempDir.

♻️ Suggested replacement
-tempdir = "0.3.7"
+tempfile = "3.2.0"
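
Review bot: Changing the dependency name on the `+tempfile = "3.2.0"` line is not sufficient by itself, because source files that write `tempdir::TempDir` must switch the path to `tempfile::TempDir`, and the constructors differ: `tempdir::TempDir::new` takes a prefix argument, while `tempfile::TempDir::new` takes none (a prefix goes through `tempfile::Builder::new().prefix(...)`). Update the call sites in the same commit and run the crate's tests. Also note that "3.2.0" is a caret requirement, so the lockfile decides which 3.x release is actually built.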

Usages of tempdir::TempDir in template_dirs.rs and config_parsing/graph_migration/mod.rs can remain unchanged, as the APIs are identical.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@codegenerator/cli/Cargo.toml` at line 52, Replace the deprecated crate entry
tempdir = "0.3.7" with tempfile = "3.2.0" in Cargo.toml and update any crate
import paths from tempdir::TempDir to tempfile::TempDir if present; keep usages
in template_dirs.rs and config_parsing/graph_migration/mod.rs unchanged
functionally since tempfile's TempDir API is compatible, but ensure Cargo.toml
dependency name matches and run cargo update/build to verify resolution.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Duplicate comments:
In `@codegenerator/cli/npm/envio/package.json.tmpl`:
- Line 60: The template file's dependencies list places the "tsx" entry in
dependencies (the line with "tsx": "4.21.0") which duplicates the same placement
problem noted in codegenerator/cli/npm/envio/package.json; if "tsx" is a
build/dev-only tool, move that "tsx" entry from dependencies to devDependencies
in this template (package.json.tmpl) so both the template and the actual
package.json consistently declare "tsx" under devDependencies.

"@clickhouse/client": "1.12.1",
"@elastic/ecs-pino-format": "1.4.0",
"@clickhouse/client": "1.17.0",
"@elastic/ecs-pino-format": "1.5.0",
Member

Need to downgrade it to 1.4.0 to keep the old logs format

@DZakh DZakh left a comment

I left one comment. I hope it doesn't break more unexpected things 😵‍💫

The 1.5.0 release changes the log output format, which would break
existing log parsing/monitoring. Keep 1.4.0 to preserve the current
logs format.

https://claude.ai/code/session_01Jz7WG9kiURW412Gjn366vX
@coderabbitai coderabbitai bot left a comment

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)
codegenerator/cli/npm/envio/package.json.tmpl (1)

60-60: ⚠️ Potential issue | 🟡 Minor

Move tsx from dependencies to devDependencies or remove it entirely.

tsx is a TypeScript execution tool used only in test/scenario packages for running mocha tests (via NODE_OPTIONS='--import tsx'). The envio CLI's entry point (local-bin.mjs) does not invoke tsx at runtime, and no source code imports or spawns it. Including tsx in production dependencies unnecessarily bloats the published package for all npm users. If this template is used for local development, move it to devDependencies; otherwise, remove it.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@codegenerator/cli/npm/envio/package.json.tmpl` at line 60, The package.json
template currently lists "tsx" in dependencies which is unnecessary for runtime;
move the "tsx": "4.21.0" entry out of the "dependencies" object into
"devDependencies" (or remove it entirely) so it is not shipped as a production
dependency—verify that no runtime files (e.g., local-bin.mjs) import or spawn
tsx before removing, and update the package.json's dependency objects
accordingly.

@DZakh DZakh left a comment

Nice. Could you update the branch to resolve conflicts?

Resolve conflicts from project restructuring (codegenerator/ → packages/):
- Accept main's deletions of codegenerator/ files (moved to packages/)
- Accept main's deletions of standalone scenario lockfiles (now in root workspace)
- Regenerate Cargo.lock from updated Cargo.toml versions
- Merge test_codegen: keep viem 2.46.2 upgrade, use new envio path
- Regenerate pnpm lockfiles for workspace

https://claude.ai/code/session_01Jz7WG9kiURW412Gjn366vX
@moose-code moose-code requested a review from DZakh February 25, 2026 15:01