Skip to content

chore: update all crates to latest (incl. rmcp 1.x → 2.2.0, 3 security fixes)#11

Merged
AnderEnder merged 2 commits into
mainfrom
chore/update-all-dependencies
Jul 10, 2026
Merged

chore: update all crates to latest (incl. rmcp 1.x → 2.2.0, 3 security fixes)#11
AnderEnder merged 2 commits into
mainfrom
chore/update-all-dependencies

Conversation

@AnderEnder

Copy link
Copy Markdown
Owner

Summary

  • Update all Rust crates to their latest versions. cargo outdated --root-deps-only now reports "All dependencies are up to date" — every direct dependency is at its latest release, including the one major bump (rmcp).
  • Fix 3 security advisories (all resolved within existing semver ranges via cargo update).
  • Upgrade rmcp 1.x → 2.2.0 (major) — the MCP SDK, migrated to the MCP 2025-11-25 spec.

Security advisories resolved

Crate Advisory Severity Fix
quick-xml RUSTSEC-2026-0194 / RUSTSEC-2026-0195 high (7.5) 0.37.5 → 0.41.0 (via feed-rs 2.4.0)
quinn-proto RUSTSEC-2026-0185 high (7.5) 0.11.14 → 0.11.16 (via reqwest)
anyhow RUSTSEC-2026-0190 (unsound) 1.0.102 → 1.0.103

cargo audit is now clean (0 vulnerabilities, was 3).

Key package updates

Package From To Notes
rmcp 1.8.0 2.2.0 major — MCP SDK
feed-rs 2.3.1 2.4.0 pulls quick-xml 0.41.0 (security)
anyhow 1.0.102 1.0.103 unsoundness fix
clap_complete 4.6.5 4.6.7
quinn-proto 0.11.14 0.11.16 transitive (reqwest), security
quick-xml 0.37.5 0.41.0 transitive (feed-rs), security

Plus assorted transitive crate updates from cargo update (bytes, h2, http, regex, rustls, uuid, zerocopy, wasm-bindgen, …).

Breaking change resolved: rmcp 1.x → 2.2.0

rmcp 2.0 aligns its model types with the MCP 2025-11-25 spec. The only source change required was the ContentContentBlock rename (the unified content model replaces the old Annotated<T> wrapper). CallToolResult::success / ::error and the public structured_content field are unchanged, so the tool router, generated output schemas, tool annotations, and structured-content behavior all carried over untouched (invariants #7/#8 preserved).

Verified end-to-end against rss mcp:

  • initialize negotiates protocol 2025-11-25
  • tools/list advertises all four tools with their output schemas
  • a live fetch_feed tools/call returns structuredContent over the wire

Supersedes open Dependabot PRs

Test plan

  • cargo fmt --all --check
  • cargo clippy --all-targets -- -D warnings (clean)
  • cargo build + cargo test from a clean slate — 99 tests pass
  • cargo build --release (fat LTO + panic=abort — the CI-uncovered gate) passes
  • cargo audit — 0 vulnerabilities (was 3)
  • cargo outdated --root-deps-only — all up to date
  • MCP server driven end-to-end (initialize / tools/list / live fetch_feed)
  • CI pipeline passes

Resolves 3 security advisories via cargo update (all within existing
Cargo.toml ranges):

- quick-xml 0.37.5 -> 0.41.0 (via feed-rs 2.3.1 -> 2.4.0)
  fixes RUSTSEC-2026-0194 and RUSTSEC-2026-0195 (both high, 7.5)
- quinn-proto 0.11.14 -> 0.11.16 (via reqwest) fixes RUSTSEC-2026-0185 (high)
- anyhow 1.0.102 -> 1.0.103 fixes RUSTSEC-2026-0190 (unsound)

Also bumps clap_complete 4.6.5 -> 4.6.7 and assorted transitive crates.
cargo audit clean; build, test, clippy -D warnings all pass.
Major bump of the MCP SDK. rmcp 2.0 aligns model types with the MCP
2025-11-25 spec; the only source change needed was the Content ->
ContentBlock rename (unified content model, replacing the Annotated<T>
wrapper). CallToolResult::success/error and the structured_content field
are unchanged, so the tool router, output schemas, annotations, and
structured-content behavior all carry over untouched.

Verified end-to-end against `rss mcp`: initialize negotiates protocol
2025-11-25, tools/list advertises all four tools with output schemas, and
a live fetch_feed tools/call returns structuredContent over the wire.
build, test (99 tests), and clippy -D warnings all pass.

Supersedes Dependabot PR #9.
@AnderEnder AnderEnder changed the title build(deps): update all crates to latest (incl. rmcp 1.x → 2.2.0, 3 security fixes) chore: update all crates to latest (incl. rmcp 1.x → 2.2.0, 3 security fixes) Jul 10, 2026
@AnderEnder AnderEnder merged commit 0adb14a into main Jul 10, 2026
6 checks passed
AnderEnder added a commit that referenced this pull request Jul 10, 2026
First release since v0.1.0. Bundles the accumulated unreleased work:
per-host request gate (#10), all crate deps updated to latest, rmcp
1.x -> 2.2.0, and 3 security advisories resolved (#11).
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant