
Revert "chore(deps): bump digest from 0.10.7 to 0.11.0" #44

Closed
lookbusy1344 wants to merge 1 commit into main from revert-42-dependabot/cargo/digest-0.11.0

Conversation

@lookbusy1344
Owner

Reverts #42

@claude
Contributor

claude bot commented Feb 17, 2026

PR Review: Revert digest 0.10.7 → 0.11.0

Summary

This PR reverts the Dependabot-merged bump of the digest crate from 0.10.7 to 0.11.0 (PR #42), pinning the project back to 0.10. The diff is clean and mechanical — it is purely a version rollback with no logic changes.


Rationale Assessment

This revert is justified. The digest 0.11.0 release is a semver-breaking update that the downstream crypto crates (md-5, sha1, sha2, sha3, whirlpool, blake2) have not yet adopted. Merging #42 introduced an incompatible dual-version dependency graph (both digest 0.10.7 and 0.11.0 coexisted in Cargo.lock), which caused Cargo to pull in two parallel copies of the trait.

The consequence is that calling hash_file_encoded::<D>() in digest_impl.rs with a concrete D type from (say) sha2 would use sha2's digest 0.10 Digest impl, not the digest 0.11 Digest that the crate's own code imported — a classic trait coherence gap that produces compile errors the moment any generic site tries to unify the two versions.


Code Quality

  • The rollback is surgically correct: only Cargo.toml and Cargo.lock are modified.
  • Removing hybrid-array 0.4.7 and crypto-common 0.2.0 from the dependency graph is a net positive — fewer transitive dependencies, smaller supply-chain surface area.
  • No source files needed changes, which confirms the revert is the right fix (the 0.11 API was unused).

Potential Concerns

  1. Dependabot will re-open this. Unless digest 0.11 is ignored in .github/dependabot.yml, Dependabot will attempt the same bump again. Consider adding an ignore rule until all downstream crypto crates (sha2, sha3, etc.) have released versions that depend on digest 0.11:

    # .github/dependabot.yml
    # Only the `ignore` entry comes from the review; the surrounding
    # `updates` entry and its schedule are assumed, filled in so the
    # fragment is a complete, valid Dependabot config.
    version: 2
    updates:
      - package-ecosystem: "cargo"
        directory: "/"
        schedule:
          interval: "weekly"
        ignore:
          - dependency-name: "digest"
            versions: ["0.11.x"]
  2. No pinned upper bound in Cargo.toml. version = "0.10" currently resolves to >=0.10.0, <0.11.0 for digest, which is correct SemVer behaviour for Cargo — but it is worth confirming this is intentional (it is, since 0.11 is a breaking change for the ecosystem).

  3. generic-array dependency. Cargo.toml lists generic-array = "1.3" as a direct dependency. digest 0.10 uses generic-array 0.14. If generic-array 1.x is only needed for digest 0.11 compatibility, it can be removed now that 0.11 is reverted. Worth auditing whether anything else in the project uses it directly.


Performance / Security

No runtime behaviour changes. The hash algorithms in use are identical. No security implications from this version pin.


Test Coverage

The existing unit tests and integration tests cover hash output correctness and will catch any regression if the revert is incorrect. No new tests are needed for a pure dependency version change.


Verdict

Approve. The revert is correct, minimal, and necessary until the RustCrypto ecosystem (sha2, sha3, blake2, etc.) ships digest 0.11-compatible releases. The only follow-up action recommended is suppressing the Dependabot re-trigger and auditing the direct generic-array dependency.
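The failure mode the review describes (two versions of digest in Cargo.lock, hence two copies of the Digest trait) is cheap to detect mechanically; on a real checkout `cargo tree -d` lists such duplicates. The following is an added example, not part of the review or of the project's own code: a std-only Rust scan of a Cargo.lock that reports crates present at more than one version, plus Cargo's caret compatibility rule, which is why `version = "0.10"` resolves to `>=0.10.0, <0.11.0` and why 0.10.7 → 0.11.0 is a breaking bump. The embedded lock fragment is constructed for the example; the digest 0.10.7 / 0.11.0 and crypto-common 0.2.0 versions come from the review, while sha2 0.10.8, block-buffer and crypto-common 0.1.6 are assumed placeholders.

```rust
use std::collections::BTreeMap;

// Constructed Cargo.lock fragment (not the project's real lock file) showing
// the state the review describes: `digest` resolved at two versions at once.
pub const SAMPLE_LOCK: &str = r#"
# This file is automatically @generated by Cargo.
version = 3

[[package]]
name = "digest"
version = "0.10.7"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "block-buffer",
 "crypto-common 0.1.6",
]

[[package]]
name = "digest"
version = "0.11.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "crypto-common 0.2.0",
]

[[package]]
name = "sha2"
version = "0.10.8"
source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
 "digest 0.10.7",
]
"#;

/// Line-oriented scan of a Cargo.lock: collect (name, version) for every
/// `[[package]]` table. Not a full TOML parser, but the lock file layout is
/// regular enough (one key per line, quoted strings) for this check.
pub fn lock_packages(lock: &str) -> Vec<(String, String)> {
    let mut out = Vec::new();
    let mut name: Option<String> = None;
    for line in lock.lines() {
        let line = line.trim();
        if line == "[[package]]" {
            name = None;
        } else if let Some(v) = line.strip_prefix("name = ") {
            name = Some(v.trim_matches('"').to_string());
        } else if let Some(v) = line.strip_prefix("version = ") {
            // The top-level `version = 3` line has no pending name and is skipped.
            if let Some(n) = name.take() {
                out.push((n, v.trim_matches('"').to_string()));
            }
        }
    }
    out
}

/// Crates that appear at more than one version: exactly the condition under
/// which Cargo builds two parallel copies of a crate (and of any trait it
/// defines), so a generic bound on one copy cannot unify with the other.
pub fn duplicate_versions(lock: &str) -> BTreeMap<String, Vec<String>> {
    let mut by_name: BTreeMap<String, Vec<String>> = BTreeMap::new();
    for (n, v) in lock_packages(lock) {
        by_name.entry(n).or_default().push(v);
    }
    by_name.into_iter().filter(|(_, vs)| vs.len() > 1).collect()
}

fn parse_semver(v: &str) -> Option<(u64, u64, u64)> {
    let mut it = v.split('.').map(|p| p.parse::<u64>().ok());
    Some((it.next()??, it.next()??, it.next()??))
}

/// Cargo's caret rule: two versions are compatible when the leftmost non-zero
/// component matches. So a `"0.10"` requirement means >=0.10.0, <0.11.0, and
/// 0.11.0 is a new "major" that can coexist with 0.10.x in the lock file.
pub fn caret_compatible(a: &str, b: &str) -> bool {
    match (parse_semver(a), parse_semver(b)) {
        (Some((ma, mi_a, pa)), Some((mb, mi_b, pb))) => {
            if ma != mb {
                return false;
            }
            if ma > 0 {
                return true;
            }
            if mi_a != mi_b {
                return false;
            }
            if mi_a > 0 {
                return true;
            }
            pa == pb
        }
        _ => false,
    }
}

fn main() {
    for (name, versions) in duplicate_versions(SAMPLE_LOCK) {
        let compat = caret_compatible(&versions[0], &versions[1]);
        println!("{name}: {versions:?} (caret-compatible: {compat})");
    }
}
```

Run against the sample it reports `digest: ["0.10.7", "0.11.0"] (caret-compatible: false)`, which is the dual-version graph the review says #42 introduced; the same scan can be pointed at a real Cargo.lock in CI to fail a dependency bump before it reaches a trait-coherence compile error.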

lookbusy1344 deleted the revert-42-dependabot/cargo/digest-0.11.0 branch on February 17, 2026 09:33