chore(deps): update Tier 1 + Tier 2 dependencies (backend & frontend) (#177)

* chore(deps): update Tier 1 + Tier 2 dependencies (backend & frontend)

Tier 1 — safe patch/lockfile bumps:
- cargo update (lockfile refresh)
- serde-saphyr 0.0.21 → 0.0.22
- bun update in ui/, docs/, e2e/

Tier 2 — 0.x minor bumps with code fixes:
- bzip2 0.5 → 0.6 (now uses pure-Rust libbz2-rs-sys)
- getrandom 0.3 → 0.4
- tokio-tungstenite 0.28 → 0.29
- rand 0.9 → 0.10 (Rng → RngExt trait migration)
- Added cargo-deny exception for libbz2-rs-sys bzip2-1.0.6 license

Signed-off-by: Devin AI <devin@streamkit.dev>
Signed-off-by: StreamKit Devin <devin@streamkit.dev>
Co-Authored-By: Claudio Costa <cstcld91@gmail.com>

* fix(ui): use Getter<T> instead of Signal<T> in waitForSignalValue

Widens the parameter type from the concrete Signal class to the Getter
interface. This avoids TypeScript #private field incompatibility when
@moq/signals instances are duplicated across nested @moq/* packages.

Also restores ^0.1.3 semver range for @moq/signals.

Signed-off-by: Devin AI <devin@streamkit.dev>
Signed-off-by: StreamKit Devin <devin@streamkit.dev>
Co-Authored-By: Claudio Costa <cstcld91@gmail.com>

* fix(ui): regenerate bun lockfiles to deduplicate @codemirror/state

The previous bun.lock had stale resolutions that caused 11 separate
copies of @codemirror/state to be installed (one at 6.6.0, ten nested
at 6.5.2). This broke CodeMirror's instanceof checks at runtime,
crashing the PipelineEditor component.

Regenerating all three lockfiles from scratch resolves to a single
copy of each @codemirror/* package.

Signed-off-by: StreamKit Devin <devin@streamkit.dev>
Co-Authored-By: Claudio Costa <cstcld91@gmail.com>

* speed up

* dedup

* fix: wrong ui mirroring

* lint fix

* fix lint

---------

Signed-off-by: Devin AI <devin@streamkit.dev>
Signed-off-by: StreamKit Devin <devin@streamkit.dev>
Co-authored-by: StreamKit Devin <devin@streamkit.dev>
Co-authored-by: Claudio Costa <cstcld91@gmail.com>

Author: 3 people

Cargo.lock

@@ -39,7 +39,7 @@ bytes = "1.11.0"
 futures = "0.3.31"
 
 serde = { version = "1.0.228", features = ["derive", "rc"] }
-serde-saphyr = "0.0.21"
+serde-saphyr = "0.0.22"
 serde_json = "1.0"
 indexmap = { version = "2.13", features = ["serde"] }
 

Cargo.toml

@@ -24,7 +24,7 @@ clap = { version = "4.6", features = ["derive"] }
 # For HTTP client functionality
 reqwest = { version = "0.13", features = ["multipart", "stream", "json"] }
 # For WebSocket client
-tokio-tungstenite = { version = "0.28.0", features = ["native-tls"] }
+tokio-tungstenite = { version = "0.29", features = ["native-tls"] }
 url = "2.5.8"
 
 # For async runtime
@@ -49,7 +49,7 @@ uuid = { version = "1.22", features = ["v4"] }
 
 # For load testing
 toml = "1.0"
-rand = "0.9"
+rand = "0.10"
 tokio-util = "0.7.18"
 anyhow = "1.0"
 serde = { workspace = true }

apps/skit-cli/Cargo.toml

@@ -2,7 +2,7 @@
 //
 // SPDX-License-Identifier: MPL-2.0
 
-use rand::Rng;
+use rand::RngExt;
 use serde::Serialize;
 use std::collections::HashMap;
 use std::sync::Arc;

apps/skit-cli/src/load_test/metrics.rs

@@ -3,7 +3,7 @@
 // SPDX-License-Identifier: MPL-2.0
 
 use anyhow::Result;
-use rand::{distr::Alphanumeric, Rng};
+use rand::{distr::Alphanumeric, RngExt};
 use std::sync::Arc;
 use tokio::sync::{mpsc, Mutex};
 use tokio::time::{sleep, Duration};

apps/skit-cli/src/load_test/scenarios.rs

@@ -2,7 +2,7 @@
 //
 // SPDX-License-Identifier: MPL-2.0
 
-use rand::{distr::Alphanumeric, Rng};
+use rand::{distr::Alphanumeric, RngExt};
 use std::time::Instant;
 use tokio::sync::mpsc;
 use tracing::{debug, warn};

apps/skit-cli/src/load_test/workers.rs

@@ -66,7 +66,7 @@ multer = "3.1"
 tar = "0.4"
 zstd = "0.13"
 flate2 = "1.1"
-bzip2 = "0.5"
+bzip2 = "0.6"
 
 # For embedding static files
 rust-embed = "8.11"
@@ -126,7 +126,7 @@ jsonwebtoken = { version = "10.2.0", default-features = false, features = ["aws_
 sha2 = "0.10"
 hex = "0.4"
 thiserror = "2.0"
-getrandom = "0.3"
+getrandom = "0.4"
 aws-lc-rs = "1"
 
 # For MoQ auth path matching (optional, with moq feature)
@@ -146,7 +146,7 @@ compositor = ["streamkit-nodes/compositor", "streamkit-engine/compositor"]
 
 [dev-dependencies]
 tokio-test = "0.4.5"
-tokio-tungstenite = "0.28"
+tokio-tungstenite = "0.29"
 futures-util = "0.3"
 ogg = "0.9.2"
 opus = "0.3.1"

apps/skit/Cargo.toml

@@ -16,7 +16,7 @@ readme = "README.md"
 streamkit-core = { version = "0.2.0", path = "../core" }
 serde = { version = "1.0.228", features = ["derive", "rc"] }
 serde_json = "1.0"
-serde-saphyr = "0.0.21"
+serde-saphyr = "0.0.22"
 ts-rs = { version = "12.0.1" }
 indexmap = { version = "2.12", features = ["serde"] }
 

crates/api/Cargo.toml

@@ -70,11 +70,6 @@ feature-depth = 1
 # A list of advisory IDs to ignore. Note that ignored advisories will still
 # output a note when they are encountered.
 ignore = [
-  # paste is unmaintained but still functional. It's a transitive dependency from
-  # moq-transport and mp4-atom (via hang). No security vulnerability, just maintenance
-  # status. Will be resolved when upstream moq ecosystem migrates to pastey.
-  { id = "RUSTSEC-2024-0436", reason = "transitive dep from moq ecosystem, no security issue" },
-
   # rustls-pemfile is unmaintained. We upgraded axum-server to 0.8 which removed it,
   # but moq-native still depends on it. Will be resolved when moq-native updates.
   { id = "RUSTSEC-2025-0134", reason = "transitive dep from moq-native, no security issue" },
@@ -119,6 +114,10 @@ exceptions = [
   # Each entry is the crate and version constraint, and its specific allow
   # list
   #{ allow = ["Zlib"], crate = "adler32" },
+
+  # libbz2-rs-sys is a pure-Rust reimplementation of bzip2. It uses the original
+  # bzip2 license (BSD-style permissive) which isn't a standard SPDX identifier.
+  { allow = ["bzip2-1.0.6"], crate = "libbz2-rs-sys" },
 ]
 
 # Some crates don't have (easily) machine readable licensing information,