chore(deps): bump verifiable dependencies to latest stable (#224) #227
Open
kirich1409 wants to merge 7 commits into
Conversation
The Analyze Kotlin job failed with 'no source code seen during build' (exit code 32): assembleDebug compile tasks were served from cache / marked UP-TO-DATE, so CodeQL's tracer observed no Kotlin source. Add --no-build-cache --rerun-tasks to the CodeQL build step to force actual recompilation, giving the tracer source to analyze.

Co-authored-by: Claude <noreply@anthropic.com>
- Bump VERSION_NAME to 1.0.0
- Add [1.0.0] CHANGELOG entry (Android-facing API as primary stable target)
- Fix mkdocs: exclude cc-verification/specs, add Known Limitations to nav, move iOS guides to "iOS Preview" section, update site_description
- Add "Stable in 1.0" admonition to Android guide
- Add "Preview" admonitions to iOS guides
- Fix CodeQL workflow: build-mode=manual + --no-build-cache --rerun-tasks
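The two commit messages above describe the failure mode (a cached or UP-TO-DATE Gradle build means no compiler process runs, so the CodeQL tracer captures nothing and the scan silently covers zero Kotlin source) and the fix (build-mode manual plus forced recompilation). The workflow below is an added illustration of that fix, not the repository's own workflow file: the job name, trigger branches, JDK distribution and version, and the SARIF category are assumptions; the build-mode setting and the two Gradle flags are the ones the commits state.

```yaml
name: CodeQL

on:
  push:
    branches: [main]      # assumed trigger; adjust to the repo's branch layout
  pull_request:

jobs:
  analyze-kotlin:          # assumed job name
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write   # needed so analyze can upload SARIF results

    steps:
      - uses: actions/checkout@v4

      # JDK setup is assumed here; the PR only states the repo's composite
      # action pins setup-java@v5. Distribution and version are placeholders.
      - uses: actions/setup-java@v5
        with:
          distribution: temurin
          java-version: '17'

      - uses: github/codeql-action/init@v3
        with:
          languages: java-kotlin
          # manual: we run the compiler ourselves so the tracer can observe it,
          # instead of letting the action guess a build command.
          build-mode: manual

      # --rerun-tasks forces every task to execute even if Gradle considers it
      # UP-TO-DATE; --no-build-cache stops compile outputs being restored from
      # the build cache. Either shortcut would skip kotlinc, and CodeQL would
      # then exit 32 with "no source code seen during build".
      - name: Build with forced recompilation for the CodeQL tracer
        run: ./gradlew assembleDebug --no-build-cache --rerun-tasks

      - uses: github/codeql-action/analyze@v3
        with:
          category: /language:java-kotlin   # assumed category label
```

A useful sanity check after adopting this is to confirm the Analyze job's log shows Kotlin compile tasks actually executing (no FROM-CACHE or UP-TO-DATE markers on the compile tasks) and that the database summary reports a non-zero number of source files; a green scan over an empty database is the quiet failure the commits are guarding against.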
* test(shrinker): cover -keep defeating flag dead-code elimination

  A consumer -keep rule (often a broad wildcard or @keep) that covers a flag-guarded class defeats R8 tree-shaking: -assumevalues still folds the disabled branch (behaviour unchanged), but the class itself is pinned as an unconditional GC root and ships in the APK despite being unreachable — silently losing the size benefit of build-time flags.

  - Add writeBooleanRulesWithKeptDeadBranch() modelling the pitfall
  - Add a regression test asserting the dead-branch class survives the keep
  - Document the two-phase elimination model and keep-rule guidance in the R8 verification guide

* test(shrinker): assert branch folding in keep regression; fix docs

  Address review feedback on the -keep regression test and guide:

  - The keep test now also asserts BifurcatedCaller no longer references IfBranchCode, proving R8 still folded the disabled branch (phase 1) rather than only keeping the class alive via the kept caller. Adds assertClassDoesNotReference() (ASM bytecode inspection).
  - Move -dontoptimize out of the 'not a problem' list in the R8 guide into a distinct hazard note — it suppresses elimination and must not be grouped with the harmless accessor-method keep.

---------

Co-authored-by: Claude <noreply@anthropic.com>
Wide-net dependency upgrade toward the Dependabot vulnerability audit:

- kotlin 2.3.10 -> 2.3.21 (cascades to KMP/JVM/serialization/compose-compiler)
- kotlinx-coroutines 1.10.2 -> 1.11.0
- mockk 1.14.9 -> 1.14.11
- asm 9.7 -> 9.10.1
- spotless 8.4.0 -> 8.6.0
- composeHotReload 1.0.0 -> 1.1.1
- Gradle wrapper 9.4.1 -> 9.5.1
- setup-build-env action: setup-java v4 -> v5, setup-gradle v3 -> v6

Versions confirmed as latest stable from Maven Central / Gradle Plugin Portal / services.gradle.org. Google-Maven-hosted deps (AGP, androidx, firebase, r8, lint) are left untouched as they could not be verified in this environment; CI validates the build across Android/JVM/iOS.

https://claude.ai/code/session_0116RWpER7w8gnANsC6Y1cTQ
Summary
Wide-net dependency upgrade toward the Dependabot vulnerability audit in #224 (33 advisories: 13 high / 17 moderate / 3 low). Per the issue, this takes the "upgrade to latest stable" approach rather than per-advisory triage.
Every target below was confirmed as the latest stable (non RC/alpha/beta) release from Maven Central, the Gradle Plugin Portal, or services.gradle.org.

Version catalog (gradle/libs.versions.toml)

- kotlin 2.3.10 → 2.3.21
- kotlinx-coroutines 1.10.2 → 1.11.0
- mockk 1.14.9 → 1.14.11
- asm 9.7 → 9.10.1
- spotless 8.4.0 → 8.6.0
- composeHotReload 1.0.0 → 1.1.1

The kotlin bump cascades (intentionally) to the shared Kotlin Multiplatform / JVM / serialization / Compose-compiler plugin versions and kotlin-test.

Build tooling

- .github/actions/setup-build-env: actions/setup-java@v4 → v5, gradle/actions/setup-gradle@v3 → v6 (these composite-action pins lagged the rest of the workflows, which already use v5/v6).

Scope / limitations

This change was prepared in an environment where Google's Maven repo (maven.google.com), the OSV API, and the repo's Dependabot alert page were network-blocked, and no tooling exposed the live alert list. Consequences:

- Left untouched: androidx.*, material, firebase-bom, preference, r8, lint, and the hardcoded com.android.tools.build:gradle in the plugin build. These resolve only from Google Maven; lint is pinned to AGP + 23.0.0 and the hardcoded AGP must equal the catalog agp, so AGP was deliberately left in place rather than changed to an unverifiable guess.

Risk

kotlin 2.3.10 → 2.3.21 is patch-level but couples to SKIE 0.10.10 (iOS framework) and the Compose compiler. Normally SKIE-safe within a 2.3.x patch, but CI's iOS/KMP targets are the real check.

Follow-up

The 33 advisories likely include transitive deps pulled through Firebase/ConfigCat/AGP that can only be enumerated with the live Dependabot list or an OSV scan. Once that data is available, a precise second pass can add version constraints / bumps for any remaining transitive advisories.

Verification

- ./gradlew test
- ./gradlew spotlessCheck

Closes #224 (pending the transitive follow-up noted above)
https://claude.ai/code/session_0116RWpER7w8gnANsC6Y1cTQ
Generated by Claude Code