feat(vite_task): gate fspy behind cfg for non-supported OSes #352
Merged
branchseer merged 4 commits into main, Apr 24, 2026
Introduces a custom cfg(fspy) (set by vite_task's build.rs when target_os is windows/macos/linux) and moves the fspy dep into a matching target block. Tasks still run on any target (e.g. android, freebsd); auto-inferred caching is refused with a new CacheNotUpdatedReason::FspyUnsupported that prints "Configure `input` manually to enable caching." in the summary.

- spawn() always builds tokio::process::Command directly; fspy::Command is only constructed inside spawn_fspy (cfg(fspy) only)
- fspy::Command::into_tokio_command is now pub(crate)
- PathRead moves from tracked_accesses.rs (fspy-gated) to fingerprint.rs
- Off-path verification: `mise check-android` clippy-checks the full codebase against aarch64-linux-android

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Consolidates the two nix versions in the dep graph (0.30.1 and 0.31.1) onto 0.31.2, matching the version already pulled in transitively by dispatch2.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
branchseer added a commit that referenced this pull request, Apr 24, 2026
## Motivation

The Security Analysis job (which runs `cargo deny check` whenever `Cargo.lock` changes) fails on every PR that touches `Cargo.lock` because `serde_yml v0.0.12` trips [RUSTSEC-2025-0068](https://rustsec.org/advisories/RUSTSEC-2025-0068): the crate is unsound (`Serializer.emitter` can segfault), the upstream project has been archived, and the advisory explicitly states "No safe upgrade is available". The only fix is to move off `serde_yml`.

Example failure: [run 24874266956 on #352](https://github.com/voidzero-dev/vite-task/actions/runs/24874266956/job/72827299235?pr=352).

## Summary

- Replace `serde_yml = "0.0.12"` with `serde_norway = "0.9.42"` in the workspace `Cargo.toml` and in `crates/vite_workspace/Cargo.toml`.
- Update `vite_workspace::load_package_graph` to call `serde_norway::from_slice` for `pnpm-workspace.yaml`.
- Rename the error variant `Error::SerdeYml { serde_yml_error: serde_yml::Error }` → `Error::SerdeYaml { serde_yaml_error: serde_norway::Error }` so the type stays generic over the backing crate.
- Regenerate `Cargo.lock` (adds `serde_norway`, `unsafe-libyaml-norway`; drops `serde_yml`, `libyaml-safer`, and their exclusive transitive deps).

## Why `serde_norway` over the other forks

`serde_yml`'s RUSTSEC advisory lists four alternatives; both maintained `serde_yaml` forks (`serde_norway` and `serde_yaml_ng`) are drop-in compatible. `serde_norway` is more actively maintained (last release Dec 2024 vs May 2024), dual-licensed MIT/Apache-2.0, and ships its own `unsafe-libyaml-norway` fork of the C bindings so future advisories against libyaml can be patched without waiting on upstream.

## Test plan

- [x] `cargo deny check --config <oxc security-action deny.toml>` → `advisories ok, bans ok, licenses ok, sources ok` (was `unsound: RUSTSEC-2025-0068` before)
- [x] `cargo test -p vite_workspace` → 79 passed
- [x] `cargo clippy -p vite_workspace --all-targets -- -D warnings` → clean

---------

Co-authored-by: Claude <noreply@anthropic.com>

## Motivation

`vite_task` was hard-wired to the `fspy` (file-access tracing) crate, which only builds on Windows, macOS, and Linux. That made the whole task-runner crate uncompilable on other targets (Android, FreeBSD, etc.) — a blocker for anyone embedding `vite_task` elsewhere, and for cross-compilation sanity checks.

This PR lets `vite_task` compile on any target: fspy is present on the three supported OSes as before, and absent on others. On the latter, tasks still execute; only `input` auto-inference is unavailable, and the summary tells the user how to re-enable caching explicitly.

## Summary

- `cfg(fspy)` set by `vite_task`'s `build.rs` when `target_os` is windows/macos/linux, with a matching `[target.'cfg(any(...))'.dependencies]` block for the `fspy` dep (target cfgs and build-script cfgs must stay in sync — documented in `build.rs`).
- `cfg(not(fspy))`: `spawn(cmd, fspy: true, ...)` silently takes the tokio path; `ChildOutcome.path_accesses` and the whole `tracked_accesses` module are cfg-gated out.
- `spawn()` now always builds `tokio::process::Command` directly; `fspy::Command` is only constructed inside `spawn_fspy`. `fspy::Command::into_tokio_command` became `pub(crate)`.
- `CacheNotUpdatedReason::FspyUnsupported` surfaced in the summary as: `` → Not cached: `input` auto-inference isn't supported on this OS. Configure `input` manually to enable caching. ``
- Cache lookups and post-run fingerprint validation of existing entries still work on unsupported OSes — only cache creation requiring auto-inferred inputs is refused.
- `PathRead` moves from the fspy-gated `tracked_accesses.rs` to `fingerprint.rs` (usable on both builds).

## Test plan

- `cargo test -p vite_task`, `cargo test -p vite_task_bin --test e2e_snapshots`, `cargo test -p vite_task_plan --test plan_snapshots`
- `just lint-linux`, `just lint-windows`
- `mise check-android` (cross-compiles `vite_task` to `aarch64-linux-android`, clippy-checks with `--all-targets --all-features -- -D warnings`)
- `cargo ndk -t arm64-v8a tree -p vite_task | grep fspy` returns nothing
- `just lint`, `cargo fmt --check`

🤖 Generated with Claude Code
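
The build-script/manifest pairing from the Summary, as an added Rust sketch that is not `vite_task`'s own `build.rs`: it shows why `aarch64-linux-android` (whose `target_os` is `android`) gets no `cfg(fspy)`, and adds a drift check between the two OS lists. All function names, `SAMPLE_MANIFEST` and the `fspy` version placeholder are assumptions.

```rust
// Added illustration, not vite_task's build.rs. Only `fspy`, the three OS names and
// the android target come from the page; every function name here is hypothetical.

/// Target OSes on which the page says the fspy crate builds.
const FSPY_TARGET_OSES: [&str; 3] = ["windows", "macos", "linux"];

/// Directives a build script would print for `target_os`.
/// `rustc-check-cfg` declares the custom cfg on every target so the
/// `unexpected_cfgs` lint accepts `#[cfg(fspy)]` even where it is never set.
fn build_script_directives(target_os: &str) -> Vec<String> {
    let mut out = vec!["cargo::rustc-check-cfg=cfg(fspy)".to_string()];
    if FSPY_TARGET_OSES.contains(&target_os) {
        out.push("cargo::rustc-cfg=fspy".to_string());
    }
    out
}

/// The `[target.'cfg(...)'.dependencies]` header that matches the list above.
fn manifest_dependency_header() -> String {
    let preds: Vec<String> =
        FSPY_TARGET_OSES.iter().map(|os| format!("target_os = \"{os}\"")).collect();
    format!("[target.'cfg(any({}))'.dependencies]", preds.join(", "))
}

/// Drift check: true only if the manifest gates a dependency table on exactly
/// the OS list the build script uses (exact-text match, for illustration).
fn manifest_in_sync(cargo_toml: &str) -> bool {
    let header = manifest_dependency_header();
    cargo_toml.lines().any(|line| line.trim() == header)
}

// Constructed manifest fragment (placeholder version), not the project's Cargo.toml.
const SAMPLE_MANIFEST: &str = r#"
[target.'cfg(any(target_os = "windows", target_os = "macos", target_os = "linux"))'.dependencies]
fspy = "0.0.0"
"#;

fn main() {
    // Cargo exports the *target* OS to build scripts in CARGO_CFG_TARGET_OS;
    // `cfg!(target_os = ...)` inside build.rs would describe the host instead.
    let target_os = std::env::var("CARGO_CFG_TARGET_OS")
        .unwrap_or_else(|_| std::env::consts::OS.to_string());
    for directive in build_script_directives(&target_os) {
        println!("{directive}");
    }
    assert!(manifest_in_sync(SAMPLE_MANIFEST), "manifest and build script disagree");
}
```

If the two lists drift, the failure mode is either an unresolved `fspy` import on a target where the cfg is set but the dependency is absent, or an unused dependency pulled into a target that never enables the gated code.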