Skip to content

20260413 update clvmr main 0 17 5#441

Open
prozacchiwawa wants to merge 18 commits into
mainfrom
20260413-update-clvmr-main-0-17-5
Open

20260413 update clvmr main 0 17 5#441
prozacchiwawa wants to merge 18 commits into
mainfrom
20260413-update-clvmr-main-0-17-5

Conversation

@prozacchiwawa

@prozacchiwawa prozacchiwawa commented Apr 14, 2026

Copy link
Copy Markdown
Contributor

Note

Medium Risk
Moderate risk because it upgrades core Rust/CLVM dependencies (clvmr, chia-bls, getrandom, rand*) and adjusts dialect flag handling, which could affect program execution semantics and build outputs across targets.

Overview
Pins CI and repo toolchains to Rust 1.94.1 (including wheel/crate builds and WASM/npm workflows) and updates the npm publish job to Node 24.x, adding explicit RUSTFLAGS for the wasm-pack build.

Updates core dependencies to match newer clvmr (0.17.x) and related crates (notably chia-bls downgrade to 0.38.2, getrandom to 0.3, and rand/rand_chacha to 0.10), with corresponding lockfile churn in both Cargo.lock and wasm/Cargo.lock.

Adapts classic CLVM execution/compile stages to the new clvmr dialect API by migrating from raw flag bitmasks to ClvmFlags, introducing choose_run_flags() and ensuring flags are set/restored around nested run_program calls. Test RNG usage is updated for the newer rand APIs, and a pinned support/chia-gaming-cargo.toml is added and wired into the chia-gaming workflow to keep integration tests building against the intended dependency set.

Reviewed by Cursor Bugbot for commit 5084771. Bugbot is set up for automated code reviews on this repo. Configure here.

@socket-security

socket-security Bot commented Apr 14, 2026

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security
Vulnerability Quality Maintenance License
Updatedcargo/​chia-bls@​0.42.0 ⏵ 0.38.210010093100100
Updatedcargo/​rand@​0.8.5 ⏵ 0.10.1100 +1100 +193100100
Updatedcargo/​rand_chacha@​0.3.1 ⏵ 0.10.010010093100100
Updatedcargo/​rand_core@​0.6.4 ⏵ 0.10.110010093100100
Updatedcargo/​clvmr@​0.16.2 ⏵ 0.17.797100100100100

View full report

@socket-security

socket-security Bot commented Apr 14, 2026

Copy link
Copy Markdown

All alerts resolved. Learn more about Socket for GitHub.

This PR previously contained dependency changes with security issues that have been resolved, removed, or ignored.

Ignoring alerts on:

  • cargo/anyhow@1.0.102
  • cargo/libm@0.2.16
  • cargo/malachite-nz@0.9.1
  • cargo/paste@1.0.15
  • cargo/prettyplease@0.2.36
  • cargo/prettyplease@0.2.34
  • cargo/wasmparser@0.244.0
  • cargo/wit-bindgen@0.51.0
  • cargo/wit-bindgen@0.57.1
  • cargo/wit-bindgen-rust@0.51.0
  • cargo/wit-bindgen-rust-macro@0.51.0
  • cargo/wit-component@0.244.0

View full report

@prozacchiwawa

Copy link
Copy Markdown
Contributor Author

@SocketSecurity ignore cargo/libm@0.2.16

@prozacchiwawa

Copy link
Copy Markdown
Contributor Author

@SocketSecurity ignore cargo/malachite-nz@0.9.1

@prozacchiwawa

Copy link
Copy Markdown
Contributor Author

@SocketSecurity ignore cargo/paste@1.0.15

Comment thread .github/workflows/build-crate.yml
Comment thread src/classic/clvm_tools/stages/stage_2/operators.rs Outdated
aqk
aqk previously approved these changes Apr 27, 2026
aqk
aqk previously approved these changes Apr 27, 2026
@prozacchiwawa

Copy link
Copy Markdown
Contributor Author

@SocketSecurity ignore cargo/anyhow@1.0.102

@aqk

aqk commented Apr 28, 2026

Copy link
Copy Markdown
Contributor

@SocketSecurity ignore cargo/prettyplease@0.2.34 cargo/wasmparser@0.244.0 cargo/wit-bindgen-rust-macro@0.51.0 cargo/wit-bindgen-rust@0.51.0 cargo/wit-bindgen@0.57.1

@aqk

aqk commented Apr 28, 2026

Copy link
Copy Markdown
Contributor

@SocketSecurity ignore cargo/prettyplease@0.2.34 cargo/wasmparser@0.244.0 cargo/wit-bindgen-rust-macro@0.51.0 cargo/wit-bindgen-rust@0.51.0 cargo/wit-bindgen@0.57.1 cargo/prettyplease@0.2.36 cargo/wit-bindgen@0.51.0

@cursor cursor Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Cursor Bugbot has reviewed your changes and found 1 potential issue.

Fix All in Cursor

❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.

Reviewed by Cursor Bugbot for commit 5cc5d54. Configure here.

Comment thread Cargo.toml Outdated
@prozacchiwawa

Copy link
Copy Markdown
Contributor Author

@SocketSecurity ignore cargo/wit-component@0.244.0

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants