Skip to content

Upgrade all dependencies#788

Merged
jviotti merged 1 commit into
mainfrom
new-deps-6
Jun 29, 2026
Merged

Upgrade all dependencies#788
jviotti merged 1 commit into
mainfrom
new-deps-6

Conversation

@jviotti

@jviotti jviotti commented Jun 29, 2026

Copy link
Copy Markdown
Member

Signed-off-by: Juan Cruz Viotti jv@jviotti.com

Review in cubic

Signed-off-by: Juan Cruz Viotti <jv@jviotti.com>

@cubic-dev-ai cubic-dev-ai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

No issues found across 63 files

Re-trigger cubic

@augmentcode

augmentcode Bot commented Jun 29, 2026

Copy link
Copy Markdown
🤖 Augment PR Summary

Summary: This PR updates the repository’s pinned dependency SHAs (core/jsonbinpack/blaze and the JSON Schema Test Suite) to newer upstream revisions.

Changes:

  • Bumps core, blaze, and jsonbinpack revisions in DEPENDENCIES (and corresponding vendor dependency files).
  • Pulls in upstream Blaze changes that adjust JSON Pointer concatenation usage (newer pointer API).
  • Updates Sourcemeta Core with new JSON Pointer convenience overloads and URI helpers (scheme + gen-delim checks, improved relativization).
  • Adds a JOSE JWKSProvider for cached JWKS retrieval + token verification with refresh/rotation handling.
  • Adds a new JSON-LD 1.1 processor module (expand/compact/flatten) and associated error type.
  • Extends Core’s JSON object internals with a hash-aware key equality helper for faster key comparisons.

Technical Notes: Several of the changes are in vendored dependencies and may alter public APIs/behavior (e.g., JSON Pointer concatenation and new JSON-LD/JOSE surface area).

🤖 Was this summary useful? React with 👍 or 👎

@augmentcode augmentcode Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Review completed. 2 suggestions posted.

Fix All in Augment

Comment augment review to trigger a new review at any time.

const std::optional<std::string_view> expected_subject,
const std::optional<std::string_view> expected_type)
-> std::optional<JWTVerificationError> {
const auto now{this->clock_()};

@augmentcode augmentcode Bot Jun 29, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

JWKSProvider::verify calls the injected clock_() without any exception guard, so a throwing test/consumer clock would escape verify() (unlike the fetcher which is explicitly contained). Consider whether verify() should treat a throwing clock as a failed verification path to keep its “never escape verification” resilience story consistent.

Severity: low

Fix This in Augment

🤖 Was this useful? React with 👍 or 👎, or 🚀 if it prevented an incident/outage.

-> JSON {
// Compaction operates on input already in expanded document form. Callers
// that hold a non-expanded document expand it first.
assert(jsonld_is_expanded(input));

@augmentcode augmentcode Bot Jun 29, 2026

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These are exported entry points, but assert(jsonld_is_expanded(input)) means release builds will accept non-expanded input and continue with potentially nonsensical results instead of failing fast. Consider whether this should be a runtime check/error (or at least explicitly documented as undefined behavior) to avoid surprising production behavior.

Severity: medium

Other Locations
  • vendor/core/src/core/jsonld/jsonld.cc:141

Fix This in Augment

🤖 Was this useful? React with 👍 or 👎, or 🚀 if it prevented an incident/outage.

@jviotti jviotti merged commit bcec7ff into main Jun 29, 2026
15 checks passed
@jviotti jviotti deleted the new-deps-6 branch June 29, 2026 20:34
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant