Major Version Updates Test Results

Branch: test-major-updates
Date: March 7, 2026

Updates Tested

1. salvo 0.74.3 → 0.89.2

Status: ✅ COMPATIBLE (with 1 fix)

Breaking Change Found:

• TcpListener::new() now requires 'static bound on address parameter
• File: crates/terraphim_github_runner_server/src/main.rs:426
• Fix: Changed TcpListener::new(&addr) to TcpListener::new(addr) (pass owned String instead of reference)

Before:

let addr = format!("{}:{}", settings.host, settings.port);
let acceptor = TcpListener::new(&addr).bind().await;  // Error: doesn't live long enough

After:

let addr = format!("{}:{}", settings.host, settings.port);
let acceptor = TcpListener::new(addr).bind().await;   // OK: owned String

Security Fixes in salvo 0.89.2:

• CSRF timing attack prevention (constant-time comparison)
• Session secret key length validation (now requires 64 bytes)
• Path traversal protection in serve-static
• Upload ID validation in TUS

2. zip 2.4.2 → 7.2.0

Status: ✅ COMPATIBLE (no changes needed)

No breaking changes affecting this codebase.

Test Results

cargo check --workspace     ✅ Success
cargo test --workspace --lib ✅ 108 passed; 0 failed

Recommendation

SAFE TO MERGE both updates:

1. salvo update includes important security fixes
2. Only 1 line change required (already applied)
3. All tests pass
4. zip update is backward compatible

Action Required

Merge this branch to main to get:

• Security fixes from salvo 0.89.2
• Latest zip library improvements
• Updated dependencies in Cargo.lock