Skip to content

chore(deps): bump alloy-json-rpc from 1.8.3 to 2.0.5#1459

Closed
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/cargo/alloy-json-rpc-2.0.5
Closed

chore(deps): bump alloy-json-rpc from 1.8.3 to 2.0.5#1459
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/cargo/alloy-json-rpc-2.0.5

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 15, 2026

Copy link
Copy Markdown
Contributor

Bumps alloy-json-rpc from 1.8.3 to 2.0.5.

Release notes

Sourced from alloy-json-rpc's releases.

v2.0.5

What's Changed

New Contributors

Full Changelog: alloy-rs/alloy@v2.0.4...v2.0.5

v2.0.4

... (truncated)

Changelog

Sourced from alloy-json-rpc's changelog.

2.0.5 - 2026-05-18

Bug Fixes

  • [ci] Satisfy zepter secp256k1 propagation (#3993)
  • [network] Preserve transaction request extra fields
  • [consensus] Correct recovered transaction docs (#3984)
  • [signer-ledger] Reject invalid derivation paths (#3960)
  • [consensus-any] Saturate baseFeePerGas above u64::MAX on deser (#3741) (#3976)
  • [eips] Avoid panic in 7594 match_versioned_hashes (#3975)
  • [signer-trezor] Reject unsupported tx types (#3959)
  • [transport] Make retry queue count cancel-safe (#3956)
  • [signer-trezor] Dispatch EIP-1559 by tx type (#3958)
  • [rpc-types-trace] Default missing/null CallOutput.output to empty bytes (#3931)
  • [eip1559] Prevent divide-by-zero in next base fee calculation
  • [provider] Clean up failed impersonated sends (#3944)
  • Deduplicate AnyRpcTransaction conversion helpers (#3947)
  • [ci] Stabilize main red tests (#3942)

Dependencies

  • [deps] Bump github/codeql-action from 4.35.2 to 4.35.4 (#3990)
  • [deps] Bump taiki-e/install-action from 2.75.27 to 2.77.1
  • [deps] Bump crate-ci/typos from 1.45.0 to 1.46.0 (#3965)
  • [deps] Bump taiki-e/install-action from 2.75.20 to 2.75.27 (#3964)
  • [deps] Bump taiki-e/install-action from 2.75.15 to 2.75.20 (#3946)
  • [deps] Bump foundry-rs/foundry-toolchain from 1.7.0 to 1.8.0 (#3945)

Documentation

  • [rpc-types-eth] Correct sealed_header docs (#3995)
  • [node-bindings] Clarify Reth genesis behavior (#3994)
  • [eips] Document blob cell selection invariants (#3973)
  • [signer-tempo] Add changelog (#3962)

Features

  • [rpc-types-engine] Add payload attributes builders (#3985)
  • [rpc-types-beacon] Add builder validation request v6 (#3981)
  • [eips] Add EIP-7594 matching cell computation (#3974)
  • [rpc-types-engine] Add SSZ codecs for engine types (#3970)
  • [pubsub] Typed terminal-error channel (#3963)
  • [signer-tempo] Add Tempo wallet keystore reader (#3936)
  • [rpc-types-engine] Add sealed block execution data conversions (#3955)

Miscellaneous Tasks

  • Release 2.0.5
  • Release 2.0.5
  • Release 2.0.5

... (truncated)

Commits
  • 653989f chore: release 2.0.5
  • ee8c72f chore: release 2.0.5
  • a90ea92 chore: release 2.0.5
  • 51090d3 chore: release 2.0.5
  • 2d3a3fb docs(rpc-types-eth): correct sealed_header docs (#3995)
  • a019321 fix(ci): satisfy zepter secp256k1 propagation (#3993)
  • a51afc1 docs(node-bindings): clarify Reth genesis behavior (#3994)
  • 2aa6712 chore(deps): bump github/codeql-action from 4.35.2 to 4.35.4 (#3990)
  • f97b3cb fix(network): preserve transaction request extra fields
  • 51cb51d chore(deps): bump taiki-e/install-action from 2.75.27 to 2.77.1
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [alloy-json-rpc](https://github.com/alloy-rs/alloy) from 1.8.3 to 2.0.5.
- [Release notes](https://github.com/alloy-rs/alloy/releases)
- [Changelog](https://github.com/alloy-rs/alloy/blob/main/CHANGELOG.md)
- [Commits](alloy-rs/alloy@v1.8.3...v2.0.5)

---
updated-dependencies:
- dependency-name: alloy-json-rpc
  dependency-version: 2.0.5
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file rust Pull requests that update Rust code labels Jun 15, 2026

@tangletools tangletools left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

✅ Auto-approved PR — 849e416f

Blanket team auto-approval is enabled for this reviewer service.
The full PR reviewer audit still runs separately and will publish findings if it detects issues.

tangletools · auto-approval · reason: blanket_auto_approve · 2026-06-15T12:08:26Z

@tangletools tangletools left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔴 Value Audit — redundant-or-flawed

Verdict redundant-or-flawed
Concerns 2 (1 strong-concern, 1 weak-concern)
Heuristic 0.0s
Duplication 0.0s
Interrogation 338.0s (2 bridge agents)
Total 338.0s

💰 Value — sound-with-nits

Bumps the workspace direct dep alloy-json-rpc from 1.8 to 2.0, aligning it with alloy-rpc-client, alloy-eips, and alloy-transport-http which are already on 2.x in the workspace; a coherent incremental follow-up to the team's established partial-alloy-upgrade pattern.

  • What it does: Changes Cargo.toml:412 to require alloy-json-rpc 2.0 instead of 1.8, which resolves blueprint-client-evm to alloy-json-rpc 2.0.5 in Cargo.lock:3124. The only workspace crate that consumes the workspace alloy-json-rpc alias is crates/clients/evm, whose instrumented_client.rs directly imports RpcRecv/RpcSend/RpcError at lines 5 and 50.
  • Goals it achieves: Keeps the JSON-RPC layer current and consistent with the 2.x alloy crates already declared in the workspace (alloy-rpc-client 2.0 at Cargo.toml:416, alloy-eips 2.0 at Cargo.toml:426, alloy-transport-http 2.0 at Cargo.toml:428). It also follows the precedent set by commit 7061c5b (git log -- Cargo.toml), which bumped those three crates to 2.0 while leaving alloy-json-rpc at 1.8 and reported 'no API
  • Assessment: Good on its merits. The change is minimal and targeted, touching only the workspace alias and the resulting lockfile entry for the single direct consumer. No source-code changes are included, consistent with the prior partial bump (7061c5b) that reported no broken workspace API surface, indicating the used traits/error types are stable enough for this bump.
  • Better / existing approach: A coordinated bump of every alloy crate to 2.x would leave the workspace in a cleaner, single-version state. However, the codebase already practices incremental alloy upgrades (7061c5b upgraded alloy-rpc-client/alloy-eips/alloy-transport-http to 2.0 while leaving alloy-json-rpc and most other alloy crates at 1.8), and no existing automation or reusable component manages alloy versions. Within that

🎯 Usefulness — redundant-or-flawed

Bumping alloy-json-rpc to 2.0 while alloy-provider/alloy-network/alloy-transport remain at 1.8 introduces a major-version type mismatch in blueprint-client-evm that breaks compilation.

  • Integration: Does not wire correctly. blueprint-client-evm imports RpcSend/RpcRecv/RpcError from alloy-json-rpc 2.0 (Cargo.toml:412, crates/clients/evm/Cargo.toml:31, crates/clients/evm/src/instrumented_client.rs:5,50), but its Provider impl calls alloy-provider 1.8's raw_request, which expects RpcSend/RpcRecv from alloy-json-rpc 1.8. Cargo.lock now contains both alloy-json-rpc 1.8.3 (used by alloy-provider 1.
  • Fit with existing patterns: Fights the codebase's grain. The workspace pins the alloy ecosystem to a common major line: alloy-provider 1.8, alloy-network 1.8, alloy-transport 1.8, alloy-consensus 1.8, etc. (Cargo.toml:409-428). Bumping one foundational type crate without its dependents is inconsistent with that pattern and forces duplicate major versions of the same crate into the dependency graph.
  • Real-world viability: Will not hold up; the crate will not compile. Even if it compiled, carrying two major versions of alloy-json-rpc in the same crate is a maintenance hazard: error conversions, trait impls, and downstream type expectations will diverge at runtime use sites.

🎯 Usefulness Audit

🔴 Major-version mismatch breaks blueprint-client-evm compilation [integration] ``

blueprint-client-evm is the only direct consumer of alloy-json-rpc (crates/clients/evm/Cargo.toml:31). It uses RpcSend/RpcRecv (instrumented_client.rs:5,809-816) with Provider::raw_request from alloy-provider 1.8, but the workspace now resolves alloy-json-rpc to 2.0 (Cargo.toml:412). Cargo.lock shows alloy-provider 1.8.3 depends on alloy-json-rpc 1.8.3 (Cargo.lock:548), while blueprint-client-evm depends on alloy-json-rpc 2.0.5 (Cargo.lock:3124). Because Rust treats different major versions as d

💰 Value Audit

🟡 Workspace still carries a split alloy ecosystem [maintenance] ``

Cargo.toml:409-428 shows most alloy crates (alloy, alloy-provider, alloy-network, alloy-consensus, etc.) remain at 1.8 while alloy-json-rpc, alloy-rpc-client, alloy-eips, and alloy-transport-http are at 2.0. As a result, Cargo.lock still contains both alloy-json-rpc 1.8.3 and 2.0.5. This is acceptable given the precedent in commit 7061c5b, but future maintenance should aim for a coordinated alloy 2.x migration to eliminate the dual-version lockfile.


What this audit checks

It judges the change on its merits — not whether it was tasked out in an issue. Unticketed, fast-moving work is fine; the question is whether the change is good and whether a better or existing approach should be used instead.

Pass What it asks
Heuristic Vague title? Whitespace-only or cruft-bearing diff? (content signals only)
Duplication Do added function/class names already exist elsewhere in the repo?
Value Audit What does it do? What goal does it achieve? Is it good? Better architecture or already-exists?
Usefulness Audit Does it integrate and fit? Will it hold up in real use and actually get used?

Findings are concerns, not blocks — the human reviewer decides what to do with them.

value-audit · 20260615T121553Z

@tangletools

Copy link
Copy Markdown
Contributor

❌ Needs Work — 849e416f

Readiness 57/100 · Confidence 70/100 · 2 findings (1 critical, 1 low)

glm: Correctness 57 · Security 57 · Testing 57 · Architecture 57

Full multi-shot audit completed 2/2 planned shots over 2 changed files. Global verifier still owns final merge decision.

Blocking

🟣 CRITICAL alloy-json-rpc 2.0 bump breaks compilation of blueprint-client-evm due to version mismatch with alloy-provider 1.8.3 — Cargo.toml

Cargo.toml:412 changes alloy-json-rpc from "1.8" to "2.0", but alloy-provider (line 419) remains at "1.8". alloy-provider 1.8.3 depends on alloy-json-rpc 1.8.3 internally. The sole direct consumer, crates/clients/evm/Cargo.toml:31 (alloy-json-rpc = {workspace=true}), now pulls 2.0.5. The code in instrumented_client.rs:50 declares Rpc(#[from] alloy_json_rpc::RpcError<alloy_transport::TransportErrorKind>) using the 2.0.5 RpcError, but instrumented_client.rs:169 ProviderBuilder::new().connect_ws(...).await? returns alloy_transport::RpcError which re-exports alloy_json_rpc 1.8.3's RpcError. Confirmed compile error: cargo check -p blueprint-client-evm → E0277: `From<alloy_transport

Other

🟡 LOW blueprint-client-evm mixes alloy 1.x and 2.x major versions in same dependency tree — Cargo.lock

blueprint-client-evm 0.2.0-alpha.6 (line 3119) now directly depends on alloy-json-rpc 2.0.5 (line 3124) while still depending on alloy-network 1.8.3 (line 3125), alloy-consensus 1.8.3 (line 3123), and alloy-rpc-types-eth 1.8.3 (line 3131). Since allo


tangletools · 2026-06-15T12:18:52Z · trace

@tangletools tangletools left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

❌ 1 Blocking Finding — 849e416f

Full multi-shot audit completed 2/2 planned shots over 2 changed files. Global verifier still owns final merge decision.

Full immutable report for this review: trace

Summary comment for this run: full summary


tangletools · 2026-06-15T12:18:52Z · immutable trace

@drewstone

Copy link
Copy Markdown
Contributor

Closing: alloy 1.x -> 2.0 is a breaking major-version migration, not a safe auto-bump. The workspace pins alloy 1.8 and consumes tnt-core-bindings 0.19 which is built against alloy 1.0 — moving one alloy crate to 2.0 breaks the version-unified workspace and the blueprint-manager's getLogs/ABI-decode paths (the tnt-core 0.19 upgrade + live Tempo operators). alloy 2.0 needs a coordinated migration (tnt-core-bindings regenerated on alloy 2 first, then the whole workspace) — tracked separately, not via Dependabot.

@drewstone drewstone closed this Jul 8, 2026
@dependabot @github

dependabot Bot commented on behalf of github Jul 8, 2026

Copy link
Copy Markdown
Contributor Author

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

@dependabot dependabot Bot deleted the dependabot/cargo/alloy-json-rpc-2.0.5 branch July 8, 2026 21:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file rust Pull requests that update Rust code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants