chore(deps): only update Cargo.lock, not Cargo.toml requirements

Dependabot raised the lower-bound version requirements in Cargo.toml (arrow, tokio, aws-sdk-*, etc.) to match the new lockfile versions. That forces our library's consumers onto newer minimum versions and broke the MSRV check, which downgrades aws-sdk-* crates to verify they still build on Rust 1.91 — the downgrades could no longer satisfy the bumped constraints. Revert all Cargo.toml changes and regenerate Cargo.lock within the existing requirement ranges. The point of this dependabot job is to keep the lockfile (and the binaries we ship) current on security fixes, not to bump our public minimum versions. Also set `versioning-strategy: lockfile-only` so future dependabot PRs only touch Cargo.lock. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-15 11:00:41 +00:00 · 2026-05-14 15:43:51 -07:00
parent fb95c4c671
commit a12b28cae6
6 changed files with 529 additions and 465 deletions
--- a/nodejs/Cargo.toml
+++ b/nodejs/Cargo.toml
@@ -23,21 +23,21 @@ env_logger.workspace = true
 futures.workspace = true
 lancedb = { path = "../rust/lancedb", default-features = false }
 lance-namespace.workspace = true
-napi = { version = "3.8.6", default-features = false, features = [
+napi = { version = "3.8.3", default-features = false, features = [
    "napi9",
    "async"
 ] }
-napi-derive = "3.5.6"
+napi-derive = "3.5.2"
 # Prevent dynamic linking of lzma, which comes from datafusion
 lzma-sys = { version = "0.1", features = ["static"] }
 log.workspace = true

 # Pin to resolve build failures; update periodically for security patches.
 aws-lc-sys = "=0.40.0"
-aws-lc-rs = "=1.17.0"
+aws-lc-rs = "=1.16.3"

 [build-dependencies]
-napi-build = "2.3.2"
+napi-build = "2.3.1"

 [features]
 default = ["remote", "lancedb/aws", "lancedb/gcs", "lancedb/azure", "lancedb/dynamodb", "lancedb/oss", "lancedb/huggingface"]