Skip to content

deps: bump quickjs_runtime 0.15.7 → 0.17.x to close lru advisory #1 #536

Description

@suchapalaver

Advisory #1 (low: lru IterMut Stacked Borrows violation, fix in 0.16.3) is blocked by quickjs_runtime = "0.15.7", which pins lru 0.14.0. The current registry version is quickjs_runtime = "0.17.2".

Lowest-severity of the three remaining upstream-blocked advisories — filing for completeness so the security dashboard reaches zero open alerts when all three follow-ups land. The unsoundness is theoretical (relies on a custom logger that calls IterMut paths) and unlikely to actually trigger in this codebase.

Scope

quickjs_runtime is the QuickJS host used by baml-rt-quickjs — it executes all agent JavaScript. A minor-version bump (0.15 → 0.17) is two minors; check upstream changelog for:

  • Promise / event-loop API changes (the bridge logic in baml-rt-quickjs/src/ is sensitive to this)
  • Module resolution changes that affect how agents load BAML-generated .ts
  • Any default-feature changes (quickjs_runtime has several optional features)

Verification

After bump:

  • lru 0.14.0 should be gone from Cargo.lock (only lru 0.16.x should remain)
  • Full workspace build + clippy + tests
  • cargo test -p baml-rt --test contracts_test and the conversational E2E fixtures (task-lifecycle-demo, stream-baml-tool) should pass — those exercise the JS↔Rust bridge most thoroughly

Follow-up from #531.

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or request

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions