chore(deps): bump sqlx from 0.8.6 to 0.9.0#153
sqlx 0.9 introduces SqlSafeStr to harden dynamic SQL. All query*() functions now accept only &'static str or AssertSqlSafe-wrapped owned strings. Migrate every dynamic format!()-built query through sqlx::AssertSqlSafe(sql) — the SQL fragments are internal templates (ORDER BY whitelists, placeholder lists), never user input. Also adapt Migration::sql (now SqlStr) and the ATTACH execute() call which lost its &str leniency to the new 'static + Execute bound. Replaces dependabot PR #151.
📝 Walkthrough: sqlx 0.8 → 0.9 upgrade and adoption of AssertSqlSafe
⚠️ Outside diff range comments (1)
src-tauri/Cargo.toml (1)
68-74: ⚠️ Potential issue | 🟠 Major | ⚖️ Poor tradeoff
Check sqlx 0.9 compatibility (SqlSafeStr / AssertSqlSafe)
- In sqlx 0.9, the query*() functions now accept impl SqlSafeStr: &'static str literals work, but any SQL built dynamically from a non-static String/&str must be wrapped in sqlx::AssertSqlSafe(...) (otherwise it breaks compilation and circumvents the explicit security opt-in).
- Audit every use of query*() (and variants) to make sure no non-literal string is passed without AssertSqlSafe.
- Also check the other 0.9 breaking changes relevant to the codebase, in particular the behaviour around PgConnectOptions::options() (if used) with its automatic escaping.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@src-tauri/Cargo.toml` around lines 68 - 74, Audit all usages of sqlx query builders (e.g., query(), query_as(), query_scalar(), query_unchecked(), and any call sites taking SQL strings) and ensure any non-literal SQL constructed from String/&str is wrapped with sqlx::AssertSqlSafe(...) because sqlx 0.9 requires impl SqlSafeStr; replace unsafe dynamic string arguments by either converting to parameterized queries or wrapping them with AssertSqlSafe where an explicit opt-in is intended, and run cargo build to catch remaining errors; additionally review any uses of PgConnectOptions::options() and other sqlx 0.9 breaking-change APIs and update call sites to the new behavior/signature as required.
⛔ Files ignored due to path filters (1)
src-tauri/Cargo.lock is excluded by !**/*.lock, !src-tauri/Cargo.lock
📒 Files selected for processing (10)
- src-tauri/Cargo.toml
- src-tauri/src/commands/browse.rs
- src-tauri/src/commands/edit.rs
- src-tauri/src/commands/radio.rs
- src-tauri/src/commands/similar.rs
- src-tauri/src/commands/track.rs
- src-tauri/src/db/migration_heal.rs
- src-tauri/src/db/profile_db.rs
- src-tauri/src/smart_playlists/custom.rs
- src-tauri/src/smart_playlists/generator.rs
… resvg (#155)

* fix(smart-playlists): replace hand-drawn On Repeat cover with SVG via resvg

  The old `render_on_repeat_canvas` painted the indigo gradient and the two overlapping pink rings pixel-by-pixel without anti-aliasing, which left the cover visibly stair-stepped at the 640-px canvas size and worse when the Home tile scaled it down. Swap in a vector source ([on_repeat.svg]) rasterised through resvg + usvg + tiny-skia (default features disabled — the SVG is pure shape + gradient + filter, no fonts or embedded rasters, keeps the dep bloat to ~300 KB compiled). New design centres a bezier infinity loop on the canvas, strokes it with the rainbow gradient `#ff3377 → #9933ff → #33ccff` under a gaussian glow + a thin white inner rim. No `<text>` in the SVG so the locale-agnostic guarantee documented in CLAUDE.md stays intact — React keeps overlaying the eyebrow + title. `build_on_repeat_cover` already dedupes by blake3 hash, so existing installs pick up the new image on the next "Régénérer".

* chore(about): bump SQLx version label to 0.9

  Caught while reviewing the About panel — the SQLx tile still read 0.8 after #153 landed.
Summary
- `sqlx` from 0.8.6 → 0.9.0 in `src-tauri`.
- `sqlx::AssertSqlSafe(...)` — sqlx 0.9 narrowed `query*()` to `impl SqlSafeStr` (only `&'static str` or `AssertSqlSafe`-wrapped owned strings) as a guard rail against `format!()`-built queries. All migrated sites build SQL from internal templates (whitelisted ORDER BY clauses, `?,?,?` placeholders), never from user input — `bind()` carries every dynamic value.
- `Migration::sql` (now `SqlStr`) in `db::migration_heal` and the per-connection `ATTACH DATABASE` in `db::profile_db`, which lost its `&str` leniency to the new `'static + Execute<'q>` bound.
- Replaces #151 (Dependabot PR that did the version bump only, leaving 14 compile errors).
Test plan
- cargo check --manifest-path src-tauri/Cargo.toml --all-targets
- cargo test --manifest-path src-tauri/Cargo.toml → 110 passed
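The pattern the PR describes (internal templates wrapped in AssertSqlSafe, user-chosen values kept out of the SQL text and carried by bind parameters) as an added, self-contained example. This is not code from this repository or from sqlx: the `SqlSafeStr` trait, `AssertSqlSafe` wrapper and `query()` function below are simplified stand-ins that only reproduce the shape that matters for the guard rail (a `&'static str` is accepted, an owned `String` is not, the wrapper is the explicit opt-in), and the `tracks` table, its columns and the sort parameters are hypothetical. In real code the returned template would be passed to `sqlx::query(sqlx::AssertSqlSafe(sql))` and the ids to `.bind(...)`.

```rust
// Added example: a stand-in for the sqlx 0.9 SqlSafeStr guard rail plus the
// whitelist/placeholder builders it is meant to protect. Not sqlx's real code.

/// Simplified stand-in for sqlx 0.9's `SqlSafeStr` (assumption: the real trait
/// has a different shape; only the accept/reject behaviour is modelled here).
pub trait SqlSafeStr {
    fn into_sql_str(self) -> String;
}

/// String literals are always accepted: they cannot contain runtime data.
impl SqlSafeStr for &'static str {
    fn into_sql_str(self) -> String {
        self.to_owned()
    }
}

/// Explicit opt-in wrapper for SQL the caller asserts is built from internal
/// templates only. Same name as sqlx 0.9's wrapper; stand-in implementation.
pub struct AssertSqlSafe<T>(pub T);

impl SqlSafeStr for AssertSqlSafe<String> {
    fn into_sql_str(self) -> String {
        self.0
    }
}

// Deliberately no `impl SqlSafeStr for String`: `query(format!(...))` does not
// compile, so every dynamic query site has to opt in visibly and be reviewable.

/// Stand-in for `sqlx::query(...)`: the only parameter type is `impl SqlSafeStr`.
pub fn query(sql: impl SqlSafeStr) -> String {
    sql.into_sql_str()
}

/// Whitelist of sortable columns (hypothetical schema). The caller picks a
/// name; only the matching whitelist entry, never the caller's bytes, is
/// interpolated into the template.
const SORT_COLUMNS: &[&str] = &["title", "artist", "added_at"];

#[derive(Debug, PartialEq)]
pub enum SortError {
    UnknownColumn(String),
    UnknownDirection(String),
}

/// Build an ORDER BY template from untrusted sort parameters. Anything not on
/// the whitelist is rejected instead of being spliced into the SQL.
pub fn build_track_query(sort_by: &str, direction: &str) -> Result<String, SortError> {
    let column = SORT_COLUMNS
        .iter()
        .find(|c| **c == sort_by) // compare only; `sort_by` itself never reaches the SQL
        .ok_or_else(|| SortError::UnknownColumn(sort_by.to_owned()))?;
    let dir = match direction.to_ascii_lowercase().as_str() {
        "asc" => "ASC",
        "desc" => "DESC",
        other => return Err(SortError::UnknownDirection(other.to_owned())),
    };
    let sql = format!("SELECT id, title FROM tracks ORDER BY {column} {dir}");
    Ok(query(AssertSqlSafe(sql)))
}

/// Build an `IN (?, ?, ?)` template sized to the number of ids. The template
/// contains only placeholders; the ids are returned separately so the caller
/// binds them (one `.bind(id)` per `?` in sqlx).
pub fn build_in_query(ids: &[i64]) -> (String, Vec<i64>) {
    if ids.is_empty() {
        // `IN ()` is a syntax error in SQLite; emit an always-false predicate instead.
        return (query("SELECT id FROM tracks WHERE 1 = 0"), Vec::new());
    }
    let placeholders = vec!["?"; ids.len()].join(", ");
    let sql = format!("SELECT id FROM tracks WHERE id IN ({placeholders})");
    (query(AssertSqlSafe(sql)), ids.to_vec())
}

fn main() {
    println!("{}", build_track_query("artist", "desc").unwrap());
    println!("{:?}", build_track_query("title; DROP TABLE tracks", "asc"));
    let (sql, binds) = build_in_query(&[3, 7, 9]);
    println!("{sql}  binds={binds:?}");
    println!("{}", query("SELECT COUNT(*) FROM tracks"));
}
```

The point of the whitelist is that `sort_by` is used as a lookup key, not as text: an attacker-controlled `"title; DROP TABLE tracks"` fails the lookup and is returned in the error rather than appearing in the template. The `AssertSqlSafe` call then documents, at the one place the reviewer has to audit, why the `format!()` result is safe.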