Skip to content

feat: vendor dependencies and aggressively reduce crate count#1361

Open
heapwolf wants to merge 4 commits into
mainfrom
maint/vendor
Open

feat: vendor dependencies and aggressively reduce crate count#1361
heapwolf wants to merge 4 commits into
mainfrom
maint/vendor

Conversation

@heapwolf
Copy link
Copy Markdown
Contributor

@heapwolf heapwolf commented May 12, 2026
edited by devin-ai-integration Bot
Loading

Summary

Aggressive dependency reduction to minimize supply-chain risk and enable fully air-gapped builds. Zero network fetches required at build time.

Results: 449 → 213 crates (53% reduction), vendor size 620MB → 469MB

What changed

Crates removed entirely (replaced with inline implementations or stdlib)

  • smol — consolidated on tokio (was redundant async runtime)
  • ureq — replaced with a minimal HTTP/1.1 client over native-tls + TcpStream
  • url — replaced with focused string parsing for the URL formats we actually handle
  • once_cell — replaced with std::sync::LazyLock (stable in Rust 1.80+)
  • dirs — replaced with inline $HOME/$USERPROFILE/XDG logic
  • indicatif — replaced with a simple ANSI spinner on stderr
  • rand (production) — replaced with getrandom for the two call sites that needed randomness
  • gix-index — replaced get_all_staged_file_blob_oids with git ls-files --stage -z
  • gix-config (+ 20 transitive gix-* crates) — replaced with git config CLI calls

Feature flags trimmed

  • clap: disabled default features, kept only derive, std, help, usage, error-context
  • chrono: disabled default features, enabled only serde, now, std
  • flate2: switched to zlib-rs backend only
  • zip: deflate-flate2 feature only

Architecture changes

  • src/http.rs — complete rewrite: minimal HTTP/1.1 client with TLS, chunked transfer-encoding, DNS resolution via ToSocketAddrs
  • src/utils.rs — added block_on, join_all, catch_unwind (smol replacements) + dirs module
  • src/git/repository.rs — config operations now use git config CLI instead of in-process parsing; remotes_with_urls() uses git remote -v
  • src/daemon/git_backend.rs — alias cache uses git config --get-regexp instead of gix-config file iteration
  • src/commands/git_hook_handlers.rs — hooks path read/write/unset via git config --file

Vendoring

  • All 213 remaining crates vendored in vendor/ with .cargo/config.toml source replacement
  • Verified: CARGO_NET_OFFLINE=true cargo build succeeds

Test plan

  • task build — compiles cleanly
  • task lint — no clippy warnings
  • task fmt — formatted
  • task test — all 1495 unit tests pass
  • task test — all 3037 integration tests pass
  • Offline build verified (CARGO_NET_OFFLINE=true)

🤖 Generated with Claude Code

Open in Devin Review

heapwolf and others added 4 commits May 12, 2026 20:29
@heapwolf @claude
feat: vendor all dependencies and eliminate unnecessary crates
f4b00d6 
Remove smol, futures, indicatif, once_cell, dirs, and rand from
production dependencies. Replace with tokio equivalents, std::sync::LazyLock,
inline implementations, and getrandom respectively. Vendor all remaining
dependencies for fully offline, air-gapped builds with zero network fetches.

Crate count reduced from 449 to 312. Vendor size 497MB.

Removed crates:
- smol (replaced by tokio which was already present)
- futures (replaced by tokio + small inline join_all/catch_unwind)
- indicatif (replaced by 30-line inline spinner)
- once_cell (replaced by std::sync::LazyLock)
- dirs (replaced by inline home_dir/config_dir using env vars)
- rand (replaced by getrandom for prod, kept as dev-dep for tests)
- ratatui (dead code, zero usage)
- crossterm (dead code, zero usage)

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@heapwolf @claude
chore: add vendored dependencies (312 crates)
5542d77 
All Rust dependencies are now vendored in vendor/ for fully offline
builds. No network access required at build time.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@heapwolf @claude
feat: remove ureq/url, trim feature flags, inline HTTP client
b3c53f4 
Replace ureq with a minimal HTTP/1.1 client using native-tls directly,
eliminating the entire url→idna→ICU dependency chain (27 crates).
Trim feature flags on clap, chrono, flate2, and zip for further savings.

Total crate count: 449 → 259 (190 crates eliminated, 42% reduction).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@heapwolf @claude
feat: remove gix-index and gix-config, replace with git CLI calls
c309680 
Eliminates all 20+ gix-* crates by replacing gix-index binary index
parsing with `git ls-files --stage -z` and gix-config file parsing
with `git config` CLI calls. Reduces vendor from 249 to 213 crates.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
github-advanced-security[bot]
github-advanced-security AI found potential problems May 12, 2026
View reviewed changes
Copy link
Copy Markdown

@github-advanced-security github-advanced-security AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

CodeQL found more than 20 potential problems in the proposed changes. Check the Files changed tab for more details.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@github-advanced-security github-advanced-security[bot] github-advanced-security[bot] left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@heapwolf @github-advanced-security