Skip to content

fix: resolve Docker build and Dependency Scanning CI failures#273

Merged
Osuochasam merged 2 commits into
Open-audit-foundation:mainfrom
michaelvic123:fix/ci-vitest-cargo-deps
Jun 29, 2026
Merged

fix: resolve Docker build and Dependency Scanning CI failures#273
Osuochasam merged 2 commits into
Open-audit-foundation:mainfrom
michaelvic123:fix/ci-vitest-cargo-deps

Conversation

@michaelvic123

Copy link
Copy Markdown
Contributor

Root cause

Two unrelated dependency version mismatches were breaking CI on every PR.


1. Docker Build — ERESOLVE (linux/amd64 + linux/arm64)

npm error While resolving: @vitest/ui@4.1.9
npm error Found: vitest@3.2.6
npm error peer vitest@"4.1.9" from @vitest/ui@4.1.9

Fix: package.json — bump vitest from ^3.2.6^4.1.9 to satisfy the peer dep declared by @vitest/ui@^4.1.9. The two were added independently by different contributors and never aligned.


2. Dependency Scanning with Trivy — cargo generate-lockfile exit 101

error: failed to select a version for the requirement `stellar-xdr = "^0.0.18"`
candidate versions found which didn't match: 27.0.0, 26.0.1, 26.0.0, ...

Fix: native/soroban-xdr-decode/Cargo.toml — update stellar-xdr from "0.0.18""26.0.1". The 0.x line was yanked from crates.io; the crate was re-versioned at 26.x to match the Stellar protocol number.

The native/ directory was also missing from this fork entirely, so it's included here synced from upstream.


Verification

Both failures reproduce on main and on every open PR — not specific to any feature branch. These fixes are the minimal changes needed; no logic is touched.

michaelvic123 and others added 2 commits June 29, 2026 14:03
- package.json: bump vitest from ^3.2.6 to ^4.1.9 to match
  the peer dependency required by @vitest/ui@^4.1.9. The
  mismatched versions caused npm ci to fail with ERESOLVE
  inside the Docker build stage, breaking both linux/amd64
  and linux/arm64 image builds.

- native/soroban-xdr-decode/Cargo.toml: update stellar-xdr
  from 0.0.18 to 26.0.1. The old constraint no longer resolves
  on crates.io (available versions start at 26.0.0), which caused
  cargo generate-lockfile to exit 101 and broke the Dependency
  Scanning with Trivy job on every PR.

- native/: bring in the full native/ directory from upstream
  (soroban-xdr-decode and soroban-dsl) which was missing from
  this fork, causing the Cargo.toml fix to have no effect.
@Osuochasam Osuochasam merged commit e4090e0 into Open-audit-foundation:main Jun 29, 2026
5 of 8 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants