[deps]: Update rust Docker tag to v1.90

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
rust	stage	minor	1.89-alpine -> 1.90-alpine

---

Configuration

📅 Schedule: Branch creation - "every 2nd week starting on the 2 week of the year before 4am on Monday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[bitwarden-bot]

Internal tracking:

• ID: PM-27442
• Link: https://bitwarden.atlassian.net/browse/PM-27442

[claude]

Claude finished @renovate[bot]'s task —— View job

---

Review: Update Rust Docker tag to v1.90

Summary of Changes

This PR updates the Rust Docker base image in crates/memory-testing/Dockerfile from rust:1.89-alpine to rust:1.90-alpine. This is a minor version update for the Docker build environment used specifically for memory leak testing.

Changed file: crates/memory-testing/Dockerfile:4

---

Critical Issues

🔴 Version Inconsistency with Project Requirements

The project has explicit Rust version constraints that are inconsistent with this Docker image update:

1. rust-toolchain.toml (line 2): Pins to channel = "1.87.0"
2. Cargo.toml (line 13): Specifies rust-version = "1.85" (MSRV)
3. Dockerfile: Now uses rust:1.90-alpine

This creates a significant version mismatch. The Dockerfile includes COPY rust-toolchain.toml /app/ and runs rustup show (lines 8-9), which means the Docker build will actually use Rust 1.87.0 (from the toolchain file), not 1.90. The base image version becomes effectively irrelevant once the toolchain file overrides it.

Impact: While this won't break the build (rustup will install the correct version), it's wasteful and misleading:

• Larger base image download (1.90 vs 1.87)
• Two Rust toolchains present in the image
• Confusing for maintainers who expect the Dockerfile version to match actual usage

---

Suggested Improvements

1. Coordinate Rust Version Updates Across the Project

Rather than updating the Docker image in isolation, Rust version updates should be coordinated across:

• rust-toolchain.toml (the source of truth for toolchain version)
• Cargo.toml workspace rust-version (MSRV)
• Docker base images

Consider one of these approaches:

Option A: Keep Docker image aligned with rust-toolchain.toml

Update the Dockerfile to match the pinned toolchain version:

FROM rust:1.87-alpine AS base

This ensures consistency and avoids downloading an unnecessary Rust version.

Option B: Update all Rust versions together

If the goal is to move to Rust 1.90, update all three files in a single coordinated PR:

1. Update rust-toolchain.toml to 1.90.0
2. Update Cargo.toml rust-version (if appropriate for MSRV)
3. Update Dockerfile to rust:1.90-alpine

This would require testing the entire codebase for compatibility with Rust 1.90.

Option C: Use 'stable' instead of pinned versions

If you want the Docker builds to automatically track stable Rust:

FROM rust:alpine AS base

However, note that the rust-toolchain.toml file will still override this during the build process.

2. Consider Removing Redundant Base Image Version

Since rust-toolchain.toml is the authoritative source for the Rust version (copied early in the Dockerfile), you could simplify by using:

FROM rust:alpine AS base

This makes it clear that the toolchain file controls the actual Rust version used, not the base image.

---

Good Practices Observed

• Multi-stage Docker build for smaller final image
• Uses cargo-chef for dependency caching
• Pinned version for gdb dependency (gdb=15.2-r0)
• Uses Alpine for minimal image size

---

Action Items for Author

1. Decide on versioning strategy: Choose between keeping the Docker image aligned with rust-toolchain.toml (Option A) or coordinating a project-wide Rust version update (Option B)

2. If keeping this PR: Document why the Docker base image version differs from the toolchain version, or update the Dockerfile to match rust-toolchain.toml (1.87)

3. If proceeding with 1.90: Create a comprehensive PR that updates rust-toolchain.toml, tests the entire codebase with Rust 1.90, and updates all Docker images together

4. Consider automation: Update Renovate configuration to coordinate Rust version updates across all relevant files simultaneously

---

Recommendation

I recommend closing this PR and either:

• Creating a coordinated update that changes rust-toolchain.toml, Cargo.toml MSRV, and all Dockerfiles together (with full testing), OR
• Updating the Dockerfile to match the current rust-toolchain.toml version (1.87) for consistency

The current change is harmless but provides no benefit and creates unnecessary confusion about which Rust version is actually being used.

[github-actions]

Checkmarx One – Scan Summary & Details – dc9331b2-afdb-4586-bb51-7b124f4b109b

Great job! No new security vulnerabilities introduced in this pull request

[renovate]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.