🤖 Kimi Code Review

The PR only changes dependency sources for the spawned-* crates from a Git tag to the published crates.io version 0.5.0. The lock file confirms the checksums match the registry entries, so the code being compiled is identical.

No correctness, security, or performance issues introduced. The change improves supply-chain hygiene by using the stable registry release instead of a release candidate from Git.

Automated review by Kimi (Moonshot AI) · custom prompt

🤖 Claude Code Review

PR 224 Review: Upgrade spawned-concurrency and spawned-rt to 0.5.0 from crates.io

Summary: Simple dependency migration from a git tag (v0.5.0-rc2) to the published crates.io 0.5.0 release. No logic changes.

Changes

Cargo.toml — both spawned-concurrency and spawned-rt are switched from git + tag to plain version specifiers. Clean and correct.

Cargo.lock — all three affected packages (spawned-concurrency, spawned-macros, spawned-rt) now resolve from the crates.io registry with checksums. The lock file correctly captures spawned-macros as a transitive dependency pulled along with the others.

Observations

• The checksums in Cargo.lock are present and well-formed, which is the key safety property for registry dependencies.
• spawned-macros 0.5.0 is also migrated implicitly — it was a transitive git dependency and is now resolved from crates.io as expected.
• The version specifier "0.5.0" (exact) is appropriate here given this is an internal LambdaClass crate with known semantics. Using a bare version string allows patch updates (0.5.x) via cargo update, which is fine for a stable release.
• No API-breaking changes between v0.5.0-rc2 and 0.5.0 per the PR description, and the test suite passing confirms this.

Verdict

This is a straightforward, low-risk housekeeping change. The diff is minimal and correct. No issues found.

Automated review by Claude (Anthropic) · custom prompt

🤖 Codex Code Review

1. Medium: dependency is not strictly pinned for reproducible consensus builds
   In Cargo.toml:49 and Cargo.toml:50, using "0.5.0" allows 0.5.x upgrades when Cargo.lock is refreshed. For a consensus client, accidental runtime behavior drift from transitive updates is a real risk.
   Suggested change: use exact pins ("=0.5.0") or enforce lockfile + dependency update policy in CI.

2. Low: extra runtime version remains in lockfile (attack surface/bloat check)
   Cargo.lock:7111 and Cargo.lock:7125 show both spawned-rt 0.4.5 and 0.5.0. This may be pre-existing, but it is worth checking whether 0.4.5 can be eliminated to reduce duplicate code and audit surface.

No correctness issues were found in fork choice, attestation handling, finalization, state transition, XMSS, or SSZ logic, because this PR does not touch those paths; it is dependency-source migration only.

I could not run cargo check in this environment due rustup temp-file permission restrictions, so build validation is still pending.

Automated review by OpenAI Codex · custom prompt

Greptile Summary

This PR migrates spawned-concurrency and spawned-rt from a git tag dependency (v0.5.0-rc2) to the stable 0.5.0 release published on crates.io, improving dependency resolution stability and reproducibility.

• Cargo.toml: two git = …, tag = "v0.5.0-rc2" entries replaced with simple "0.5.0" version constraints.
• Cargo.lock: sources updated to registry+…, SHA-256 checksums added for spawned-concurrency, spawned-rt, and the newly-split spawned-macros proc-macro crate.
• The 0.4.5 entries for both crates remain in Cargo.lock as transitive dependencies of ethrex-p2p (a separate external git dependency) — this is expected Cargo behaviour and unrelated to this PR.
• The addition of spawned-macros as a transitive dependency of spawned-concurrency 0.5.0 is expected: the stable release extracted the #[actor] proc-macro into its own crate, which the codebase already relies on (use spawned_concurrency::actor).
• No source-code changes are required, consistent with the claim that the RC2 → stable transition is non-breaking.

Confidence Score: 5/5

• This PR is safe to merge — it is a minimal, non-breaking dependency source migration with no logic changes.
• The change is limited to two lines in Cargo.toml and the corresponding lock-file regeneration. The crates.io checksums are well-formed, the API is backwards-compatible (no code changes needed), transitive dependencies are consistent, and the PR author verified fmt/lint/test all pass.
• No files require special attention.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    subgraph Before["Before (RC2 git tag)"]
        A1[Cargo.toml] -->|git tag v0.5.0-rc2| B1[spawned-concurrency]
        A1 -->|git tag v0.5.0-rc2| C1[spawned-rt]
        B1 --> C1
    end

    subgraph After["After (crates.io stable)"]
        A2[Cargo.toml] -->|0.5.0 crates.io| B2[spawned-concurrency]
        A2 -->|0.5.0 crates.io| C2[spawned-rt]
        B2 --> C2
        B2 --> D2[spawned-macros]
    end

    Before -->|PR #224| After

_{Last reviewed commit: 261a00a}