[deps]: Update Rust crate dylint_linting to v5

[renovate]

This PR contains the following updates:

Package	Type	Update	Change
dylint_linting	workspace.dependencies	major	4.1.0 -> 5.0.0

---

Release Notes

trailofbits/dylint (dylint_linting)

v5.0.0

Compare Source

• Fix a bug causing dylint_testing to make repeated failed attempts to build a driver (#​1744)
• BREAKING: Remove cargo-lib feature and support for linking Cargo as a library (#​1741)
• Change "No paths matched" error to "No library packages found in" when a pattern is not used (#​1748)
• BREAKING: Remove ability to refer to libraries with --path (#​1754)
• Upgrade dependencies (#​1728), including:
  • cargo_metadata to version 0.23
  • cargo-util-schema to version 0.10
  • git2 to version 0.20

v4.1.2

Compare Source

• Hot fix for a failed cargo publish (#​1737)

v4.1.1

Compare Source

• Correct error messages associated with Cargo.toml and rust-toolchain backups (#​1606)—thanks @​suratkhan
• Fix typo in conditional compilation documentation (#​1627)—thanks @​markopiers
• Use anstyle instead of ansi_term (#​1630)
• Fix link in README.md (#​1642)
• Use tar-fs (#​1639)
• Correct instructions for using Rust Analyzer (#​1658)—thanks @​mondeja
• Ensure correct cargo is called when determining package metadata (#​1671)
• Fix typo in dylint-link description (#​1700)
• Upgrade dependencies (#​1728), including:
  • cargo_metadata to version 0.22
  • rewriter to version 0.2
  • toml to version 0.9
  • toml_edit to version 0.23

---

Configuration

📅 Schedule: Branch creation - "every 2nd week starting on the 2 week of the year before 4am on Monday" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

🔍 SDK Breaking Change Detection Results

SDK Version: renovate/dylint_linting-5.x (edbcf8c)
Completed: 2025-12-10 12:54:06 UTC
Total Time: 248s

Client	Status	Details
typescript	✅ No breaking changes detected	TypeScript compilation passed with new SDK version - View Details

---

Breaking change detection completed. View SDK workflow

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 78.61%. Comparing base (f0d4b0e) to head (edbcf8c).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files

@@           Coverage Diff           @@
##             main     #534   +/-   ##
=======================================
  Coverage   78.61%   78.61%           
=======================================
  Files         281      281           
  Lines       29131    29131           
=======================================
  Hits        22901    22901           
  Misses       6230     6230           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[renovate]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

[claude]

Claude finished @renovate[bot]'s task —— View job

---

PR Review: dylint_linting v5.0.0 Upgrade

Tasks

• Analyze PR changes using bitwarden-code-reviewer
• Provide comprehensive review feedback

---

Overall Assessment: ✅ APPROVE

This is a well-executed major version upgrade of dylint_linting from 4.1.0 to 5.0.0. The changes correctly handle breaking changes, improve dependency management through renovate, and all CI checks pass successfully.

Key Findings

1. Breaking Changes Properly Handled ✅

The PR correctly addresses the breaking changes in dylint v5.0.0:

• Removed cargo-lib feature: Not used by this codebase
• Removed --path library references: Not used in the codebase
• Dependency upgrades (cargo_metadata 0.23, git2 0.20): All transitive updates in Cargo.lock appear correct

2. Security Assessment ✅

No security concerns identified:

• Dependency updates include security-related improvements
• No new attack surface introduced
• CI security scanning (Checkmarx) passed with no new vulnerabilities
• Removed dependencies (rust-embed, walkdir, sha2, etc.) reduce attack surface

3. Renovate Configuration Enhancement ✅

The addition of regexManagers in .github/renovate.json:19 is a significant improvement that enables automatic tracking of cargo-installed tools in workflows, ensuring consistency between installed binaries and library versions.

Note: The review comments suggest extracting cargo install steps to a reusable script for developers - this is a good follow-up idea tracked in PM-29567.

4. Dependency Cleanup ✅

The Cargo.lock shows healthy cleanup:

• 221 lines removed vs 80 added (net reduction)
• Removed unused dependencies: rust-embed, walkdir, ansi_term, sha2, globset, bstr
• Upgraded to modern alternatives: anstyle (replacing ansi_term), tar (replacing rust-embed)

5. Backward Compatibility ✅

The custom lints (error_enum and error_suffix) in support/lints/ continue to use standard dylint APIs without modification:

• dylint_linting::declare_late_lint! macro - unchanged
• dylint_testing::ui_test functions - unchanged
• No breaking changes affect lint implementations

6. CI Validation ✅

All checks passed:

• TypeScript compilation against clients repo - no breaking changes detected
• Code coverage maintained at 78.61%
• Checkmarx security scan - no new vulnerabilities
• All workflow steps execute successfully with v5.0.0

Recommendation

Approve and merge. This is a clean dependency upgrade with no issues identified. The renovate configuration improvements will benefit future maintenance.

[github-actions]

Checkmarx One – Scan Summary & Details – 3ddfd4fa-b5fc-41b4-b7a8-c4a0bdcff592

Great job! No new security vulnerabilities introduced in this pull request

[dani-garcia]

I wonder if we should be extracting these cargo install steps to a script that can be used by devs as well rather than doing it on the workflow. We've had a couple of devs accidentally commit extra changes because they were using a too new version of cargo-sort, would be nice if we could just point people to a script that installs the correct versions directly.

[coroiu]

Created a follow-up here: PM-29567 Move all binary cargo utilities into a separate shell file and add renovate to it