-
Notifications
You must be signed in to change notification settings - Fork 880
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
chore(deps): Update Rust dependencies #1530
base: main
Are you sure you want to change the base?
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for your contribution!
.github/dependabot.yaml
Outdated
@@ -2,7 +2,7 @@ version: 2 | |||
|
|||
updates: | |||
- package-ecosystem: "docker" | |||
directory: "/" | |||
directory: "/.release" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This change is unrelated.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Unrelated? Did you ever wonder why there have been no updates in https://github.com/getsops/sops/commits/main/.release? 😉
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This has nothing to do with Rust. This PR is for updating Rust dependencies.
functional-tests/Cargo.toml
Outdated
serde_json = "1.0.99" | ||
serde_yaml = "0.9.22" | ||
serde_json = "1.0" | ||
serde_yaml = "0.9" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why you are removing the patch versions for most of the dependencies? Did you verify that the tests also work fine with lower patch versions?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It seems best practice for Rust dependencies to require always the latest patch version in every build.
How does this affect your tests results?
I tested what I could, your project doesn't provide e2e test scripts for developers, so the 2 vault tests failed, therefore contributors have to rely on your CI pipelines.
Wouldn't it be much better for your users if you would care more for build security than allegedly incompatible patch versions of test dependencies? 🤔
https://blog.rust-lang.org/2023/08/03/cve-2023-38497.html
Why are you using an ancient rust 1.70.0 toolchain since 2 days?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It seems best practice for Rust dependencies to require always the latest patch version in every build.
Sounds good to me.
Wouldn't it be much better for your users if you would care more for build security than allegedly incompatible patch versions of test dependencies? 🤔
I'm not sure what you're trying to imply here. I asked a simple question here, I didn't say you have to revert to the previous state. I personally do care for build security, but I'm not that familiar with all the tools used in the SOPS build pipeline.
https://blog.rust-lang.org/2023/08/03/cve-2023-38497.html Why are you using an ancient rust 1.70.0 toolchain since 2 days?
How come you assume we're using it since 2 days? We have been using Rust 1.70.0 for a long time already, the only thing that changed is the place where 1.70.0 is configured. (Which makes it easier to update that version to something less ancient.)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Also in CI one often pins all dependencies, and uses things like Dependabot to update them. That prevents random CI failures due to updated dependencies that sneaked in without explicit approval.
Since you added a Dependabot config for Cargo in this PR, I don't really understand why you remove the patch versions here.
@reneleonhardt ping |
54f3d8d
to
1fee572
Compare
Can you please either remove the Dependabot config for Rust, or re-add the full version numbers in |
1fee572
to
9887803
Compare
Why did you remove the Dependabot config for Rust/Cargo? |
(Also note that with commit messages like that, the chance that I will merge this are pretty much zero. Maybe someone else will merge it, but I definitely will not.) |
You required me to remove the Dependabot config for Rust, even if it makes no sense for an |
Signed-off-by: Rene Leonhardt <[email protected]>
… documentation because they are too short. This means that by disabling Dependabot new updates will not be build and tested automatically, and that the opposite will be true for all other dependencies not updated here (serde and serde_derive are allowed to be short). Signed-off-by: Rene Leonhardt <[email protected]>
9887803
to
657d04e
Compare
I hope you're not actively trying to misinterpret what I wrote:
There is an EITHER-OR condition. That means, either do the first, or the second. I also explicitly wrote that I would prefer the second, not the first. You decided to do both, which is not what I asked you to do, and what we both agree is not a good idea.
I did not copy your contribution, I simply recreated parts of it since a) it was no longer part of this PR, and b) it was something I would have liked to merge already in June. Also if you compare the Cargo part of your commit (11ebfc2) with my commit (576f809), you can see that I did not copy your contribution, but based it on the existing entry for GH Actions. |
Also, according to the official Cargo documentation (https://doc.rust-lang.org/cargo/reference/specifying-dependencies.html#specifying-dependencies-from-cratesio), |
Features