Bump deps #82
Bump deps #82
Conversation
Codecov ReportAttention: Patch coverage is
Additional details and impacted files
|
Cargo.toml
Outdated
| binaries = ["dep:clap", "tokio/macros"] | ||
| ent = [] | ||
|
|
||
| [dependencies] | ||
| async-trait = "0.1.77" | ||
| clap = { version = "4.4.10", optional = true } | ||
| chrono = { version = "0.4", features = [ | ||
| chrono = { version = "0.4.20", features = [ |
There was a problem hiding this comment.
I think we were locked above this patch version, but still it's worth tightening due to potential vulnerability. Yay for deps.rs !
There was a problem hiding this comment.
In general, vulnerabilities shouldn't be patched in consumers through their Cargo.toml bounds — the lockfile is for this. The manifest (Cargo.toml) is just for declaring bounds on what's possible to build with. We don't want to restrict this to a newer version unnecessarily as it would mean consumers that are locked on an older version for some reason are stuck without a path forward.
There was a problem hiding this comment.
Hmm I agree that the bounds should be kept as low as possible, especially if the library is not relying on features added in minors and patches of its dependencies. However, a vulnerability fix may (should?) be considered a feature we are relying upon, so I am not sure this is an "unnecessary" bump. It somehow feels not right.
And also can they really get locked on an older version in this case? If they could build their app with 0.4.0 till 0.4.19, they should be able to build with 0.4.20.
There was a problem hiding this comment.
No, a vulnerability fix is not something we depend on :)
And yes, they can, such as if they use <= or = dependency specifiers.
There was a problem hiding this comment.
this is technically possible, but I mean logically why would they go with <=0.4.19 or =0.4.19 for example :)
rustworthy
force-pushed
the
chore/update-deps
branch
from
25aab85 to
2292e34
Compare
| tokio-rustls = { version = "0.26", optional = true } | ||
| rustls-platform-verifier = { version = "0.4", optional = true } |
There was a problem hiding this comment.
I've paged this out already (blame the holiday 😅), but do we have types from either of these in our public API (esp. in trait implementations)? If so, this change will require a major version bump for faktory as well.
There was a problem hiding this comment.
Our TlsStream derefs to tokio_rustls' stream.
Besides, TlsStream::with_client_config accepts a config struct from rustls. We are using rustls re-exported from tokio_rustls, and a major bump also took place there.
As for rustls-platform-verifier - it's not part of our API.
There was a problem hiding this comment.
So this probably - and unfortunately - should be a 0.14.0 release candidate.
There was a problem hiding this comment.
Ah, that's unfortunate. Yeah, I think let's maybe hold off then in case we see other breaking changes coming down the line 👍
This change is