Upgrade packages flagged in Dependabot alerts #388

Closed
rhigman opened this issue Jun 7, 2022 · 3 comments · Fixed by #406 or #509

Comments

@rhigman
Member

rhigman commented Jun 7, 2022

No description provided.

@rhigman
Member Author

rhigman commented Jul 6, 2022

  • Alerts 21 and 5 are blocked on release of failure >0.1.8.
  • Alert 23 is blocked on release of chrono >0.4.19.
  • Alert 1 requires a full upgrade to yew 0.19.3, which removes the anymap dependency. This will partly be fixed by "Upgrade yew to v0.19.3 (including yew-router upgrade to v0.16.0)" (#397), but yewtil 0.4.0 (the latest version) retains the yew 0.18.0 (and therefore anymap) dependency. This is therefore blocked on release of either yewtil >0.4.0 or anymap >0.12.1.
  • Alerts 24, 15 and 14 are blocked by wasm-pack's use of reqwest 0.9 which uses hyper 0.12 (still the case in the latest wasm-pack, 0.10.3).
  • Alert 7 is also blocked by the above, as hyper 0.12 uses tokio 0.1.
  • Alert 4 is also blocked by the above, as reqwest 0.9 uses tokio-threadpool 0.1 which uses crossbeam-utils 0.7.
  • Alerts 8, 9, 10, 11 and 12 are also blocked by the above, as wasm-pack 0.9 and 0.10 use parking_lot 0.6 which uses lock_api 0.1. They are additionally blocked by diesel's use of r2d2 0.8 which uses parking_lot 0.10 which uses lock_api 0.3 (a release candidate for diesel 2.0 is available but this has the same dependency chain).
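
The blocking chains listed in the comment above can be derived mechanically by walking the dependency graph in reverse from each flagged crate. This is an added example, not part of the original comment or the project's code; the edge-list format and the function names `parents` and `chains` are assumptions, and the edges are only those the comment states.

```rust
use std::collections::HashMap;

// "parent -> child" edges exactly as the comment states them; the format is constructed.
const EDGES: &str = "\
wasm-pack -> reqwest 0.9
reqwest 0.9 -> hyper 0.12
hyper 0.12 -> tokio 0.1
reqwest 0.9 -> tokio-threadpool 0.1
tokio-threadpool 0.1 -> crossbeam-utils 0.7
wasm-pack -> parking_lot 0.6
parking_lot 0.6 -> lock_api 0.1
diesel -> r2d2 0.8
r2d2 0.8 -> parking_lot 0.10
parking_lot 0.10 -> lock_api 0.3
";

/// Map each package to the packages that depend on it (reverse edges).
fn parents(edges: &str) -> HashMap<&str, Vec<&str>> {
    let mut map: HashMap<&str, Vec<&str>> = HashMap::new();
    for (parent, child) in edges.lines().filter_map(|l| l.split_once(" -> ")) {
        map.entry(child.trim()).or_default().push(parent.trim());
    }
    map
}

/// Every chain from a direct dependency (one nothing else pulls in) down to `target`.
fn chains<'a>(map: &HashMap<&'a str, Vec<&'a str>>, target: &'a str) -> Vec<Vec<&'a str>> {
    let mut done = Vec::new();
    let mut stack = vec![vec![target]];
    while let Some(path) = stack.pop() {
        match map.get(path[path.len() - 1]) {
            // No parent: we reached a direct dependency, so the chain is complete.
            None => done.push(path.iter().rev().copied().collect()),
            // Extend the path by each parent, skipping any already visited (cycle guard).
            Some(ps) => for p in ps.iter().filter(|p| !path.contains(*p)) {
                let mut next = path.clone();
                next.push(*p);
                stack.push(next);
            },
        }
    }
    done.sort();
    done
}

fn main() {
    let map = parents(EDGES);
    for target in ["tokio 0.1", "crossbeam-utils 0.7", "lock_api 0.1", "lock_api 0.3"] {
        for chain in chains(&map, target) { println!("{}: {}", target, chain.join(" -> ")); }
    }
}
```

Against a real checkout, `cargo tree -i <crate>` prints the same inverted view from the resolved lockfile.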

@rhigman rhigman self-assigned this Jul 6, 2022
@rhigman rhigman linked a pull request Jul 21, 2022 that will close this issue
ja573 added a commit that referenced this issue Jul 22, 2022
Upgrade packages flagged in Dependabot alerts (#388)
@rhigman rhigman removed their assignment Jul 27, 2022
@rhigman
Member Author

rhigman commented Nov 29, 2022

Alert 23 has been withdrawn.
Alert 31 is blocked on release of owning_ref >0.4.1. The package is only used by lock_api 0.1.5, so this is another issue which is blocked by wasm-pack dependencies, as above.
Alerts 27, 28, 29, 30 require upgrading to juniper 0.15.10. We are currently on 0.14.2 and there will be some breaking changes. Tracked at #457.

@ja573
Member

ja573 commented Sep 6, 2023

Most have now been closed with #509.

Ignoring yew/wasm alerts, as they will be dropped with the GUI redesign, the only alert left is related to chrono's dependency on time, which will be dropped in the next version.

@ja573 ja573 closed this as completed Sep 6, 2023
@ja573 ja573 linked a pull request Sep 6, 2023 that will close this issue