chore(deps): Update Rust dependencies #1530
Conversation
| @@ -2,7 +2,7 @@ version: 2 | |||
|
|
|||
| updates: | |||
| - package-ecosystem: "docker" | |||
| directory: "/" | |||
| directory: "/.release" | |||
There was a problem hiding this comment.
This change is unrelated.
There was a problem hiding this comment.
Unrelated? Did you ever wonder why there have been no updates in https://github.com/getsops/sops/commits/main/.release? 😉
There was a problem hiding this comment.
This has nothing to do with Rust. This PR is for updating Rust dependencies.
| serde_json = "1.0.99" | ||
| serde_yaml = "0.9.22" | ||
| serde_json = "1.0" | ||
| serde_yaml = "0.9" |
There was a problem hiding this comment.
Why you are removing the patch versions for most of the dependencies? Did you verify that the tests also work fine with lower patch versions?
There was a problem hiding this comment.
It seems best practice for Rust dependencies to require always the latest patch version in every build.
How does this affect your tests results?
I tested what I could, your project doesn't provide e2e test scripts for developers, so the 2 vault tests failed, therefore contributors have to rely on your CI pipelines.
Wouldn't it be much better for your users if you would care more for build security than allegedly incompatible patch versions of test dependencies? 🤔
https://blog.rust-lang.org/2023/08/03/cve-2023-38497.html
Why are you using an ancient rust 1.70.0 toolchain since 2 days?
There was a problem hiding this comment.
It seems best practice for Rust dependencies to require always the latest patch version in every build.
Sounds good to me.
Wouldn't it be much better for your users if you would care more for build security than allegedly incompatible patch versions of test dependencies? 🤔
I'm not sure what you're trying to imply here. I asked a simple question here, I didn't say you have to revert to the previous state. I personally do care for build security, but I'm not that familiar with all the tools used in the SOPS build pipeline.
https://blog.rust-lang.org/2023/08/03/cve-2023-38497.html Why are you using an ancient rust 1.70.0 toolchain since 2 days?
How come you assume we're using it since 2 days? We have been using Rust 1.70.0 for a long time already, the only thing that changed is the place where 1.70.0 is configured. (Which makes it easier to update that version to something less ancient.)
There was a problem hiding this comment.
Also in CI one often pins all dependencies, and uses things like Dependabot to update them. That prevents random CI failures due to updated dependencies that sneaked in without explicit approval.
Since you added a Dependabot config for Cargo in this PR, I don't really understand why you remove the patch versions here.
|
@reneleonhardt ping |
reneleonhardt
force-pushed
the
updates-rust
branch
from
3a7284c
to
54f3d8d
Compare
Signed-off-by: Rene Leonhardt <65483435+reneleonhardt@users.noreply.github.com>
reneleonhardt
force-pushed
the
updates-rust
branch
from
54f3d8d
to
1fee572
Compare
Features