chore(deps): Update Rust dependencies #1530
base: main
Thanks for your contribution!
@@ -2,7 +2,7 @@ version: 2 | |||
|
|||
updates: | |||
- package-ecosystem: "docker" | |||
directory: "/" | |||
directory: "/.release" |
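Review bot: the change of the docker `directory` from "/" to "/.release" is not explained anywhere in this PR and, as the thread below points out, has nothing to do with updating Rust dependencies; split it into its own commit whose message states the intent (the Dockerfile Dependabot should watch lives under `.release/`, so the old root directory produced no updates), or at least say so in the PR description so reviewers can judge it separately.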
This change is unrelated.
Unrelated? Did you ever wonder why there have been no updates in https://github.com/getsops/sops/commits/main/.release? 😉
This has nothing to do with Rust. This PR is for updating Rust dependencies.
serde_json = "1.0.99" | ||
serde_yaml = "0.9.22" | ||
serde_json = "1.0" | ||
serde_yaml = "0.9" |
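Review bot: dropping the patch component lowers the minimum version Cargo accepts without changing the maximum: `"1.0.99"` means >=1.0.99,<2.0.0 while `"1.0"` means >=1.0.0,<2.0.0, and `"0.9"` admits anything from 0.9.0 up to but excluding 0.10.0. The floor the project was tested against therefore survives only in Cargo.lock, and only if CI builds with it (`cargo build --locked`). If the aim is to let Dependabot bump versions, keep the currently tested patch version as the minimum and let Dependabot raise it.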
Why are you removing the patch versions for most of the dependencies? Did you verify that the tests also work fine with lower patch versions?
It seems to be best practice for Rust dependencies to always require the latest patch version in every build.
How does this affect your test results?
I tested what I could; your project doesn't provide e2e test scripts for developers, so the 2 vault tests failed, and therefore contributors have to rely on your CI pipelines.
Wouldn't it be much better for your users if you would care more for build security than allegedly incompatible patch versions of test dependencies? 🤔
https://blog.rust-lang.org/2023/08/03/cve-2023-38497.html
Why are you using an ancient rust 1.70.0 toolchain for 2 days?
> It seems to be best practice for Rust dependencies to always require the latest patch version in every build.

Sounds good to me.

> Wouldn't it be much better for your users if you would care more for build security than allegedly incompatible patch versions of test dependencies? 🤔

I'm not sure what you're trying to imply here. I asked a simple question here, I didn't say you have to revert to the previous state. I personally do care for build security, but I'm not that familiar with all the tools used in the SOPS build pipeline.

> https://blog.rust-lang.org/2023/08/03/cve-2023-38497.html Why are you using an ancient rust 1.70.0 toolchain for 2 days?

How come you assume we're using it for 2 days? We have been using Rust 1.70.0 for a long time already, the only thing that changed is the place where 1.70.0 is configured. (Which makes it easier to update that version to something less ancient.)
Also in CI one often pins all dependencies, and uses things like Dependabot to update them. That prevents random CI failures due to updated dependencies that sneaked in without explicit approval.
Since you added a Dependabot config for Cargo in this PR, I don't really understand why you remove the patch versions here.
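To make the pinning question concrete, here is an added example (not code from this PR or from the sops project) that applies Cargo's caret requirement semantics to constructed Cargo.toml and Cargo.lock fragments; the `serde_json` 1.0.50 lock entry is an invented older resolution, used only to show what the loosened requirement now accepts.

```python
"""Evaluate Cargo caret version requirements against Cargo.lock entries."""
import re

# Constructed Cargo.toml fragments mirroring the two states discussed in this PR.
CARGO_TOML_BEFORE = '''
[dependencies]
serde_json = "1.0.99"
serde_yaml = "0.9.22"
'''
CARGO_TOML_AFTER = '''
[dependencies]
serde_json = "1.0"
serde_yaml = "0.9"
'''
# Constructed Cargo.lock; the 1.0.50 entry is invented, not a real resolution.
CARGO_LOCK = '''
[[package]]
name = "serde_json"
version = "1.0.50"

[[package]]
name = "serde_yaml"
version = "0.9.22"
'''

def parse_version(text):
    return tuple(int(p) for p in text.split("."))

def caret_range(req):
    """Cargo caret semantics: "1.0" -> >=1.0.0,<2.0.0; "0.9" -> >=0.9.0,<0.10.0."""
    parts = [int(p) for p in req.strip().lstrip("^").split(".")]
    lower = tuple(parts + [0] * (3 - len(parts)))
    nonzero = [i for i, p in enumerate(parts) if p != 0]
    bump = nonzero[0] if nonzero else len(parts) - 1  # leftmost non-zero component
    upper = parts[:bump] + [parts[bump] + 1] + [0] * (2 - bump)
    return lower, tuple(upper)

def satisfies(version, req):
    lower, upper = caret_range(req)
    return lower <= parse_version(version) < upper

def violations(cargo_toml, cargo_lock):
    """Return {crate: locked_version} for each lock entry outside its requirement."""
    reqs = dict(re.findall(r'^\s*([\w-]+)\s*=\s*"([^"]+)"\s*$', cargo_toml, re.M))
    locked = re.findall(r'\[\[package\]\]\s*name = "([^"]+)"\s*version = "([^"]+)"', cargo_lock)
    return {name: ver for name, ver in locked if name in reqs and not satisfies(ver, reqs[name])}

if __name__ == "__main__":
    print("before:", violations(CARGO_TOML_BEFORE, CARGO_LOCK))  # {'serde_json': '1.0.50'}
    print("after: ", violations(CARGO_TOML_AFTER, CARGO_LOCK))   # {}
```

The old requirement rejects the downgraded lock entry, the new one accepts it, which is why the committed Cargo.lock and `--locked` builds become the only guard once patch versions are dropped.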
@reneleonhardt ping
Signed-off-by: Rene Leonhardt <65483435+reneleonhardt@users.noreply.github.com>