False-positives caused by newer versions of path dependencies of the scanned crate #902
Comments
The invocation of
cc @Darksonn on the off chance you notice this while working on Scanning on new If you have opinions the
Interesting. Our CI job doesn't get any lock file as input, so I don't think we will hit this. It sounds like the proper solution would be for tokio-util to use the local Tokio in both builds being compared?
I agree, I don't think you'll hit it either. Just wanted to preemptively warn you just in case, so you don't end up debugging a phantom breaking change. Yes, we'll have to figure out a way to use the same version of
Thanks for the heads up. I guess it could potentially affect our branches used for making backports to LTS releases.
Steps to reproduce the bug with the above code
When specifying a package by path dependency, `cargo` is only willing to use that package's own declared path dependencies and ignores newer SemVer-compatible dependency versions. It refuses to update to newer versions even if explicitly asked with `cargo update` or even `cargo update --precise`.

This causes false positives. For example:
- `tokio v1.40` made some types newly become `UnwindSafe`.
- `tokio-stream`'s types newly become `UnwindSafe` across a variety of `tokio-stream` versions when used with `tokio v1.40`.
- `tokio-stream` now results in false positives:
  - `tokio-stream`, for which `cargo` resolves the `tokio` dependency to `1.40`. That means the baseline's types are `UnwindSafe`.
  - `tokio-stream` is a path dependency, for which `cargo` chooses the path dependency `tokio` version. That `tokio` is older than 1.40, so its types aren't `UnwindSafe`. As a result, the `tokio-stream` types aren't `UnwindSafe` either.
  - `tokio-stream` had `UnwindSafe` types, and the newer one did not, this is reported as a breaking change!
- `cargo update` in path dependency workspaces. #901 I was under the impression that `cargo update` inside the placeholder project we generate when creating rustdoc JSON for `tokio-stream` (where we have a path dependency to it) would result in newer `tokio`. This is not the case, due to the issue described at the top.

Repro:

Actual Behaviour

Two items:

(1) There should be a way to run `cargo update` inside a project with a path dependency to force it to use latest SemVer-compatible versions of dependencies.

(2) `cargo update --precise 1.40.0 tokio` should either upgrade `tokio` to 1.40.0 as requested, or should exit with an error. It should not completely ignore the 1.40.0 argument and exit cleanly.

Expected Behaviour

(1) `cargo update` silently does not update versions of path dependencies of a path dependency. Instead, it pins the path dependencies and their path dependencies exactly. There does not appear to be a way to override this.

The first `cargo update` run after the setup above may update some non-path-related dependencies. Subsequent `cargo update` runs will look like this, and will not upgrade `tokio` to 1.40.0 nor mention it in any way.

(2) `cargo update --precise 1.40.0 tokio` completely ignores the `--precise 1.40.0` requirement, and exits cleanly as a no-op.

Generated System Information
Software version
cargo-semver-checks 0.34.0
Operating system
Linux 5.15.153.1-microsoft-standard-WSL2
Command-line
cargo version
Compile time information
Build Configuration
No response
Additional Context
No response
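
An added example, not code from this issue or from cargo-semver-checks: one way to catch the condition behind this false positive is to compare the `Cargo.lock` files of the baseline build and the current build and report any crate the two resolved to different versions. The lockfile excerpts and their version numbers are constructed, and `parse_lock` and `resolution_drift` are hypothetical names.

```python
import re

# Constructed lockfile excerpts (versions illustrative); path deps have no `source`.
BASELINE_LOCK = '''
[[package]]
name = "tokio"
version = "1.40.0"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "tokio-stream"
version = "0.1.16"
source = "registry+https://github.com/rust-lang/crates.io-index"
'''
CURRENT_LOCK = '''
[[package]]
name = "tokio"
version = "1.39.0"

[[package]]
name = "tokio-stream"
version = "0.1.16"
'''

FIELD = re.compile(r'^(name|version|source) = "([^"]*)"$', re.M)
def parse_lock(text):
    """Map package name -> set of (version, source or None)."""
    packages = {}
    for chunk in text.split("[[package]]")[1:]:
        fields = dict(FIELD.findall(chunk))
        entry = (fields["version"], fields.get("source"))
        packages.setdefault(fields["name"], set()).add(entry)
    return packages

def resolution_drift(baseline_lock, current_lock):
    """List crates that the two builds resolved to different versions."""
    base, cur = parse_lock(baseline_lock), parse_lock(current_lock)
    drift = []
    for name in sorted(base.keys() & cur.keys()):
        base_versions = sorted(v for v, _ in base[name])
        cur_versions = sorted(v for v, _ in cur[name])
        if base_versions != cur_versions:
            # No `source` key means cargo took the crate from a local path.
            from_path = any(src is None for _, src in cur[name])
            drift.append((name, base_versions, cur_versions, from_path))
    return drift

if __name__ == "__main__":
    for name, old, new, from_path in resolution_drift(BASELINE_LOCK, CURRENT_LOCK):
        print(f"{name}: baseline {old} vs current {new} (path dep: {from_path})")
```

A non-empty result means any difference reported between the two builds may come from the dependency version rather than from the scanned crate itself.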