-
Notifications
You must be signed in to change notification settings - Fork 171
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Downgrade serde #1092
Downgrade serde #1092
Conversation
Serde v1.0.172 introduced precompiled serde derive macros, which in many use cases is an unacceptable risk. Until the situation is resolved, nats client will stick to the last serde version without the precompiled, nonreproducible blob build outside of visible and auditable processes. More info: serde-rs/serde#2538 Signed-off-by: Tomasz Pietrek <tomasz@nats.io>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM!
This does not actually downgrade serde, if you want to fix the serde version use the https://doc.rust-lang.org/cargo/reference/specifying-dependencies.html
Alternatively as a library you should be providing a range of supported versions
I dont know what features you use, so i just specified |
I think there are a few things we can learn from this PR. a. Requiring an higher semver version than necessaryEvery now and then a PR like #1065 is made to this repository in order to bump the patch versions of dependencies in Pros
Cons
My preference, and what most projects seem to be kind of following, is requiring the widest semver range that gets the crate to compile, with the following exceptions:
I watch many repositories just out of curiosity. Sometimes external contributors send PRs to bump dependencies patch versions. Most of the time I saw this happening was because the submitter didn't understand how semver worked, or didn't know of the existence of In short, without the patch version bump part of #1065, this PR wouldn't need to exist. b. Capping the semver versionWhile I agree with downgrading This is because while cargo can handle duplicate dependency versions of the same crate, for example you can have a project that requires both This has already caused issues in the past with other crates. For example some Because of this, I feel like this move only ends up annoying users at the end. cargo would be a giant pain to use if this was done more often. |
time-rs/time#611 might be interesting too. |
My initial idea, as a first, least intrusive step, was for Then, as a possible follow-up PR (after seeing to what solution community gravitates to), use a range. That PR would add a CI check that runs EDIT: Those are excellent points @paolobarbolini :) |
closing in favor #1094 Thank you all for your insights and opinions. It helped us approach the situation without friction for |
Serde v1.0.172 introduced precompiled serde derive macros, which in many use cases, is an unacceptable risk.
Until the situation is resolved, nats client will stick to the last serde version without the precompiled, nonreproducible blob built outside of visible and auditable processes.
More info: serde-rs/serde#2538
Signed-off-by: Tomasz Pietrek tomasz@nats.io