
chore: tokio patch version update to 1.18.4 #8309

Merged
merged 2 commits into from
Jan 9, 2023

Conversation

jakmeier
Contributor

@jakmeier jakmeier commented Jan 9, 2023

replaces #8304

dependabot made us aware of bugfixes and wanted to update to 1.20.3

Instead I propose we update only the patch version and keep major/minor.
1.18.x is a LTS version and it is what we are currently using.
1.18.4 contains the same fixes the bot wants.
Updating further should be done as a conscious decision.

version = "~1.18" means we want a fixed 1.18 minor version with
the newest patch version.

The old "1.16.1" is equivalent to "^1.16.1" but in the lock file it
was fixed to "1.18.2". Since we check in the lock file and only update
versions occasionally and consciously, I suggest we use ~ which is
less confusing.

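To make concrete what `~1.18` versus the old `"1.16.1"` (implicitly `^1.16.1`) lets `cargo update` write into the lock file, here is an added example that re-implements Cargo's caret and tilde requirement rules in plain Rust. It is not code from this PR, from nearcore or from Cargo; the `published` list is a constructed sample made of the versions named on this page plus a hypothetical `2.0.0`.

```rust
// Added example: minimal model of Cargo's "^" (caret, the default for a
// bare "1.16.1") and "~" (tilde) requirement rules. Not Cargo's own code.
#[derive(Clone, Copy, Debug, PartialEq, PartialOrd)]
struct Version(u64, u64, u64);

fn parse_version(s: &str) -> Version {
    let mut it = s.split('.').map(|p| p.parse::<u64>().expect("digit"));
    Version(it.next().unwrap_or(0), it.next().unwrap_or(0), it.next().unwrap_or(0))
}

/// Inclusive lower and exclusive upper bound of one requirement string.
fn bounds(req: &str) -> (Version, Version) {
    let (op, rest) = match req.chars().next() {
        Some('~') => ('~', &req[1..]),
        Some('^') => ('^', &req[1..]),
        _ => ('^', req), // a bare "1.16.1" means "^1.16.1"
    };
    let parts: Vec<u64> = rest.split('.').map(|p| p.parse().expect("digit")).collect();
    let n = parts.len();
    let get = |i: usize| parts.get(i).copied().unwrap_or(0);
    let lo = Version(get(0), get(1), get(2));
    let hi = match op {
        '~' if n >= 2 => Version(lo.0, lo.1 + 1, 0), // ~1.18: patch bumps only
        '~' => Version(lo.0 + 1, 0, 0),              // ~1: minor bumps allowed
        _ if lo.0 > 0 => Version(lo.0 + 1, 0, 0),    // ^1.16.1: anything below 2.0.0
        _ if lo.1 > 0 || n == 2 => Version(0, lo.1 + 1, 0), // ^0.2.3 / ^0.0
        _ if n >= 3 => Version(0, 0, lo.2 + 1),      // ^0.0.3: only that patch
        _ => Version(1, 0, 0),                       // ^0
    };
    (lo, hi)
}

fn matches(req: &str, version: &str) -> bool {
    let (lo, hi) = bounds(req);
    let v = parse_version(version);
    lo <= v && v < hi
}

/// Newest release the requirement admits: what `cargo update` would
/// record in Cargo.lock if `published` were the crates.io release list.
fn newest_allowed<'a>(req: &str, published: &[&'a str]) -> Option<&'a str> {
    published.iter().copied().filter(|v| matches(req, v))
        .max_by(|a, b| parse_version(a).partial_cmp(&parse_version(b)).unwrap())
}

fn main() {
    // Constructed sample: versions named in this PR plus a hypothetical 2.0.0.
    let published = ["1.16.1", "1.18.2", "1.18.4", "1.20.3", "2.0.0"];
    for req in ["1.16.1", "~1.18"] {
        println!("{:>8} -> {:?}", req, newest_allowed(req, &published));
    }
}
```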
@jakmeier jakmeier requested a review from a team as a code owner January 9, 2023 11:38
@jakmeier jakmeier requested a review from akhi3030 January 9, 2023 11:38
@jakmeier jakmeier added the C-dependencies Category: Pull requests that update a dependency file label Jan 9, 2023
Collaborator

@akhi3030 akhi3030 left a comment


LGTM.

@near-bulldozer near-bulldozer bot merged commit 2cec9c9 into near:master Jan 9, 2023
@jakmeier jakmeier deleted the tokio-1.18.4 branch January 9, 2023 15:54
near-bulldozer bot pushed a commit that referenced this pull request May 8, 2023
[Audits](https://github.com/near/near-sdk-rs/actions/runs/4690517670/jobs/8376852068?pr=1010) in `near-sdk` highlight a security vulnerability [RUSTSEC-2023-0001](https://rustsec.org/advisories/RUSTSEC-2023-0001) that affects the Windows platform.

As far as I could tell, we're not directly impacted by this, but the severity suggests we make an upstream dep update.

#8309 (comment) pinned `tokio` to `1.18` and suggested not updating the minor version unconsciously. Whereas #8472 required a bump to `1.19`, which has no versions that patch this vulnerability.

This PR seizes the opportunity to re-pin the minor version to the latest, after which subsequent updates can uphold the bump requirement outlined in #8309.
nikurt pushed a commit that referenced this pull request May 10, 2023
@frol
Collaborator

frol commented Oct 12, 2023

The old "1.16.1" is equivalent to "^1.16.1" but in the lock file it
was fixed to "1.18.2". Since we check in the lock file and only update
versions occasionally and consciously, I suggest we use ~ which is
less confusing.

Given that parts of nearcore are released as crates and re-used in ecosystem, we should avoid pinning the dependencies unless there is a good reason for that. I vote for removing that ~.

Labels
C-dependencies Category: Pull requests that update a dependency file