Bump borsh to 0.10.3

[kevinji]

Problem

borsh is on 0.9.3 right now.

Summary of Changes

Bumps all uses of borsh to 0.10.3. The only breaking change is to the interface of BorshDeserialize, which was updated in one spot, but otherwise the serialization remains the same.

transaction-status relies on SPL which still requires borsh 0.9, so until SPL also gets updated that package alone will use an older version of borsh.

Fixes #

[joncinque]

The changes look great, thanks for doing this! Just one tiny nit to address.

There's also currently an error in CI because the Cargo.lock changes haven't been propagated to the other lockfile in programs/sbf.

To update the other lockfile, you'll need to run ./scripts/cargo-for-all-lock-files.sh tree from the top-level of the repo and then commit your changes.

I ran clippy, fmt, and the tests against this locally, so it should pass after that. Ping me here once you've updated the branch so I can kick off CI!

[kevinji]

@joncinque Just pushed a commit addressing your comments.

[kevinji]

The build failures seem to be because of SPL compile issues which would be expected for now until SPL also switches over to borsh 0.10. Is there anything that should be done here?

[joncinque]

@kevinji we had a discussion about this internally. When we upgrade borsh, we need to disable the downstream CI jobs because of the new incompatibility, e.g. #18218 (comment) --

To fix that, you'll need to comment out the lines for spl and openbook-dex and reorder at https://github.com/solana-labs/solana/blob/master/.buildkite/scripts/build-downstream-projects.sh

Since we'll need to disable CI, we'd like to hold off merging this until we're about to branch 1.16.0. The timeline for that isn't clear unfortunately, so we may need to keep this open for some time.

[kevinji]

Makes sense; feel free to leave this PR alone until that happens.

[joncinque]

Thanks so much for taking care of this so quickly and for the great work!

[codecov]

Codecov Report

Merging #30975 (b444824) into master (a787831) will decrease coverage by 0.1%.
The diff coverage is 100.0%.

@@            Coverage Diff            @@
##           master   #30975     +/-   ##
=========================================
- Coverage    81.5%    81.4%   -0.1%     
=========================================
  Files         728      728             
  Lines      205895   205986     +91     
=========================================
+ Hits       167824   167841     +17     
- Misses      38071    38145     +74     

[joncinque]

It looks like 1.16 branch cut is imminent so we should rebase and land this asap -- do you have time to do that @kevinji ? If not, I can take care of it.

Any objections about that @CriesofCarrots ?

[kevinji]

I don’t currently have the bandwidth for this so if you could take care of the rebase that would be great!

[joncinque]

@willhickey this one

[joncinque]

@kevinji thanks for being so responsive! I went ahead and rebased. @CriesofCarrots can you take one more look?

[acheroncrypto]

This bump has caused massive amounts of dependency issues for all programs that depend on other versions of borsh.

Not only this has broken all older program dependencies, it has also broken publishing to crates.io when you have various dependencies with different borsh versions.

Even with the same Solana version(1.16.0) crates differ on which borsh version they use, e.g. solana-transaction-status is still on 0.9.3 when others are not.

[joncinque]

It might be worth creating a separate issue to discuss this -- do you have an example setup that shows the issue? solana-transaction-status uses both versions

solana/transaction-status/Cargo.toml

Lines 16 to 17 in 37f51e8

	# NOTE: Use the workspace version once spl-associated-token-account uses borsh 0.10.
	borsh0-9 = { package = "borsh", version = "0.9.3" }

to get around the issue for example.

It might be that certain projects can't upgrade to 1.16 until all of the other dependencies do too, or they might need to use 1.14 and 1.16 concurrently to get around dep issues.

We've had these bumps before, and it's certainly annoying and takes time (see #18218) but it's doable

[KirillLykov]

@joncinque this PR disabled the spl and opendex downstream builds, are we ready to re-enable them and if not, are you aware if we have an issue to track this (if not I will create one)?

[joncinque]

Correct, we can re-enable them, but we'll have to add a fix to maintain borsh's transitive dependency on hashbrown to 0.12.3, since cargo will automatically upgrade it during the downstream build, causing the program builds to fail.

[KirillLykov]

Correct, we can re-enable them, but we'll have to add a fix to maintain borsh's transitive dependency on hashbrown to 0.12.3, since cargo will automatically upgrade it during the downstream build, causing the program builds to fail.

I've created an issue to track this #32378