mongo-rust-driver

Deps: bump various dependencies

Open BastiDood opened this issue 3 years ago • 1 comments

Hello there! I noticed that one of my projects had multiple duplicate dependencies due to mongodb. This PR bumps up the crate versions. Most of the bumps were patch-level. The notable bumps are noted below:

| Crate | Old | New | Notes |
| --- | --- | --- | --- |
| rustls-pemfile | 0.3 | 1.0 | The changelog declares no API changes. This is a safe major version bump. |
| pbkdf2 | 0.10 | 0.11 | Now uses the 2021 edition with MSRV 1.57. |

Sadly, the time crate appears to be an unremovable duplicate crate (for now) since chrono requires the time crate at version 0.1 while bson requires it at version 0.3. The current maintainers did mention that the time dependency will be dropped "in the next semver-compatible release". Let's make sure to upgrade to it so we can finally put the CVE-2020-26235 warnings to rest. 😅

There is one issue with the pbkdf2 upgrade, though. I realized in hindsight that mongodb officially supports an MSRV of 1.56, not 1.57—just one minor release behind! With that said, I would like to propose bumping up the MSRV (by one version) in the next release.

If this is not possible yet, I wouldn't mind removing the pbkdf2 upgrade for now. It would be great to resolve this as early as possible, though, so that there would be less dependency duplication.

Thanks! 🎉

BastiDood, Aug 14 '22 05:08

Hi! Thanks for sending this. Since we haven't yet rolled out the release with the MSRV bump to 1.56, there's no problem with doing another bump to 1.57. I've authorized an Evergreen run and as long as that comes back green (modulo the MSRV check and known-flaky tests) I'll merge it. Again, thanks!

abr-egn, Aug 17 '22 15:08

Hello there! Some CI errors seem to have been triggered. Should there be any action done on my part, or are the failures unrelated to this PR?

BastiDood, Aug 18 '22 03:08

Those are unrelated, you're all good.

abr-egn, Aug 18 '22 14:08