pgvector-rust

Update Cargo.toml

Open Dylan-DPC opened this issue 1 year ago • 2 comments

Bumps the dependency to at least 2.2.3 as per the advisory

Advisory

(even though this crate may not be using the function mentioned in the advisory, it is better to bump it to ensure that there is no chance of other dependencies pulling it)

Dylan-DPC, Oct 14 '24 15:10

Hi @Dylan-DPC, thanks for the PR. From what I can tell (testing w/ rust_decimal, which incorporated this in 1.37.0):

  • If an earlier version of Diesel is installed, this will pull in an earlier version of pgvector
  • If a later version of Diesel is installed, there is no change in behavior
  • If Diesel is not already installed, Cargo will pull in the latest version (no change in behavior)

Based on the above, it seems like this has a drawback without any benefit (but let me know if I missed something).

ankane, May 20 '25 22:05

It looks like the benefit is dependent on how the dependency is specified in Cargo.toml.

rust_decimal = { version = "1", features = ["db-diesel2-postgres"] }

will pull in an earlier version of rust_decimal, while

rust_decimal = { version = "1.37", features = ["db-diesel2-postgres"] }

will upgrade diesel (or error if it can't be upgraded).

ankane, May 20 '25 22:05
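
As an added illustration (not part of the thread or the project's code): a minimal Rust implementation of Cargo's default caret matching, showing that a bare `1` or `2` still admits releases older than `1.37` or the advisory's `2.2.3`, while writing the floor into the requirement excludes them. The candidate versions and the bare `2` requirement are constructed for the example, and prerelease tags are not handled.

```rust
// Added example: Cargo's default (caret) matching for a bare version string.
// Prerelease and build metadata are not handled.
type Version = (u64, u64, u64);

/// Parse "1", "1.37" or "2.2.3" into one to three numeric components.
fn parse_parts(s: &str) -> Option<Vec<u64>> {
    let parts: Option<Vec<u64>> =
        s.trim().split('.').map(|p| p.parse::<u64>().ok()).collect();
    parts.filter(|p| p.len() <= 3)
}

/// Half-open range [min, max) admitted by a caret requirement.
fn caret_bounds(req: &str) -> Option<(Version, Version)> {
    let p = parse_parts(req)?;
    let get = |i: usize| p.get(i).copied().unwrap_or(0);
    let min = (get(0), get(1), get(2));
    // Bump the leftmost non-zero component; if all written components are
    // zero, bump the last one that was written.
    let max = if min.0 > 0 || p.len() == 1 {
        (min.0 + 1, 0, 0)
    } else if min.1 > 0 || p.len() == 2 {
        (0, min.1 + 1, 0)
    } else {
        (0, 0, min.2 + 1)
    };
    Some((min, max))
}

/// Does `req` (as written in Cargo.toml) admit the full version `version`?
fn admits(req: &str, version: &str) -> Option<bool> {
    let (min, max) = caret_bounds(req)?;
    let v = parse_parts(version)?;
    if v.len() != 3 {
        return None;
    }
    let v = (v[0], v[1], v[2]);
    Some(min <= v && v < max)
}

fn main() {
    // Constructed candidates around the floors mentioned in the thread.
    let cases = [("2", "2.2.2"), ("2.2.3", "2.2.2"), ("2.2.3", "2.2.3"),
                 ("1", "1.36.0"), ("1.37", "1.36.0"), ("1.37", "1.37.0")];
    for (req, ver) in cases {
        println!("{req:>6} admits {ver:<7} -> {:?}", admits(req, ver));
    }
}
```

The requirement only bounds what the resolver may select; which admitted version ends up in `Cargo.lock` depends on the rest of the dependency graph.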

Closing this as it's been a while and there might be newer versions, so I feel this is better if we do it fresh.

Dylan-DPC, Oct 23 '25 14:10