cyclonedx-rust-cargo
chore: update dependencies to newer versions
Mainly to update jsonschema -> reqwest -> hyper to a 1.x version.
Sorry, but I have no idea what to do about that nix flake issue.
I think a better idea is to just disable the resolve* features that pull in hyper. We really don't want to pull in the entirety of reqwest, hyper and tokio unconditionally from a serialization/deserialization crate.
Also that's definitely a no on the packageurl upgrade - that's certainly semver-breaking, and if we're breaking semver we should just switch to the purl crate which is much better all around.
Ok, I'll try to update the PR tomorrow.
The jsonschema crate pulls in a lot of dependencies and shouldn't be a runtime dependency at all. We should turn it into a dev-dependency. There is now an issue about it: https://github.com/CycloneDX/cyclonedx-rust-cargo/issues/741
Ok, I changed it to the following:
- packageurl is back to 0.3
- jsonschema is an optional dependency, enabled by default. As the validate method is a public method, that would break the API. This can be turned into off-by-default with the next breaking release.
- Also, jsonschema has default-features=false, which is sufficient for this crate
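The manifest shape described in the comment above, as an added example (not the project's own Cargo.toml); the jsonschema version is a placeholder and the feature name "json-schema" is an assumption:

```toml
# Cargo.toml fragment (constructed example, not the project's manifest).
# The jsonschema version is a placeholder; "json-schema" is a hypothetical feature name.

[dependencies]
# Stays on 0.3: bumping packageurl is semver-breaking, as noted in the thread.
packageurl = "0.3"

# optional = true: only compiled when the feature below is enabled.
# default-features = false: skips jsonschema's own default features (the
# resolve* features), which is what pulled reqwest -> hyper -> tokio into a
# serialization/deserialization crate that should not carry them at all.
jsonschema = { version = "<jsonschema-version>", optional = true, default-features = false }

[features]
# Validation stays on by default so the public validate method keeps working
# for existing users; switching this to off-by-default is the breaking change
# deferred to the next major release. Users who already build with
# default-features = false are the one group this change affects.
default = ["json-schema"]
json-schema = ["dep:jsonschema"]
```

In the library source, the validate method and its jsonschema imports are then gated with `#[cfg(feature = "json-schema")]` so the crate still compiles when the feature is disabled.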
Turning jsonschema into an optional feature is a breaking change if someone was using the crate with default-features = false, but I don't think anyone has been doing that on account of the crate not having any features. So that sounds like a reasonable short-term fix.
The Nix flake CI is failing due to increased MSRV. It expects 1.70, while this PR bumps it to 1.74. 1.74 is very recent, and I think we would like to stick to 1.70 for now.
What is the motivation for the upgrades? We could consider bumping it if it's really worth it.
Since this appears to have stalled, I started pruning the dependency tree myself. See #744 and #746
Sorry for that. Yes, that might be quicker.
We've dropped reqwest entirely in #744 and #750, so I'm going to go ahead and close this.