traits icon indicating copy to clipboard operation
traits copied to clipboard
verified publisher icon RustCrypto

generic-array 0.x deprecation warnings

Open Turbo87 opened this issue 3 months ago • 13 comments

The crypto-common crate depends on [email protected] which was deprecated a couple of hours ago (see https://github.com/fizyk20/generic-array/commit/d859e59b29412c8434563716e418884c6a9266b2).

Should the dependency be updated to generic-array@1?

I noticed in some other places we migrated from generic-array to hybrid-array instead. Would that be a better direction?

In any case, I supposed this will require a breaking change release for the crypto-common crate and probably all crates depending on it too, since generic-array is used in the public API of the crypto-common crate.

/cc @tarcieri

Turbo87 avatar Oct 13 '25 09:10 Turbo87

We can not do anything on our side apart from releasing new crate versions which use hybrid-array. Also, see the generic-array issue: https://github.com/fizyk20/generic-array/issues/158

newpavlov avatar Oct 13 '25 09:10 newpavlov

We can not do anything on our side apart from releasing new crate versions which use hybrid-array.

yeah, that was my suggestion. is there a reason why we shouldn't do that?

Turbo87 avatar Oct 13 '25 09:10 Turbo87

There are some minor blockers which I would like to resolve before cutting new releases. Hopefully, it will be done before the year's end.

I believe that the best near-term solution would be to remove the deprecation warning from generic-array v0.14.

newpavlov avatar Oct 13 '25 09:10 newpavlov

I see, thanks

Turbo87 avatar Oct 13 '25 09:10 Turbo87

@newpavlov seems like we're going to get a lot of these. It would probably be good to wrap things up sooner than later

tarcieri avatar Oct 13 '25 18:10 tarcieri

Reopened as suggested on #2041

tarcieri avatar Oct 15 '25 00:10 tarcieri

When can we expect the version that fixes this, and what will be its MSRV? This is currently breaking https://github.com/zip-rs/zip2, and I'm not prepared to make all other dependencies harder to update by removing Cargo.lock from .gitignore (which isn't recommended for libraries anyway).

Pr0methean avatar Oct 26 '25 21:10 Pr0methean

We plan to release new versions before the year's end. MSRV will be equal to 1.85.

The easiest solution in the near term is to pin generic-array to v0.14.7 either by committing Cargo.lock (it works fine for libraries as you can see in our repos) or by adding generic-array = "=0.14.7" to your Cargo.toml. I know that the latter can be brittle and generally is not recommended, but it should work fine in this particular case.

newpavlov avatar Oct 26 '25 22:10 newpavlov

Could a patch release of digest add the generic-array = "=0.14.7" pin to its Cargo.toml, so this doesn't need to be worked around (and then eventually un-worked-around) in every downstream crate?

oconnor663 avatar Nov 11 '25 15:11 oconnor663

Sounds plausible, possibly in crypto-common so it works for both cipher and digest

tarcieri avatar Nov 11 '25 16:11 tarcieri

@oconnor663 Good idea! I should've considered it sooner.

newpavlov avatar Nov 12 '25 11:11 newpavlov

crypto-common v0.1.7 with pinned generic-array is released! Downstream users should be able to remove the pinning in their crates after cargo update.

newpavlov avatar Nov 12 '25 14:11 newpavlov

Confirmed! Thanks a million.

oconnor663 avatar Nov 12 '25 16:11 oconnor663