cargo-msrv
cargo-msrv copied to clipboard
Be more flexible with regenerated lockfiles caused by providing --ignore-lockfile
By ignoring the lockfile, it will be regenerated for each run. The idea behind it is that we can have some compatibility for different lock file versions. However, even with a lockfile, a dependency version may be updated to a (hopefully semver compatible) version which falls within the semver requirements. If some dependency then introduces a change which breaks our MSRV, while Cargo pulls in a specified, newer, matching semantic version, we may still fail.
As an example: if we have an dependency A, with published versions 0.1 and 0.2, and our in-repo lockfile takes 0.1 while a newly generated lockfile may take 0.2 instead, and 0.2 has a higher MSRV than 0.1, then by removing the lockfile we our MSRV changes, which is a problem for MSRV verification.
Example failure run: https://github.com/foresterre/cargo-msrv/runs/3809534104#step:8:1
In this specific case, on Rust toolchain versions below 1.46 (our MSRV is 1.42), we get the following error:
error[E0658]: `while` is not allowed in a `const fn`
--> /user/.cargo/registry/src/github.com-1ecc6299db9ec823/http-0.2.5/src/header/value.rs:85:9
|
85 | / while i < bytes.len() {
86 | | if !is_visible_ascii(bytes[i]) {
87 | | ([] as [u8; 0])[0]; // Invalid header value
88 | | }
89 | | i += 1;
90 | | }
| |_________^
|
= note: for more information, see https://github.com/rust-lang/rust/issues/52000
For the --ignore-lockfile
option itself, we'll need to figure out a strategy where we can convert between lockfile version, while keeping the versions in the Cargo.lock file the same. While in an ideal world, this error could have been prevented proper semver specifications, in the real world, such issues happen, and cargo-msrv should not overly rely on down-tree dependency specifications.
Rust sec's cargo-lock package supports translating lock files:
https://github.com/rustsec/rustsec/tree/main/cargo-lock
Lock file v3 is not yet supported, but I can't find information on what changed with v3.
Rust sec's cargo-lock package supports translating lock files:
rustsec/rustsec@
main
/cargo-lockLock file v3 is not yet supported, but I can't find information on what changed with v3.
v3 is actually supported, although that wasn't clear from the readme =).