cargo-msrv

Be more flexible with regenerated lockfiles caused by providing --ignore-lockfile

Open foresterre opened this issue 2 years ago • 2 comments

By ignoring the lockfile, it will be regenerated for each run. The idea behind it is that we can have some compatibility for different lock file versions. However, even with a lockfile, a dependency version may be updated to a (hopefully semver compatible) version which falls within the semver requirements. If some dependency then introduces a change which breaks our MSRV, while Cargo pulls in a specified, newer, matching semantic version, we may still fail.

As an example: if we have a dependency A, with published versions 0.1 and 0.2, and our in-repo lockfile takes 0.1 while a newly generated lockfile may take 0.2 instead, and 0.2 has a higher MSRV than 0.1, then by removing the lockfile our MSRV changes, which is a problem for MSRV verification.

Example failure run: https://github.com/foresterre/cargo-msrv/runs/3809534104#step:8:1

In this specific case, on Rust toolchain versions below 1.46 (our MSRV is 1.42), we get the following error:

error[E0658]: `while` is not allowed in a `const fn`
  --> /user/.cargo/registry/src/github.com-1ecc6299db9ec823/http-0.2.5/src/header/value.rs:85:9
   |
85 | /         while i < bytes.len() {
86 | |             if !is_visible_ascii(bytes[i]) {
87 | |                 ([] as [u8; 0])[0]; // Invalid header value
88 | |             }
89 | |             i += 1;
90 | |         }
   | |_________^
   |
   = note: for more information, see https://github.com/rust-lang/rust/issues/52000

For the --ignore-lockfile option itself, we'll need to figure out a strategy where we can convert between lockfile versions, while keeping the versions in the Cargo.lock file the same. While in an ideal world, this error could have been prevented by proper semver specifications, in the real world, such issues happen, and cargo-msrv should not overly rely on down-tree dependency specifications.

foresterre, Oct 06 '21 01:10
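
One way to surface the drift described in this issue, as an added example that is not part of the thread or of cargo-msrv's code: compare the committed Cargo.lock with a regenerated one and list the packages whose locked versions differ, regardless of lockfile format version. Both lockfiles are constructed samples (only http 0.2.5 appears in the issue), and `locked_versions` and `lock_drift` are hypothetical helper names.

```rust
use std::collections::{BTreeMap, BTreeSet};
type Locked = BTreeMap<String, BTreeSet<String>>;

// Read name -> locked versions from the [[package]] tables of a Cargo.lock.
// Line-based reader for this example, not a TOML parser; `name` must precede `version`.
fn locked_versions(lock: &str) -> Locked {
    let (mut out, mut in_package, mut name) = (Locked::new(), false, None::<String>);
    for line in lock.lines().map(str::trim) {
        if line.starts_with('[') {
            // Any other table (e.g. [[patch.unused]], [metadata]) is skipped.
            in_package = line == "[[package]]";
            name = None;
        } else if let (true, Some((key, value))) = (in_package, line.split_once('=')) {
            let value = value.trim().trim_matches('"').to_string();
            match key.trim() {
                "name" => name = Some(value),
                "version" => if let Some(n) = name.take() { out.entry(n).or_default().insert(value); },
                _ => {}
            }
        }
    }
    out
}

// Packages whose locked versions differ, as `name: {old} -> {new}` lines.
fn lock_drift(committed: &str, regenerated: &str) -> Vec<String> {
    let (old, new) = (locked_versions(committed), locked_versions(regenerated));
    let names: BTreeSet<&String> = old.keys().chain(new.keys()).collect();
    let get = |m: &Locked, n: &String| m.get(n).cloned().unwrap_or_default();
    names.into_iter().filter(|n| old.get(*n) != new.get(*n))
        .map(|n| format!("{}: {:?} -> {:?}", n, get(&old, n), get(&new, n))).collect()
}

// Constructed lockfiles (old format vs. `version = 3`); only http 0.2.5 is from the issue.
const COMMITTED: &str = r#"
[[package]]
name = "bytes"
version = "1.1.0"
[[package]]
name = "http"
version = "0.2.4"
"#;
const REGENERATED: &str = r#"
version = 3
[[package]]
name = "bytes"
version = "1.1.0"
[[package]]
name = "http"
version = "0.2.5"
"#;
fn main() { for l in lock_drift(COMMITTED, REGENERATED) { println!("{}", l); } }
```

An empty result means the regenerated lockfile resolved to the same versions, so an MSRV failure cannot be blamed on dependency drift.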

RustSec's cargo-lock package supports translating lock files:

https://github.com/rustsec/rustsec/tree/main/cargo-lock

Lock file v3 is not yet supported, but I can't find information on what changed with v3.

foresterre, Oct 18 '21 23:10

> RustSec's cargo-lock package supports translating lock files:
>
> rustsec/rustsec@main/cargo-lock
>
> Lock file v3 is not yet supported, but I can't find information on what changed with v3.

v3 is actually supported, although that wasn't clear from the readme =).

foresterre, Oct 28 '21 21:10