rust-payjoin icon indicating copy to clipboard operation
rust-payjoin copied to clipboard

Published 20 hours ago verified publisher icon payjoin

Cargo-minimal.lock and Cargo-recent.lock have the same contents. Is this right?

Open DanGould opened this issue 10 months ago • 4 comments

sha256sum Cargo-minimal.lock Cargo-recent.lock cfc03189fb6e75ba99b0b74b0abf46e942c96c99ef2266538e99d7a7ec746ffb Cargo-minimal.lock cfc03189fb6e75ba99b0b74b0abf46e942c96c99ef2266538e99d7a7ec746ffb Cargo-recent.lock

I have been running ./contrib/update-lock-files.sh once to get CI to pass thinking it automatically handled locking MSRV dependencies. But I don't see that they're actually different.

  • [x] Check the commit log to see where they unified, if ever
    • The initial commit from #357 20208ec069e0808b1c22c8af73c8de56f28f3edb has them unified
  • [x] If not, describe how our CI passes MSRV tests without locking
    • Both lock files have sufficiently low dependencies that they pass MSRV, e.g. reqwest 0.12.4 (tested with `cargo +1.63 build --locked)
  • [ ] Fix the script to accommodate MSRV dependency requirements

s/o @nothingmuch for discovering this

DanGould avatar Jan 02 '25 20:01 DanGould

is the purpose of the minimal lockfile just to work with msrv or are there other reasons?

is the purpose of recent to always be as up to date as possible?

somewhat relatedly, cargo audit is unhappy with some of our deps, and machete suggests some dependencies for removal. i'm wrapping up the flake stuff where this came up, and will open separate issues & draft PRs for these, but resolving them depends on the answer to this question IMO

nothingmuch avatar Jan 02 '25 21:01 nothingmuch

is the purpose of recent to always be as up to date as possible?

and if so, then this probably merits a daily or weekly automated update PR in a github workflow, assuming we trust the end to end tests enough that they will reliably discover if anything breaks

nothingmuch avatar Jan 02 '25 21:01 nothingmuch

~~This is also the case in rust-bitcoin as far as I can tell, and I'm confused about it.~~

false alarm, only our lock files are incorrect, so we can learn how this works by studying rust-bitcoin. My cursory understanding is that the purpose of recent is to be as up to date as the last person who made a PR and minimal should be the minimum required deps, but in practice minimal may just be a local maximum that satisfies MSRV.

DanGould avatar Mar 11 '25 15:03 DanGould

Looks like Rust-bitcoin is actually only using the script to update Cargo-minimal.lock and Cargo-recent.lock actually requires manual intervention, evidenced by https://github.com/rust-bitcoin/rust-bitcoin/issues/2844 and https://github.com/rust-bitcoin/rust-bitcoin/issues/3311

DanGould avatar Mar 11 '25 17:03 DanGould