Test failures (test_self_hosting, test_proc_macro)
Process:
I have a "bootstrap" process for cargo-auditable:
- Build cargo-auditable
- Build cargo-auditable with cargo-auditable
It seems these tests fail in both stages. I assumed they may only fail on the first one, but even after building with itself it fails.
I build it with --locked and it may be the issue?
```
cargo-auditable> error: failed to select a version for the requirement `miniz_oxide = "^0.8.0"` (locked to 0.8.0)
cargo-auditable> candidate versions found which didn't match: 0.8.9
cargo-auditable> location searched: directory source `/build/cargo-auditable-0.7.2-vendor` (which is replacing registry `crates-io`)
cargo-auditable> required by package `auditable-info v0.10.0 (/build/source/auditable-info)`
cargo-auditable> ... which satisfies path dependency `auditable-info` (locked to 0.10.0) of package `rust-audit-info v0.5.4 (/build/source/rust-audit-info)`
cargo-auditable> perhaps a crate was updated and forgotten to be re-vendored?
cargo-auditable> test test_self_hosting ... FAILED
cargo-auditable> error: failed to select a version for the requirement `serde = "^1.0.219"` (locked to 1.0.219)
cargo-auditable> candidate versions found which didn't match: 1.0.228
cargo-auditable> location searched: directory source `/build/cargo-auditable-0.7.2-vendor` (which is replacing registry `crates-io`)
cargo-auditable> required by package `proc-macro-dependency v0.1.0 (/build/source/cargo-auditable/tests/fixtures/proc-macro-dependency)`
cargo-auditable> perhaps a crate was updated and forgotten to be re-vendored?
cargo-auditable> test test_proc_macro ... FAILED
```
This happened when updating to 0.7.2 (previously was 0.6.5)
> cargo-auditable> perhaps a crate was updated and forgotten to be re-vendored?
You're using vendored crates. You need either to re-run cargo vendor or build it without --locked or both.
Unfortunately, that is not possible. I would call this a bug in the released artifact, since the lockfile does not match the released tests.
This is done inside of a sandbox that only looks at the lockfile to know what to download, running --locked is not reproducible, so that is not an option. Re-running cargo-vendor is also not possible since it just looks at the lock file.
I think your sandbox doesn't take into account rust-audit-info/Cargo.lock which is deliberately outside the workspace, so it is not covered by the toplevel Cargo.lock file, and so your sandbox that only looks at the toplevel Cargo.lock doesn't cover this case.
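A check a packager could run before an offline build to catch this class of failure, shown as an added example that is not part of the thread or of cargo-auditable: it walks every `Cargo.lock` in the source tree, not just the top-level one, and lists locked registry crates that the vendor directory does not contain. The demo tree is constructed from the paths and versions in the log above; the presence of a lockfile in the fixture directory and the contents of the top-level lockfile are assumptions.

```python
import re
import tempfile
from pathlib import Path

def _field(block, key):
    m = re.search(rf'^{key}\s*=\s*"([^"]*)"', block, re.M)
    return m.group(1) if m else None

def locked_registry_packages(lockfile):
    """(name, version) of every registry-sourced [[package]] entry in a Cargo.lock."""
    blocks = re.split(r'^\[\[package\]\]\s*$', lockfile.read_text(), flags=re.M)[1:]
    return {(_field(b, "name"), _field(b, "version"))
            for b in blocks if (_field(b, "source") or "").startswith("registry+")}

def vendored_packages(vendor_dir):
    """(name, version) from the [package] table of each vendored crate's Cargo.toml."""
    found = set()
    for manifest in vendor_dir.glob("*/Cargo.toml"):
        table = re.split(r'^\[', manifest.read_text().split("[package]", 1)[-1], flags=re.M)[0]
        found.add((_field(table, "name"), _field(table, "version")))
    return found

def missing_from_vendor(source_root, vendor_dir):
    """Map every Cargo.lock under source_root to its locked crates absent from vendor_dir."""
    have = vendored_packages(vendor_dir)
    gaps = {lock.relative_to(source_root).as_posix(): sorted(locked_registry_packages(lock) - have)
            for lock in source_root.rglob("Cargo.lock")}
    return {path: crates for path, crates in gaps.items() if crates}

def demo():
    """Constructed tree mirroring the versions in the log above; not the real repository."""
    reg = 'source = "registry+https://github.com/rust-lang/crates.io-index"\n'
    entry = lambda n, v: f'[[package]]\nname = "{n}"\nversion = "{v}"\n{reg}\n'
    locks = {  # lockfile path -> locked registry crates (constructed sample data)
        "Cargo.lock": [("miniz_oxide", "0.8.9"), ("serde", "1.0.228")],
        "rust-audit-info/Cargo.lock": [("miniz_oxide", "0.8.0")],
        "cargo-auditable/tests/fixtures/proc-macro-dependency/Cargo.lock": [("serde", "1.0.219")],
    }
    with tempfile.TemporaryDirectory() as tmp:
        src, vendor = Path(tmp, "source"), Path(tmp, "vendor")
        for rel, pkgs in locks.items():
            (src / rel).parent.mkdir(parents=True, exist_ok=True)
            (src / rel).write_text("version = 3\n\n" + "".join(entry(n, v) for n, v in pkgs))
        for n, v in locks["Cargo.lock"]:  # vendor only what the top-level lockfile names
            (vendor / n).mkdir(parents=True)
            (vendor / n / "Cargo.toml").write_text(f'[package]\nname = "{n}"\nversion = "{v}"\n')
        return missing_from_vendor(src, vendor)

if __name__ == "__main__":
    print(demo())
```

An empty result means every lockfile in the tree can be satisfied from the vendor directory with `--locked`; any entry names a lockfile the vendoring step did not cover.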