
chore(deps): update Cargo.lock #5755

Merged
merged 9 commits into from
Dec 27, 2024

Conversation

@hanabi1224 (Contributor) commented Dec 20, 2024

Description

  • run cargo update
  • lock webrtc-ice = "=0.10.0" to not break webrtc smoke tests
  • fix cargo clippy warnings
  • update deny.toml accordingly

Notes & open questions

Change checklist

  • I have performed a self-review of my own code
  • I have made corresponding changes to the documentation
  • I have added tests that prove my fix is effective or that my feature works
  • A changelog entry has been made in the appropriate crates

@hanabi1224 hanabi1224 marked this pull request as ready for review December 20, 2024 18:46
@drHuangMHT (Contributor) commented

Dependencies are managed by bots automatically, I don't think it is a good idea to just run cargo update and then done. cc @jxs

@hanabi1224 (Contributor, Author) commented Dec 24, 2024

@drHuangMHT As I understand, dependabot manages only direct dependencies, while cargo update bumps all indirect dependencies as well. Also, since libp2p works as libraries, having Cargo.lock in source control could give some false sense of security, it's important to regularly update all indirect dependencies. e.g. libp2p-webrtc smoke test scenario does not work without locking webrtc-ice = "=0.10.0", or exclude Cargo.lock from source control.

> However, this determinism can give a false sense of security because Cargo.lock does not affect the consumers of your package, only Cargo.toml does that.
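The point in the comment above rests on how Cargo interprets version requirements: a plain `"0.10.0"` in Cargo.toml is a caret requirement that `cargo update` is free to bump within the `0.10.x` series, while `"=0.10.0"` is an exact pin that the resolver cannot move. The following added example (written for this discussion, not code from rust-libp2p or Cargo) models those two requirement kinds for `MAJOR.MINOR.PATCH` versions and shows which candidate a `cargo update`-style "pick the highest matching version" step would select; the candidate version list is constructed for the example and is not webrtc-ice's real release history.

```rust
use std::fmt;

/// A plain MAJOR.MINOR.PATCH version. Field order gives lexicographic `Ord`.
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub struct Version {
    pub major: u64,
    pub minor: u64,
    pub patch: u64,
}

impl Version {
    /// Parse "MAJOR.MINOR.PATCH"; pre-release tags and build metadata are out of scope here.
    pub fn parse(s: &str) -> Option<Version> {
        let mut parts = s.trim().split('.').map(|p| p.parse::<u64>().ok());
        let major = parts.next()??;
        let minor = parts.next()??;
        let patch = parts.next()??;
        if parts.next().is_some() {
            return None; // more than three components
        }
        Some(Version { major, minor, patch })
    }
}

impl fmt::Display for Version {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        write!(f, "{}.{}.{}", self.major, self.minor, self.patch)
    }
}

/// The two requirement kinds discussed in the thread: Cargo's default caret
/// requirement (`"0.10.0"` or `"^0.10.0"`) and an exact pin (`"=0.10.0"`).
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Req {
    Exact(Version),
    Caret(Version),
}

impl Req {
    pub fn parse(s: &str) -> Option<Req> {
        let s = s.trim();
        if let Some(rest) = s.strip_prefix('=') {
            Version::parse(rest).map(Req::Exact)
        } else {
            // A bare "0.10.0" means the same as "^0.10.0" in Cargo.
            Version::parse(s.strip_prefix('^').unwrap_or(s)).map(Req::Caret)
        }
    }

    /// Caret rule: the leftmost non-zero component may not change.
    pub fn matches(&self, v: Version) -> bool {
        match *self {
            Req::Exact(e) => v == e,
            Req::Caret(base) => {
                if v < base {
                    return false;
                }
                if base.major > 0 {
                    v.major == base.major // ^1.2.3 => >=1.2.3, <2.0.0
                } else if base.minor > 0 {
                    v.major == 0 && v.minor == base.minor // ^0.2.3 => >=0.2.3, <0.3.0
                } else {
                    v.major == 0 && v.minor == 0 && v.patch == base.patch // ^0.0.3 => =0.0.3
                }
            }
        }
    }
}

/// Models the selection step of `cargo update`: among the candidate versions,
/// take the highest one that satisfies the requirement.
pub fn resolve_highest(req: &str, candidates: &[&str]) -> Option<String> {
    let req = Req::parse(req)?;
    candidates
        .iter()
        .filter_map(|c| Version::parse(c))
        .filter(|v| req.matches(*v))
        .max()
        .map(|v| v.to_string())
}

/// Constructed candidate list for the example (hypothetical, not the crate's real releases).
pub const WEBRTC_ICE_CANDIDATES: [&str; 4] = ["0.10.0", "0.10.1", "0.11.0", "0.12.1"];

fn main() {
    for req in ["0.10.0", "=0.10.0"] {
        match resolve_highest(req, &WEBRTC_ICE_CANDIDATES) {
            Some(v) => println!("webrtc-ice = {req:?} resolves to {v}"),
            None => println!("webrtc-ice = {req:?} has no matching candidate"),
        }
    }
}
```

With the caret requirement the resolver may move to `0.10.1` (and, had a `0.10.2` been published, to that), which is exactly the drift the pin `webrtc-ice = "=0.10.0"` in the PR prevents; the trade-off is that an exact pin also blocks patch releases until someone bumps it by hand.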

@jxs (Member) left a comment

Thanks for this @hanabi1224!

> @drHuangMHT As I understand, dependabot manages only direct dependencies, while cargo update bumps all indirect dependencies as well. Also, since libp2p works as libraries, having Cargo.lock in source control could give some false sense of security, it's important to regularly update all indirect dependencies. e.g. libp2p-webrtc smoke test scenario does not work without locking webrtc-ice = "=0.10.0", or exclude Cargo.lock from source control.
>
> > However, this determinism can give a false sense of security because Cargo.lock does not affect the consumers of your package, only Cargo.toml does that.

yeah this PR is also helpful due to the webrtc-ice freeze, can you just address the comment?
Thanks!

deny.toml: review comment (outdated, resolved)
@jxs jxs added the send-it label Dec 27, 2024
@mergify mergify bot merged commit 1ab4658 into libp2p:master Dec 27, 2024
70 of 71 checks passed
@hanabi1224 hanabi1224 deleted the cargo-update branch December 28, 2024 09:14
jxs pushed a commit to jxs/rust-libp2p that referenced this pull request Jan 6, 2025
- run `cargo update`
- lock `webrtc-ice = "=0.10.0"` to not break webrtc smoke tests
- fix `cargo clippy` warnings
- update `deny.toml` accordingly

Pull-Request: libp2p#5755.