-
-
Notifications
You must be signed in to change notification settings - Fork 78
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for using lock files #991
Comments
Hi, thanks for opening this issue. I'd like to get a bit more context on the workflow you're using and the specific use case, to make sure I understand everything properly. Additionally, could you say more about this part?
I'm having trouble reconciling this with the fact that developers specify the ranges or exact versions they want in Separately, could you describe the possible security issue you are referring to? Note that |
Hi @obi1kenobi! Thanks for asking more questions. We use The
When Even if I update the dependency version specifier on the https://github.com/stellar/rs-soroban-sdk/actions/runs/11672542695/job/32501403700
We commit lock files so that our builds are consistent, and we're 100% in control of what dependencies, and what versions of dependencies, are in use in our CI environments (that may have access to credentials like a crates.io auth token), and in use on our workstations. We choose when we change dependencies in our development workflows. |
Ah hmm interesting. Tricky case for sure, thank you for bringing it to my attention. Thanks also for the additional context. In addition to worrying about rust-lang/cargo#13447, I need to figure out a couple more things here: When crates re-export foreign crates' types, ignoring the lockfile is usually the desirable behavior because it accurately reflects what would happen on a new We also cannot say "use the lockfile in the current project but if it's missing on crates.io just re-lock from there." That would lead to "back to the future" style bugs: say your library re-exports a 3rd party crate's type, then re-locking the crates.io version can produce a newer version of that dependency in the baseline than in the current version. API additions to that newer dependency version (in the baseline) are not present in the older dependency version (in your current lockfile) — it looks like your current package has deleted things from its public API! This has happened before e.g. in #167. A good solution to this issue shouldn't be "just a different kind of footgun" than we already have. I need to figure out how to make that happen, and whether rust-lang/cargo#13447 makes progress or not is also a key question here. Sorry I don't have a more immediately-useful answer here! Btw, if cargo-semver-checks has been useful to your project, I'd really appreciate if your org started sponsoring me on GitHub 💖 |
Similar tensions exist with the use of It may be desirable for some folks to run |
A specific concern is whether
This axis is something other cargo components don't have to worry about, so we don't have a good precedent to go on =/ |
Based on the options on the current command, I think it would be reasonable to have In either case if there's no lock file, then I think it's reasonable to fail. The tool doesn't need to solve problems that the developer can control. |
Describe your use case
When running
cargo semver-checks
no lock files appear to be used, either for the current / local version of the crate, or for versions of the crate downloaded from crates.io.This creates a reproducibility issue. When crates publish releases that do not follow semver exactly, semver may fail to compile if no lock files is used. It also creates a situation where one run of the semver-check and a subsequent run can have different inputs and outputs, meaning no reproducibility in CI.
This creates a security issue. Some times use lock files to ensure that the developer is exclusively in control of what versions of dependencies are installed and in use. This is to avoid the problem that just before running a command a crate is compromised and a malware version is uploaded for it. Today using semver-checks as it is appears to expose us to that possibility when other cargo commands provide the --locked option.
Describe the solution you'd like
The ability to pass
--locked
to the semver-checks command, and for the lock file to be used.Alternatives, if applicable
No response
Additional Context
No response
The text was updated successfully, but these errors were encountered: