pixi/0.39.4 package update #38302

octo-sts · 2024-12-24T12:52:17Z

Signed-off-by: wolfi-bot <[email protected]>

octo-sts · 2024-12-24T12:54:44Z

Gen AI suggestions to solve the build error:

Let me analyze this build error and provide specific recommendations.

• Detected Error:

error: failed to select a version for `quinn-proto`.
    ... required by package `quinn v0.11.6`
    ... which satisfies dependency `reqwest = "^0.12.9"` (locked to 0.12.9) of package `pixi v0.39.4`

• Error Category: Dependency

• Failure Point: During the rust/cargobump step when trying to resolve dependencies

• Root Cause Analysis: There's a version conflict between quinn-proto and quinn packages. Specifically, quinn v0.11.6 requires quinn-proto with the rustls-ring feature, but the available version (0.11.7) doesn't have this feature.

• Suggested Fix:

Update the package.yaml to pin specific versions:

environment:
  contents:
    packages:
      - build-base
      - busybox
      - ca-certificates-bundle
      - cargo-auditable
      - openssl
      - openssl-dev
      - perl
      - rust>=1.83.0
      - wolfi-base

pipeline:
  - uses: git-checkout
    with:
      repository: https://github.com/prefix-dev/pixi
      expected-commit: a343eef1d6b6be5e620a9dc4f156bc3ad837d40a
      tag: v${{package.version}}

  - name: Pre-configure
    runs: |
      cargo update -p quinn-proto --precise 0.11.6
      cargo update -p quinn --precise 0.11.6

  - uses: rust/cargobump

  - name: Configure and build
    runs: |
      cargo auditable build --release
      mkdir -p ${{targets.destdir}}/usr/bin/
      mv target/release/pixi ${{targets.destdir}}/usr/bin/

• Explanation: The error occurs because newer versions of quinn-proto removed the rustls-ring feature. By explicitly pinning the versions of both quinn and quinn-proto to compatible versions, we ensure the build can proceed with matching feature sets.

• Additional Notes:

This is a common issue when dealing with Rust ecosystem updates where features get reorganized
The fix ensures compatibility while maintaining security by using recent stable versions
An alternative approach would be to upgrade quinn to a newer version that doesn't require the rustls-ring feature

• References:

Quinn Repository: https://github.com/quinn-rs/quinn
Related Issue: Replace fxhash with rustc_hash, its successor quinn-rs/quinn#1246
Cargo Documentation on Feature Resolution: https://doc.rust-lang.org/cargo/reference/features.html

Signed-off-by: Batuhan Apaydin <[email protected]>

debasishbsws

🤔 Cargobump automation should cleaning itself

pixi/0.39.4 package update

b12e526

Signed-off-by: wolfi-bot <[email protected]>

octo-sts bot added request-version-update request for a newer version of a package automated pr labels Dec 24, 2024

octo-sts bot mentioned this pull request Dec 24, 2024

pixi/0.39.3 package update #37639

Closed

fix build failure

ed196d5

Signed-off-by: Batuhan Apaydin <[email protected]>

octo-sts bot added the bincapz/pass bincapz/pass Bincapz (aka. malcontent) scan didn't detect any CRITICALs on the scanned packages. label Dec 25, 2024

debasishbsws approved these changes Dec 25, 2024

View reviewed changes

debasishbsws merged commit a35cd74 into main Dec 25, 2024
14 checks passed

debasishbsws deleted the wolfictl-3a18c891-d1f5-4fab-8cc8-47765840cb9e branch December 25, 2024 09:09

Dentrax mentioned this pull request Jan 5, 2025

pixi/0.39.0-r0: cve remediation #36233

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

pixi/0.39.4 package update #38302

pixi/0.39.4 package update #38302

octo-sts bot commented Dec 24, 2024

octo-sts bot commented Dec 24, 2024

debasishbsws left a comment

pixi/0.39.4 package update #38302

pixi/0.39.4 package update #38302

Conversation

octo-sts bot commented Dec 24, 2024

octo-sts bot commented Dec 24, 2024

debasishbsws left a comment

Choose a reason for hiding this comment