Add MSRV Cargo-minimal.lock and Cargo-recent.lock files#150
Add MSRV Cargo-minimal.lock and Cargo-recent.lock files#150alexanderwiederin wants to merge 1 commit intosedited:masterfrom
Conversation
alexanderwiederin
force-pushed
the
cargo-lock
branch
2 times, most recently
from
e0b6d70 to
1bfecb9
Compare
alexanderwiederin
force-pushed
the
cargo-lock
branch
from
1bfecb9 to
da606fa
Compare
|
ACK da606fa |
| [build-dependencies] | ||
| cc = "1.2" | ||
| bindgen = "0.72" | ||
| rustc-hash = "=2.1.1" |
There was a problem hiding this comment.
Won't this mean that if you do not need the MSRV, for exmple if you can run stable, then this will preven rustc-hash from using the latest version when it could? If you need this version to work for the MSRV, then why not just defer to the lockfile?
There was a problem hiding this comment.
That is a good point.
The reason I pinned it is that a user running rust v1.71.0 that calls cargo update will have a broken build unless we have this pin in Cargo.toml or ensure that they use the committed lock files.
But thinking about it again, maybe a disclaimer for 1.71.0 users to add --locked might be the lesser evil. What do you think?
There was a problem hiding this comment.
In fact it's not just v1.71.0 users that are affected but all users on rustc older than 1.77.0
There was a problem hiding this comment.
Opened an issue for rustc-hash: rust-lang/rustc-hash#68
There was a problem hiding this comment.
We could also consider lifting the MSRV. If I remember correctly we set it to 1.71.0 for Floresta, but they seem to have bumped to 1.81.0 getfloresta/Floresta#687
There was a problem hiding this comment.
fair. I think it would be a good idea to remove tempdir than before publishing the next release on crates.
There was a problem hiding this comment.
Oh, tempdir is a dev dependency, so it doesn't matter so much.
There was a problem hiding this comment.
Thanks! If you feel comfortable, could leave an ACK? That will make @sedited`s life easier when he gets back.
There was a problem hiding this comment.
Sure, I left a minor nit. Am happy to ACK the current commit or an updated one.
alexanderwiederin
force-pushed
the
cargo-lock
branch
from
da606fa to
1a12399
Compare
Without commited lock files, CI dependency resolution can pull in transitive dependencies that require a newer compiler than the project's MSRV. The triggering issue was that bindgen v0.72 depends on rustc-hash v2.x, and the recent release of rustc-hash v2.1.2 introduced a rustc 1.77.0 requirement, breaking the MSRV build against rustc 1.71.0. Cargo-minimal.lock pins dependencies to their oldest MSRV-compatible versions. Cargo-recent.lock pins to the latest patch versions compatible with the MSRV compiler. The CI msrv-check job now runs twice as a matrix, once with each lock file, similar to the approach used by rust-bitcoin. Both lockfiles pin rustc-hash below 2.1.2 to avoid the incompatible release, to 2.1.0 in the minimal lockfile and 2.1.1 in the recent lockfile. tempdir is bumped to >=0.3.6 in dev-dependencies to prevent it from resolving to an older version that depends on an incompatible rand release under minimal-versions. See also: sedited#147
alexanderwiederin
force-pushed
the
cargo-lock
branch
from
1a12399 to
cd69fe2
Compare
|
utACK cd69fe2 |
|
FIY: |
Interesting! Will look into it. Thanks for the pointer. |
4 participants
Fixes #147
Summary
Without commited lock files, CI dependency resolution can pull in transitive dependencies that require a newer compiler than the project's MSRV. The triggering issue was that bindgen v0.72 depends on rustc-hash v2.x, and the recent release of rustc-hash v2.1.2 introduced a rustc 1.77.0 requirement, breaking the MSRV build against rustc 1.71.0.
CI Changes
Cargo-minimal.lock pins dependencies to their oldest MSRV-compatible versions. Cargo-recent.lock pins to the latest patch versions compatible with the MSRV compiler. The CI msrv-check job now runs twice as a matrix, once with each lock file, similar to the approach used by rust-bitcoin.
Cargo Dependency Changes
libbitcoinkernel-sys
rustc-hash is pinned to below 2.1.1 to prevent bindgen from resolving to incompatible release. 2.1.0 in the minimal lockfile and 2.1.1 in the recent lockfile.
dev-dependencies
tempdir is pinned to >=0.3.6 to prevent it from resolving to an older version that depends on an incompatible rand release under minimal-versions.
As a follow-up, I would suggest we remove tempdir as a dependency (#151)