
Add cargo-deny check to CI #661

Conversation

emilk
Contributor

@emilk emilk commented Sep 30, 2023

cargo-deny is an amazing tool that protects from:

  • duplicated crates (code bloat)
  • copy-left licenses in the dependency tree
  • RUSTSEC advisories

Try it:

```sh
cargo install cargo-deny
cargo deny --all-features --log-level error check
```

Note that this requires the Cargo.lock file to be checked in.

@algesten
Owner

Oh wow. This is very nice!

I guess I should hold off on that 2.8.0 release and see if we can get this in.

@algesten algesten merged commit a4cf7ef into algesten:main Sep 30, 2023
41 checks passed
@algesten
Owner

Great! Thanks!

@algesten
Owner

Hej @emilk

This is new to me. So when we now have a problem with duplicates: https://github.com/algesten/ureq/actions/runs/6361674777/job/17276257519

What do we do?

  • Wait for it to sort itself out (when upstream deps fix it)?
  • Lock down our deps?

@emilk
Contributor Author

emilk commented Sep 30, 2023

cargo tree -i is an invaluable tool to find the causes of duplicate dependencies.

Often you can solve it by strategically downgrading or upgrading some crates using cargo update -p $crate --precise $version.

Sometimes you need to make a PR to an upstream package, or poke their maintainer to release a new version.

For small duplicate dependencies you can add an exception in deny.toml


In this case I believe you can solve it with cargo update -p url --precise 2.3.1

This will update the versions in Cargo.lock, proving to cargo-deny that it is possible to build ureq without duplicate dependencies. Note that this does NOT prevent users of ureq from upgrading url to 2.4.1 again, and reintroducing that duplicate dependency (that is out of your hands, as it should be)
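As an added example (not the deny.toml from this PR or from ureq), here is a deny.toml that turns on the three checks named in the opening post (duplicate crates, copyleft licenses, RUSTSEC advisories) and shows the kind of `skip` exception emilk mentions for a small duplicate. Keys follow the cargo-deny 0.14 syntax that was current in September 2023 (later releases dropped some per-category advisory keys); the crate in the `skip` entry and the license allow-list are placeholders to adjust for your own tree.

```toml
# deny.toml: added example, not the configuration used by ureq.
# Syntax targets cargo-deny 0.14 (Sep 2023); run with:
#   cargo deny --all-features --log-level error check

[advisories]
# Fail on any RUSTSEC advisory that is an actual vulnerability;
# unmaintained/yanked/notice entries only warn so CI is not blocked by them.
db-path = "~/.cargo/advisory-db"
db-urls = ["https://github.com/rustsec/advisory-db"]
vulnerability = "deny"
unmaintained = "warn"
yanked = "warn"
notice = "warn"
# RUSTSEC ids you have reviewed and accepted; none here (placeholder).
ignore = []

[licenses]
# A dependency with no detectable license fails the check.
unlicensed = "deny"
# Allow-list of permissive licenses (placeholder list; extend for your tree).
# Copyleft licenses are not listed and are additionally denied below.
allow = [
    "MIT",
    "Apache-2.0",
    "BSD-3-Clause",
    "ISC",
]
copyleft = "deny"
confidence-threshold = 0.8

[bans]
# Two versions of the same crate in the dependency graph fail the check.
multiple-versions = "deny"
wildcards = "allow"
highlight = "all"
# Exception for a small duplicate you have decided to tolerate: the listed
# version is skipped when counting duplicates. Placeholder crate name.
skip = [
    { name = "hypothetical-small-crate", version = "=0.1.0" },
]

[sources]
# Only crates.io is a trusted source; unknown registries or git deps fail.
unknown-registry = "deny"
unknown-git = "deny"
allow-registry = ["https://github.com/rust-lang/crates.io-index"]
```

The `skip` list is the escape hatch for duplicates that are cheap and not worth an upstream PR; for anything larger, the `cargo tree -i` and `cargo update -p $crate --precise $version` workflow described above keeps Cargo.lock duplicate-free without constraining downstream users.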

@algesten
Owner

Perfect! Thanks for the explanation. I didn't know the cargo update commands for this, but I believe I did the same, manually in Cargo.toml.

Thanks!

@emilk
Contributor Author

emilk commented Sep 30, 2023

You did this:

```toml
url = "=2.3.1"
```

which is NOT the same. This forces url 2.3.1 on all downstream users of ureq, meaning they cannot update url, even if 2.3.1 is shown to have some vulnerability fixed by e.g. 2.4

It is almost never the right choice to use = in a Cargo.toml version string - better to update just the Cargo.lock using cargo update -p url --precise 2.3.1

@algesten
Owner

Right. So what you're saying is that we are only going to make the lock file have 2.3.1, which satisfies url = "2", but we're not going to help any consumer of ureq to avoid the double dep by locking down the version in toml?

@emilk
Contributor Author

emilk commented Sep 30, 2023

Exactly - consumers will have to do a similar cargo update -p url --precise 2.3.1 if they also wanna avoid duplicate dependencies

timothyfroehlich added a commit to google/automotive-design-compose that referenced this pull request Oct 4, 2023
Inspired by ureq [doing the same](algesten/ureq#661)

This will help us keep track of our dependencies and make sure we aren't using ones with the wrong licenses.
Successfully merging this pull request may close these issues.

Use cargo-deny to prevent duplicate dependencies