Replace cargo-deny skip-tree with explicit skips #1468
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
dmkozh
approved these changes
Sep 27, 2024
sisuresh
pushed a commit
to sisuresh/rs-soroban-env
that referenced
this pull request
Sep 30, 2024
Replace cargo-deny `skip-tree` with explicit `skip`s for each dependency we wish to allow duplicates. The `skip-tree` obfuscates the dependencies that we're allowing to be duplicated, and even seems to hide some dependencies being duplicated that don't seem to be part of the soroban-wasmi dependency graph that we depend. This may be due to a bug, or possibly the dep is in the dev dependencies of soroban-wasmi, or some feature that we don't use. I became aware of this issue because I noticed that in stellar#1456 the Cargo.lock file gained a duplicate dependency on the `syn` crate, having already a dependency on version `2.0.39` and gaining a dependency on version `1.0.109`. This is fine and not a problem in and of itself – we can't eradicate all duplicates – except that the `deny.toml` file gained no new entry, no statement to say that we were okay with this new duplicate. In my own testing locally it appears that when the `skip-tree` entry containing `soroban-wasmi` is present, the `syn` duplicate dependency is hidden/silenced, even though it was not a dependency prior to the change that did not involve the `soroban-wasmi` crate. The `skip-tree` config obfuscates the duplicate dependencies in a couple ways. Firstly due to the odd behaviour detailed above we appear to not get notified of new duplicate dependencies, even if they do not appear to be an active in use dependency in our existing graph. Secondly because the `skip-tree` communicates only partially about what is being allowed. In our case the `skip-tree` allows two versions of the `hashbrown` dep, but we actually need the two versions for reasons other than `soroban-wasmi`, so it doesn't tell the full story. Listing out the duplicate dependencies one-by-one is explicit, and it helps us at a glance know what our dupes are, and how many we have, as a signal to "how bad it is getting". N/A
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What
Replace cargo-deny
skip-treewith explicitskips for each dependency we wish to allow duplicates.Why
The
skip-treeobfuscates the dependencies that we're allowing to be duplicated, and even seems to hide some dependencies being duplicated that don't seem to be part of the soroban-wasmi dependency graph that we depend. This may be due to a bug, or possibly the dep is in the dev dependencies of soroban-wasmi, or some feature that we don't use.I became aware of this issue because I noticed that in #1456 the Cargo.lock file gained a duplicate dependency on the
syncrate, having already a dependency on version2.0.39and gaining a dependency on version1.0.109. This is fine and not a problem in and of itself – we can't eradicate all duplicates – except that thedeny.tomlfile gained no new entry, no statement to say that we were okay with this new duplicate.In my own testing locally it appears that when the
skip-treeentry containingsoroban-wasmiis present, thesynduplicate dependency is hidden/silenced, even though it was not a dependency prior to the change that did not involve thesoroban-wasmicrate.The
skip-treeconfig obfuscates the duplicate dependencies in a couple ways.Firstly due to the odd behaviour detailed above we appear to not get notified of new duplicate dependencies, even if they do not appear to be an active in use dependency in our existing graph.
Secondly because the
skip-treecommunicates only partially about what is being allowed. In our case theskip-treeallows two versions of thehashbrowndep, but we actually need the two versions for reasons other thansoroban-wasmi, so it doesn't tell the full story.Listing out the duplicate dependencies one-by-one is explicit, and it helps us at a glance know what our dupes are, and how many we have, as a signal to "how bad it is getting".
Known limitations
N/A