serde dependencies must be synchronized #7
Labels
No labels
bug
duplicate
enhancement
help wanted
invalid
question
wontfix
No milestone
No project
No assignees
1 participant
Notifications
Due date
No due date set.
Dependencies
No dependencies set.
Reference
mikedilger/textnonce#7
Loading…
Add table
Add a link
Reference in a new issue
No description provided.
Delete branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Unfortunately, the
^0introduced around13fa7c98f7is problematic. While SemVer requires a major version bump for breaking changes for versions>= 1.0.0, it allows breaking changes between minor version releases for versions< 1.0.0. "0.x and 0.x+1 are not considered compatible, but 1.x and 1.x+1 are." For this reason, specifying0or^0is an anti-pattern.Serde 0.7 is not backwards compatible with 0.6, so the Serde dependencies should be set to
0.7.What ended up happening to someone in IRC was that
serde_codegen 0.7was being used alongsideserde 0.6bytextnonce, because the version rules were relaxed enough for Cargo to decide that was OK. This resulted in this compile error.Similarly, Syntex's minor version should be specified in Cargo.toml.
I recommend
cargo yanking the affected versions (0.2.3and0.2.4, I believe) of textnonce and releasing0.2.5with the fixed dependencies.But
textnonceworks withserde 0.6.textnoncedoesn't really care, and that is what^0is saying, and I think rightly so.What I noticed sfackler did in rust-postgres was specify
version = ">= 0.6, < 0.8". This I am happy to do.I understand that some things which use
textnoncedepend onserde 0.7. But equally true (at least up until a few days ago, perhaps still), some things which usetextnoncestill depend onserde 0.6.If you go through
Cargo.lockto find where dependencies collide, I suspect you will find some dependency other thantextnoncethat is requiringserde 0.6. If not, it seems to suggest a bug in Cargo.Correct, this is the problem. If you do a fresh
cargo buildoftextnonce, the resultingCargo.lockspecifies the latest dependencies:serde 0.7andserde_codegen 0.7. If you manually change the latter toserde_codegen 0.6.14andcargo buildagain,textnoncecompilation fails with the aforementioned error.This can happen innocently depending to your Cargo workflow. Example:
iron = "0.2.6"cargo build→ success!params = "0.0.3"cargo build→textnonce v0.2.4fails the compilation.I linked the current
Cargo.tomlon irc.mozilla.org#cargo and sfackler had this to say:cargo updatecargo build→ success!I'm not sure if there's a case where
cargo updatewould not resolve this issue, but I still think it is worth addressing.version = ">= 0.6, < 0.8"would be better as it would prevent0.8from e.g. changing#[derive(Serialize)]to#[derive(SerdeSerialize)]and spontaneously breaking the crate, but it doesn't address the problem that we're facing withserdeandserde_codegenstrictly requiring their simultaneous usage to be locked at the same minor version.I'm sorry this is such a hassle, I didn't recognize that this problem would be so complicated. I'm learning a lot about Cargo... so not all is lost for me! 😛
The right solution requires changes to Cargo, and I've filed an issue (see above). Several well known community crates explicitly require
serde 0.6still (I dare say most do), while a few now explicitly requireserde 0.7, and even fewer still allow for either version of serde. Specifying one or the other excludes use with the other set of crates, so I'm really in a pickle here. There is no way to make this work for everybody at the moment. I even thinkcargo update -p serde; cargo update -p serde_codegenisn't sufficient; manual editing ofCargo.lockmay be required in some cases. Manual forking of some packages to tweak their dependencies may also be required. If you come up with something that works for everybody, I'm all ears.I like that resolution, thank you for filing an issue!
As a grubby
0.7consumer, my instinct is to force all0.6consumers to specifytextnonce 0.2.2until they can upgrade to0.7. I understand the trouble in this ruling (feature lock), so I don't know if it's standard practice by any other crate authors.Anyway, thanks for hashing this out with me!
I'll reopen to track the upstream issue
This is unlikely to still be an issue as serde has been stabilized for some time now.