Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Replace cargo-deny skip-tree with explicit skips #1468

Merged
merged 1 commit into from
Sep 27, 2024
Merged

Replace cargo-deny skip-tree with explicit skips #1468

merged 1 commit into from
Sep 27, 2024

Conversation

leighmcculloch
Copy link
Member

What

Replace cargo-deny skip-tree with explicit skips for each dependency we wish to allow duplicates.

Why

The skip-tree obfuscates the dependencies that we're allowing to be duplicated, and even seems to hide some dependencies being duplicated that don't seem to be part of the soroban-wasmi dependency graph that we depend. This may be due to a bug, or possibly the dep is in the dev dependencies of soroban-wasmi, or some feature that we don't use.

I became aware of this issue because I noticed that in #1456 the Cargo.lock file gained a duplicate dependency on the syn crate, having already a dependency on version 2.0.39 and gaining a dependency on version 1.0.109. This is fine and not a problem in and of itself – we can't eradicate all duplicates – except that the deny.toml file gained no new entry, no statement to say that we were okay with this new duplicate.

In my own testing locally it appears that when the skip-tree entry containing soroban-wasmi is present, the syn duplicate dependency is hidden/silenced, even though it was not a dependency prior to the change that did not involve the soroban-wasmi crate.

The skip-tree config obfuscates the duplicate dependencies in a couple ways.

Firstly due to the odd behaviour detailed above we appear to not get notified of new duplicate dependencies, even if they do not appear to be an active in use dependency in our existing graph.

Secondly because the skip-tree communicates only partially about what is being allowed. In our case the skip-tree allows two versions of the hashbrown dep, but we actually need the two versions for reasons other than soroban-wasmi, so it doesn't tell the full story.

Listing out the duplicate dependencies one-by-one is explicit, and it helps us at a glance know what our dupes are, and how many we have, as a signal to "how bad it is getting".

Known limitations

N/A

@leighmcculloch leighmcculloch requested a review from a team as a code owner September 27, 2024 01:48
@leighmcculloch leighmcculloch added this pull request to the merge queue Sep 27, 2024
Merged via the queue into main with commit ae3b50d Sep 27, 2024
12 checks passed
@leighmcculloch leighmcculloch deleted the deny branch September 27, 2024 19:01
sisuresh pushed a commit to sisuresh/rs-soroban-env that referenced this pull request Sep 30, 2024
Replace cargo-deny `skip-tree` with explicit `skip`s for each dependency
we wish to allow duplicates.

The `skip-tree` obfuscates the dependencies that we're allowing to be
duplicated, and even seems to hide some dependencies being duplicated
that don't seem to be part of the soroban-wasmi dependency graph that we
depend. This may be due to a bug, or possibly the dep is in the dev
dependencies of soroban-wasmi, or some feature that we don't use.

I became aware of this issue because I noticed that in stellar#1456 the
Cargo.lock file gained a duplicate dependency on the `syn` crate, having
already a dependency on version `2.0.39` and gaining a dependency on
version `1.0.109`. This is fine and not a problem in and of itself – we
can't eradicate all duplicates – except that the `deny.toml` file gained
no new entry, no statement to say that we were okay with this new
duplicate.

In my own testing locally it appears that when the `skip-tree` entry
containing `soroban-wasmi` is present, the `syn` duplicate dependency is
hidden/silenced, even though it was not a dependency prior to the change
that did not involve the `soroban-wasmi` crate.

The `skip-tree` config obfuscates the duplicate dependencies in a couple
ways.

Firstly due to the odd behaviour detailed above we appear to not get
notified of new duplicate dependencies, even if they do not appear to be
an active in use dependency in our existing graph.

Secondly because the `skip-tree` communicates only partially about what
is being allowed. In our case the `skip-tree` allows two versions of the
`hashbrown` dep, but we actually need the two versions for reasons other
than `soroban-wasmi`, so it doesn't tell the full story.

Listing out the duplicate dependencies one-by-one is explicit, and it
helps us at a glance know what our dupes are, and how many we have, as a
signal to "how bad it is getting".

N/A
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants