CycloneDX / cyclonedx-rust-cargo

Creates CycloneDX Software Bill of Materials (SBOM) from Rust (Cargo) projects
https://cyclonedx.org/
Apache License 2.0

chore: update dependencies to newer versions #740

Closed ctron closed 3 months ago

ctron commented 4 months ago

Mainly to update jsonschema -> reqwest -> hyper to a 1.x version.

ctron commented 4 months ago

Sorry, but I have no idea what to do about that nix flake issue.

Shnatsel commented 4 months ago

I think a better idea is to just disable the resolve* features that pull in hyper. We really don't want to pull in the entirety of reqwest, hyper and tokio unconditionally from a serialization/deserialization crate.

Also that's definitely a no on the packageurl upgrade - that's certainly semver-breaking, and if we're breaking semver we should just switch to the purl crate which is much better all around.

ctron commented 4 months ago

> I think a better idea is to just disable the resolve* features that pull in hyper. We really don't want to pull in the entirety of reqwest, hyper and tokio unconditionally from a serialization/deserialization crate.
>
> Also that's definitely a no on the packageurl upgrade - that's certainly semver-breaking, and if we're breaking semver we should just switch to the purl crate which is much better all around.

Ok, I'll try to update the PR tomorrow.

Shnatsel commented 4 months ago

The jsonschema crate pulls in a lot of dependencies and shouldn't be a runtime dependency at all. We should turn it into a dev-dependency. There is now an issue about it: https://github.com/CycloneDX/cyclonedx-rust-cargo/issues/741

ctron commented 4 months ago

Ok, I changed it to the following:

Shnatsel commented 4 months ago

Turning jsonschema into an optional feature is a breaking change if someone was using the crate with default-features = false, but I don't think anyone has been doing that on account of the crate not having any features. So that sounds like a reasonable short-term fix.

The Nix flake CI is failing due to increased MSRV. It expects 1.70, while this PR bumps it to 1.74. 1.74 is very recent, and I think we would like to stick to 1.70 for now.

What is the motivation for the upgrades? We could consider bumping it if it's really worth it.
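As an added illustration of the manifest shape under discussion (not the project's own Cargo.toml and not part of this PR): jsonschema behind a default-on feature so that only `default-features = false` users drop it, with jsonschema's own default features switched off so its resolve* features do not drag reqwest/hyper/tokio into the tree. The version number and the feature name are assumptions.

```toml
[dependencies]
# Optional: compiled only when the crate's `jsonschema` feature is enabled.
# default-features = false keeps jsonschema's resolve* features, and with
# them reqwest -> hyper -> tokio, out of the dependency graph.
# (version is an assumed placeholder)
jsonschema = { version = "0.17", default-features = false, optional = true }

[features]
# On by default, so existing users keep validation unchanged. The only
# affected users are those already building with default-features = false,
# which is the breaking case noted above.
default = ["jsonschema"]
# `dep:` keeps the feature explicit instead of the implicit per-dependency one.
jsonschema = ["dep:jsonschema"]
```

`cargo tree -i hyper` run in the workspace afterwards shows which packages, if any, still pull hyper in.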

Shnatsel commented 4 months ago

Since this appears to have stalled, I started pruning the dependency tree myself. See #744 and #746

ctron commented 4 months ago

> Since this appears to have stalled, I started pruning the dependency tree myself. See #744 and #746

Sorry for that. Yes, that might be quicker.

Shnatsel commented 3 months ago

We've dropped reqwest entirely in #744 and #750, so I'm going to go ahead and close this.