PolyMeilex / rfd

Rusty File Dialog
MIT License
526 stars, 60 forks

CI: Add cargo-deny #115

Closed emilk closed 1 year ago

emilk commented 1 year ago

cargo deny protects against:

cargo-deny requires a Cargo.lock file. It doesn't have to be checked in, but by checking it in we explicitly say "there is a combination of crate versions we can use that produces no duplicate dependencies, no copy-left licenses, and no security advisories". With an implicit Cargo.lock (not checked in) we would get the latest version of all crates at the time that the CI is run, which means the CI can fail spuriously if a dependency is updated to a new version that, for instance, pulls in a duplicated dependency.

This PR does add some maintenance burden, and I understand if that isn't exactly appealing. However, the use of cargo-deny is a promise to users that this crate is a nice citizen in the rust eco-system, that cares about avoiding duplicate dependencies etc.
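As an added example that is not part of this PR, here is a `deny.toml` that encodes the three promises the comment above describes (no duplicate dependencies, no copy-left licenses, no security advisories), written against cargo-deny's version-2 configuration schema (0.14 or later, an assumption; older releases used `vulnerability`, `unlicensed` and `copyleft` keys instead):

```toml
# deny.toml -- added example, not rfd's own configuration.
# Checked by `cargo deny check` against the committed Cargo.lock.

[advisories]
# Schema version 2: any advisory from the RustSec database that matches a
# locked crate version is an error; no separate "vulnerability" key needed.
version = 2
# Refuse crate versions that were yanked from the registry.
yanked = "deny"
# Advisory IDs to tolerate; must stay empty unless each entry is justified
# in a commit message (use the RUSTSEC-YYYY-NNNN id, none assumed here).
ignore = []

[licenses]
version = 2
# Schema version 2 is allow-list only: a crate whose license is not in this
# list fails the check. Listing only permissive licenses is how "no
# copy-left licenses" is enforced; GPL/LGPL/MPL never make it through.
allow = [
    "MIT",
    "Apache-2.0",
    "BSD-2-Clause",
    "BSD-3-Clause",
    "ISC",
    "Zlib",
    "Unicode-DFS-2016",
]
# How confident the SPDX license parser must be in its classification of a
# crate's license text (0.0 - 1.0).
confidence-threshold = 0.9

[bans]
# Two versions of the same crate in one lockfile is an error, i.e. the
# "no duplicate dependencies" promise. Use "warn" while cleaning up.
multiple-versions = "deny"
# Wildcard version requirements ("*") in Cargo.toml are an error.
wildcards = "deny"
# Crates allowed to appear twice while an upstream update is pending;
# keep this list short and revisit it on every dependency bump.
skip = []

[sources]
# Only crates.io is a trusted source; git and unknown registries fail.
unknown-registry = "deny"
unknown-git = "deny"
allow-registry = ["https://github.com/rust-lang/crates.io-index"]
```

Run `cargo deny check` locally against the committed Cargo.lock; the EmbarkStudios/cargo-deny-action GitHub Action runs the same command in CI.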

PolyMeilex commented 1 year ago

Sorry for the delay, I kinda forgot about this one. Not a huge fan of committing Cargo.lock, but the compromise sounds reasonable, so LGTM. Thanks!