RustCrypto / traits

Collection of cryptography-related traits

[crypto-mac] dependency `subtle` is too strict #1609

Closed PureWhiteWu closed 4 months ago

PureWhiteWu commented 4 months ago

It seems that the crypto-mac crate specifies `subtle = "=2.4"` in Cargo.toml, which is a little strict, and this will lead to a compile failure if users are using reqwest.

The dependency graph is as follows:

```
error: failed to select a version for `subtle`.
    ... required by package `rustls v0.22.2`
    ... which satisfies dependency `rustls = "^0.22.2"` of package `reqwest v0.12.0`
    ... which satisfies dependency `reqwest = "^0.12"`
versions that meet the requirements `^2.5.0` are: 2.6.1, 2.5.0

all possible versions conflict with previously selected packages.

  previously selected package `subtle v2.4.0`
    ... which satisfies dependency `subtle = "=2.4"` of package `crypto-mac v0.10.1`
    ... which satisfies dependency `crypto-mac = "^0.10"` (locked to 0.10.1) of package `hmac v0.10.1`
    ... which satisfies dependency `hmac = "^0.10.0"` (locked to 0.10.1) of package `cookie v0.14.4`
    ... which satisfies dependency `cookie = "^0.14.0"` (locked to 0.14.4) of package `http-types v2.12.0`
    ... which satisfies dependency `http-types = "^2.5.0"` (locked to 2.12.0) of package `surf v2.3.2`
    ... which satisfies dependency `surf = "^2.3.2"`
```

Is it possible to just specify subtle = "^2.4"?

newpavlov commented 4 months ago

Originally, we did it to satisfy the crate's MSRV, but because of problems like this we decided against such an approach. crypto-mac is an old (and unmaintained) dependency which was replaced by digest. A proper solution for this issue is to update the outdated cookie dependency like you did in the linked PR.

PureWhiteWu commented 4 months ago

Thanks for the reply, I found that this is unmaintained after opening this issue.

I'm patching http-types to solve this issue now, and waiting for the http-types maintainer to upgrade the version of cookie.
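
The conflict reported in this thread, worked through as an added example (not part of the issue and not RustCrypto or Cargo code): a small model of how Cargo interprets `=` and `^` requirements, showing that `=2.4` and `^2.5.0` accept no common `subtle` version while `^2.4` and `^2.5.0` do. The names `parse_req` and `unify` are hypothetical helpers, and the model assumes plain `MAJOR.MINOR.PATCH` versions only.

```rust
// Added example: minimal model of Cargo's `=` and `^` requirements.
// Pre-release tags and other operators (~, >=, *) are not handled.
type Version = (u64, u64, u64);

/// Half-open interval [lo, hi) of versions a requirement accepts.
#[derive(Clone, Copy, Debug, PartialEq)]
struct Range { lo: Version, hi: Version }

fn parse_req(req: &str) -> Option<Range> {
    let (op, rest) = match req.chars().next()? {
        c @ ('=' | '^') => (c, &req[1..]),
        _ => ('^', req), // a bare "2.4" means "^2.4" in Cargo
    };
    let parts = rest.trim().split('.').map(|p| p.parse().ok())
        .collect::<Option<Vec<u64>>>()?;
    if parts.len() > 3 { return None; }
    let get = |i: usize| parts.get(i).copied().unwrap_or(0);
    let lo = (get(0), get(1), get(2));
    let hi = match (op, parts.len()) {
        // `=` with omitted components pins only the ones written
        ('=', 1) => (lo.0 + 1, 0, 0),
        ('=', 2) => (lo.0, lo.1 + 1, 0),
        ('=', _) => (lo.0, lo.1, lo.2 + 1),
        // `^` allows changes right of the left-most non-zero component
        _ if lo.0 > 0 => (lo.0 + 1, 0, 0),
        (_, 1) => (1, 0, 0),
        _ if lo.1 > 0 => (0, lo.1 + 1, 0),
        (_, 2) => (0, 1, 0),
        _ => (0, 0, lo.2 + 1),
    };
    Some(Range { lo, hi })
}

/// Candidates accepted by every requirement at once. Cargo keeps a single
/// copy of a crate per semver-compatible line (all 2.x here), so an empty
/// result is the "failed to select a version" case.
fn unify(reqs: &[&str], candidates: &[Version]) -> Option<Vec<Version>> {
    let ranges = reqs.iter().map(|r| parse_req(r)).collect::<Option<Vec<Range>>>()?;
    Some(candidates.iter().copied()
        .filter(|v| ranges.iter().all(|r| r.lo <= *v && *v < r.hi))
        .collect())
}

fn main() {
    // subtle versions named in the error output on this page
    let published: [Version; 3] = [(2, 4, 0), (2, 5, 0), (2, 6, 1)];
    println!("{:?}", unify(&["=2.4", "^2.5.0"], &published));
    println!("{:?}", unify(&["^2.4", "^2.5.0"], &published));
}
```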