anza-xyz / agave

Web-Scale Blockchain for fast, secure, scalable, decentralized apps and marketplaces.
https://www.anza.xyz/
Apache License 2.0
395 stars 194 forks source link

solana-zk-token-sdk still has a dependency on zeroize 1.3 #3337

Open 808putnam opened 2 days ago

808putnam commented 2 days ago

Problem

The workspace Cargo.toml has a reference to zeroize set to 1.7: zeroize = { version = "1.7", default-features = false }

And the solana-zk-token-sdk's Cargo.toml uses a workspace reference to pull in the zeroize dependency: zeroize = { workspace = true, features = ["zeroize_derive"] }

However, the solana-zk-token-sdk that is published still has the dependency on zeroize set to 1.3 which causes version conflicts when attempting to integrate solana crates into projects with more recent versions of many popular crates.

Reference https://crates.io/crates/solana-zk-token-sdk/2.0.14/dependencies

Proposed Solution

Publish solana-zk-token-sdk with the zeroize dependency set to the workspace designation (currently 1.7).

joncinque commented 2 days ago

This will be done when v2.1 is published, which should be within the next few days. The updated dependency won't be backported to v2.0, per the backport guidelines.