Closed josecelano closed 1 year ago
We don't specify any upper bounds on version numbers, nor do we have a lock file. You'll get the newest version by cargo update
on your repository. I don't see why we would need to do anything. We could bump the minimum required version to enforce this but that can't be the proper reaction in the long run, it would cause stampede of version bumps if that were 'expected' to happen. Github's CVE warning is being somewhat annoying for Rust dependencies, it doesn't understand Cargo.lock
and its version resolution in terms of solution actions – in particular doesn't consider the full version specifier.
We don't specify any upper bounds on version numbers, nor do we have a lock file. You'll get the newest version by
cargo update
on your repository. I don't see why we would need to do anything. We could bump the minimum required version to enforce this but that can't be the proper reaction in the long run, it would cause stampede of version bumps if that were 'expected' to happen. Github's CVE warning is being somewhat annoying for Rust dependencies, it doesn't understandCargo.lock
and its version resolution in terms of solution actions – in particular doesn't consider the full version specifier.
It seems I did not understand the Cargo version resolution either. I thought you were specifying a concrete version in the cargo.toml since you do not use the "^" symbol and that led to always using that concrete version.
After reading the docs I've just learned that 1.5.1
equals ^1.5.1
.
Thanks and sorry.