jonhoo / inferno

A Rust port of FlameGraph

Dependencies versions too loose #314

Closed markkimsal closed 9 months ago

markkimsal commented 9 months ago

Any dependency starting with major version zero (0) is not bound by any semver rules. Each of those dependencies should specify an exact version. For example, ahash 0.8.8 was released a few days ago and it requires a new MSRV, which breaks downstream projects unexpectedly.

There's no way for me with cargo to specify a version of ahash that is used by inferno.

Pinning ahash in Cargo.toml to 0.8.6 would match what this project already uses via the Cargo.lock.

jonhoo commented 9 months ago

That is not true. As per the Cargo docs, the only thing that is special about 0.x versions is that the x is treated as a major version specifier rather than a minor version specifier. In other words, it is not legal (according to Cargo's interpretation of semver) to do a breaking change between 0.x.1 and 0.x.2. You are, however, allowed to make a breaking change between 0.x and 0.x+1. Note that MSRV bumps are not considered breaking changes in the Rust ecosystem.

In this case, inferno is doing the right thing: we specify the minimum version of ahash that we support, and consumers (and builders) are free to build with whichever version that is at least as new as that within the same major version. The fact that a newer ahash requires a newer version of Rust is unfortunate, but not an error on inferno's part.

To work around this on your end, you can either pin ahash = "0.8, <= 0.8.6" in your Cargo.toml if you're building inferno as a library dependency, or you can run cargo update --precise 0.8.6 -p ahash before running cargo build (or cargo install --path .) if you're building the binaries.
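
Added example, not part of the thread and not code from inferno or Cargo: a simplified model of how Cargo matches the requirement strings discussed above, showing why a bare `0.8` admits 0.8.8 while `0.8, <= 0.8.6` does not. The function names are hypothetical, pre-release versions are not handled, and 0.9.0 is a constructed sample version.

```rust
// Added example: simplified model of Cargo version requirements.
// Assumes numeric MAJOR.MINOR.PATCH only (no pre-release or build metadata).
type Version = (u64, u64, u64);

fn parts(s: &str) -> Option<Vec<u64>> {
    let p: Option<Vec<u64>> = s.trim().split('.').map(|x| x.parse::<u64>().ok()).collect();
    p.filter(|p| p.len() <= 3)
}

fn full(s: &str) -> Option<Version> {
    let p = parts(s)?;
    if p.len() == 3 { Some((p[0], p[1], p[2])) } else { None }
}

// Bare and ^ requirements: compatible up to the leftmost non-zero component.
fn caret(req: &str, v: Version) -> Option<bool> {
    let p = parts(req)?;
    let lo = (p[0], p.get(1).copied().unwrap_or(0), p.get(2).copied().unwrap_or(0));
    let hi = match (p[0], p.get(1), p.get(2)) {
        (m, _, _) if m > 0 => (m + 1, 0, 0),        // 1.2.3 -> < 2.0.0
        (_, None, _) => (1, 0, 0),                  // 0     -> < 1.0.0
        (_, Some(&n), _) if n > 0 => (0, n + 1, 0), // 0.8.6 -> < 0.9.0
        (_, Some(_), None) => (0, 1, 0),            // 0.0   -> < 0.1.0
        (_, Some(_), Some(&z)) => (0, 0, z + 1),    // 0.0.3 -> < 0.0.4
    };
    Some(lo <= v && v < hi)
}

fn comparator(c: &str, v: Version) -> Option<bool> {
    let c = c.trim();
    if let Some(r) = c.strip_prefix("<=") { return Some(v <= full(r)?); }
    if let Some(r) = c.strip_prefix(">=") { return Some(v >= full(r)?); }
    if let Some(r) = c.strip_prefix('<') { return Some(v < full(r)?); }
    if let Some(r) = c.strip_prefix('>') { return Some(v > full(r)?); }
    if let Some(r) = c.strip_prefix('=') { return Some(v == full(r)?); }
    caret(c.strip_prefix('^').unwrap_or(c), v)
}

// A comma-separated requirement matches only if every comparator matches.
fn req_matches(req: &str, version: &str) -> Option<bool> {
    let v = full(version)?;
    req.split(',').try_fold(true, |ok, c| Some(comparator(c, v)? && ok))
}

fn main() {
    for v in ["0.8.6", "0.8.8", "0.9.0"] { // 0.9.0 is a constructed sample
        println!("{}: {:?} {:?}", v, req_matches("0.8", v), req_matches("0.8, <= 0.8.6", v));
    }
}
```

A committed Cargo.lock, built with `cargo build --locked`, is what keeps a binary build on the exact resolved version; the requirement string only bounds what the resolver may pick.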