Closed repi closed 1 year ago
@repi Thanks for the report, would be good to get that fixed.
Is it perhaps the case that (1) you have both `parking_lot 0.11.2` and `parking_lot X.Y.Z` in the tree, and (2) you have a delta audit for `parking_lot X.Y.Z -> 0.11.2`? That might plausibly cause this behavior (since each of the suggestions corresponds to a different node in your crate graph, but the suggested action happens to be the same).
If not, is there a way you could provide a minimized testcase?
we have 2 `parking_lot` crates used in this workspace and the lockfile, 0.11.2 and 0.12.1, the `memoffset` and `bitflags` crates we also have multiple versions of so that is probably the source of confusion here.
wrt to `parking_lot` we have a single audit imported for it:
```toml
[[audits.zcash.audits.parking_lot]]
who = "Jack Grigg <jack@z.cash>"
criteria = "safe-to-deploy"
delta = "0.11.2 -> 0.12.1"
notes = "Most `unsafe {}` changes were to reduce the scope of the unsafe blocks. I didn't closely review the migration to the asm! macro but it looks reasonable."
aggregated-from = "https://raw.githubusercontent.com/zcash/zcash/master/qa/supply-chain/audits.toml"
```
and also a single exemption (generated by `cargo vet generate exemptions`):
```toml
[[exemptions.parking_lot]]
version = "0.11.2"
criteria = "safe-to-deploy"
```
so this combination is probably what is causing it somehow.
The patches in #483 should fix this duplication issue. I believe it is caused by that imported delta audit and generated exemption entry as you expected.
thanks!
For a few unaudited crates in our project, running `cargo vet suggest` lists them multiple times even though they are the same version. Not a major issue though but just a bit odd so thought I should report it. example:
it also in some cases duplicates the same crate in the "used by", such as in
```
used by ndk, nix, nix, nix, png, ron, and 45 others
```
in the above, would have expected it to list `nix` just once there.