mozilla / cargo-vet

supply-chain security for Rust
Apache License 2.0

Changes in cargo metadata PackageId format leading to test failures #602

Closed mystor closed 3 months ago

mystor commented 3 months ago

It appears that somewhat recently cargo metadata changed the format of the package_id field in its JSON output (presumably https://github.com/rust-lang/cargo/pull/12914). Significantly, this changed the way that packages are sorted in internal data structures, such that while previously crate 1.1.1 and crate 1.1.1@git:XXX would have sorted adjacent to one another, they now sort further apart.

https://github.com/mozilla/cargo-vet/blob/abb7411fbb669577e6d6c8d289c3a903f0ad2109/src/resolver.rs#L452-L454

The new format for this field is a PackageIdSpec, which is supposedly going to be a more stable format going forwards. This format change also will have broken one case where we did inspect the internal format of the PackageId (despite it being documented as opaque).

https://github.com/mozilla/cargo-vet/blob/abb7411fbb669577e6d6c8d289c3a903f0ad2109/src/resolver.rs#L214-L217

The file URI in this case now looks more like path+file:///path/to/example#0.1.0 rather than example 0.1.0 (path+file:///path/to/example), so it will no longer match the contains check.

In order to keep tests passing with both older and newer versions of rustc, we'll likely need to tweak how we sort packages to avoid using package_id for sorting when possible. In addition, there are some commands where the output contains the package id, specifically the dump-graph test, which will likely need to be updated in some way - likely by removing the unstable PackageId check, and instead never serializing package IDs.
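As an added illustration of the two points in the report (example code, not cargo-vet's own): a path-dependency check that accepts both the old package_id format and the new PackageIdSpec format, and a sort keyed on (name, version) so that adjacency no longer depends on the opaque id. The registry and git id shapes in the sample are assumed; only the path form is quoted in the issue.

```rust
/// True if `package_id` is a path dependency, in the old `cargo metadata`
/// format (`example 0.1.0 (path+file:///path/to/example)`) or the newer
/// PackageIdSpec format (`path+file:///path/to/example#0.1.0`).
fn is_path_dependency(package_id: &str) -> bool {
    package_id.contains("(path+file://") || package_id.starts_with("path+file://")
}

/// Numeric components of a version ("1.10.0-beta" -> [1, 10, 0]) so that
/// 1.10.0 sorts after 1.9.0; pre-release and build tags are ignored here.
fn version_key(version: &str) -> Vec<u64> {
    let core = version.split(|c: char| c == '-' || c == '+').next().unwrap_or(version);
    core.split('.').map(|p| p.parse::<u64>().unwrap_or(0)).collect()
}

#[derive(Clone)]
struct Package { name: String, version: String, package_id: String }

/// Stable sort by (name, version) rather than by the opaque id, so the
/// registry and git copies of `crate 1.1.1` stay adjacent in any id format.
fn sort_packages(packages: &mut [Package]) {
    packages.sort_by(|a, b| {
        (&a.name, version_key(&a.version)).cmp(&(&b.name, version_key(&b.version)))
    });
}

/// Package ids in (name, version) order.
fn sorted_ids(packages: &[Package]) -> Vec<String> {
    let mut sorted = packages.to_vec();
    sort_packages(&mut sorted);
    sorted.into_iter().map(|p| p.package_id).collect()
}

/// Constructed samples in the new format; the git and registry shapes are
/// assumed, only the path form is quoted in the issue.
fn sample_packages() -> Vec<Package> {
    let pkg = |n: &str, v: &str, id: &str| Package { name: n.into(), version: v.into(), package_id: id.into() };
    vec![
        pkg("zeta", "0.2.0", "path+file:///tmp/zeta#0.2.0"),
        pkg("crate", "1.1.1", "registry+https://github.com/rust-lang/crates.io-index#crate@1.1.1"),
        pkg("crate", "1.10.0", "registry+https://github.com/rust-lang/crates.io-index#crate@1.10.0"),
        pkg("crate", "1.1.1", "git+https://example.com/crate?rev=XXXX#crate@1.1.1"),
    ]
}

fn main() {
    for id in sorted_ids(&sample_packages()) {
        println!("{}  path dependency: {}", id, is_path_dependency(&id));
    }
}
```

Sorting the same sample by the raw package_id string would instead put the git copy of crate 1.1.1 first and the registry copy last, with zeta between them.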