As noticed in https://phabricator.services.mozilla.com/D208390#inline-1157256, if there are multiple audits for a crate from a given source which have the same version range and criteria, cargo-vet can get confused and pick the wrong audit as identical to an existing audit when performing imports. This is because other fields, like "who", are explicitly ignored by the `same_audit_as` check: https://github.com/mozilla/cargo-vet/blob/9f8f8430e8348729a0a02537ce7f3d6ab7954b8c/src/format.rs#L302-L304
While we likely want to keep that behaviour, it might be worthwhile to improve the check to pick the "best" match in the case where multiple audits are considered the same, so that an import for the second audit is not confused with an import for the first audit in a situation like this: https://github.com/mozilla/supply-chain/blob/900ea594716565ecac941ab34d869ccc12892e90/audits.toml#L2769-L2781
Not doing this can lead to surprising changes to imports.lock when nothing needs to have changed.
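To illustrate the mismatch and the "best match" idea from this issue, here is an added, simplified sketch (not cargo-vet's own code): a hypothetical `AuditEntry` with a `same_audit_as` that ignores `who`, a naive first-loose-match lookup that picks the wrong entry when two audits share a range and criteria, and a `best_match` that prefers an exact match before falling back to the loose comparison. Version ranges are modelled as plain `from`/`to` strings, which is an assumption for brevity.

```rust
// Added illustration, not cargo-vet's real types or reconciliation logic.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct AuditEntry {
    pub who: String,
    pub criteria: String,
    // Simplified version range (hypothetical); real cargo-vet audits are richer.
    pub from: String,
    pub to: String,
}

impl AuditEntry {
    /// Loose identity, mirroring the issue's description of `same_audit_as`:
    /// `who` is deliberately ignored; only version range and criteria count.
    pub fn same_audit_as(&self, other: &AuditEntry) -> bool {
        self.criteria == other.criteria && self.from == other.from && self.to == other.to
    }
}

/// Naive reconciliation: the first loose match wins, so when two existing
/// audits differ only in `who`, an import of the second is paired with the first.
pub fn first_loose_match<'a>(cand: &AuditEntry, existing: &'a [AuditEntry]) -> Option<&'a AuditEntry> {
    existing.iter().find(|e| e.same_audit_as(cand))
}

/// Improved reconciliation: prefer an exact match (all fields, `who` included)
/// and only fall back to the loose `same_audit_as` comparison if none exists.
pub fn best_match<'a>(cand: &AuditEntry, existing: &'a [AuditEntry]) -> Option<&'a AuditEntry> {
    existing
        .iter()
        .find(|e| *e == cand)
        .or_else(|| first_loose_match(cand, existing))
}

/// Constructed sample data helper.
pub fn audit(who: &str, criteria: &str, from: &str, to: &str) -> AuditEntry {
    AuditEntry { who: who.into(), criteria: criteria.into(), from: from.into(), to: to.into() }
}

fn main() {
    // Two audits from one source with identical range and criteria, different `who`.
    let existing = vec![
        audit("Alice", "safe-to-deploy", "1.0.0", "1.1.0"),
        audit("Bob", "safe-to-deploy", "1.0.0", "1.1.0"),
    ];
    let imported = audit("Bob", "safe-to-deploy", "1.0.0", "1.1.0");
    println!("naive: {:?}", first_loose_match(&imported, &existing).map(|e| &e.who));
    println!("best:  {:?}", best_match(&imported, &existing).map(|e| &e.who));
}
```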