nabijaczleweli / cargo-update

A cargo subcommand for checking and applying updates to installed executables
MIT License

Update `toml`, `git2`, and `embed-resource` to their latest versions #266

Closed LikeLakers2 closed 3 months ago

LikeLakers2 commented 3 months ago

This PR updates the toml and git2 dependencies, as well as the embed-resource build dependency, to their latest version.

I have not done extensive testing to ensure that cargo-update still works the same - all I have done is run cargo test, which reported no failed tests.


P.S. One of your dependencies, clap 3.2.25, is still outdated. I would have updated it in this PR, but the changes seem non-trivial, and I harbor concerns that I might break cargo-update if I attempt to make the changes.

In any case, I recommend updating it to the latest version, clap 4.5.15, as this removes a dependency on atty 0.2.14, which has a RustSec advisory about a potential unaligned read.

nabijaczleweli commented 3 months ago

embed-resource sure; git2 sure

toml: AFAICT (https://docs.rs/crate/toml/0.8.19/source/Cargo.toml.orig#32) parse is a default feature, so no need to add it explicitly; the port seems to be correct (to_vec in toml 0.5 is to_string().into_bytes(), it also has the to_string/to_string_pretty split)

clap: yes, I tried to port to clap 4 and failed. don't really care, doesn't really matter. they should've stopped clapping years ago :v

per the atty advisory:

> In practice however, the pointer won't be unaligned unless a custom global allocator is used.

it isn't, so it's fine. this also means "don't use a custom allocator if using cargo-update as a library" i suppose, but oh well

LikeLakers2 commented 3 months ago

> toml: AFAICT (https://docs.rs/crate/toml/0.8.19/source/Cargo.toml.orig#32) parse is a default feature, so no need to add it explicitly

Strange. It didn't compile before I gave it the display feature before, but now it does. Ah well.

> clap: yes, I tried to port to clap 4 and failed. don't really care, doesn't really matter. they should've stopped clapping years ago :v

I'm willing to attempt to port it to clap 4 in another PR, if you want me to. However, if I do, I will have to mention that some small parts of the argument parsing may have to be rewritten - not really a problem for me, but I don't know if you'd be okay with that.

Would you like me to try?

nabijaczleweli commented 3 months ago

That's how it be sometimes. Applied as 76c3bf4a1878eb9d683f9040d8d622d51507ff61...0db617cdb063966e76ae0f97c33f3a3dd3c0ae0a, thanks.

Don't bother with the clap thing; if (and that's a very strong if) that ever needs updating I want to actually do it myself to understand why and how the port works, so that this transfers to other crates I'm using clap 2/3 in.