Open leighmcculloch opened 5 hours ago
Hi, thanks for opening this issue.
I'd like to get a bit more context on the workflow you're using and the specific use case, to make sure I understand everything properly.
Additionally, could you say more about this part?
Some times use lock files to ensure that the developer is exclusively in control of what versions of dependencies are installed and in use.
I'm having trouble reconciling this with the fact that developers specify the ranges or exact versions they want in Cargo.toml. The lockfile would only contain a version that is explicitly allowed by the range or exact bound set in Cargo.toml.
Separately, could you describe the possible security issue you are referring to?
Note that --locked exists for cargo install, which is specific to binary crates. Library crates, which is what cargo-semver-checks analyzes, do not always contain a Cargo.lock file as part of their package index entry. There has been some motion toward changing that in the future, but unfortunately we can't add those files retroactively: https://github.com/rust-lang/cargo/issues/13447
Describe your use case
When running cargo semver-checks, no lock files appear to be used, either for the current / local version of the crate, or for versions of the crate downloaded from crates.io. This creates a reproducibility issue. When crates publish releases that do not follow semver exactly, semver may fail to compile if no lock file is used. It also creates a situation where one run of the semver-check and a subsequent run can have different inputs and outputs, meaning no reproducibility in CI.
This creates a security issue. Some times use lock files to ensure that the developer is exclusively in control of what versions of dependencies are installed and in use. This is to avoid the problem that just before running a command a crate is compromised and a malware version is uploaded for it. Today using semver-checks as it is appears to expose us to that possibility when other cargo commands provide the --locked option.
Describe the solution you'd like
The ability to pass --locked to the semver-checks command, and for the lock file to be used.
Alternatives, if applicable
No response
Additional Context
No response