rust-secure-code / cargo-auditable

Make production Rust binaries auditable
Apache License 2.0

auditable-serde: bump `cargo-lock` to v9 #114

Closed tarcieri closed 1 year ago

tarcieri commented 1 year ago

This is a SemVer breaking change as cargo-lock is part of the public API by way of trait impls, so this also bumps the version of auditable-serde to v0.6.0-pre.

Shnatsel commented 1 year ago

I'm not sure I want to propagate a semver-breaking change all the way up the chain just because cargo-lock got bumped. I think I can add conversion impls for both v8 and v9, both feature-gated, and avoid propagating a semver break up the chain.

I'll prototype this tomorrow unless you beat me to it.

tarcieri commented 1 year ago

That will make the circular dependency relationships even more complicated.

Shnatsel commented 1 year ago

Okay, I don't want to make the circular dependencies any worse than they already are, and the only crates.io dependents are cargo audit and cargo auditable crates, so this seems to be the best approach. Merging.

tarcieri commented 1 year ago

Mind cutting a release? I'm also not sure what other dependencies need their versions bumped due to SemVer breaking changes.

Shnatsel commented 1 year ago

Not today, too tired. I fear I'll mess something up. I'll take a look at it tomorrow.

Shnatsel commented 1 year ago

I'm not feeling well so I'll avoid cutting releases myself, but you should have publish rights for the crates and you're welcome to do so.