When publishing a crate, it cannot depend on unpublished crates. Currently, we depend on an unpublished version of graphql_client to avoid a security vulnerability.
Adding a version field to this dependency in Cargo.toml means that we use the patched version from Git when building, but the published version when publishing spr to crates.io.
This is not ideal, but the best we can do at this point. Hopefully, graphql_client will be updated on crates.io soon.
Fortunately, the binaries we produce for our homebrew tap will still be built with the fixed version. That's because the homebrew formula checks out the spr source code and builds it, which uses the fixed version.
Unfortunately, installing with cargo install spr will use the unfixed dependency. At least I think that's the case. I can only really test it after the next time we have published to crates.io.
Test Plan: cargo check && cargo clippy && cargo package
When publishing a crate, it cannot depend on unpublished crates. Currently, we depend on an unpublished version of
graphql_client
to avoid a security vulnerability. Adding a version field to this dependency inCargo.toml
means that we use the patched version from Git when building, but the published version when publishingspr
to crates.io. This is not ideal, but the best we can do at this point. Hopefully,graphql_client
will be updated on crates.io soon.Fortunately, the binaries we produce for our homebrew tap will still be built with the fixed version. That's because the homebrew formula checks out the spr source code and builds it, which uses the fixed version. Unfortunately, installing with
cargo install spr
will use the unfixed dependency. At least I think that's the case. I can only really test it after the next time we have published to crates.io.Test Plan:
cargo check && cargo clippy && cargo package