Comments (12)
Ouch! I'm guessing we depend on a crate that used to enable the feature and now doesn't.
Maybe `cargo update` should be part of the release checklist.
from xh.
Just the view of a package maintainer here ...
Releases need to be built with `--locked` or `--offline` when it comes to packaging. This is because there are basically 3 phases of a package build: fetch, build and install.
At least on NetBSD, the fetch phase fetches the source files into the build directory. During the build phase, downloads are not allowed; only what was already downloaded during fetch is supposed to be used. So, if extra source files are needed, the build will fail.
Not all packaging systems are that strict, but I think it's good that we do it this way. When we fetch source files, we also calculate checksums, so if a file has been altered the build will fail due to a checksum mismatch. This way, we can improve security by only using files that have a checksum assigned.
from xh.
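Added example, not part of the thread or of xh's code: a small audit of a `Cargo.lock` that lists the packages a checksum-enforcing fetch phase could not verify, since the lockfile records a `checksum` only for registry crates and not for git sources. The lockfile excerpt, crate names, URL and checksum value are constructed placeholders, and the line-based reader is an assumption that covers only the four scalar keys used here.

```rust
// Constructed Cargo.lock excerpt; names, URL and checksum are placeholders.
const SAMPLE: &str = r#"
[[package]]
name = "example-app"
version = "0.1.0"
dependencies = ["example-dep", "example-git-dep"]
[[package]]
name = "example-dep"
version = "1.2.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "<sha256-placeholder>"
[[package]]
name = "example-git-dep"
version = "0.4.0"
source = "git+https://example.invalid/repo.git#<commit-placeholder>"
"#;

#[derive(Default)]
struct Pkg { name: String, version: String, source: Option<String>, checksum: Option<String> }

// Line-based reader for [[package]] tables; other keys and array items are skipped.
fn parse_lock(text: &str) -> Vec<Pkg> {
    let (mut pkgs, mut cur) = (Vec::new(), None::<Pkg>);
    for line in text.lines().map(str::trim) {
        if line.starts_with('[') {
            pkgs.extend(cur.take()); // a new table header ends the previous package
            if line == "[[package]]" { cur = Some(Pkg::default()); }
            continue;
        }
        let (Some(p), Some((k, v))) = (cur.as_mut(), line.split_once(" = ")) else { continue };
        let v = v.trim_matches('"').to_string();
        match k {
            "name" => p.name = v,
            "version" => p.version = v,
            "source" => p.source = Some(v),
            "checksum" => p.checksum = Some(v),
            _ => {}
        }
    }
    pkgs.extend(cur);
    pkgs
}

// Packages that have a remote source but no registry checksum to compare against.
fn unverifiable(pkgs: &[Pkg]) -> Vec<String> {
    pkgs.iter().filter(|p| match (&p.source, &p.checksum) {
        (None, _) => false, // path/workspace crate: shipped inside the source archive
        (Some(s), c) => c.is_none() || !s.starts_with("registry+"),
    }).map(|p| format!("{} {}", p.name, p.version)).collect()
}
fn main() { for f in unverifiable(&parse_lock(SAMPLE)) { println!("unverifiable: {f}"); } }
```
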
I can confirm this trying to install xh from crates.io.
Also on Linux with the latest stable Rust version.
from xh.
@blyxxyz I wasn't aware but it looks like cargo-install respects any present `Cargo.lock` file when the `--locked` option is used. Do you see any downsides in recommending that instead?
from xh.
It means people will miss out on bug fixes, and not everybody is going to notice it. But I've seen packages that recommend it. Some of the distro packages already build with `--locked`.
It's good practice either way to regularly run `cargo update` and watch out for vulnerabilities. But with `--locked` it would be even more important.
I don't have a strong opinion for or against.
from xh.
It would likely be useful to add `resolver = "2"` to Cargo.toml to use the stricter dependency resolver.
from xh.
Hm, seems that it wouldn't have caught this problem but that sounds like a good idea.
from xh.
It would likely be useful to add resolver = "2" to Cargo.toml to use the stricter dependency resolver.
We're on edition 2021, so it should default to the newer resolver (I think)
By the way, how helpful do you find our MSRV policy? We could periodically run `cargo update` but that means we would raise the minimum supported Rust version more often.
Also, I noticed that installing xh from crates.io without the `--locked` flag requires at least 1.70 but our stated MSRV is 1.64.
from xh.
Also, I noticed that installing xh from crates.io without the --locked flag requires at least 1.70 but our stated MSRV is 1.64.
As long as it states the actually required MSRV it's fine. Personally, I'm nearly always on the latest stable, but NetBSD itself is usually on latest -1.
Right now, I'm on 1.73 and NetBSD is on 1.71.1. So, I like when projects state MSRV, so I don't push things that build on my dev system but fail on the build servers.
from xh.
The fix has been merged, but there isn't a release yet. My workflows using xh are failing.
from xh.
Thanks. v0.19.4 has been released with just this one fix.
from xh.
I have now added `cargo update` to our release checklist file.
We will also start updating dependencies more aggressively and encourage people to use the `--locked` option when installing xh from crates.io.
from xh.