As noticed in https://phabricator.services.mozilla.com/D208390#inline-1157256, if there are multiple audits for a crate from a given source which have the same version range and criteria, cargo-vet can get confused and pick the wrong audit as identical to an existing audit when performing imports. This is because other fields, like "who", are explicitly ignored by the `same_audit_as` check (see cargo-vet/src/format.rs, lines 302 to 304 at 9f8f843).
While we likely want to keep that behaviour, it might be worthwhile to improve the check to pick the "best" match in the case where multiple audits are considered the same, so that an import for the second audit is not confused with an import for the first audit in a situation like this: https://github.com/mozilla/supply-chain/blob/900ea594716565ecac941ab34d869ccc12892e90/audits.toml#L2769-L2781
Not doing this can lead to surprising changes to imports.lock when nothing needs to have changed.
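As an added illustration (not cargo-vet's own code), the sketch below uses a hypothetical simplified `AuditEntry` shape and hypothetical function names to contrast the current first-loose-match behaviour with a "best match" selection that still treats `who` and `notes` as non-identifying but uses them to break ties between otherwise identical audits:

```rust
/// Simplified stand-in for a cargo-vet audit entry (hypothetical shape, not
/// the project's real `AuditEntry` type).
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct AuditEntry {
    pub delta_from: Option<String>, // None for a full audit, Some(v) for a delta
    pub version: String,
    pub criteria: Vec<String>,
    pub who: Vec<String>,
    pub notes: Option<String>,
}

impl AuditEntry {
    /// The loose comparison the issue describes: only the version range and
    /// criteria count; `who` and `notes` are deliberately ignored.
    pub fn same_audit_as(&self, other: &AuditEntry) -> bool {
        self.delta_from == other.delta_from
            && self.version == other.version
            && self.criteria == other.criteria
    }
}

/// Current behaviour: the first loose match wins, even when a later candidate
/// is the exact entry already recorded in imports.lock.
pub fn first_loose_match<'a>(existing: &AuditEntry, cands: &'a [AuditEntry]) -> Option<&'a AuditEntry> {
    cands.iter().find(|c| c.same_audit_as(existing))
}

/// Proposed behaviour: among loose matches, prefer the one whose ignored fields
/// also agree; ties keep the earliest candidate (file order) for determinism.
pub fn best_match<'a>(existing: &AuditEntry, cands: &'a [AuditEntry]) -> Option<&'a AuditEntry> {
    let score = |c: &AuditEntry| u8::from(c.who == existing.who) + u8::from(c.notes == existing.notes);
    let mut best: Option<(&'a AuditEntry, u8)> = None;
    for c in cands.iter().filter(|c| c.same_audit_as(existing)) {
        let s = score(c);
        if best.map_or(true, |(_, b)| s > b) {
            best = Some((c, s));
        }
    }
    best.map(|(c, _)| c)
}

/// Constructed sample: two same-version, same-criteria audits by different
/// reviewers, plus the imports.lock entry that originally came from the second.
pub fn sample() -> (Vec<AuditEntry>, AuditEntry) {
    let mk = |who: &str, notes: &str| AuditEntry {
        delta_from: None, version: "1.0.0".into(), criteria: vec!["safe-to-deploy".into()],
        who: vec![who.into()], notes: Some(notes.into()),
    };
    let cands = vec![mk("Alice <alice@example.com>", "first review"), mk("Bob <bob@example.com>", "second review")];
    let existing = cands[1].clone();
    (cands, existing)
}
```

With the sample data, `first_loose_match` returns Alice's audit for an imports.lock entry that came from Bob's, which is exactly the spurious imports.lock churn described above, while `best_match` returns Bob's.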