The installation instructions (especially for cargo-audit) do not use the lockfile of the repository, but use the latest compatible versions of the dependencies. This has led to breaking new installations of cargo-audit for one day due to incompatible gix dependencies (Byron/gitoxide#1328).
The main drawback of this switch is that it would make us responsible for releasing security upgrades when one of our dependencies is affected by a vulnerability, but we already have the tooling in place to detect and fix vulnerabilities.
The practices regarding cargo install are not well established in the ecosystem yet (recent RFC opened to change cargo's default behavior), but I think --locked is what makes more sense now in our context.
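To make the trade-off in the issue concrete, here is a small added model (not code from this issue, from cargo, or from the rustsec project) of the two resolution strategies: Cargo's default caret requirement picks the newest registry release inside the compatible range, while `--locked` takes the exact version recorded in Cargo.lock. The crate name `gix-toy`, its version list, the lockfile contents and the advisory are all constructed for illustration; the caret-range rules themselves are Cargo's documented semantics.

```python
"""Toy model of `cargo install` with and without --locked.

Without --locked, Cargo resolves each caret requirement to the newest
compatible release on the registry, so a fresh install can pull versions
the maintainers never tested.  With --locked, the exact versions in
Cargo.lock are used, which also means a vulnerable pinned version stays
until the maintainers publish a new lockfile.

Every crate name, version and advisory below is CONSTRUCTED for this
example and is not real crates.io or RustSec data.
"""

import re

Version = tuple[int, int, int]


def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR.PATCH' into a comparable tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"bad version: {text}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def caret_range(req: str) -> tuple[Version, Version]:
    """Lower (inclusive) and upper (exclusive) bound of a Cargo caret requirement.

    Cargo bumps the leftmost non-zero component; if every given component is
    zero it bumps the last component given.  Hence ^1.2.3 -> <2.0.0,
    ^0.2.3 -> <0.3.0, ^0.0.3 -> <0.0.4, ^0.0 -> <0.1.0 and ^0 -> <1.0.0.
    """
    parts = [int(p) for p in req.lstrip("^").split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"bad requirement: {req}")
    lower = tuple(parts + [0] * (3 - len(parts)))
    bump = next((i for i, p in enumerate(parts) if p != 0), len(parts) - 1)
    upper = [0, 0, 0]
    upper[:bump] = parts[:bump]
    upper[bump] = parts[bump] + 1
    return lower, tuple(upper)  # type: ignore[return-value]


def resolve_latest(req: str, index: dict[str, list[str]], crate: str) -> str:
    """Default `cargo install`: newest registry version satisfying the requirement."""
    lower, upper = caret_range(req)
    candidates = [v for v in index[crate] if lower <= parse_version(v) < upper]
    if not candidates:
        raise LookupError(f"no version of {crate} matches {req}")
    return max(candidates, key=parse_version)


def resolve_locked(lockfile: dict[str, str], crate: str) -> str:
    """`cargo install --locked`: the exact version recorded in Cargo.lock."""
    return lockfile[crate]


# Constructed registry state, lockfile and advisory (not real data).
TOY_INDEX = {"gix-toy": ["0.59.4", "0.60.0", "0.60.1", "0.60.2", "0.61.0"]}
TOY_LOCKFILE = {"gix-toy": "0.60.0"}   # the version the maintainers tested
TOY_REQUIREMENT = "^0.60"              # what the tool's Cargo.toml asks for
# Hypothetical advisory: affected range and the first patched release.
TOY_ADVISORY = {"crate": "gix-toy", "affected_below": "0.60.1"}


def install_plan(locked: bool) -> str:
    """Version of gix-toy a fresh install would build against."""
    if locked:
        return resolve_locked(TOY_LOCKFILE, "gix-toy")
    return resolve_latest(TOY_REQUIREMENT, TOY_INDEX, "gix-toy")


def lockfile_is_stale(req: str, lockfile: dict[str, str],
                      index: dict[str, list[str]], crate: str) -> bool:
    """True when an unlocked install would pick a version the lockfile never tested."""
    return resolve_latest(req, index, crate) != lockfile[crate]


def locked_install_is_vulnerable(lockfile: dict[str, str], advisory: dict) -> bool:
    """The cost of --locked: the pinned version stays even after a fix ships.
    This is the check a cargo-audit style tool runs against Cargo.lock."""
    pinned = parse_version(lockfile[advisory["crate"]])
    return pinned < parse_version(advisory["affected_below"])


if __name__ == "__main__":
    print("unlocked install picks:", install_plan(locked=False))
    print("locked install picks:  ", install_plan(locked=True))
    print("lockfile stale?        ", lockfile_is_stale(TOY_REQUIREMENT, TOY_LOCKFILE, TOY_INDEX, "gix-toy"))
    print("locked pin vulnerable? ", locked_install_is_vulnerable(TOY_LOCKFILE, TOY_ADVISORY))
```

The two final checks are the two halves of the issue: `lockfile_is_stale` is the drift that broke unlocked installs, and `locked_install_is_vulnerable` is the new obligation a `--locked` recommendation creates, which is exactly what advisory scanning of Cargo.lock is for.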
gix has already adopted it, but the tool is far from complete. It did not catch the recent reqwest issue that only surfaced at runtime. I believe it also doesn't catch version changes in re-exports, which is what broke semver for tame-index.