build: Bump Cargo.lock
dependencies
#998
Phylum OSS Supply Chain Risk Analysis - INCOMPLETE

The analysis contains 10 package(s) Phylum has not yet processed.

Phylum OSS Supply Chain Risk Analysis - FAILED

Background: This repository analyzes the risk of new dependencies. An administrator of this repository has set score requirements for Phylum's five risk domains. If you see this comment, one or more dependencies added to the package manager lockfile have failed Phylum's risk analysis.

Package: birdcage@0.2.1

Risk Domain | Identified Score | Requirement | Requirement Source
---|---|---|---
License | 20 | 60 | project per-axis threshold

Issues Summary

Risk Domain | Risk Level | Title
---|---|---
License | high | Commercial license risk detected in birdcage@0.2.1
The following new packages are transitive dependencies of `clap@4.2.1`: `anstream`, `anstyle-parse`, `anstyle-wincon`, `clap_builder`, `concolor-query`, `concolor-override`.

Still related to `clap@4.2.1`, the addition of `windows-targets@0.48.0` and its many arch-specific dependencies. Deduplication of this is blocked by `chrono`, which is already at its latest available version and still depends on `windows-targets@0.42.2`.
The following changes are related to `deno-crypto`:

- Addition of `packed_simd_2`, `platforms`.
- Addition of `libm@0.1.4` alongside `libm@0.2.6`; this looks like an inconsistency starting from `deno-crypto`'s direct dependencies `x25519-dalek` and `rsa` requiring a different version of `libm`. Bumping `rsa` to attempt to fix the issue breaks our codebase.
- The newly introduced dependency on `redox_syscall` is related to `tempfile`, and the minor bump is incompatible with a number of other packages which still rely on the old version (notably `parking_lot`).
Overall I'm not too happy with the volume of changes, but manually bumping packages to try and reduce that has proven unfruitful and actually resulted either in even more additions (`deno_runtime` and related) or breaking changes (`rsa`).
If we want to reduce the impact of these changes, we can hold off on merging this PR. If we want to stay current, we can merge this in. I'd like to ask for a second opinion from team members on this.
I'm in favor of the latter, as the new additions look okay and I think the only real downside is the resulting fragmentation. But I would also like to plan a refactoring pass where we bump our direct dependencies with the objective of staying current and getting leaner as we merge as many duplications as possible.
I agree completely. This PR adds 11 new duplicated packages.
And we still don't have a workaround for #725, which makes this worse. As you suggested, we should go ahead and merge this PR and plan on a push to reduce our duplicate dependencies in the near future.
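A helper for the duplicate-dependency audit discussed in this thread, added here as an example and not code from the repository or this PR: it parses a constructed `Cargo.lock` fragment (the `rsa` and `x25519-dalek` versions are placeholders) and reports every crate present under more than one version together with the packages that pin each version, which is the information needed to find the blocker (as `chrono` is for `windows-targets`).

```python
import re

# Constructed Cargo.lock fragment (not the repository's real lockfile) modelling
# the review's libm case: rsa and x25519-dalek pin different libm versions.
SAMPLE_LOCK = """\
[[package]]
name = "libm"
version = "0.1.4"

[[package]]
name = "libm"
version = "0.2.6"

[[package]]
name = "rsa"
version = "0.0.0"
dependencies = [
 "libm 0.1.4",
]

[[package]]
name = "x25519-dalek"
version = "0.0.0"
dependencies = [
 "libm 0.2.6",
]
"""

def parse_lock(text):
    """Map (name, version) -> dependency entries listed for that package."""
    pkgs = {}
    for block in text.split("[[package]]")[1:]:
        name = re.search(r'^name = "([^"]+)"', block, re.M)
        version = re.search(r'^version = "([^"]+)"', block, re.M)
        if name and version:  # skip [metadata] and other trailing sections
            pkgs[(name.group(1), version.group(1))] = re.findall(r'^ "([^"]+)",', block, re.M)
    return pkgs

def find_duplicates(pkgs):
    """Crate name -> versions for crates present more than once (string order)."""
    versions = {}
    for name, version in pkgs:
        versions.setdefault(name, set()).add(version)
    return {n: sorted(v) for n, v in versions.items() if len(v) > 1}

def dependents(pkgs, name, version):
    """Packages pulling in this version: Cargo writes "name" for a unique crate,
    "name version" once the crate is duplicated."""
    wanted = {name, f"{name} {version}"}
    return sorted(pk for pk, deps in pkgs.items() if wanted & set(deps))
```

Run it against the real lockfile by reading `Cargo.lock` into `parse_lock` instead of `SAMPLE_LOCK`; each duplicated crate's dependents show which package has to move before the copy can be dropped.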
Phylum OSS Supply Chain Risk Analysis - SUCCESS

The Phylum risk analysis is complete and did not identify any issues.
Bump dependencies in `Cargo.lock` for all SemVer-compatible updates.