Contradictory MSRV #85
Comments
We can't meaningfully control or guarantee the MSRV set by our dependencies unless we pin all of our dependencies. If the ecosystem as a whole does this, then crate developers will find that people aren't downloading their patch updates. Patch updates are an important part of how the ecosystem responds to critical bugs and security flaws. So it is my opinion that this sort of problem ought to be solved by the end user. If you require a specific version of I'm open to discussion on this, but that is my initial impression of this situation.
This is exactly what I did. However, as you mentioned, that blocks security updates. I am considering reverting this change for that reason. That means MSRV, at best, indicates it is "possible" to make the crate compile but not necessarily with the default behaviour of Cargo which, in the absence of a lock file, will pick the latest available version of the dependencies. Two problems remain:
Alternatively, nothing should be done, and MSRV should be considered only as an unverified claim. I am not entirely comfortable with this though. Side note: implementing the suggestion about CI could help refine README.md in the sense that it does the minimum pinning to make the crate compile with MSRV.
Version 6.0.0 bumped the MSRV to 1.70. The README was updated accordingly, along with a notice that relaxed the portrayal of how strong the MSRV is. MSRV has been tested by CI for quite some time; however, this won't catch upstream MSRV changes that were made after the PR was merged. That is how the original issue was able to occur.
I gave cargo's MSRV aware resolver a spin with
Hi, I read in the main README.md:
And I started getting this recently (when `home` decided to bump their MSRV):
I already saw a couple of MSRV debates in some other repositories. I don't have an opinion yet on the matter. However, README.md is now wrong de facto.
Now on opinions, at least I think 1.70.0 as MSRV for a crate such as `home` is slightly radical but I don't know what motivated this sudden change.
I had to use a `<` in my `Cargo.toml`, which apparently has been a huge controversy in `bincode` a couple of years ago. Anyway, this is not in the scope of `which`, but `which` is impacted by it because an external dependency broke the official MSRV.
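The two approaches discussed in this thread, side by side, as an added configuration example (not from the project or from any commenter): a `<` cap in `Cargo.toml`, and Cargo's MSRV-aware resolver enabled in `.cargo/config.toml`. The crate names `msrv-demo` and `some-dep`, all version numbers and the `rust-version` value are constructed; the `fallback` setting assumes Cargo 1.84 or newer.

```toml
# ---- Cargo.toml, option A: upper bound in the manifest ----
[package]
name = "msrv-demo"        # hypothetical crate
version = "0.1.0"
edition = "2021"
rust-version = "1.63"     # constructed MSRV for this example

[dependencies]
# Constructed scenario: some-dep 1.2.4 raised its own rust-version above 1.63.
# The cap keeps old toolchains building, but it is part of the published
# manifest, so it applies to every downstream user on every toolchain and
# fixes shipped in 1.2.4 or later are never selected.
some-dep = ">=1.2.0, <1.2.4"

# ---- Cargo.toml, option B: ordinary caret requirement, no cap ----
# some-dep = "1.2"

# ---- .cargo/config.toml, used together with option B ----
[resolver]
# When generating or updating Cargo.lock, prefer dependency versions whose
# declared rust-version is compatible with the package's rust-version, and
# consider newer ones only if no compatible candidate exists.
# This only helps when the dependency declares rust-version in its manifest.
incompatible-rust-versions = "fallback"
```

With option B on an older Cargo, a lockfile-only pin such as `cargo update -p some-dep --precise 1.2.3` holds the dependency back locally without changing the published requirement.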