RFC: Precise Pre-release cargo update
by eopb · Pull Request #3493 · rust-lang/rfcs
This RFC proposes extending `cargo update` to allow updates to pre-release versions when requested with `--precise`.
For example, a `cargo` user would be able to call `cargo update -p dep --precise 0.1.1-pre0` as long as the version of `dep` requested by their project and its dependencies are semver compatible with `0.1.1`.
This effectively splits the notion of compatibility in `cargo`.
A pre-release version may be considered compatible when the version is explicitly requested with `--precise`.
Cargo will not automatically select that version via a basic `cargo update`.
Relevant to the Cargo team, which will review and decide on the RFC.
eopb and others added 14 commits
[drawbacks]: #drawbacks |
---|
- Pre-release versions are not easily auditable when they are only specified in the lock file. |
A change that makes use of a pre-release version may not be noticed during code review as reviewers don't always check for changes in the lock file. |
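Review bot: The first drawback bullet says pre-release versions are "not easily auditable" but does not name the condition an auditor or a CI job should look for. Suggest stating it explicitly: a locked version that carries a pre-release component while the manifest requirement has none. With that wording, the second sentence about reviewers skipping lock file changes reads as the consequence of a concrete, checkable state rather than a general concern.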
Possible mitigation: emit a warning when a pre-release version is locked and the version requirement doesn't use pre-release components. Assuming we get some way to do `--deny=warnings` for cargo-warnings in CI, that would require adding an `allow` somewhere outside the lockfile so that it's more reviewable.
(I was gonna say this fits in well with warnings for yanked crates too, but the warning I always thought existed when you have a yanked crate as a dependency doesn't actually exist 😓)
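The mitigation discussed in the review thread above (flag a locked pre-release whose version requirement has no pre-release component, with the allow kept outside the lock file) can be run as a CI check. The following Rust program is an added example, not code from the RFC or from cargo; the function names, the `reqs` map standing in for `Cargo.toml` requirements, the `allow` list and the sample lock text are assumptions made for illustration.

```rust
use std::collections::HashMap;

// Constructed sample lock text (not taken from the RFC or any real project).
const SAMPLE_LOCK: &str = r#"version = 3
[[package]]
name = "dep"
version = "0.1.1-pre0"
[[package]]
name = "other"
version = "2.0.0-rc.1"
[[package]]
name = "stable"
version = "1.4.0+build-7"
"#;

/// A version or requirement has a pre-release part if '-' occurs before any "+build".
fn is_prerelease(v: &str) -> bool {
    v.split('+').next().unwrap_or("").contains('-')
}

/// Value of the first `key = "value"` line inside one [[package]] table.
fn field(table: &str, key: &str) -> Option<String> {
    let line = table.lines().find_map(|l| l.trim().strip_prefix(key))?;
    Some(line.trim_matches('"').to_string())
}

/// (name, version) for every [[package]] table in Cargo.lock text.
fn locked_packages(lock: &str) -> Vec<(String, String)> {
    lock.split("[[package]]")
        .skip(1) // text before the first table holds the lock format `version = 3`
        .filter_map(|t| Some((field(t, "name = ")?, field(t, "version = ")?)))
        .collect()
}

/// Locked pre-releases with no pre-release in the manifest requirement and no allow entry.
fn unreviewed_prereleases(lock: &str, reqs: &HashMap<&str, &str>, allow: &[&str]) -> Vec<String> {
    locked_packages(lock).into_iter()
        .filter(|(n, v)| {
            // Packages missing from `reqs` (transitive ones) count as not opted in.
            let opted_in = reqs.get(n.as_str()).map_or(false, |r| is_prerelease(r));
            is_prerelease(v) && !opted_in && !allow.contains(&n.as_str())
        })
        .map(|(n, v)| format!("{} {}", n, v)).collect()
}

fn main() {
    let reqs = HashMap::from([("dep", "0.1.1"), ("other", "2.0.0-rc.1")]);
    let hits = unreviewed_prereleases(SAMPLE_LOCK, &reqs, &[]);
    println!("locked pre-releases without manifest opt-in: {:?}", hits);
}
```

Because the allow list lives outside `Cargo.lock`, adding an entry to it shows up in review as a deliberate change, which is the reviewability point the comment raises.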
@rfcbot fcp merge
Internally, this treats pre-release like yanked, which is a strong foundation for us to build on. This also aligns with other decisions (breaking changes, yanked) for "trusting the user" when it comes to `--precise`.
Team member @epage has proposed to merge this. The next step is review by the rest of the tagged team members:
No concerns currently listed.
Once a majority of reviewers approve (and at most 2 approvals are outstanding), this will enter its final comment period. If you spot a major issue that hasn't been raised at any point in this process, please speak up!
See this document for info about what commands tagged team members can give me.
Just spelling nits.
Co-authored-by: Eric Huss eric@huss.org
@rfcbot reviewed
Should we give maintainers of semver a head up of this?
🔔 This is now entering its final comment period, as per the review above. 🔔
> Should we give maintainers of semver a head up of this?

I made a passing reference but to be more explicit. @dtolnay this has impact on `semver` and we'd appreciate a look over.
Thanks for the heads up. This looks great to me.
The final comment period, with a disposition to merge, as per the review above, is now complete.
As the automated representative of the governance process, I would like to thank the author for their work and everyone else who contributed.
This will be merged soon.
Huzzah! The @rust-lang/cargo team has decided to accept this RFC.
To track further discussion, subscribe to the tracking issue here:
rust-lang/cargo#13290