You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Just noticed today on a CI job that cargo audit is failing to build with a rust version under 1.74 because the version set for clap is 4 and now that pulls in 4.5, which needs 1.74 or higher to build
We should probably either bump the MSRV for cargo audit or constrain the clap version to be under 4.5
The text was updated successfully, but these errors were encountered:
Clap 4.5 was not released at the time of publishing cargo-audit 0.19. Without an MSRV-aware resolver in Cargo we cannot really enforce MSRV in any meaningful fashion, since any dependency can increase MSRV at any time.
We could, in theory, have some CI pipeline that builds the whole project with the latest dependency versions every day, and if any dependency at all bumps MSRV, publish a new release with MSRV in cargo audit likewise increased; but I fail to see the utility in that.
The only reasonable solution I can think of is to use cargo install --locked cargo-audit to use the exact versions the release was tested with, and are known to have a compatible MSRV.
Hello!
Just noticed today on a CI job that cargo audit is failing to build with a rust version under 1.74 because the version set for clap is
4
and now that pulls in 4.5, which needs 1.74 or higher to buildWe should probably either bump the MSRV for cargo audit or constrain the clap version to be under 4.5
The text was updated successfully, but these errors were encountered: