
Cargo audit pulls clap 4.5, which needs rustc 1.74 (where the MSRV is 1.70 for cargo audit) #1104

Open
tarikeshaq opened this issue Feb 8, 2024 · 3 comments

Comments

@tarikeshaq

Hello!

Just noticed today on a CI job that cargo audit is failing to build with a Rust version under 1.74, because the version set for clap is 4 and now that pulls in 4.5, which needs 1.74 or higher to build.

We should probably either bump the MSRV for cargo audit or constrain the clap version to be under 4.5.

@Shnatsel
Member

Shnatsel commented Feb 8, 2024

Clap 4.5 was not released at the time of publishing cargo-audit 0.19. Without an MSRV-aware resolver in Cargo we cannot really enforce MSRV in any meaningful fashion, since any dependency can increase MSRV at any time.

We could, in theory, have some CI pipeline that builds the whole project with the latest dependency versions every day, and if any dependency at all bumps MSRV, publish a new release with MSRV in cargo audit likewise increased; but I fail to see the utility in that.

The only reasonable solution I can think of is to use cargo install --locked cargo-audit to use the exact versions the release was tested with, and are known to have a compatible MSRV.

@tarikeshaq
Author

Yeah, that's totally fair! Cargo's semver guidelines tell us to treat MSRV bumps as minor bumps (which is what clap did!), so we could fix our dependency on the minor version (4.5, etc.), but that's a soft handshake and, as you said, cannot be enforced.

I'll leave this open in case folks stumble against it like I did, but please do feel free to close it when you feel it is appropriate.
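A CI-side check for the situation the two comments above describe, added here as an example and not code from the cargo-audit project: it reads the clap version pinned in a Cargo.lock (the versions that cargo install --locked would use) and flags the case where that clap is 4.5 or newer while the crate still declares an MSRV below 1.74. The 4.5/1.74 threshold comes from the issue; the lockfile snippets and the function names are constructed for the demo.

```shell
#!/bin/sh
# Constructed Cargo.lock excerpts (not real release lockfiles): one that
# resolved clap 4.5 and one that stayed on the 4.4 line.
LOCK_NEW='[[package]]
name = "cargo-audit"
version = "0.19.0"

[[package]]
name = "clap"
version = "4.5.0"

[[package]]
name = "clap_builder"
version = "4.5.0"
'
LOCK_OLD='[[package]]
name = "clap"
version = "4.4.18"
'

# locked_version <crate> <lockfile-text>: print the version pinned for <crate>.
# Walks the [[package]] tables and reports the first exact name match.
locked_version() {
    printf '%s\n' "$2" | awk -v want="$1" '
        /^\[\[package\]\]/ { name = ""; next }
        /^name = /    { gsub(/"/, "", $3); name = $3; next }
        /^version = / && name == want { gsub(/"/, "", $3); print $3; exit }
    '
}

# version_ge <a> <b>: exit 0 when <a> >= <b>, comparing MAJOR.MINOR.PATCH
# numerically; a missing component (e.g. "1.70") counts as 0.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        split(a, x, "."); split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# clap_msrv_conflict <lockfile-text> <declared-msrv>: exit 0 (conflict) when the
# locked clap is >= 4.5, which needs rustc 1.74, but the declared MSRV is older.
clap_msrv_conflict() {
    clap_ver=$(locked_version clap "$1")
    [ -n "$clap_ver" ] || return 1
    version_ge "$clap_ver" 4.5.0 || return 1
    version_ge "$2" 1.74.0 && return 1
    return 0
}
```

In a pipeline the same functions would be pointed at the checked-in Cargo.lock and the rust-version field from Cargo.toml, so a dependency bump that raises the effective MSRV fails the build instead of surfacing on a downstream CI job.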

@tarcieri
Member

tarcieri commented Feb 9, 2024

Yeah, our dependencies have adopted a more aggressive set of MSRV policies so we'll need to follow suit.

I'm not sure it makes sense to even advertise a static MSRV anymore.
