You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The vendoring of git dependencies is incorrectly skipped under certain conditions. From my tests and by looking at the source code of cargo, the conditions for a crate A to be incorrectly skipped during vendoring seems to be :
A is a git dependency
a version of A is already vendored with a version suffix, i.e. log-0.4.22
you change the git revision of A to a different commit, but the crate version defined in the Cargo.toml of A is the same between the two commits
I made a minimal reproduction example in this repo with a CI job checking the update of the log dependency should change the vendor directory.
The log's sources should have changed after this but they have not.
Possible Solution(s)
The part where cargo decides whether it skips the vendoring of a crate or not seems to assume there is nothing to do if the crate version hasn't changed, which is true for dependencies on crates.io, but not for git dependencies where the same crate version can span multiples commits. Maybe this particular skip could be done only for dependencies on crates.io and not for git dependencies. That way, the optimisation is kept for crates.io dependencies which are the most common.
Notes
The skip doesn't happen when the dependency is vendored without suffix, i.e. log.
fix(vendor): trust crate version only when coming from registries
### What does this PR try to resolve?
Fixes#8181
Relates to #11897 and #14525
### How should we test and review this PR?
As mentioned in the contribution guide, I made a first commit adding a test that passes with the actual behaviour. Then, I made a second commit with a fix and modified the test with the new expected behaviour.
### Additional information
The fix doesn't take into account switching from a git dependency to crates.io, which is not handled correctly on master either, and would probably require the vendoring to serialize the source ID to detect source changes.
I specifically limited the trust of immutable version to crates.io, but it could be extended to other registries.
fix(vendor): trust crate version only when coming from registries
### What does this PR try to resolve?
Fixes#8181
Relates to #11897 and #14525
### How should we test and review this PR?
As mentioned in the contribution guide, I made a first commit adding a test that passes with the actual behaviour. Then, I made a second commit with a fix and modified the test with the new expected behaviour.
### Additional information
The fix doesn't take into account switching from a git dependency to crates.io, which is not handled correctly on master either, and would probably require the vendoring to serialize the source ID to detect source changes.
I specifically limited the trust of immutable version to crates.io, but it could be extended to other registries.
Problem
The vendoring of git dependencies is incorrectly skipped under certain conditions. From my tests and by looking at the source code of cargo, the conditions for a crate
A
to be incorrectly skipped during vendoring seems to be :A
is a git dependencyA
is already vendored with a version suffix, i.e.log-0.4.22
A
to a different commit, but the crate version defined in theCargo.toml
ofA
is the same between the two commitsI made a minimal reproduction example in this repo with a CI job checking the update of the log dependency should change the vendor directory.
Steps
git clone https://github.com/stormshield-guillaumed/vendor-repro.git
sed -i s/d1a8306aadb88d56b74c73cdce4ef0153fb549cb/96dbf58ec05e844ec55aa2282f32f612372fbced/ Cargo.toml
cargo vendor --versioned-dirs > .cargo/config.toml
The log's sources should have changed after this but they have not.
Possible Solution(s)
The part where cargo decides whether it skips the vendoring of a crate or not seems to assume there is nothing to do if the crate version hasn't changed, which is true for dependencies on
crates.io
, but not for git dependencies where the same crate version can span multiples commits. Maybe this particular skip could be done only for dependencies oncrates.io
and not for git dependencies. That way, the optimisation is kept forcrates.io
dependencies which are the most common.Notes
The skip doesn't happen when the dependency is vendored without suffix, i.e.
log
.Version
The text was updated successfully, but these errors were encountered: