pin dependencies to versions

If there isn't any version specified for a dependency crate, Cargo may
choose a newer version. This could happen when Cargo.lock is updated
("cargo update") but can also happen unexpectedly when adding or
changing other dependencies. This can allow API-breaking changes to be
picked up, breaking the build.

To prevent this, specify versions for all dependencies. Cargo is still
allowed to pick newer versions that are (hopefully) non-breaking, by
analyzing the semver version number.

There are two special cases here:

1. serde_derive::{Serialize, Deserialize} isn't really used any more. It
was only a separate crate in the past because of compiler limitations.
Nowadays, people turn on the "derive" feature of the serde crate and
use serde::{Serialize, Deserialize}.

2. parse_duration is unmaintained and has an open security issue. (gh
iss. 87) That issue probably isn't critical for us because of where we
use that crate, but it's probably still better to pin the version so we
can't get hit with an API-breaking change at an awkward time.
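As an added example that is not part of this commit or the project's code: a small check that reports the kind of requirement this commit removes (`""` and `"*"`), treating git `rev` and `path` entries as pinned. It uses a line scanner rather than a TOML parser, and the manifest it runs on is constructed.

```rust
// Added example, not part of this commit: report Cargo.toml [dependencies]
// whose requirement ("" or "*") lets Cargo pick any release of the crate.

/// Constructed sample mixing the weak and fixed spellings from this commit.
pub const SAMPLE_MANIFEST: &str = r#"
[dependencies]
serde = ""
serde_derive = ""
parse_duration = "*"
toml = "0.5"
lazy_static = { version = "1.4", features = ["spin_no_std"] }
postgres = { git = "https://example.invalid/rust-postgres.git", rev = "a0d067b" }
zenith_utils = { path = "../zenith_utils" }
"#;

/// Value of `key = "..."` in an inline table; array pieces carry no key we look up.
fn inline_value(table: &str, key: &str) -> Option<String> {
    table.trim_matches(|c: char| c == '{' || c == '}')
        .split(',')
        .filter_map(|kv| kv.split_once('='))
        .find(|(k, _)| k.trim() == key)
        .map(|(_, v)| v.trim().trim_matches('"').to_string())
}

/// Entries with no effective pin: a wildcard requirement, or none and no git `rev`/`path`.
pub fn unpinned_deps(manifest: &str) -> Vec<String> {
    let wildcard = |req: &str| req.is_empty() || req == "*";
    let (mut in_deps, mut found) = (false, Vec::new());
    for raw in manifest.lines() {
        let line = raw.trim();
        if line.starts_with('[') {
            in_deps = line == "[dependencies]"; // only the plain table is checked
            continue;
        }
        let (name, spec) = match line.split_once('=') {
            Some((n, s)) if in_deps && !line.starts_with('#') => (n.trim(), s.trim()),
            _ => continue,
        };
        let unpinned = if spec.starts_with('{') {
            match inline_value(spec, "version") {
                Some(v) => wildcard(v.as_str()),
                None => inline_value(spec, "rev").is_none() && inline_value(spec, "path").is_none(),
            }
        } else {
            wildcard(spec.trim_matches('"'))
        };
        if unpinned { found.push(name.to_string()); }
    }
    found
}
```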
Author: Eric Seppanen
Date: 2021-05-03 13:38:10 -07:00
parent 219cbe2d9c
commit a3818dee58
5 changed files with 9 additions and 8 deletions

Cargo.lock (generated)

@@ -410,7 +410,6 @@ dependencies = [
"rand",
"regex",
"serde",
"serde_derive",
"tar",
"tokio-postgres",
"toml",
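Review bot: removing "serde_derive" from this package's dependency list only detaches it from this crate; the package entry itself stays in Cargo.lock because serde now lists it (next hunk), which is what enabling serde's "derive" feature should produce, so no crate actually leaves the build graph and no version moves.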
@@ -1860,6 +1859,9 @@ name = "serde"
version = "1.0.125"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "558dc50e1a5a5fa7112ca2ce4effcb321b0300c0d4ccf0776a9f60cd89031171"
dependencies = [
"serde_derive",
]
[[package]]
name = "serde-xml-rs"
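Review bot: `version = "1.0.125"` and the checksum line are unchanged while serde gains `dependencies = ["serde_derive"]`, so this is a feature-only change with no version bump; since the file is marked generated, it should come from a `cargo build` after the manifest edit rather than a hand edit, and the unchanged checksum suggests that is the case.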


@@ -12,10 +12,9 @@ tar = "0.4.33"
postgres = { git = "https://github.com/zenithdb/rust-postgres.git", rev="a0d067b66447951d1276a53fb09886539c3fa094" }
tokio-postgres = { git = "https://github.com/zenithdb/rust-postgres.git", rev="a0d067b66447951d1276a53fb09886539c3fa094" }
serde = ""
serde_derive = ""
toml = ""
lazy_static = ""
serde = { version = "1.0", features = ["derive"] }
toml = "0.5"
lazy_static = "1.4"
regex = "1"
anyhow = "1.0"
hex = "0.4.3"
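Review bot: `serde = { version = "1.0", features = ["derive"] }`, `toml = "0.5"` and `lazy_static = "1.4"` are caret requirements, so Cargo may still select newer semver-compatible releases and only Cargo.lock fixes exact versions, which is the behaviour the commit message asks for; dropping `serde_derive` here is consistent with the source change to `use serde::{Deserialize, Serialize}`, and the two git dependencies remain pinned by `rev`.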


@@ -13,7 +13,7 @@ use std::path::{Path, PathBuf};
use std::process::{Command, Stdio};
use anyhow::Result;
use serde_derive::{Deserialize, Serialize};
use serde::{Deserialize, Serialize};
use pageserver::zenith_repo_dir;
use pageserver::ZTimelineId;
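Review bot: `use serde::{Deserialize, Serialize};` only resolves when the "derive" feature is enabled for serde in the Cargo.toml of the crate that owns this file (the manifest hunk above does that); the derive macros keep the same names, so no call sites need to change, and a build without the feature would fail at this import rather than silently.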


@@ -38,7 +38,7 @@ walkdir = "2"
thiserror = "1.0"
hex = "0.4.3"
tar = "0.4.33"
parse_duration = "*"
parse_duration = "2.1.1"
postgres_ffi = { path = "../postgres_ffi" }
zenith_utils = { path = "../zenith_utils" }
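Review bot: `parse_duration = "2.1.1"` is a caret requirement, so it still admits later 2.x releases but blocks a 3.0 API break, which matches the intent; given the commit message records that the crate is unmaintained with an open security issue, consider a short comment next to this line stating why it is pinned and that a replacement is pending, so the reason survives the next manifest edit.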


@@ -28,7 +28,7 @@ postgres-protocol = { git = "https://github.com/zenithdb/rust-postgres.git", rev
postgres = { git = "https://github.com/zenithdb/rust-postgres.git", rev="a0d067b66447951d1276a53fb09886539c3fa094" }
anyhow = "1.0"
crc32c = "0.6.0"
parse_duration = "*"
parse_duration = "2.1.1"
walkdir = "2"
# FIXME: 'pageserver' is needed for ZTimelineId. Refactor
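Review bot: the same `parse_duration = "2.1.1"` pin is repeated here in a second crate's manifest; two independent pins on the same dependency can drift apart on a later edit, so either a workspace-level requirement or the same explanatory comment in both files would keep them in sync and make the unmaintained-crate caveat visible in each place it is used.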