From a3818dee583894e797bcacd7bedcc9e0360ac275 Mon Sep 17 00:00:00 2001
From: Eric Seppanen
Date: Mon, 3 May 2021 13:38:10 -0700
Subject: [PATCH] pin dependencies to versions

If there isn't any version specified for a dependency crate, Cargo may choose a newer version. This could happen when Cargo.lock is updated ("cargo update") but can also happen unexpectedly when adding or changing other dependencies. This can allow API-breaking changes to be picked up, breaking the build.

To prevent this, specify versions for all dependencies. Cargo is still allowed to pick newer versions that are (hopefully) non-breaking, by analyzing the semver version number.

There are two special cases here:

1. serde_derive::{Serialize, Deserialize} isn't really used any more. It was only a separate crate in the past because of compiler limitations. Nowadays, people turn on the "derive" feature of the serde crate and use serde::{Serialize, Deserialize}.

2. parse_duration is unmaintained and has an open security issue. (gh iss. 87) That issue probably isn't critical for us because of where we use that crate, but it's probably still better to pin the version so we can't get hit with an API-breaking change at an awkward time.
---
 Cargo.lock                     | 4 +++-
 control_plane/Cargo.toml       | 7 +++----
 control_plane/src/local_env.rs | 2 +-
 pageserver/Cargo.toml          | 2 +-
 walkeeper/Cargo.toml           | 2 +-
 5 files changed, 9 insertions(+), 8 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index e8ae4c42c6..2bac054279 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -410,7 +410,6 @@ dependencies = [
  "rand",
  "regex",
  "serde",
- "serde_derive",
  "tar",
  "tokio-postgres",
  "toml",
@@ -1860,6 +1859,9 @@ name = "serde"
 version = "1.0.125"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "558dc50e1a5a5fa7112ca2ce4effcb321b0300c0d4ccf0776a9f60cd89031171"
+dependencies = [
+ "serde_derive",
+]
 
 [[package]]
 name = "serde-xml-rs"
diff --git a/control_plane/Cargo.toml b/control_plane/Cargo.toml
index 0d49488bd7..f408763b01 100644
--- a/control_plane/Cargo.toml
+++ b/control_plane/Cargo.toml
@@ -12,10 +12,9 @@ tar = "0.4.33"
 postgres = { git = "https://github.com/zenithdb/rust-postgres.git", rev="a0d067b66447951d1276a53fb09886539c3fa094" }
 tokio-postgres = { git = "https://github.com/zenithdb/rust-postgres.git", rev="a0d067b66447951d1276a53fb09886539c3fa094" }
-serde = ""
-serde_derive = ""
-toml = ""
-lazy_static = ""
+serde = { version = "1.0", features = ["derive"] }
+toml = "0.5"
+lazy_static = "1.4"
 regex = "1"
 anyhow = "1.0"
 hex = "0.4.3"
diff --git a/control_plane/src/local_env.rs b/control_plane/src/local_env.rs
index 019b063370..d983c3be95 100644
--- a/control_plane/src/local_env.rs
+++ b/control_plane/src/local_env.rs
@@ -13,7 +13,7 @@ use std::path::{Path, PathBuf};
 use std::process::{Command, Stdio};
 use anyhow::Result;
-use serde_derive::{Deserialize, Serialize};
+use serde::{Deserialize, Serialize};
 use pageserver::zenith_repo_dir;
 use pageserver::ZTimelineId;
diff --git a/pageserver/Cargo.toml b/pageserver/Cargo.toml
index 5309a77591..3b1e4bd503 100644
--- a/pageserver/Cargo.toml
+++ b/pageserver/Cargo.toml
@@ -38,7 +38,7 @@ walkdir = "2"
 thiserror = "1.0"
 hex = "0.4.3"
 tar = "0.4.33"
-parse_duration = "*"
+parse_duration = "2.1.1"
 postgres_ffi = { path = "../postgres_ffi" }
 zenith_utils = { path = "../zenith_utils" }
diff --git a/walkeeper/Cargo.toml b/walkeeper/Cargo.toml
index fdd5b8b223..e4ae947570 100644
--- a/walkeeper/Cargo.toml
+++ b/walkeeper/Cargo.toml
@@ -28,7 +28,7 @@ postgres-protocol = { git = "https://github.com/zenithdb/rust-postgres.git", rev
 postgres = { git = "https://github.com/zenithdb/rust-postgres.git", rev="a0d067b66447951d1276a53fb09886539c3fa094" }
 anyhow = "1.0"
 crc32c = "0.6.0"
-parse_duration = "*"
+parse_duration = "2.1.1"
 walkdir = "2"
 # FIXME: 'pageserver' is needed for ZTimelineId. Refactor
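Review bot: The new `parse_duration = "2.1.1"` line in the pageserver/Cargo.toml hunk (and the identical line in the walkeeper/Cargo.toml hunk) is a caret requirement, so Cargo may still resolve any later 2.x release, and the requirement does nothing about the open security issue the commit message cites (gh iss. 87); the message says as much, but nothing in the manifest does. A maintainer who later reads only Cargo.toml sees an ordinary version requirement and may bump or keep the crate without knowing it is unmaintained. Suggest recording that next to the requirement in both manifests, e.g. `parse_duration = "2.1.1"  # unmaintained upstream with an open security issue (gh iss. 87); prefer replacing over bumping`, and adding a `cargo audit` or `cargo deny check advisories` step to CI so the advisory surfaces on its own instead of relying on memory. If an exact pin was actually intended, the syntax would be `parse_duration = "=2.1.1"`.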