Summary
The copilot-sdk dependency pulls from a Git repository with no pinned revision, branch, or tag. Builds are non-reproducible and can break at any time when the upstream repo changes.
Location
src-tauri/crates/mas-ai/Cargo.toml:12
copilot-sdk = { git = "https://github.com/copilot-community-sdk/copilot-sdk-rust.git" }
Impact
- CI builds can break unpredictably when upstream pushes a breaking change
- Different developers may build against different upstream revisions
- Impossible to git-bisect regressions that come from the SDK
- Release artifacts built at different times may have different dependency versions
Fix
Pin to a specific revision or tag:
copilot-sdk = { git = "...", rev = "abc123def" }
# or
copilot-sdk = { git = "...", tag = "v0.5.0" }