-
Notifications
You must be signed in to change notification settings - Fork 81
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
cargo deny check
updates Cargo.lock
file
#341
Comments
I propose that we follow the principle of least surprise and have |
I agree in general about needing I think the best and clearest option is to expose |
@Jake-Shadle IMO |
A potential compromise would be to have the failure to pass |
The problem with that is it would require users to actually look at their CI runs for warnings, but in my experience, CI logs are only checked when there is a build failure/error. That being said, we could add a top-level configuration option to emit errors if a lockfile is present and the |
I generally try to make my CI scripts do the same thing when run locally as they'd do when run in CI, to help with debugging and troubleshooting and to allow developers to check that CI will pass before submitting, so I generally don't like tools to act differently in CI like that. BTW, I noticed in rustsec/rustsec#322 that I propose:
Regarding the default, I think we need to lay out explicitly what constraints we have before we try to solve for a solution.
Maybe I am starting to think that |
I think it would be nice if it also supported the |
I've closed this issue, but please comment in #360 for thoughts on default behavior with regard to these flags. |
Describe the bug
We've got a very spectacular master CI failure in our private repo where we use cargo deny.
This bug wasn't hitting us until we started migrating some of our crates to a private crates registry.
In our
Cargo.lock
file there are currently a bunch of packages with(
elastio
is our company name)But this isn't enough, for that to work we have to add our private registry token to
~/.git-credentials
and only thencargo
will be able to download crates from our private Cloudsmith registry.Our
cargo deny check
step didn't write the token to~/.git-credentials
however. It used the other way, where it was setting the env var:However, it appears that when this env var is set
cargo metadata
(that is used bycargo-deny
) is updating theCargo.lock
file and it replaces allsource = "registry+..."
entries with the URL from the env var. But it does not only that, it also updates the versions of the dependencies (just likecargo update
does).For some time it didn't cause us troubles, but one day we published a new major version of our private crate, started incrementally updating
Cargo.toml
files in our repos and at some point our main repo'smaster
became red becausecargo deny check
started detecting duplicated entries of the private crate.And that's because our lock file was updating all the time by
cargo deny check
To Reproduce
Steps to reproduce the behavior:
.cargo/config
in your cargo project root:cargo check
to generate theCargo.lock
-2
suffix to the URL):Expected behavior
I expect that the lock file is not updated if it exists
Proposals
I suppose
cargo deny check
callscargo metadata
without the--locked
parameter. I suggest that you do add--locked
to thecargo metadata
invocation so thatcargo-deny
doesn't update theCargo.lock
file. However, this will fail ifCargo.lock
is absent, so this should be conditional on the presence ofCargo.lock
Or maybe we should add
--locked
flag tocargo deny check
itself? I am not sure... Is it expected behavior thatcargo deny check
updates the lock file at all?The text was updated successfully, but these errors were encountered: