Bump subtle to 2.5 in digest

[phillipleblanc]

This is conflicting in one of my projects which needs tonic = 0.11 which requires subtle = 2.5

error: failed to select a version for `subtle`.
    ... required by package `digest v0.10.7`
    ... which satisfies dependency `digest = "^0.10.7"` (locked to 0.10.7) of package `md-5 v0.10.6`
    ... which satisfies dependency `md-5 = "^0.10.6"` (locked to 0.10.6) of package `object_store v0.9.1`
    ... which satisfies dependency `object_store = "^0.9.0"` (locked to 0.9.1) of package `spiced v0.11.0-alpha (/Users/phillip/code/spiceai/spiceai/bin/spiced)`
versions that meet the requirements `^2.4` (locked to 2.4.1) are: 2.4.1

all possible versions conflict with previously selected packages.

  previously selected package `subtle v2.5.0`
    ... which satisfies dependency `subtle = "^2.5.0"` of package `rustls v0.22.3`
    ... which satisfies dependency `rustls = "^0.22"` (locked to 0.22.3) of package `tokio-rustls v0.25.0`
    ... which satisfies dependency `tokio-rustls = "^0.25"` (locked to 0.25.0) of package `tonic v0.11.0`
    ... which satisfies dependency `tonic = "^0.11.0"` (locked to 0.11.0) of package `flightpublisher v0.11.0-alpha (/Users/phillip/code/spiceai/spiceai/tools/flightpublisher)`

failed to select a version for `subtle` which could resolve this conflict

[newpavlov]

Does tonic indeed requires 2.5? If not, it will be easier for tonic specify a more relaxed minimum version. We have capped the subtle version because of MSRV. Plus we are currently in the process of working on digest v0.11, so releasing v0.10 will be a bit inconvenient.

[tarcieri]

We don't cap versions due to MSRV anymore. That caused huge incompatibilities.

However, a requirement for ^2.4 should also match 2.5.0 and newer 2.x versions.

There's something else going on here. I can make a Cargo.toml that includes:

[dependencies]
digest = { version = "0.10.7", features = ["mac"] }
tokio-rustls = "0.25"

And that resolves just fine. Here are some snippets from Cargo.lock:

[[package]]
name = "digest"
version = "0.10.7"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "9ed9a281f7bc9b7576e61468ba615a66a5c8cfdff42420a70aa82701a3b1e292"
dependencies = [
 "block-buffer",
 "crypto-common",
 "subtle",
]

[[package]]
name = "rustls"
version = "0.22.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "99008d7ad0bbbea527ec27bddbc0e432c5b87d8175178cee68d2eec9c4a1813c"
dependencies = [
 "log",
 "ring",
 "rustls-pki-types",
 "rustls-webpki",
 "subtle",
 "zeroize",
]

[[package]]
name = "subtle"
version = "2.5.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "81cdd64d312baedb58e21336b31bc043b77e01cc99033ce76ef539f78e965ebc"

As you can see, in this case the Cargo resolver selects subtle v2.5.0 no problem.

@phillipleblanc can you post your Cargo.toml somewhere? Something strange is happening.

[phillipleblanc]

@tarcieri You are right. I somehow corrupted my Cargo.lock file when resolving a merge conflict and apparently it broke this. After deleting Cargo.lock everything is working again.

Thanks for taking a look and apologies for the false alarm.