use pin_project_lite. remove futures-util #453
Co-authored-by: Daniel Egger <daniel@eggers-club.de>
@@ -57,7 +58,7 @@ trust-dns-resolver = { version = "0.20.0" , optional = true, default-features = | |||
|
|||
[dev-dependencies] | |||
doc-comment = "0.3" | |||
futures-channel = { version = "0.3.7", default-features = false, features = ["sink"] } | |||
futures-util = { version = "0.3.7", default-features = false } |
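Review bot: the `0.3.7` floor on the `futures-util` line under `[dev-dependencies]` has no comment saying why it is there, so a later cleanup could relax it to `0.3` without anyone noticing. A one-line TOML comment above it pointing at RUSTSEC-2020-0059, the advisory cited in this thread, would document the minimum. Since the PR title says "remove futures-util" while this line keeps the crate as a dev-dependency, the description should also say the removal applies only to the regular dependencies.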
futures-util = { version = "0.3.7", default-features = false } | |
futures-util = { version = "0.3.8", default-features = false } |
I'm aware it doesn't really matter but since 0.3.8 is the current version, we might as well use that. ;)
Thanks for pointing that out, but we are using 0.3.7 across all the actix-* crates.
There is no lock on the crates, so users can choose to use anything above 0.3.7.
Yep, no need to needlessly bound the version in a library when we don't need to. It's ^0.3.7 to avoid a security warning. Eg: https://deps.rs/crate/actix-web/3.3.2.
I'm not saying we should fix the version, rather the opposite. I actually would even prefer going 0.3 instead of specifying the minor. But by specifying 0.3.8 we're forcing all dependencies to go at least to 0.3.8, without cargo update, which is a good thing in my book.
Allowing versions below 0.3.7 is a security risk and shows up on our deps.rs page as such.
FYI @therealprof: https://github.com/RustSec/advisory-db/blob/master/crates/futures-util/RUSTSEC-2020-0059.md
There was a UB for waker fixed in 0.3.6. So it's suggested to use at least that. It's always good to do our part on this matter.
Allowing versions below 0.3.7 is a security risk and shows up on our deps.rs page as such.
FYI @therealprof: https://github.com/RustSec/advisory-db/blob/master/crates/futures-util/RUSTSEC-2020-0059.md
I don't understand what you're trying to tell me, sorry. I would like to go (higher, i.e. 0.3.8), not lower.
In terms of maintaining a library (rather than an app), allowing the most versions of crates in a dep tree makes it most compatible and gives developers the option to upgrade as they decide or, more importantly, pin a lower compatible version because of a bug/yanked crate/security issue or whatever else.
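The disagreement in this thread turns on which versions a Cargo requirement admits. As an added illustration (not code from this PR or from the actix project), the Rust example below classifies a caret requirement against a first patched version; `caret_range`, `check` and `Verdict` are hypothetical names, and `0.3.7` is the floor the maintainers cite above.

```rust
// Added example: classify a Cargo caret requirement against an advisory's first
// patched version. Handles "x", "x.y", "x.y.z" and "^..."; anything else is None.
type Version = (u64, u64, u64);

#[derive(Debug, PartialEq)]
enum Verdict {
    AllPatched,      // every version the requirement admits is >= patched
    AdmitsUnpatched, // the range holds both unpatched and patched versions
    NeverPatched,    // the range ends before the patched version
}

/// Half-open range [low, high) that Cargo resolves a caret requirement to.
fn caret_range(req: &str) -> Option<(Version, Version)> {
    let s = req.trim();
    let parts: Vec<&str> = s.strip_prefix('^').unwrap_or(s).split('.').collect();
    if parts.len() > 3 { return None; }
    let mut v = [0u64; 3];
    for (slot, part) in v.iter_mut().zip(&parts) {
        if part.is_empty() || !part.bytes().all(|b| b.is_ascii_digit()) {
            return None;
        }
        *slot = part.parse().ok()?;
    }
    // The leftmost non-zero component is the one a caret requirement holds fixed.
    let high = match (v[0], v[1], parts.len()) {
        (0, 0, 3) => (0, 0, v[2] + 1),
        (0, 0, 2) => (0, 1, 0),
        (0, 0, _) => (1, 0, 0),
        (0, minor, _) => (0, minor + 1, 0),
        (major, _, _) => (major + 1, 0, 0),
    };
    Some(((v[0], v[1], v[2]), high))
}

fn check(req: &str, patched: Version) -> Option<Verdict> {
    let (low, high) = caret_range(req)?;
    if low >= patched { return Some(Verdict::AllPatched); }
    Some(if patched < high { Verdict::AdmitsUnpatched } else { Verdict::NeverPatched })
}

fn main() {
    let patched = (0, 3, 7); // floor cited in the thread for futures-util
    for req in ["0.3", "0.3.7", "0.3.8", "0.2"].iter() {
        println!("futures-util = \"{}\" -> {:?}", req, check(req, patched));
    }
}
```

A bare `0.3` lands in `AdmitsUnpatched`, which is the case a dependency dashboard flags, while `0.3.7` and `0.3.8` both come out as `AllPatched` without capping what downstream users may upgrade to.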
I'm not a huge fan of switching between using pin_project_lite::pin_project! and using pin_project_lite::pin_project; pin_project! but other than that looks great to me!
Co-authored-by: Rob Ede <robjtede@icloud.com>
PR Type
Refactor
PR Checklist
Check your PR fulfills the following:
Overview
Replace futures_channel with tokio::sync
Replace pin_project with pin_project_lite
Replace futures_util with futures_core/sink/task
Sadly this does not cut down the amount of deps with default features. (5 fewer deps with no-default-features)