use pin_project_lite. remove futures-util

[fakeshadow]

PR Type

Refactor

PR Checklist

Check your PR fulfills the following:

• Tests for the changes have been added / updated.
• A changelog entry has been made for the appropriate packages.
• Format code with the latest stable rustfmt

Overview

Replace futures_channel with tokio::sync
Replace pin_project with pin_project_lite
Replace futures_util with futures_core/sink/task

Sadly this does not cut down the amount of deps with default featurs.(5 less dep with no-default-features)

[therealprof]

Suggested change

	futures-util = { version = "0.3.7", default-features = false }
	futures-util = { version = "0.3.8", default-features = false }

I'm aware it doesn't really matter but since 0.3.8 is the current version, we might as well use that. ;)

[fakeshadow]

Thanks for point out but we are using 0.3.7 across all the actix-* crates.
There is no lock on the crates so users can choose to use anything above 0.3.7

[robjtede]

Yep, no need to needlessly bound the version in a library when we don't need to. It's ^0.3.7 to avoid a security warning. Eg: https://deps.rs/crate/actix-web/3.3.2.

[therealprof]

I'm not saying we should fix the version, rather the opposite. I actually would even prefer going 0.3 instead of specifying the minor. But by specifying 0.3.8 we're forcing all dependencies to go at least to 0.3.8, without cargo update which is a good thing in my book.

[robjtede]

Allowing versions below 0.3.7 is a security risk and shows up on our deps.rs page as such.

FYI @therealprof: https://github.com/RustSec/advisory-db/blob/master/crates/futures-util/RUSTSEC-2020-0059.md

[fakeshadow]

There was a UB for waker fixed in 0.3.6. So it's suggested to use at least that. It's always good to do our part on this matter.

[therealprof]

Allowing versions below 0.3.7 is a security risk and shows up on our deps.rs page as such.

FYI @therealprof: https://github.com/RustSec/advisory-db/blob/master/crates/futures-util/RUSTSEC-2020-0059.md

I don't understand what you're trying to tell me, sorry. I would like to go (higher, i.e. 0.3.8), not lower.

[robjtede]

In terms of maintaining a library (rather than an app), allowing the most versions of crates in a dep tree makes it most compatible and gives developers the option to upgrade as they decide or, more importantly, pin a lower compatible version because of a bug/yanked crate/security issue or whatever else.

[therealprof]

I'm not a huge fan of switching between using pin_project_lite::pin_project! and using pin_project_lite::pin_project; pin_project! but other than that looks great to me!