
Non-semver pin on zeroize =1.3 leads to incompatibility with any crate that requires zeroize >1.4 #92

reivilibre opened this issue Oct 28, 2022 · 6 comments

@reivilibre

Cargo normally lets you install and use two concurrent versions of a crate, but only if they are not semver compatible (rust-lang/cargo#6584).
Therefore the current hard requirement on zeroize =1.3 is inconvenient as it prevents using any crates that depend on newer versions of that crate.

Please would it be possible to lift this requirement so that later versions of the zeroize crate can be used? As far as I know semver compatibility means that should be OK — am I missing something (does zeroize not follow semver?).

error: failed to select a version for `zeroize`.
    ... required by package `elliptic-curve v0.12.3`
    ... which satisfies dependency `elliptic-curve = "^0.12"` of package `ecdsa v0.14.8`
    ... which satisfies dependency `ecdsa-core = "^0.14"` of package `p256 v0.11.1`
    ... which satisfies dependency `p256 = "^0.11.1"` of package `webrtc-dtls v0.6.0`
    ... which satisfies dependency `dtls = "^0.6.0"` of package `webrtc v0.5.1`
    ... which satisfies dependency `webrtc = "^0.5.1"` of package `matrix_voip_echo v0.1.0 (/home/rei/repo/utils/matrix_voip_echo)`
versions that meet the requirements `^1.5` are: 1.5.7, 1.5.6, 1.5.5, 1.5.4, 1.5.3

all possible versions conflict with previously selected packages.

  previously selected package `zeroize v1.3.0`
    ... which satisfies dependency `zeroize = "=1.3"` of package `x25519-dalek v1.2.0`
    ... which satisfies dependency `x25519-dalek = "^1.2.0"` of package `vodozemac v0.3.0`
    ... which satisfies dependency `vodozemac = "^0.3.0"` of package `matrix-sdk-crypto v0.6.0`
    ... which satisfies dependency `matrix-sdk-crypto = "^0.6.0"` of package `matrix-sdk-base v0.6.1`
    ... which satisfies dependency `matrix-sdk-base = "^0.6.1"` of package `matrix-sdk v0.6.2`
    ... which satisfies dependency `matrix-sdk = "^0.6.2"` of package `matrix_voip_echo v0.1.0 (/home/rei/repo/utils/matrix_voip_echo)`
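The unification rule this post refers to (Cargo selects two versions of one crate only when they are semver-incompatible) modelled as an added Python example; it is not code from x25519-dalek or Cargo. It uses the zeroize versions and requirement forms from the error output above and shows why `=1.3` and `^1.5` cannot coexist on one compatible range while `^0.11.1` and `^0.12` can.

```python
"""Toy model of Cargo's version unification (illustration added here; not Cargo's
or x25519-dalek's code).  Cargo may select several versions of one crate only when
they are semver-incompatible; every requirement on one compatible range must be
met by a single version.  The zeroize versions below are the ones the error lists."""

ZEROIZE_VERSIONS = ["1.3.0", "1.4.3", "1.5.3", "1.5.4", "1.5.5", "1.5.6", "1.5.7"]


def parse(v):
    parts = [int(x) for x in v.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def compat_key(v):
    """Compatible range of a version: 1.x.y -> (1,), 0.x.y -> (0, x), 0.0.z -> (0, 0, z)."""
    major, minor, patch = parse(v)
    return (major,) if major else (0, minor) if minor else (0, 0, patch)


def satisfies(req, v):
    """Requirement forms seen in the error: '=1.3' (>=1.3.0, <1.4.0) and '^1.5' / '1.5'."""
    ver = parse(v)
    if req.startswith("="):
        want = [int(x) for x in req[1:].split(".")]
        return list(ver[: len(want)]) == want
    base = req.lstrip("^")
    return ver >= parse(base) and compat_key(v) == compat_key(base)


def resolve(requirements, versions=ZEROIZE_VERSIONS):
    """Choose one version per compatible range; None means the conflict Cargo
    reports as 'all possible versions conflict with previously selected packages'."""
    by_range = {}
    for req in requirements:
        by_range.setdefault(compat_key(req.lstrip("=^")), []).append(req)
    chosen = {}
    for key, reqs in by_range.items():
        ok = [v for v in versions
              if compat_key(v) == key and all(satisfies(r, v) for r in reqs)]
        if not ok:
            return None
        chosen[key] = max(ok, key=parse)  # Cargo picks the newest matching version
    return chosen


if __name__ == "__main__":
    # The pin from x25519-dalek 1.2.0 against elliptic-curve's ^1.5: unresolvable.
    print(resolve(["=1.3", "^1.5"]))      # None
    # Relaxing the pin to a caret requirement lets both unify on 1.5.7.
    print(resolve(["^1.3", "^1.5"]))      # {(1,): '1.5.7'}
```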
@tarcieri
Contributor

tarcieri commented Oct 28, 2022

See upstream issues:

curve25519-dalek needs another release to properly relax this dependency.

See also: #89

@Ciantic

Ciantic commented Nov 12, 2022

That upstream issue is now merged? And #89 is closed. Are there other problems?

@tarcieri
Contributor

The release/2.0 branch of x25519-dalek needs to be bumped to use curve25519-dalek v4.0 whenever that's released.

curve25519-dalek v3 is still pinned to zeroize < 1.4

@paradox-tt

I'm also experiencing an issue with this. Looking forward to a resolution.

error: failed to select a version for `zeroize`.
    ... required by package `sp-core v7.0.0`
    ... which satisfies dependency `sp-core = "^7.0.0"` of package `sp-application-crypto v7.0.0`
    ... which satisfies dependency `sp-application-crypto = "^7.0.0"` of package `sp-runtime v7.0.0`
    ... which satisfies dependency `sp-runtime = "^7.0.0"` of package `subxt v0.25.0`
    ... which satisfies dependency `subxt = "^0.25.0"` of package `para_pay v0.1.0 (C:\Users\Will\source\repos\ParaPay)`
versions that meet the requirements `^1.4.3` are: 1.5.7, 1.5.6, 1.5.5, 1.5.4, 1.5.3, 1.4.3

all possible versions conflict with previously selected packages.

  previously selected package `zeroize v1.3.0`
    ... which satisfies dependency `zeroize = "=1.3"` of package `x25519-dalek v1.2.0`
    ... which satisfies dependency `x25519-dalek = "^1.2.0"` of package `vodozemac v0.3.0`
    ... which satisfies dependency `vodozemac = "^0.3.0"` of package `matrix-sdk-crypto v0.6.0`
    ... which satisfies dependency `matrix-sdk-crypto = "^0.6.0"` of package `matrix-sdk-base v0.6.1`
    ... which satisfies dependency `matrix-sdk-base = "^0.6.1"` of package `matrix-sdk v0.6.2`
    ... which satisfies dependency `matrix-sdk = "^0.6.2"` of package `matrix_messenger v0.1.0 (C:\Users\Will\source\repos\MatrixMessenger)`
    ... which satisfies path dependency `matrix_messenger` (locked to 0.1.0) of package `para_pay v0.1.0 (C:\Users\Will\source\repos\ParaPay)`

failed to select a version for `zeroize` which could resolve this conflict

@Decodetalkers

Waiting for it

@tarcieri
Contributor

tarcieri commented Feb 7, 2023

#99 is the tracking ticket to follow development

0x25519 added a commit to AnyVM/x25519-dalek that referenced this issue Apr 13, 2023
Neved4 pushed a commit to carbon-vault/sequoia that referenced this issue May 9, 2023
  - Note: `x25519-dalek` is broken.  It depends on zeroize `=1.3`, but
    crates like rsa depend on newer versions of zeroize.

  - See WebAssembly/wasi-crypto#63 ,
    dalek-cryptography/x25519-dalek#92 .

  - Resolve this by using `x25519-dalek-ng`, which fixes this issue.
    This is a common workaround, and is also used by, for instance
    OpenMLS:

    https://github.com/openmls/openmls/blob/3ff090fd4881cb796d4688f7f174929a7521dbf1/openmls_rust_crypto/README.md?plain=1#L3

  - Fixes #910.