Pinning deps in Cargo.toml

[RCasatta]

IIUC pinning deps in Cargo.toml 2fc7f0e could cause issues in downstream libs, what I see in other projects is leaving the version specified in the Cargo toml to potentially violate the MSRV via semver version selection but using cargo update -p in CI (and a mention in the README about the pinning in the MSRV section)

https://github.com/rust-bitcoin/rust-bitcoin/blob/cdbd4be4b1391cd4b1537ab05a0cfb0d13e37c59/contrib/test.sh#L11-L15

[neonmoe]

That is correct, apparently. I had assumed that you could just have a few distinct versions of a crate, but apparently e.g. having minreq = "2.9.0" and log = "0.4.20" in one Cargo.toml will break.

That said, I think I will wait for someone to complain with a specific use-case before dropping the maximum requirements. It's just two crates, which were already quite stable at their respective maximum versions, and the current pinned versions allow this crate to be very straightforwardly msrv-compliant. I will add a note about bumping the MSRV to make this a non-issue in 3.0.0 however. At least until some dependency starts requiring Rust 1.90 or something, I guess 😁

[notmandatory]

Not sure if exactly part of this issue, but with the bitcoindevkit/bdk project I just found that minreq 2.9.0 breaks our MSRV of 1.57.0 because we're unable to pin the version of rustls to 0.21.1, I'm getting the below error. But if I first pin minreq to 2.8.0 everything works fine.

cargo update -p rustls:0.21.6 --precise "0.21.1"
    Updating crates.io index
error: failed to select a version for the requirement `rustls = "^0.21.6"`
candidate versions found which didn't match: 0.21.1
location searched: crates.io index
required by package `minreq v2.9.0`
    ... which satisfies dependency `minreq = "^2.6.0"` (locked to 2.9.0) of package `bitcoind v0.32.0`
    ... which satisfies dependency `bitcoind = "^0.32.0"` (locked to 0.32.0) of package `bdk_bitcoind_rpc v0.1.0 (/Users/steve/git/notmandatory/bdk/crates/bitcoind_rpc)`
    ... which satisfies path dependency `bdk_bitcoind_rpc` (locked to 0.1.0) of package `example_rpc v0.1.0 (/Users/steve/git/notmandatory/bdk/example-crates/example_rpc)`

[neonmoe]

Not really related to this issue, but loosening the requirement from 0.21.6 to 0.21.1 didn't seem to cause any problems, so I released that as 2.9.1.

[loziniak]

Hello. I've ran into a version conflict when developing a simple Tauri app:

$ npm run tauri dev
> tauri
> tauri dev

    Updating crates.io index

        Info Watching /mnt/share/prj/myapp/myapp-electron-poc/tauri/src-tauri for changes...
error: failed to select a version for `log`.
    ... required by package `minreq v2.10.0`
    ... which satisfies dependency `minreq = "^2.10.0"` of package `jams_electron_poc v0.0.1 (/mnt/share/prj/myapp/myapp-electron-poc/rust)`
    ... which satisfies path dependency `jams_electron_poc` of package `app v0.1.0 (/mnt/share/prj/myapp/myapp-electron-poc/tauri/src-tauri)`
versions that meet the requirements `>=0.4.0, <0.4.19` are: 0.4.18, 0.4.17, 0.4.16, 0.4.15, 0.4.14, 0.4.13, 0.4.11, 0.4.8, 0.4.7, 0.4.6, 0.4.5, 0.4.4, 0.4.3, 0.4.2, 0.4.1, 0.4.0

all possible versions conflict with previously selected packages.

  previously selected package `log v0.4.20`
    ... which satisfies dependency `log = "=0.4.20"` of package `app v0.1.0 (/mnt/share/prj/myapp/myapp-electron-poc/tauri/src-tauri)`

failed to select a version for `log` which could resolve this conflict

[neonmoe]

Fair enough, I'll remove the pins. I'll do it in a minor version though, as someone might be depending on 2.9 working with the MSRV out-of-the-box.

[neonmoe]

Fixed in 2.11.0!