Join GitHub today
GitHub is home to over 50 million developers working together to host and review code, manage projects, and build software together.
Sign upTool that makes upgrading cargo dependencies easier #15600
Comments
|
Hi Josh, An update and a question for you:
I just want to make sure I understand exactly what information to parse out of the Cargo.lock. |
|
This is a good question. It might make sense to ignore Cargo.lock to start with and only focus on the Cargo.toml files, since Cargo.lock includes dependencies of other dependencies, which cannot necessarily be updated in the same way as the direct dependencies specified in Servo's Cargo.toml files. |
|
That being said, the versions of Servo's dependencies listed in Cargo.lock can be more specific than the ones in Servo's Cargo.toml files (ie. 0.5.3 vs. 0.5), so I guess we do need to parse Cargo.lock to obtain that. |
|
That makes sense. So with regards to the Cargo.toml files you're mentioning, this refers to all the Cargo.toml files within the "components" subdirectory, correct? To re-word the initial description a bit based on my understanding it sounds like this tool should:
Am I understanding this correctly? Apologies for the redundancy but I'm trying to understand what information we are trying to extract, and how we are making decisions within the tool. Thanks |
|
Yes, that looks right. Note that there are TOML files in ports/ as well as in the root directory. |
|
Yeah I noticed those files when I was searching. I take it we should update those as well then. Another question: Is there any criteria to be used when determining if a package should be upgraded? For example, in the sample Cargo.lock (here) there's a dependency for "assert_cli". The version noted in the lock file is 0.2.2. The current version is now listed as 0.3.0. Do we only want non-major upgrades? Do we want to always upgrade to the latest? For starters, we're planning a simple check for ANY version greater than the version in the lock file. But we can attempt to implement specific criteria if desired. Thank you again |
|
Starting with accepting major upgrades sounds fine to me. |
|
Hey Josh, one more quick question. Can we assume users will have the same operating system/version of python/etc.? |
|
The same as what? |
|
The same as everyone else using the servo dependency tool. For example will everyone have Python 3 or will all machines be using Windows 10? |
|
You should be able to assume the same Python version, but that's all. |
|
Ok, thanks |
|
Regarding the update command, I've gone ahead and installed Rust on my laptop for development. I seem to be able to run the "cargo update -p" command and it updates the registry when I run it so that's good. However, I see it's also possible to just run "cargo update" in order to update all dependencies (source). Given that blindly updating all dependencies can cause many problems I can see why we want to use the -p flag and specify which packages to update. So I'm wondering what our tool might do in order to selectively update certain packages (which I know I asked earlier). Perhaps we should consider the option to approve upgrades while running the tool (y/n type prompt)? Otherwise, we could implement some automatic criteria for choosing which packages to update as I mentioned previously (minor upgrades vs major upgrades). Or maybe some logic that you and the servo team already follow as it pertains to updates. Any input you can provide would be appreciated! |
|
Let's go with upgrading everything to start. I'm having trouble identifying meaningful criteria that we could use. |
|
Is this tool completed or in use at all? Does Dependabot accomplish what this issue is asking for? |
|
Yes, Dependabot is a more effective solution. |
This is the tracking issue for the work necessary for this NCSU project description.