On 15/03/2019 14:31, Xidorn Quan wrote:
> Servo has a policy banning duplicate dependencies with a whitelist,
> and such list currently has:

This exact allow-list is not part of Servo’s policy, but is constantly evolving. If you can reduce it (typically by updating some intermediate dependencies to versions that use e.g. log 0.4 instead of 0.3), this is great and we love you.

If you add a new exception to the allow-list, in review we will ask that you make some effort to avoid doing so. If the effort turns out to be disproportionate (for example: many intermediate dependencies are affected, and they in turn would affect other crates in the graph) or if we want to avoid waiting too long on upstream (because a patch is at risk of bitrotting, or blocks other work, or…) then we may accept growing the list.

The important part is that machine-verification avoids accidentally adding new duplications.


On 15/03/2019 15:38, Andreas Tolfsen wrote:
> It is my experience that far
> too many dependencies are defined on exact version numbers, e.g.
> "log = 0.3.9", which effectively forces us to vendor that exact
> version in-tree.

It does not force that.

Specifying `log = "0.3.9"` in Cargo.toml’s [dependencies] section is equivalent to `log = "^0.3.9"` which is equivalent to `log = ">=0.3.9 < 0.4.0"`.

So if a project uses crate A with the above and crate B with `log = "0.3.12"`, then version 0.3.15 is acceptable to satisfy both dependencies.

What would force an exact version is `log = "=0.3.9"`. (Note that the first equal sign is TOML syntax for key/value pairs, while the second one is part of the version specification string, inside the quotes.)

See https://doc.rust-lang.org/cargo/reference/specifying-dependencies.html

--
Simon Sapin
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
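As an added example that is not part of Simon's message or of Cargo's own code, the Rust below models the two requirement forms discussed above: the bare `"0.3.9"` (equivalent to `"^0.3.9"`) and the pinned `"=0.3.9"`. It goes slightly beyond the 0.x case in the message by applying the full caret rule from the Cargo reference (the leftmost non-zero component must not change, so `^1.2.3` is `>=1.2.3 <2.0.0` and `^0.0.3` is `>=0.0.3 <0.0.4`), and `pick_shared_version` shows what a resolver would choose for crates A and B. `Version`, `VersionReq`, `pick_shared_version`, and the registry listing in `main` are all invented for this example; pre-release tags and the `~`, `*`, and range operators are deliberately not handled.

```rust
// Added example, not code from the original message, from Servo, or from
// Cargo. Minimal model of Cargo's caret (`^`, the default) and exact (`=`)
// version requirements for plain MAJOR.MINOR.PATCH versions.

#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub struct Version {
    pub major: u64,
    pub minor: u64,
    pub patch: u64,
}

impl Version {
    /// Parse "MAJOR.MINOR.PATCH"; anything else (fewer or more components,
    /// non-numeric parts, pre-release tags) is rejected.
    pub fn parse(s: &str) -> Option<Version> {
        let mut parts = s.trim().split('.');
        let major = parts.next()?.parse().ok()?;
        let minor = parts.next()?.parse().ok()?;
        let patch = parts.next()?.parse().ok()?;
        if parts.next().is_some() {
            return None;
        }
        Some(Version { major, minor, patch })
    }
}

/// A requirement as written in Cargo.toml: `=x.y.z` pins one version,
/// `^x.y.z` and the bare `x.y.z` are both caret requirements.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum VersionReq {
    Exact(Version),
    Caret(Version),
}

impl VersionReq {
    pub fn parse(s: &str) -> Option<VersionReq> {
        let s = s.trim();
        if let Some(rest) = s.strip_prefix('=') {
            Some(VersionReq::Exact(Version::parse(rest)?))
        } else if let Some(rest) = s.strip_prefix('^') {
            Some(VersionReq::Caret(Version::parse(rest)?))
        } else {
            Some(VersionReq::Caret(Version::parse(s)?))
        }
    }

    /// Caret rule from the Cargo reference: the leftmost non-zero component
    /// may not change, so ^1.2.3 := >=1.2.3 <2.0.0, ^0.3.9 := >=0.3.9 <0.4.0,
    /// and ^0.0.3 := >=0.0.3 <0.0.4.
    pub fn matches(&self, v: Version) -> bool {
        match *self {
            VersionReq::Exact(want) => v == want,
            VersionReq::Caret(min) => {
                if v < min {
                    return false;
                }
                if min.major > 0 {
                    v.major == min.major
                } else if min.minor > 0 {
                    v.major == 0 && v.minor == min.minor
                } else {
                    v.major == 0 && v.minor == 0 && v.patch == min.patch
                }
            }
        }
    }
}

/// Given the requirements several crates place on one dependency and the
/// versions published for it, return the newest version satisfying all of
/// them (what a resolver would unify on), or None when the requirements
/// conflict and the dependency would have to be duplicated in the graph.
pub fn pick_shared_version(reqs: &[&str], available: &[&str]) -> Option<Version> {
    let reqs: Vec<VersionReq> = reqs.iter().map(|r| VersionReq::parse(r)).collect::<Option<_>>()?;
    let mut candidates: Vec<Version> = available.iter().filter_map(|v| Version::parse(v)).collect();
    candidates.sort();
    candidates.into_iter().rev().find(|&v| reqs.iter().all(|r| r.matches(v)))
}

fn main() {
    // Constructed registry snapshot for the example, not a real crates.io listing.
    let published = ["0.3.9", "0.3.12", "0.3.15", "0.4.0", "0.4.6"];
    // Crate A says `log = "0.3.9"`, crate B says `log = "0.3.12"`: one copy suffices.
    println!("{:?}", pick_shared_version(&["0.3.9", "0.3.12"], &published)); // Some(0.3.15)
    // An exact pin in A cannot be satisfied together with B's caret requirement.
    println!("{:?}", pick_shared_version(&["=0.3.9", "0.3.12"], &published)); // None
    // 0.3.x and 0.4.x are different compatibility ranges, so this duplicates log.
    println!("{:?}", pick_shared_version(&["0.3.9", "0.4.0"], &published)); // None
}
```

The `pick_shared_version` call with `"=0.3.9"` is the situation Andreas describes: the pin, not the bare version number, is what forces a duplicate copy into the graph.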
