Paolo Bonzini <pbonz...@redhat.com> writes:
> On Fri, 1 Nov 2024, 11:21 Junjie Mao <junjie....@hotmail.com> wrote:
>
> How about specifying also the exact version in Cargo.toml, e.g.:
>
> [dependencies]
> -proc-macro2 = "1"
> -quote = "1"
> -syn = { version = "2", features = ["extra-traits"] }
> +proc-macro2 = "=1.0.84"
> +quote = "=1.0.36"
> +syn = { version = "=2.0.66", features = ["extra-traits"] }
>
> Unfortunately, versions of nested dependencies, such as either and
> unicode-ident, may still have newer patch versions after a lockfile
> regeneration. That can be worked around by turning nested dependencies
> to direct ones with fixed version constraints, but looks quite ugly.
>
> Yeah, that's the reason why I didn't do it... Since we don't have any
> security-sensitive dependencies, changes to the lock files are going to be
> rare and it's easier to just look at them more closely.

Got your point. Thanks for the clarification!

Reviewed-by: Junjie Mao <junjie....@hotmail.com>

--
Best Regards
Junjie Mao
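Review bot: the three `=` requirements added under `[dependencies]` carry no comment saying why exact versions are wanted, so a later edit could relax them back to `"1"` / `"2"` without anyone noticing. If this form is used, add a comment above them stating that the versions must match the lock file and be bumped together with it. The hunk also pins only proc-macro2, quote and syn, so crates they pull in are not constrained by it and still depend on the lock file being reviewed.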