Roll back once_cell to 1.19.0. #6370
Roll back `wgpu`'s dependencies on `once_cell` from 1.20.1 to 1.19.0. Version 1.20.1 of `once_cell` added a more complex conditional dependency on `portable-atomic`, which causes `cargo metadata` to incorrectly list `portable-atomic` as a dependency even though the given `once_cell` features are not enabled. The Firefox source tree uses `cargo vet` to enforce supply-chain auditing. Since `cargo vet` depends on `cargo metadata` to tell it what crates are going to be included in the tree, the extraneous dependency above adds `portable-atomic` to the set of sources we must audit. Since `portable-atomic` is roughly 50kloc, we would like to avoid this. Nothing in `wgpu` actually needs `once_cell` 1.20; it was upgraded by Dependabot. So the simplest workaround for the moment is to roll back the version.
The offending Cargo bug: rust-lang/cargo#10801

Recognition of this bug from

Complaint from myself about the above: rust-lang/cargo#10801 (comment)
I have sent a PR to once_cell to work around the cargo bug: matklad/once_cell#267
Well, at least more than half of them are tests (precisely its helper,
@taiki-e Thank you very much for this - it's greatly appreciated! As it turns out, we are using I don't think there's anything wrong with portable-atomic spending lines to do what it needs to do. It's difficult for Firefox to take on new dependencies even when their engineering is good. But auditing 28kloc is still a substantial chunk of time.
For the future: it seems like with matklad/once_cell#267, released as 1.20.2, we can probably just accept another
Roll back `wgpu`'s dependencies on `once_cell` from 1.20.1 to 1.19.0.

Version 1.20.1 of `once_cell` added a more complex conditional dependency on `portable-atomic`, which causes `cargo metadata` to incorrectly list `portable-atomic` as a dependency even though the given `once_cell` features are not enabled.

The Firefox source tree uses `cargo vet` to enforce supply-chain auditing. Since `cargo vet` depends on `cargo metadata` to tell it what crates are going to be included in the tree, the extraneous dependency above adds `portable-atomic` to the set of sources we must audit. Since `portable-atomic` is roughly [edit] 28kloc, we would like to avoid this.

Nothing in `wgpu` actually needs `once_cell` 1.20; it was upgraded by Dependabot. So the simplest workaround for the moment is to roll back the version.
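
As an added example (not code from this PR, `wgpu`, Cargo or `cargo vet`): a sketch of checking which crates the `cargo metadata` resolve graph lists and through which dependency chain a given crate gets there, since that graph is what the description says `cargo vet` relies on. The sample metadata is constructed, its package ids and versions are simplified placeholders, and `sample`, `audit_set` and `why_listed` are hypothetical helper names.

```python
from collections import deque

def sample(once_cell_deps):
    """Constructed metadata: wgpu -> once_cell -> once_cell_deps.
    Package ids are simplified placeholders; real ones are opaque strings."""
    ids = ["wgpu 0.0.0", "once_cell 0.0.0"] + [f"{d} 0.0.0" for d in once_cell_deps]
    return {
        "workspace_members": [ids[0]],
        "packages": [{"id": i, "name": i.split()[0]} for i in ids],
        "resolve": {"nodes": [
            {"id": ids[0], "deps": [{"pkg": ids[1]}]},
            {"id": ids[1], "deps": [{"pkg": i} for i in ids[2:]]},
        ] + [{"id": i, "deps": []} for i in ids[2:]]},
    }

def _walk(meta):
    """Breadth-first walk of the resolve graph from the workspace members.
    Returns {package id: parent id, or None for a workspace member}."""
    graph = {n["id"]: [d["pkg"] for d in n.get("deps", [])]
             for n in meta["resolve"]["nodes"]}
    parent = {m: None for m in meta["workspace_members"]}
    queue = deque(parent)
    while queue:
        node = queue.popleft()
        for dep in graph.get(node, []):
            if dep not in parent:
                parent[dep] = node
                queue.append(dep)
    return parent

def audit_set(meta):
    """Names of non-workspace crates reachable in the resolve graph."""
    names = {p["id"]: p["name"] for p in meta["packages"]}
    return {names[i] for i, up in _walk(meta).items() if up is not None}

def why_listed(meta, crate):
    """Shortest chain of crate names from a workspace member to `crate`, or None."""
    names = {p["id"]: p["name"] for p in meta["packages"]}
    parent = _walk(meta)
    hit = next((i for i in parent if names[i] == crate), None)
    chain = []
    while hit is not None:
        chain.append(names[hit])
        hit = parent[hit]
    return chain[::-1] or None

if __name__ == "__main__":
    for deps in ([], ["portable-atomic"]):
        meta = sample(deps)
        print(sorted(audit_set(meta)), why_listed(meta, "portable-atomic"))
```

To run it on a real tree, load the output of `cargo metadata --format-version 1` with `json.load` and pass it in place of `sample(...)`.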