Stream: t-compiler

Topic: bumping dependencies


nikomatsakis (Aug 26 2019 at 19:48, on Zulip):

So https://github.com/rust-lang/rust/pull/63806 bumps rand to 0.7 -- seems ok to me -- any reason not to r+ that anyone can think of? Should this be a "rollup"?

For this sort of PR (bumping the deps of some crate), I always feel a bit unsure how to handle it I admit.

RalfJ (Aug 26 2019 at 20:04, on Zulip):

just had the same with my miri PR^^ I ended up changing miri so that I didn't have to bump rustc deps

RalfJ (Aug 26 2019 at 20:05, on Zulip):

it seems people are fairly quick r+'ing them, but OTOH that's importing arbitrary 3rd party code into the compiler...

nikomatsakis (Aug 26 2019 at 20:08, on Zulip):

it seems people are fairly quick r+'ing them, but OTOH that's importing arbitrary 3rd party code into the compiler...

yes, this

varkor (Aug 28 2019 at 23:11, on Zulip):

when new dependencies are introduced, how well are they audited in the first place?
unless there's a careful review procedure for each one, letting updates through seems no more harmful than the introduction

varkor (Aug 28 2019 at 23:12, on Zulip):

maybe it happens more frequently, but the one time I did see a careful audit was when hashbrown was introduced — there, the entire crate was reviewed

varkor (Aug 28 2019 at 23:13, on Zulip):

though reviewing updates might not be so bad, reviewing the entire crate the first time seems difficult

varkor (Aug 28 2019 at 23:13, on Zulip):

(though that's not to say that we don't need to be more careful)

nikomatsakis (Aug 29 2019 at 13:33, on Zulip):

the whole procedure deserves a bit of discussion, I think

Last update: Nov 22 2019 at 04:30 UTC