Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Can't upgrade 0.22.0 -> 0.22.2 because of new bitflags requirement. #1548

Closed
m-ou-se opened this issue Oct 1, 2021 · 1 comment
Closed

Can't upgrade 0.22.0 -> 0.22.2 because of new bitflags requirement. #1548

m-ou-se opened this issue Oct 1, 2021 · 1 comment

Comments

@m-ou-se
Copy link

m-ou-se commented Oct 1, 2021
edited
Loading

cargo deny check just informed me about RUSTSEC-2021-0119. My dependencies are using 0.22.0, and should be upgraded to the patched 0.22.2.

However, nix 0.22.0 requires bitflags ^1.1, but nix 0.22.1 and 0.22.2 require bitflags >= 1.1.0, < 1.3.0.

Cargo refuses to use multiple semver compatible versions of a crate in a dependency tree (see this comment), so any dependency tree requiring bitflags ^1.3 anywhere cannot upgrade from 0.22.0 to 0.22.2.

For example, i2cdev requires:

bitflags = "1.3"
nix = "0.22"

which can only work with 0.22.0, and not with 0.22.1 or 0.22.2.
@asomers
Copy link
Member

asomers commented Oct 1, 2021

This is a bug in bitflags that's been causing a lot of pain for everyone. They raised their MSRV in a minor version release. Your choices are to upgrade to Nix 0.23 or to remain on Nix 0.22.0 and suppress that RUSTSEC warning. The RUSTSEC warning only applies to a single function, and it's not an exploitable security problem, so that may be an option for you.
bitflags/bitflags#255

@asomers asomers closed this as completed Oct 1, 2021
@trinity-1686a trinity-1686a mentioned this issue Oct 1, 2021
Closed
@Thomasdezeeuw Thomasdezeeuw mentioned this issue Oct 7, 2021
Merged
This was referenced Oct 12, 2021
Closed
Merged
asomers added a commit to asomers/nix that referenced this issue Oct 15, 2021
@asomers
Declare the MSRV in Cargo.toml
e587de7 
This is a new feature in Cargo 1.56.0, currently in beta.  Once Nix's
MSRV is >= 1.56.0, this feature will prevent future problems like the
bitflags 1.3.0 fiasco.

Issue nix-rust#1491
Issue nix-rust#1510
Issue nix-rust#1548
Issue nix-rust#1555
@asomers asomers mentioned this issue Oct 15, 2021
Merged
@Imberflur Imberflur mentioned this issue Dec 6, 2021
Merged
bors bot added a commit that referenced this issue Dec 15, 2021
@bors @asomers
Merge #1561
e5260a8 
1561: Declare the MSRV in Cargo.toml r=rtzoeller a=asomers

This is a new feature in Cargo 1.56.0, currently in beta.  Once Nix's
MSRV is >= 1.56.0, this feature will prevent future problems like the
bitflags 1.3.0 fiasco.

Issue #1491
Issue #1510
Issue #1548
Issue #1555

Co-authored-by: Alan Somers <asomers@gmail.com>
bors bot added a commit that referenced this issue Dec 15, 2021
@bors @asomers
Merge #1561
5197647 
1561: Declare the MSRV in Cargo.toml r=rtzoeller a=asomers

This is a new feature in Cargo 1.56.0, currently in beta.  Once Nix's
MSRV is >= 1.56.0, this feature will prevent future problems like the
bitflags 1.3.0 fiasco.

Issue #1491
Issue #1510
Issue #1548
Issue #1555

Co-authored-by: Alan Somers <asomers@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@asomers @m-ou-se