public
/
keyfork
5
0
Fork 0
Code Issues 16 Pull Requests 1 Packages Projects Releases Wiki Activity

Build tooling to review Cargo.lock bumps #20

New Issue
Open
opened 2024-01-18 21:59:55 +00:00 by ryan · 2 comments
ryan commented 2024-01-18 21:59:55 +00:00
Owner
Copy Link

Given two version of Cargo.lock (base commit, head commit), find out which new versions of packages are added, and run the following steps:

  • Download a tarball of the old version
  • Verify tarball using Lockfile
  • Initialize Git repository, make a commit, based on the existing tarball
  • Download a tarball of the new version
  • Verify tarball using Lockfile
  • Replace working directory with contents of tarball
  • Add all files to Git staging area
  • Run git difftool HEAD
Given two version of Cargo.lock (base commit, head commit), find out which new versions of packages are added, and run the following steps: * Download a tarball of the old version * Verify tarball using Lockfile * Initialize Git repository, make a commit, based on the existing tarball * Download a tarball of the new version * Verify tarball using Lockfile * Replace working directory with contents of tarball * Add all files to Git staging area * Run `git difftool HEAD`
ryan commented 2024-01-19 00:16:26 +00:00
Author
Owner
Copy Link

Can use cargo fetch. Implemented via make review.

Can use `cargo fetch`. Implemented via `make review`.
ryan closed this issue 2024-01-19 00:16:26 +00:00
ryan commented 2024-01-26 08:41:07 +00:00
Author
Owner
Copy Link

Reopening because I'm not happy with this. I want a tool that can be used to audit things before or while cargo update is being run, something that allows more interactivity. The ideal workflow would be:

  1. The total list of potential upgrades is acquired
  2. For each potential upgrade, determine:
    • The impact of the upgrade
    • The amount of dependencies added/forked
  3. If the dependency is approved, run a system similar to make review for each crate to be affected by this change.

make review can still be used by anyone who wishes to review all previously upgraded crates at once, but tooling must exist to streamline the process of choosing what upgrades to include.

Reopening because I'm not happy with this. I want a tool that can be used to audit things before or while `cargo update` is being run, something that allows more interactivity. The ideal workflow would be: 1. The total list of potential upgrades is acquired 2. For each potential upgrade, determine: * The impact of the upgrade * The amount of dependencies added/forked 3. If the dependency is approved, run a system similar to `make review` for each crate to be affected by this change. `make review` can still be used by anyone who wishes to review all previously upgraded crates at once, but tooling must exist to streamline the process of choosing what upgrades to include.
ryan reopened this issue 2024-01-26 08:41:07 +00:00
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
main
ryansquared/quick-and-dirty-prompt
ryan/recover-shardholder-hardware
keyfork-shard-v0.2.2
keyfork-v0.2.3
keyfork-derive-openpgp-v0.1.2
keyfork-v0.2.2
keyforkd-models-v0.2.0
keyforkd-client-v0.2.0
keyforkd-v0.1.1
keyfork-shard-v0.2.0
keyfork-qrcode-v0.1.1
keyfork-prompt-v0.1.1
keyfork-mnemonic-util-v0.3.0
keyfork-entropy-v0.1.1
keyfork-derive-util-v0.2.0
keyfork-derive-path-data-v0.1.1
keyfork-derive-openpgp-v0.1.1
keyfork-derive-key-v0.1.1
keyfork-v0.2.0
keyfork-v0.1.0
smex-v0.1.0
keyfork-bug-v0.1.0
keyfork-bin-v0.1.0
keyfork-slip10-test-data-v0.1.0
keyfork-derive-util-v0.1.0
keyfork-frame-v0.1.0
keyforkd-models-v0.1.0
keyforkd-client-v0.1.0
keyfork-derive-openpgp-v0.1.0
keyfork-entropy-v0.1.0
keyfork-crossterm-v0.27.1
keyfork-prompt-v0.1.0
keyfork-zbar-sys-v0.1.0
keyfork-zbar-v0.1.0
keyfork-qrcode-v0.1.0
keyfork-shard-v0.1.0
keyfork-derive-path-data-v0.1.0
keyforkd-v0.1.0
keyfork-derive-key-v0.1.0
keyfork-mnemonic-util-v0.2.0
keyfork-mnemonic-util-v0.1.0
Labels
Clear labels
No items
No Label
Milestone
Clear milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
No Assignees
1 Participants
Notifications
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: public/keyfork#20
No description provided.
Delete Branch "%!s(<nil>)"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?