-
Notifications
You must be signed in to change notification settings - Fork 176
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fossa unconditionally calls cargo generate-lockfile
#982
Comments
Thank you for reporting this defect. I have created an internal ticket in our backlog to address this behavior. I or someone from the team will post an update to this thread once the patch/or/workaround lands. |
@Swatinem are you able to provide For unblocking/workaround, I suggest [dependencies]
regex = { git = "https://github.com/rust-lang/regex", rev = "711bf162ecccfe81c1032d9c01f5096b0a7b7c8b" } |
We (Sentry) have most likely observed this same bug for non-git dependencies as well, such as |
The reason that We do need to support operating in a way that doesn't update the lockfile, perhaps using |
@untitaker Can you explain why the workaround is infeasible there? If you pin the dependency in the |
@scruffystuffs The workaround to pin by git SHA in toml definetly helps to reduce the amount of pending approvals required (considering that HEAD is updating quite often), but doesn't work in the general case. declaring
The lockfile is checked in. It is not updated during |
To give you some concrete examples, here are two repos where The end result is that everytime a new version of any transitive dependency is released (not updated), it is seen as "new/changed dependency" by FOSSA on a commit that didn't change either file. |
Thanks for the explanation and examples. That will be very useful in testing. We're definitely going to fix this, we just need to try not to reintroduce the dep download footgun. As @meghfossa stated, we're tracking this internally, and we'll update this ticket when we've got a fix for this. |
@scruffystuffs i just checked locally, and I don't think
Our fossa jobs in relay also take 2 minutes, so i believe those packages are indeed downloaded |
As the title says,
cargo generate-lockfile
is being called unconditionally here:fossa-cli/src/Strategy/Cargo.hs
Line 317 in bde67a0
We have a project that already maintains a lockfile, and that lockfile has a specific git commit for a git dependency.
However
generate-lockfile
bumps that git commit to the branch HEAD, which then fails later on because that branch contains breaking changes. (more specifically, it removes a workspace crate that is directly depended upon)The text was updated successfully, but these errors were encountered: