Skip to content

Apply dependabot security fixes #214

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
urschrei merged 1 commit into from
Nov 10, 2025
Merged

Apply dependabot security fixes #214

urschrei merged 1 commit into from
Nov 10, 2025

Conversation

@urschrei
Copy link
Member

@urschrei urschrei commented Nov 7, 2025
edited
Loading

@urschrei
Copy link
Member Author

urschrei commented Nov 7, 2025

I don't understand these CI failures. Note that they also occur in #212 (the automated version of this PR).

@michaelkirk
Copy link
Member

michaelkirk commented Nov 7, 2025

I'm not really sure either, but it sounds like a new manifestation of what is ultimately an MSRV problem.

@adamreichold
Copy link
Member

adamreichold commented Nov 8, 2025

I think the salient point is

this version of Cargo is older than the `2024` edition, and only supports `2015`, `2018`, and `2021` editions.

so yes, this is a MSRV problem, i.e. we need to lock down certain dependencies, in this nalgebra to older versions or bump our MSRV.

@adamreichold
Copy link
Member

adamreichold commented Nov 8, 2025

But I think completing the CI overhaul would be time better spent, because as discussed there, I do not see why our MSRV policy should extend to demo/example code at all. Fixing what the CI actually tests first would be preferable IMHO.

@urschrei
Copy link
Member Author

urschrei commented Nov 8, 2025

I believe that PR just needs a rebase, if people are happy with it.

@urschrei
Copy link
Member Author

urschrei commented Nov 8, 2025

(#204)

@urschrei urschrei force-pushed the dependabot_fixes branch 5 times, most recently from 4c25bc8 to 627532e Compare November 9, 2025 21:04
@urschrei
Copy link
Member Author

urschrei commented Nov 9, 2025

Our nalgebra dev dependency indirectly (via quote) has an MSRV of 1.68 (March 2023). I've bumped our MSRV to that, and it's passing.

However, the --workspace switch for our Clippy invocation forces rstar-demo to build against the current rstar codebase, and kiss3d's parry3d dependency is using the pre f718353 API, which accepted borrowed Point values. Some options:

  • Cut a new (breaking, because of the API change?) rstar release and wait for kiss3d and parry3d to update
  • Exclude rstar-demo from the Clippy run for now: cargo clippy --workspace --exclude rstar-demo --tests

@adamreichold
Copy link
Member

adamreichold commented Nov 10, 2025

Exclude rstar-demo from the Clippy run for now: cargo clippy --workspace --exclude rstar-demo --tests

I would prefer the exclusion.

@urschrei
Copy link
Member Author

urschrei commented Nov 10, 2025

We're now passing, with the following changes:

  • MSRV 1.68 (2021 edition) for all three crates
  • rstar-demo is temporarily excluded from tests

@urschrei urschrei added this pull request to the merge queue Nov 10, 2025
Merged via the queue into master with commit 4a9576a Nov 10, 2025
6 checks passed
@urschrei urschrei deleted the dependabot_fixes branch November 10, 2025 19:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@michaelkirk michaelkirk michaelkirk approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@urschrei @michaelkirk @adamreichold