
`generate-lockfile` overwrites a checked-in Cargo.lock


Description

I have a repo where I’ve checked in Cargo.lock, since it’s producing a binary which I’m shipping. I’ve just started getting audit violations in CI for this that I cannot reproduce locally. I’ve tracked this down to the generate-lockfile call at the beginning; this updates the checked-in Cargo.lock. In my case, it brings in a new vulnerability due to a transitive dependency update.

Workflow code

```yaml
name: Security audit
on:
  push:
    paths:
      - '**/Cargo.toml'
      - '**/Cargo.lock'
jobs:
  security_audit:
    timeout-minutes: 30
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v1
      - uses: actions-rs/audit-check@v1
        with:
          token: ${{ secrets.GITHUB_TOKEN }}
```

Expected behavior

If a Cargo.lock is in source control, it should be used as-is.

Issue Analytics

  • State: open
  • Created 3 years ago
  • Comments: 5

Top GitHub Comments

3 reactions
Nemo157 commented, Mar 2, 2021

Rather than generate-lockfile this should call cargo metadata --format-version=1 >/dev/null as a relatively quick no-op “ensure the lockfile is up to date”. It would be good for the action to also take a locked: boolean flag to determine whether to pass --locked to this call for repositories that expect the lockfile to always be up to date.
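The issue report expects a checked-in Cargo.lock to be used as-is, and the comment above proposes `cargo metadata --format-version=1` with `--locked` as a non-mutating check. The following POSIX shell script is an added example, not code from the issue or from the actions-rs/audit-check action: it wraps any CI step in a guard that fails if the step rewrote the lockfile, so a silently regenerated Cargo.lock cannot slip into the audit. The file name, the `run_guarded` helper and the sample lockfile contents are assumptions constructed for the example; the `cargo metadata --locked` invocation in the comments is the one from the comment above and is only illustrated, not run.

```shell
#!/bin/sh
# Added example: guard a CI step so it fails loudly when it rewrites a checked-in Cargo.lock.
# Assumed helper names; not part of the audit-check action.

# Print a CRC checksum of a file, or an empty string when it does not exist.
lockfile_digest() {
  if [ -f "$1" ]; then
    cksum < "$1" | awk '{print $1}'
  else
    printf ''
  fi
}

# run_guarded LOCKFILE CMD [ARGS...]
# Runs CMD, comparing the lockfile digest before and after.
# Returns CMD's own status when the lockfile is byte-for-byte unchanged,
# and 1 (with a message on stderr) when the step modified it.
run_guarded() {
  lock="$1"; shift
  before=$(lockfile_digest "$lock")
  "$@"
  status=$?
  after=$(lockfile_digest "$lock")
  if [ "$before" != "$after" ]; then
    echo "ERROR: '$*' rewrote $lock; refusing to audit a lockfile that is not the checked-in one" >&2
    return 1
  fi
  return "$status"
}

# Self-contained demonstration with a constructed lockfile (no cargo needed):
# a harmless command leaves the lock alone and passes; a command that appends
# to it is caught. Returns 0 when both outcomes are as expected.
self_test() {
  dir=$(mktemp -d) || return 1
  printf '[[package]]\nname = "demo"\nversion = "0.1.0"\n' > "$dir/Cargo.lock"
  run_guarded "$dir/Cargo.lock" true || { rm -rf "$dir"; return 1; }
  if run_guarded "$dir/Cargo.lock" sh -c "echo '# rewritten' >> \"$dir/Cargo.lock\"" 2>/dev/null; then
    rm -rf "$dir"; return 1
  fi
  rm -rf "$dir"
  return 0
}

# Typical CI use (assumes cargo is installed; mirrors the suggestion in the comment above):
# verify that the checked-in lockfile resolves without touching it, then audit it.
#   run_guarded Cargo.lock cargo metadata --format-version=1 --locked >/dev/null && cargo audit

if [ "${1:-}" = "--self-test" ]; then
  self_test
fi
```

Running the script with `--self-test` exercises both branches on a temporary lockfile. In a real pipeline the guard is only a backstop: passing `--locked` is what makes cargo itself refuse to modify Cargo.lock, and the checksum comparison turns any remaining rewrite into a visible CI failure rather than an audit of the wrong dependency set.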

0 reactions
eugene-babichenko commented, May 6, 2021

Another problem this behavior incurs:

  • Let’s say we have a Cargo.lock that works perfectly fine.
  • It has a dependency (in my case transitive) that is yanked from the crates.io registry but still downloadable.
  • Due to how yanked crates work, cargo generate-lockfile just will not be able to create Cargo.lock.

And it doesn’t need to, because a working Cargo.toml is already there.

