ramosbugs / openidconnect-rs

OpenID Connect Library for Rust

Dependencies update

ereOn opened this issue · comments

Hi,

We are using openidconnect as part of our monorepo and also rely a lot on cargo deny to check/avoid/minimize duplicate dependencies.

I recently wanted to update the openidconnect crate from 2 to the latest 3 but noticed there are still a couple of direct dependencies that seem out-of-date. These end up showing as duplicates and we have no other choice but to add exceptions for those. While not a deal breaker or anything, I still wonder whether there would be an opportunity to upgrade those instead of having to add exceptions.

I am talking about crates like rsa, signature, serde_with (to name a few) for which many newer releases have been available for some time (sometimes there is a 2 major versions difference) and which I suspect could be updated in openidconnect.

Before I make a PR for this, is that something you guys would consider desirable?

I understand - of course - that always keeping in sync with the latest versions of each dependency is not a realistic goal, especially with a crate that does as much as openidconnect, but I feel that for many of those, updating would not be a huge risk or task. A low-hanging fruit, if you will. I would add that using updated security crates (for rsa, signature and the like) could also be beneficial in terms of security.

What are your thoughts on this?

P.S.: Thanks for all the good work on this crate: it is really great.
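For readers unfamiliar with the cargo-deny exceptions the issue refers to, here is an added illustration of what such a workaround looks like. This is example configuration written for this page, not a file from the openidconnect project or from the issue author; it assumes a `deny.toml` at the workspace root, and the crate versions listed under `skip` are placeholders, not the versions openidconnect actually pinned.

```toml
# deny.toml (example; placed at the workspace root)

[bans]
# Fail `cargo deny check bans` whenever the lock file resolves two or more
# versions of the same crate, which is what happens when a dependency pins
# an older major version than the rest of the workspace.
multiple-versions = "deny"

# Each entry tolerates one crate/version pair that would otherwise trip the
# check above. Every entry here is technical debt: it should be removed as
# soon as the dependency that drags in the old version is updated.
# The version requirements below are placeholders chosen for this example.
skip = [
    { name = "rsa", version = "0.5" },
    { name = "signature", version = "1" },
    { name = "serde_with", version = "1" },
]
```

To see which crates are duplicated before adding any exception, `cargo tree -d` lists every crate that appears more than once in the resolved graph together with the dependency paths that pull each version in; `cargo deny check bans` then reports whether the remaining duplicates are all covered by `skip`. The security point the issue makes is that each `skip` entry also keeps an older copy of a crate such as `rsa` in the binary, so pruning the list is worth more than just a cleaner build.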

Hi @ereOn, I'd be happy to merge PRs that update dependencies without affecting any of this crate's public APIs. Any breaking changes should be discussed further, but I believe the crates you listed are only used internally.

@ereOn are there other dependencies still to update, or should we close this issue?

We can close this! Thanks again for considering this.