Dependencies update
ereOn opened this issue · comments
Hi,
We are using openidconnect as part of our monorepo and also rely a lot on cargo deny to check/avoid/minimize duplicate dependencies.
I recently wanted to update the openidconnect crate from 2 to the latest 3 but noticed there are still a couple of direct dependencies that seem out-of-date. These end up showing as duplicates and we have no other choice but to add exceptions for those. While not a deal breaker or anything, I still wonder whether there would be an opportunity to upgrade those instead of having to add exceptions.
I am talking about crates like rsa, signature, serde_with (to name a few) for which many newer releases have been available for some time (sometimes there is a difference of 2 major versions) and which I suspect could be updated in openidconnect.
Before I make a PR for this, is that something you guys would consider desirable?
I understand - of course - that always keeping in sync with the latest versions of each dependency is not a realistic goal, especially with a crate that does as much as openidconnect, but I feel that for many of those, updating would not be a huge risk or task. A low-hanging fruit if you will. I would add that using updated security crates (for rsa, signature and the like) could also be beneficial in terms of security.
What are your thoughts on this?
P.S: Thanks for all the good work on this crate: it is really great.
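A concrete picture of the exceptions the reporter describes, as an added example that is not part of the original issue, the reporter's repository or the openidconnect project: a deny.toml fragment for cargo-deny with duplicate-version checking turned on, plus skip entries for the duplicate versions forced by a dependency that still pins older releases. The version numbers are illustrative assumptions, not the versions openidconnect actually requires.

```toml
# deny.toml (added illustration, not from the openidconnect project or the reporter's repo)

[bans]
# Fail `cargo deny check bans` when two versions of the same crate end up in Cargo.lock.
multiple-versions = "deny"
# Wildcard version requirements in manifests are a separate lint; left permissive here.
wildcards = "allow"

# Exceptions for duplicates pulled in transitively by a dependency that still
# pins an older release. The versions below are illustrative placeholders
# (assumption), not the versions openidconnect pins. Pinning the exact old
# version ("=x.y.z") keeps the exception narrow: once the upstream crate
# catches up and the old version disappears from the lockfile, cargo-deny
# reports the skip entry as unmatched, which is the signal to delete it.
skip = [
    { name = "rsa", version = "=0.7.2" },         # illustrative version
    { name = "signature", version = "=1.6.4" },   # illustrative version
    { name = "serde_with", version = "=1.14.0" }, # illustrative version
]

# For a crate whose whole subtree drags in old versions, skip-tree covers the
# crate and everything beneath it in one entry (same illustrative version).
# skip-tree = [
#     { name = "some-crate", version = "0.1" },
# ]
```

Run `cargo deny check bans` after updating the lockfile; the check passes only if every remaining duplicate is covered by a skip entry, and narrow "=x.y.z" pins are what lets the exceptions expire on their own instead of silently outliving the problem they were added for.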
Hi @ereOn, I'd be happy to merge PRs that update dependencies without affecting any of this crate's public APIs. Any breaking changes should be discussed further, but I believe the crates you listed are only used internally.
@ereOn are there other dependencies still to update, or should we close this issue?
We can close this! Thanks again for considering this.