alamb commented on issue #7648: URL: https://github.com/apache/arrow-rs/issues/7648#issuecomment-2967609308
> multiple-versions = "deny"

I think doing this may prevent us from updating dependencies until everything lower in the dependency chain has been updated - that may not be good (especially for dependencies like tokio / tonic / pyo3) where transitive dependencies may take some time to update

I think you can achieve the same goal in your project (no duplicated dependencies) by helping all the downstream crates to update their dependencies and waiting until they have released such versions (it will delay updating your crate for sure)

Putting the lint into arrow-rs means now we will force *ALL* arrow-rs users to wait for dependency updates, rather than just those that care about keeping a single dependency version. This would certainly increase the urgency of trying to get downstream crates to update, but I also think it would increase the maintenance burden significantly

So TLDR I think:
1. Denying security issues is a good idea
2. Denying multiple dependencies is not a good idea for this crate
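
For a downstream project that wants a single version of each dependency without the lint living in arrow-rs, a local check over its own `Cargo.lock` is one option. This is an added example, not part of the comment or of arrow-rs; the lockfile contents, the `duplicate_versions` helper and its `allow` parameter are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lockfile (not from arrow-rs): `syn` is locked twice.
SAMPLE_LOCK = '''\
version = 3

[[package]]
name = "mycrate"
version = "0.1.0"
dependencies = [
 "syn 1.0.109",
 "syn 2.0.48",
]

[[package]]
name = "syn"
version = "1.0.109"

[[package]]
name = "syn"
version = "2.0.48"

[[package]]
name = "tokio"
version = "1.35.1"
'''

# Only quoted name/version keys at column 0 count; the unquoted top-level
# lockfile `version = 3` and indented dependency entries never match.
FIELD = re.compile(r'^(name|version) = "([^"]+)"$')

def duplicate_versions(lock_text, allow=()):
    """Return {crate: sorted versions} for crates locked at more than one
    version. `allow` (hypothetical) skips crates known to lag upstream."""
    versions = defaultdict(set)
    name = None
    for line in lock_text.splitlines():
        m = FIELD.match(line)
        if line == "[[package]]":
            name = None                      # start of a new package entry
        elif m and m.group(1) == "name":
            name = m.group(2)
        elif m and name is not None:
            versions[name].add(m.group(2))
    return {n: sorted(v) for n, v in versions.items()
            if len(v) > 1 and n not in allow}

if __name__ == "__main__":
    for crate, found in duplicate_versions(SAMPLE_LOCK).items():
        print(f"{crate}: {', '.join(found)}")
```

Run in the downstream project's CI, a non-empty result can fail or merely warn, which keeps the policy choice with the project that cares about it.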