alamb commented on issue #7648:
URL: https://github.com/apache/arrow-rs/issues/7648#issuecomment-2967609308
> multiple-versions = "deny"

I think doing this may prevent us from updating dependencies until
everything lower in the dependency chain has been updated - that may not be
good (especially for dependencies like tokio / tonic / pyo3) where transitive
dependencies may take some time to update

I think you can achieve the same goal in your project (no duplicated
dependencies) by helping all the downstream crates to update their dependencies
and wait until they have released such versions (it will delay updating your
crate for sure)

Putting the lint into arrow-rs means now we will force *ALL* arrow-rs users
to wait for dependency updates, rather than just those that care about keeping
a single dependency version. This would certainly increase the urgency of
trying to get downstream crates to update, but I also think it would increase
the maintenance burden significantly

So TLDR I think:
1. Denying security issues is a good idea
2. Denying multiple dependencies is not a good idea for this crate