cargo audit blocking development by breaking CI
Fairly frequently, something somewhere in our dependency chain gets flagged by RUSTSEC.
It is good that we find out about this, and address it quickly (much of the time, we fix it by updating our Cargo.lock; most of the rest of the time we change our CI to ignore it as not applicable or not interesting).
However, it is disruptive and unnecessary to have this break unrelated MRs in CI.
I suggest the following change:
- If the advisory applies to main too, and the commit we are testing is not itself equal to main, ignore that advisory.
The effect would be that a new advisory would have no effect on MR CI, and we could merge other work as usual. But CI on main would start to always fail. This might mask semantic conflicts briefly, but this is probably tolerable because such semantic conflicts would start to afflict MR branches too.
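As an added example of the proposed rule (not code from this issue or the project), a POSIX shell sketch: it assumes `cargo audit --json` has already been run against main and against the commit under test, with both reports saved to files, and that the branch name is known to the pipeline; RUSTSEC ids are pulled out with grep rather than by parsing the report schema.

```shell
#!/bin/sh
# Added example, not code from this issue or project. Assumes two reports
# produced by `cargo audit --json`: one for main, one for the commit under
# test. Only RUSTSEC ids are extracted (with grep), so the JSON schema is
# not parsed; any id mentioned in a report, including "related" advisories,
# counts, which applies to both sides equally and so does not skew the diff.
set -eu
export LC_ALL=C   # stable sort order so that comm(1) sees sorted input

# Sorted, unique RUSTSEC ids found anywhere in a cargo-audit report.
advisory_ids() {
    grep -o 'RUSTSEC-[0-9][0-9][0-9][0-9]-[0-9][0-9][0-9][0-9]' "$1" | sort -u || true
}

# Advisories present in the branch report but absent from the main report:
# these are the only ones an MR pipeline should fail on.
new_advisories() {
    main_ids=$(mktemp); branch_ids=$(mktemp)
    advisory_ids "$1" > "$main_ids"
    advisory_ids "$2" > "$branch_ids"
    comm -13 "$main_ids" "$branch_ids"
    rm -f "$main_ids" "$branch_ids"
}

# Advisories that should fail the pipeline for a given branch. On main
# itself nothing is ignored; on any other branch, advisories that already
# affect main are ignored (they will fail main's own pipeline instead).
# $1 = main report, $2 = report for the commit under test, $3 = branch name
audit_gate() {
    if [ "$3" = main ]; then
        advisory_ids "$2"
    else
        new_advisories "$1" "$2"
    fi
}

# Constructed demo reports (the ids are placeholders, not real advisories).
demo_dir=$(mktemp -d)
printf '{"vulnerabilities":{"list":[{"advisory":{"id":"RUSTSEC-2000-0001"}}]}}\n' \
    > "$demo_dir/main.json"
printf '{"vulnerabilities":{"list":[{"advisory":{"id":"RUSTSEC-2000-0001"}},{"advisory":{"id":"RUSTSEC-2000-0002"}}]}}\n' \
    > "$demo_dir/branch.json"
echo "Would fail an MR pipeline on:"
audit_gate "$demo_dir/main.json" "$demo_dir/branch.json" feature-branch
rm -rf "$demo_dir"
```

The ids printed by `advisory_ids` for the main report could equally be handed to cargo audit's `--ignore` option on the MR run, if you would rather let cargo audit do the filtering than diff two reports.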
Switching to cargo-deny (#1045) might make implementation easier, and in any case should probably be done first.