Use a pinned compiler version to run cargo audit (!2289) · Merge requests · The Tor Project / Core / Arti

Ian Jackson requested to merge Diziet/arti:audit into main Jul 29, 2024

This avoids CI failures like this

https://gitlab.torproject.org/nickm/arti/-/jobs/617654

arising from situations like this

cargo-audit install fails with rust 1.80 https://github.com/rustsec/rustsec/issues/1217
error[E0282]: type annotations needed for Box<_> https://github.com/time-rs/time/issues/693

IMO we should pin many of the other images too but I suspect that may be controversial. I'm hoping that pinning this one to get CI working is uncontroversial (perhaps only on a temporary basis).

The other way to solve this would be to remove --locked which IMO is going in the wrong direction, by exposing us to more rather than fewer uncontrolled inputs from our upstreams.

Use a pinned compiler version to run cargo audit

Merge request reports