Stream: git-wasmtime

Topic: wasmtime / issue #5513 Update dependencies


Wasmtime GitHub notifications bot (Jan 04 2023 at 16:17):

alexcrichton commented on issue #5513:

Thanks for the PR! One thing to note is that we try to be careful about dependencies in Wasmtime, notably we're auditing new dependencies being added. As you've seen this means that dependency updates need to be audited. Additionally we're avoiding adding new exemptions to the audit list, so all updates need to be audited.

While it's ok to update everything here all-at-once, there's a fair amount to audit, so if you'd prefer to split things up into separate PRs I think that would work well too.

Wasmtime GitHub notifications bot (Jan 04 2023 at 16:18):

github-actions[bot] commented on issue #5513:

Subscribe to Label Action

cc @kubkon

<details>
This issue or pull request has been labeled: "cranelift", "wasi"

Thus the following users have been cc'd because of the following labels:

To subscribe or unsubscribe from this label, edit the <code>.github/subscribe-to-label.json</code> configuration file.

</details>

Wasmtime GitHub notifications bot (Jan 05 2023 at 09:39):

a1phyr commented on issue #5513:

Is it ok for you if ahash is left out as an exception for now? I reviewed all other updates.

Wasmtime GitHub notifications bot (Feb 14 2023 at 17:12):

EdorianDark commented on issue #5513:

Thanks for working on this.

Wasmtime GitHub notifications bot (Feb 14 2023 at 18:01):

alexcrichton commented on issue #5513:

I apologize for a bit of a runaround on what to do about the cargo vet entries here. We're still experimenting ourselves how best to handle this. We decided a little bit ago that for dependency updates like this what we'll do is that one of the "trusted reviewers" will merge new vet entries into main which the PR can then rebase on top of. To that end I've created https://github.com/bytecodealliance/wasmtime/pull/5778 which creates vet entries for the dependencies being pulled in here, so when that merges could you rebase on that to merge?

We independently talked a bit ago about what to do about dependencies transitively used by the standard library and we decided that we would consider updating exemptions based on that but didn't want to record a full audit purely based on the usage in the standard library as well. (mostly just as a heads up, doesn't affect this PR too much with https://github.com/bytecodealliance/wasmtime/pull/5778 having all the necessary vet entries)


Last updated: Dec 23 2024 at 12:05 UTC