meta: relax crypto dependency's semver

Pinning crypto libraries in this library makes it hard to manage dependencies in the binary consumer side that relies on this lib. For these reasons it is recommended in Rust idiomatic way to manage the dependency bumps via Cargo.lock in the binary side instead as part of regular maintenance chores. This change both bumps up the crypto to now required mininum versions and makes it flexible to bump up the crypto via binaries that uses the lock file to manage dependency version bumps. Signed-off-by: pinkforest <[email protected]>
radicle-dev · Sep 14, 2022 · 9cbaac5 · 9cbaac5
1 parent b44902c
commit 9cbaac5
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 15 deletions.
diff --git a/Cargo.toml b/Cargo.toml
@@ -27,22 +27,20 @@ thiserror = "1.0"
 
 # CRYPTO
 #
-# NOTE: by policy, we pin non-dev cryptographic libraries to their exact
-# versions, requiring explicit maintainer action to apply upgrades. The
-# `deny.toml` is set up such that unintended upgrades are (hopefully) rejected.
+# The binary consumer dictates these versions via .lock
+# The .lock is used to screen the crypto dependency minor/patch bumps
 #
 [dependencies.chacha20poly1305]
-version = "=0.9.0"
+version = "^0.10.1"
 default-features = false
 features = ["alloc"]
 
 [dependencies.ed25519-zebra]
-version = "=3.0.0"
+version = "^3.0.0"
 
 [dependencies.scrypt]
-version = "=0.8.0"
+version = "^0.10.0"
 default-features = false
-# END CRYPTO
 
 [dev-dependencies]
 tokio = { version = ">= 1.8.4", features = ["macros", "rt"] }

diff --git a/deny.toml b/deny.toml
@@ -165,10 +165,6 @@ deny = [
     # Each entry the name of a crate and a version range. If version is
     # not specified, all versions will be matched.
     #{ name = "ansi_term", version = "=0.11.0" },
-    { name = "chacha20poly1305", version = "> 0.9.0" },
-    { name = "ed25519-zebra", version = "> 3.0.0" },
-    { name = "curve25519-dalek", version = "> 3.2.0" },
-    { name = "scrypt", version = "> 0.8.0" },
 ]
 # Certain crates/versions that will be skipped when doing duplicate detection.
 skip = [

diff --git a/src/crypto.rs b/src/crypto.rs
@@ -15,10 +15,7 @@
 // You should have received a copy of the GNU General Public License
 // along with this program. If not, see <https://www.gnu.org/licenses/>.
 
-use chacha20poly1305::{
-    aead,
-    aead::{Aead, NewAead},
-};
+use chacha20poly1305::{aead, aead::Aead, KeyInit};
 use generic_array::GenericArray;
 use secstr::{SecStr, SecUtf8};
 use serde::{Deserialize, Serialize};