update various dependencies

[decathorpe]

I'm the maintainer of lsd for Fedora Linux, and some outdated dependencies are making maintenance increasingly difficult.

• deps: update chrono-humanize to v0.2

We have this patched for almost two years in Fedora and it has not caused issues.

• deps: update assert_cmd to v2

Same here, this patch has been in the Fedora package for a while.

• deps: update sys-locale to v0.3

This dependency seems to have been added recently, not sure why an old version was chosen.

• deps: update vsort to v0.2

Same here, this was added recently but 0.1 was used instead of 0.2, not sure why.

• deps: update git2 to v0.18

Using old versions of git2 is not a good idea, since the bundled libgit2 C library often has CVE issues.

• deps: migrate from users to uzers

The "users" crate is unmaintained. The "uzers" crate is an API-compatible fork that also fixes some bugs and security issues.

• deps: update serial_test to v2

The current dependency (v0.5) is reeeeeally old. Not sure why this was never updated.

• deps: update predicates to v3

Same here, predicates v1 is reaally old.

• deps: allow newer versions of url, wild, and xdg crates

Not sure why strange x.0.* style dependencies were used here. It's holding back various updates for both url and xdg crates, and makes maintaining lsd in Fedora more difficult. We have built lsd against the latest versions of all three crates forever, and it has not caused issues.

[muniu-bot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: decathorpe

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[decathorpe]

PS: I'm not sure why you're keeping Cargo.lock pinned to really old versions. It looks like "cargo update" hasn't been run in ages. I'm sure there's tons of bugfixes (and potentially also security fixes) that happened between the versions pinned in Cargo.lock and the latest compatible versions.

[codecov-commenter]

Codecov Report

All modified and coverable lines are covered by tests ✅

Comparison is base (89659e4) 85.76% compared to head (f6dec60) 84.51%.
Report is 10 commits behind head on master.

Additional details and impacted files

@@            Coverage Diff             @@
##           master     #938      +/-   ##
==========================================
- Coverage   85.76%   84.51%   -1.26%     
==========================================
  Files          51       51              
  Lines        5001     5068      +67     
==========================================
- Hits         4289     4283       -6     
- Misses        712      785      +73     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[zwpaper]

Hi @decathorpe, thanks so much for raising this, it would definitely help a lot!

I found predicates v3 need msrv 1.69, I have updated the msrv in master, can you help rebase your PR onto it?

[decathorpe]

Ah, the MSRV is only checked in CI - it might be a good idea to set package.rust-version in Cargo.toml as well?

Thanks for taking a look, I'll rebase my PR.

[zwpaper]

hi @decathorpe can you help to update the msrv to 1.70, so that we can pass the CI

[decathorpe]

I've bumped the MSRV in the GitHub action and in Cargo.toml.

I also removed the hand-written MSRV check that was present in build.rs that is redundant with defining package.rust-version in Cargo.toml.

[zwpaper]

thanks so much for your help @decathorpe!

[zwpaper]

btw, I have sent you an invitation for the lsd-rs org package maintainers team, welcome aboard if you would like to 😀

[decathorpe]

Great, thank you :)