v2.3.0
Lockfiles
Lockfiles are a common mechanism that allows package managers to lock dependencies to concrete versions, ensuring reproducible builds.
When specifying project dependencies, you define version requirements. Usually, those requirements can accept multiple versions. For instance, specifying `1.2.3` would allow all versions `>=1.2.3` and `<2.0.0`. Similarly, the specification `alexandria_math = { git = "https://github.com/keep-starknet-strange/alexandria.git", branch = "next" }` can be resolved to more than one commit hash. Up to this version, Scarb would always pull the latest commit from the branch `next`, which may change between Scarb runs. This is not recommended, as regressions or incompatibilities may be introduced in a new commit. Additionally, for security reasons users should control what changes are pulled into their builds. Consequently, users often had to manually lock their dependency revisions, e.g. by specifying the commit hash from the dependency package repository in the manifest file.
Lockfiles automatically lock dependencies to specific revisions by writing resolved versions to a file beside the project manifest called `Scarb.lock`. This file is then read before Scarb resolves dependencies, and the locked versions are used by the resolver. If you change your dependency specification in the manifest file, the lockfile will change as well. Lockfiles contain exact specifications of all packages from the full tree of dependencies (including dependencies of dependencies etc.). Scarb lockfiles can easily be reviewed by the user.
Lockfiles should be committed to version control systems, allowing for full tracking of concrete version changes.
Cairo Version
This version of Scarb comes with Cairo `v2.3.0`.
What's Changed
- Update `fs4` to `0.7.0` and move procmacros dependencies to workspace by @mkaput in #772
- Revert matching parsing errors in git db client contains method by @maciektr in #774
- Ensure git checkout returns existing revision by @maciektr in #775
- Upgrade Cairo to `734a28823` by @mkaput in #784
- Add `Filesystem::into_child` method for easier chaining by @mkaput in #782
- Upgrade Cairo to `9fab18dcc` by @mkaput in #785
- Extract `protected_run_if_not_ok!` macro by @mkaput in #787
- Add tracing instrumentation to package ops by @mkaput in #789
- Update Cairo to `0f0b3786e7` by @mkaput in #795
- Implement base data models for registry index by @mkaput in #767
- Implement `Checksum` and `Digest` mechanisms by @mkaput in #783
- Bump semver from 1.0.19 to 1.0.20 by @dependabot in #797
- Bump the non-critical group with 5 updates by @dependabot in #796
- Allow specifying custom source patches by @szymmis in #791
- Fix `ops::package` leaving old path in created `FileLockGuard` by @mkaput in #792
- Add lockfile structure by @maciektr in #777
- Generate lock files by @maciektr in #778
- Resolve with locked versions by @maciektr in #779
- Implement lockfile tests by @maciektr in #780
- Omit std source packages from lockfile by @maciektr in #800
- Generate lockfiles for examples by @maciektr in #781
- Bump rustix from 0.38.13 to 0.38.19 by @dependabot in #804
New Contributors
- @Utilitycoder made their first contribution in #728
Full Changelog: v2.3.0-rc1...v2.3.0