I'd like to pilot a new lockfile process here. Using this repo since it's widely-used but development is pretty slow, so hopefully it won't be too disruptive to try new stuff. Here's my proposal:
- We add a `Cargo-minimal.lock` alongside `Cargo-recent.lock` which is checked to actually match the minimum dependencies. cargo-rbmt has some facility for checking this; we should take a look at what rust-bitcoin does.
- For `Cargo-recent.lock`, we add a cronjob that (attempts to) update every dependency to the latest version, whenever a new version comes out. The PR should query an LLM agent to review the diff, providing a summary of changes (highlighting anything that "seems important" but wasn't mentioned in the CHANGELOG), a security audit, and a summary of how this crate might be affected.
If this works, we can try doing it on other repos. We may need to do something clever to share reviews so we're not re-reviewing the same dep on every repo that needs it. (But OTOH, I would guess that the cost is only a dollar or two per update, on average, and maybe there's value in doing multiple passes.)
We've had several abortive attempts to use humans to review each dependency update. In practice there's just way too much to handle, so instead we put off updating the lockfile til we're forced to. And then we just do it without looking at the diffs.
cc @Arvolear @psgreco -- I would appreciate a concept ACK. I'd also like Blockstream to sponsor the LLM usage here.
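The lockfile diff such a cron PR would hand to the reviewer, as an added example (not code from this repo or from the proposal above): a dependency-free Python script that parses the `[[package]]` tables of two Cargo.lock files and lists added, removed and bumped crates, flagging first the cases a reviewer should read before anything else, a checksum or source that changed while the version did not, and a new version pulled from a non-registry source. The function names `parse_lock` and `diff_locks` and the two lockfile fragments are constructed for the example.

```python
import re

_KV = re.compile(r'^(\w+)\s*=\s*"([^"]*)"$')

def parse_lock(text):
    """Map crate name -> {version: fields} from the [[package]] tables of a Cargo.lock."""
    pkgs, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        if line == "[[package]]":
            cur = {}  # later key = "value" lines fill this same dict in place
        elif cur is not None and (m := _KV.match(line)):
            cur[m.group(1)] = m.group(2)
            if "name" in cur and "version" in cur:
                pkgs.setdefault(cur["name"], {})[cur["version"]] = cur
    return pkgs

def diff_locks(old_text, new_text):
    """Classify crate changes; 'suspicious' is what a reviewer should read first."""
    old, new = parse_lock(old_text), parse_lock(new_text)
    rep = {"added": [], "removed": [], "bumped": [], "suspicious": []}
    for name in sorted(set(old) | set(new)):
        ov, nv = old.get(name, {}), new.get(name, {})
        if not ov:
            rep["added"].append(f"{name} {','.join(sorted(nv))}")
        elif not nv:
            rep["removed"].append(f"{name} {','.join(sorted(ov))}")
        elif set(ov) != set(nv):
            rep["bumped"].append(f"{name} {','.join(sorted(ov))} -> {','.join(sorted(nv))}")
        for ver in set(ov) & set(nv):  # same version on both sides: nothing should differ
            for field in ("checksum", "source"):
                if ov[ver].get(field) != nv[ver].get(field):
                    rep["suspicious"].append(f"{name} {ver}: {field} changed without a version bump")
        for ver in set(nv) - set(ov):  # new versions pulled from git/path rather than crates.io
            src = nv[ver].get("source", "")
            if not src.startswith("registry+"):
                rep["suspicious"].append(f"{name} {ver}: non-registry source {src!r}")
    return rep

# Constructed fragments standing in for Cargo-recent.lock before and after a cron update.
OLD = """[[package]]
name = "bitcoin_hashes"
version = "0.12.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1111"
[[package]]
name = "hex"
version = "0.4.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "2222"
"""
NEW = OLD.replace('"0.12.0"', '"0.13.0"').replace('"1111"', '"3333"').replace('"2222"', '"4444"')
NEW += '[[package]]\nname = "rand"\nversion = "0.8.5"\nsource = "git+https://example.invalid/rand?rev=abc"\n'
```

Run `diff_locks(OLD, NEW)` to get the report; in the constructed input the `hex` crate keeps version 0.4.3 but its checksum changes, which is exactly the kind of change a CHANGELOG-driven review would miss.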