Hello Everyone, I hope you are having a great day,
I am working on a solana project,
But i keep getting
error: failed to select a version for `zeroize`.
... required by package `curve25519-dalek v3.2.1`
... which satisfies dependency `curve25519-dalek = "^3.2.1"` of package `solana-program v1.16.1`
... which satisfies dependency `solana-program = "=1.16.1"` of package `solana-sdk v1.16.1`
... which satisfies dependency `solana-sdk = "^1.16.1"` of package `ortone v0.1.0 (/home/declanpc/Dev/ortone)`
versions that meet the requirements `>=1, <1.4` are: 1.3.0, 1.2.0, 1.1.1, 1.1.0, 1.0.0
all possible versions conflict with previously selected packages.
previously selected package `zeroize v1.5.3`
... which satisfies dependency `zeroize = "^1.5"` of package `elliptic-curve v0.12.3`
... which satisfies dependency `elliptic-curve = "^0.12"` of package `ecdsa v0.14.8
Steps i have done to resolve it.
I tried installing zeroize in my cargo.toml, cargo says the latest version is above the requirements of a package.
Then i tried installing older version, cargo says that version is below the requirements of another package.
curve25519-dalek v3.2.1 (child-dependency from the solana-sdk crate) pins zerosize to version >= 1, <1.4 whereas elliptic-curve v0.12.* requires zerosize to be version >= 1.5, <2.0, creating the version conflict. You could downgrade elliptic-curve to version 0.11.12, which requires zerosize to be >= 1.0, <2.0, making it possible to use it together with curve25519-dalek.
Then it complained about Snow, i added snow = 0.9.2
it gave me this.
error: failed to select a version for `zeroize`.
... required by package `curve25519-dalek v3.2.1`
... which satisfies dependency `curve25519-dalek = "^3.2.1"` of package `solana-program v1.16.1`
... which satisfies dependency `solana-program = "=1.16.1"` of package `solana-sdk v1.16.1`
... which satisfies dependency `solana-sdk = "^1.16.1"` of package `ortone v0.1.0 (/home/declanpc/Dev/ortone)`
versions that meet the requirements `>=1, <1.4` are: 1.3.0, 1.2.0, 1.1.1, 1.1.0, 1.0.0
all possible versions conflict with previously selected packages.
previously selected package `zeroize v1.5.3`
... which satisfies dependency `zeroize = "^1.5"` of package `elliptic-curve v0.12.3`
... which satisfies dependency `elliptic-curve = "^0.12"` of package `ecdsa v0.14.8`
... which satisfies dependency `ecdsa-core = "^0.14"` of package `p384 v0.11.2`
... which satisfies dependency `p384 = "^0.11.2"` of package `webrtc-dtls v0.7.0`
... which satisfies dependency `dtls = "^0.7.0"` of package `webrtc v0.6.0`
... which satisfies dependency `webrtc = "^0.6.0"` of package `libp2p-webrtc v0.4.0-alpha.3`
... which satisfies dependency `libp2p-webrtc = "^0.4.0-alpha.3"` of package `libp2p v0.51.3`
... which satisfies dependency `libp2p = "^0.51.3"` of package `ortone v0.1.0 (/home/declanpc/Dev/ortone)`
failed to select a version for `zeroize` which could resolve this conflict
Okay, same problem but buried far deeper in your dependency tree. You could try downgrading libp2p, but I don't know to which version. It might be that the solana-sdk and libp2p are incompatible right now, due to this version conflict. curve25519-dalek v4 stops pinning zerosize, so you might have to wait till they release it (currently they are in pre-release RC 2) and solana updates to the the new major release of curve25519-dalek.
Version pinning without an exceptionally good reason in the context of an ecosystem library is a really bad idea, and doing it in the name of MSRV doesn't scale for exactly the reason this thread was created.
It looks like zeroize is no longer being pinned on main, but other things are still being pinned. (I don't know whether it's because of MSRV or some other reason here though.)