Tokio version is pinned

[quambene]

Currently, the version for tokio dependency is pinned. For example, tokio = "=1.47.1" in release 1.64.2 (see https://github.com/MystenLabs/sui/blob/mainnet-v1.64.2/Cargo.toml#L548), but also tokio = "=1.49.0" in main (see https://github.com/MystenLabs/sui/blob/main/Cargo.toml#L546).

That's problematic because it forces downstream dependencies to use the same version, but also means that patches or security patches for this pinned version can't be included. So at least the patch version shouldn't be pinned (e.g. tokio = "~1.47" instead of tokio = "=1.47.1").

[github-actions]

Thank you for opening this issue, a team member will review it shortly. Until then, please do not interact with any users that claim to be from Sui support and do not click on any links!

[amnn]

Hi @quambene, the tokio version is pinned because our test infrastructure uses a shimmed/replaced version of tokio when it runs and so we need to a fairly tight constraint to make sure cargo does not update tokio to a version that will cause testing issues.

Handing over to @mystenmark to advise on whether it's okay for us to relax this to allow patch version updates.