cli: Warn if a manifest has solana-program dependency (otter-sec#3250)

Author: acheroncrypto

CHANGELOG.md

@@ -47,6 +47,7 @@ The minor version will be incremented upon a breaking change and the patch versi
 - ts: Include unresolved accounts in the resolution error message ([#3207](https://github.com/coral-xyz/anchor/pull/3207)).
 - lang: Add `LazyAccount` ([#3194](https://github.com/coral-xyz/anchor/pull/3194)).
 - avm: Ask whether to install if the version is not installed with the `use` command ([#3230](https://github.com/coral-xyz/anchor/pull/3230)).
+- cli: Warn if a manifest has `solana-program` dependency ([#3250](https://github.com/coral-xyz/anchor/pull/3250)).
 
 ### Fixes
 

cli/src/checks.rs

@@ -81,6 +81,36 @@ pub fn check_anchor_version(cfg: &WithPath<Config>) -> Result<()> {
     Ok(())
 }
 
+/// Check for potential dependency improvements.
+///
+/// The main problem people will run into with Solana v2 is that the `solana-program` version
+/// specified in users' `Cargo.toml` might be incompatible with `anchor-lang`'s dependency.
+/// To fix this and similar problems, users should use the crates exported from `anchor-lang` or
+/// `anchor-spl` when possible.
+pub fn check_deps(cfg: &WithPath<Config>) -> Result<()> {
+    // Check `solana-program`
+    cfg.get_rust_program_list()?
+        .into_iter()
+        .map(|path| path.join("Cargo.toml"))
+        .map(cargo_toml::Manifest::from_path)
+        .map(|man| man.map_err(|e| anyhow!("Failed to read manifest: {e}")))
+        .collect::<Result<Vec<_>>>()?
+        .into_iter()
+        .filter(|man| man.dependencies.contains_key("solana-program"))
+        .for_each(|man| {
+            eprintln!(
+                "WARNING: Adding `solana-program` as a separate dependency might cause conflicts.\n\
+                To solve, remove the `solana-program` dependency and use the exported crate from \
+                `anchor-lang`.\n\
+                `use solana_program` becomes `use anchor_lang::solana_program`.\n\
+                Program name: `{}`\n",
+                man.package().name()
+            )
+        });
+
+    Ok(())
+}
+
 /// Check whether the `idl-build` feature is being used correctly.
 ///
 /// **Note:** The check expects the current directory to be a program directory.

cli/src/lib.rs

@@ -9,7 +9,7 @@ use anchor_lang::{AccountDeserialize, AnchorDeserialize, AnchorSerialize, Discri
 use anchor_lang_idl::convert::convert_idl;
 use anchor_lang_idl::types::{Idl, IdlArrayLen, IdlDefinedFields, IdlType, IdlTypeDefTy};
 use anyhow::{anyhow, Context, Result};
-use checks::{check_anchor_version, check_idl_build_feature, check_overflow};
+use checks::{check_anchor_version, check_deps, check_idl_build_feature, check_overflow};
 use clap::Parser;
 use dirs::home_dir;
 use flate2::read::GzDecoder;
@@ -1328,6 +1328,7 @@ pub fn build(
 
     // Check whether there is a mismatch between CLI and crate/package versions
     check_anchor_version(&cfg).ok();
+    check_deps(&cfg).ok();
 
     let idl_out = match idl {
         Some(idl) => Some(PathBuf::from(idl)),