crossbeam-rs/crossbeam-epoch

Specifying minimum patch level for dependencies

jeehoonkang opened this issue · 4 comments

Currently, crossbeam-epoch specifies only major and minor version numbers for dependencies.
We agreed upon this in: #48 (comment), and our Cargo.toml requires crossbeam-utils "0.2" rather than "0.2.1", where 0.2.1 is the minimum required version. The main argument for requiring "0.2" (discussed in IRC) is basically no one specifies patch level.

However, recently I met: https://github.com/nikomatsakis/lalrpop/blob/master/lalrpop/Cargo.toml which specifies patch levels in its Cargo.toml. Note that lalrpop is arguably one of the most popular crates for parsing.

For this precedent and the reason I wrote in #48 (comment) (mainly e.g. "0.2" can be resolved to either 0.2.0 or 0.2.1), I'd like to specify patch level for dependencies, namely crossbeam-utils "0.2.1" rather than "0.2".

Actually the reason is that Cargo treats "0.2" and "0.2.1" identically: it only looks at the left-most major version number. This means that Cargo can use crate version "0.2.1" even if Cargo.toml specifies "0.2.3".

Ah yeah -- as you said, the more important reason was Cargo treats "0.2" and "0.2.1" identically. My original post was misleading, thanks.

But I still prefer "0.2.3" to "0.2", because the fact that Cargo ignores the patch level is not documented. Also, if the semantic versioning scheme is the specification of Cargo, it can actually distinguish "0.2" and "0.2.1" (but I admit that it's highly unlikely). I just want to be as clear as possible in specifying dependencies.

I came across this from rust-lang/cargo#4910 and just thought I'd chime in. Apologies for the unsolicited feedback!

> This means that Cargo can use crate version "0.2.1" even if Cargo.toml specifies "0.2.3".

This isn't quite right. A version number specified as "0.2.1" is sugar for the full specification "^0.2.1" which allows any version as long as it's SemVer compatible with the specified version. In short, "0.x.y" == "^0.x.y" which allows versions >= 0.x.y but < 0.(x + 1).0. Because functionality can be added at patch level for 0.x.y, it would not be SemVer compatible to use 0.2.1 when 0.2.3 was specified. As such, Cargo cannot use 0.2.1 when Cargo.toml specifies 0.2.3.

Whether you should specify the patch level depends on whether you need to specify the patch level. If you're using functionality found in a newer patch level, you must specify the new patch level or risk your package not building when an incompatible version is (correctly) chosen by Cargo. If you're not using functionality found in a newer patch level you shouldn't specify a newer patch level so that Cargo has more options to choose from when trying to minimize copies of one library in an application. Finally, whether you specify 0.x or 0.x.0 is a matter of preference; they are identical.
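The caret rule described in the comment above, as an added example that is not part of the thread and is not Cargo's own code: a minimal model of how a bare requirement such as "0.2" or "0.2.3" expands to a version range. The list of published versions is constructed for illustration, and pre-release and build metadata are not handled.

```rust
// Minimal model of Cargo's default (caret) requirements; illustration only.
type Version = (u64, u64, u64);

/// Parse "0.2" or "0.2.1" (optionally prefixed with '^') into
/// (major, minor?, patch?). Returns None on malformed input.
fn parse_req(req: &str) -> Option<(u64, Option<u64>, Option<u64>)> {
    let mut parts = req.trim_start_matches('^').split('.').map(|p| p.parse::<u64>());
    let major = parts.next()?.ok()?;
    let minor = parts.next().transpose().ok()?;
    let patch = parts.next().transpose().ok()?;
    if parts.next().is_some() {
        return None; // more than three components
    }
    Some((major, minor, patch))
}

/// Half-open range [lower, upper) accepted by the requirement.
fn caret_range(req: &str) -> Option<(Version, Version)> {
    let (major, minor, patch) = parse_req(req)?;
    let lower = (major, minor.unwrap_or(0), patch.unwrap_or(0));
    // The left-most non-zero component is the one that may not change.
    let upper = match (major, minor, patch) {
        (0, Some(0), Some(p)) => (0, 0, p + 1),
        (0, Some(m), _) => (0, m + 1, 0),
        (maj, _, _) => (maj + 1, 0, 0),
    };
    Some((lower, upper))
}

/// True if `version` satisfies `req`; tuples compare lexicographically.
fn accepts(req: &str, version: Version) -> bool {
    caret_range(req).map_or(false, |(lo, hi)| lo <= version && version < hi)
}

/// Versions from `published` that the resolver is allowed to pick for `req`.
fn candidates(req: &str, published: &[Version]) -> Vec<Version> {
    published.iter().copied().filter(|v| accepts(req, *v)).collect()
}

fn main() {
    // Constructed set of published versions of a hypothetical dependency.
    let published = [(0, 2, 0), (0, 2, 1), (0, 2, 3), (0, 3, 0)];
    for req in ["0.2", "0.2.0", "0.2.1", "0.2.3"].iter() {
        println!("{:>6} -> {:?}", req, candidates(req, &published));
    }
}
```
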

Closing it, as on the Cargo side, it is decided that we don't need to specify the minimum required patch level: rust-lang/cargo#5226