Command to update Cargo.lock to minimal versions
matklad opened this issue · 13 comments
From today's meeting.
Problem:
You write a library A, which depends on B, so you put B = 1.0
in A's Cargo.toml. The you run Cargo build, and Cargo greedily pulls B 1.1 into the lockfile. Then you accidentally start depending on features introduced in 1.1, but you don't change Cargo.toml
. Your test locally pass, and CI passes as well, and you publish a crate whose Cargo.toml is a lie.
Solution:
Add cargo update --minimal
, which generates lockfile picking the minimum possible version of all crates (it's not possible, of course, because there's no total order on dependency graphs, but some heuristics might work well in practice). Then in CI environment you generate the minimal lockfile to make sure you don't accidentally depend on newer than Cargo.toml features.
Note that we can envision some kind of static solution here, for example, by tagging library functionality with #since attribute. However, actually testing things is still needed, because you may depend on a critical bugfix from the dependency.
This I think would just involve changing
cargo/src/cargo/core/resolver/mod.rs
Line 1088 in 3ed3497
I am still learning cargo internals, but I would be willing to help someone who wanted to take this on!
Then you accidentally start depending on features introduced in 1.1, but you don't change Cargo.toml
Perhaps there's some way to tackle this problem head-on? Probably not, but it's interesting to think about. Two possible ways I can think of:
-
Force
B
to addsince="1.1.0"
annotations to API introduced inv1.1.0
. Cargo prevents using APIs added later than the minimal version allowed byCargo.toml
. -
Use an automatic tool like https://github.com/rust-lang-nursery/rust-semverver.
The relevant line of code has moved to:
cargo/src/cargo/core/resolver/mod.rs
Line 664 in af60861
I think we would add a arg to:
cargo/src/cargo/core/resolver/mod.rs
Line 573 in af60861
Can give this a try :)
@Dylan-DPC That is wonderful!
The idea is that the sort on line L664 determines the order that cargo tries versions of packages. Currently from newest to oldest and we want to reverse that order.
Steps as I see it:
- Add a
-Z
flag, like I did in https://github.com/rust-lang/cargo/pull/4990/files - Get that flag on L364 something like
config.cli_unstable().minimal_versions
and pass it toRegistryQueryer
- Use it in the sort function,
if minimal_versions {a.summary.version().cmp(b.summary.version()) } else the existing code
- Add it to some tests. I'd fine them by (temporarily) hard coding
minimal_versions
to true and looking at wich test incargo\tests\testsuite\resolve.rs
fail.
How can I be helpful!?
Thanks @Eh2406 will take a look whenever I'm free and see how far I get :)
If that turns out to be challenging, feel free to ask!
Get that flag on L364 something like config.cli_unstable().minimal_versions and pass it to RegistryQueryer
L364 of which file?
Sorry I wasn't clear
cargo/src/cargo/core/resolver/mod.rs