Can we access crates which are used by a crate which we have in our Cargo.toml, please?

Hi,

I'm using the actix-web crate; I have it in the [dependencies] of my Cargo.toml file.

I've scanned through the actix-web code.

I've seen that it uses the mime crate.

Is there a way for us to use the mime crate in our code without explicitly adding it to the Cargo.toml file, please?

I've tried adding mime to Cargo.toml, and I can use it with no problems.

But how can I be certain that the mime version which I add is the same as the one which actix-web uses? Is it possible that, in this case, I could potentially have two different versions of mime compiled into my application?

Thank you and best regards,

...behai.

Only if actix-web happens to re-export its mime dependency, which it seems it does not.

Since actix-web doesn't re-export mime, your only option is to look up what version of mime actix-web uses, add that to your Cargo.toml, and then be very careful when updating either dependency that they remain in sync. If they get out of sync, and the two versions aren't semver-compatible, then you will indeed end up with two different versions of mime compiled into your project.

4 Likes

If you care about this problem generally (for any crate), have a look at this config option of cargo-deny.

If you only care about the mime versions or don't want to use another tool, you could write a script that parses the Cargo.lock file produced by a build of your project to automate the check.

3 Likes
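One way to write the Cargo.lock check suggested in the post above, as an added example that is not code from the thread or from any of the projects mentioned. It assumes the layout cargo writes (each `[[package]]` table has `name` and `version` on their own lines), uses only the standard library, and falls back to a constructed sample lockfile with made-up versions when no `./Cargo.lock` is present:

```rust
use std::collections::{BTreeMap, BTreeSet};

// Constructed sample lockfile (not from a real build); versions are made up.
const SAMPLE_LOCK: &str = r#"
[[package]]
name = "actix-web"
version = "4.0.0"
dependencies = [
 "mime 0.3.17",
]
[[package]]
name = "mime"
version = "0.2.6"
[[package]]
name = "mime"
version = "0.3.17"
"#;

/// Parse a `key = "value"` line and return `value`; `None` for anything else.
fn quoted_value<'a>(line: &'a str, key: &str) -> Option<&'a str> {
    let rest = line.strip_prefix(key)?.trim_start().strip_prefix('=')?;
    rest.trim().strip_prefix('"')?.strip_suffix('"')
}

/// Crates that the lockfile pins at more than one version.
fn duplicates(lock: &str) -> BTreeMap<String, Vec<String>> {
    let mut seen: BTreeMap<String, BTreeSet<String>> = BTreeMap::new();
    let (mut in_package, mut name) = (false, None);
    for line in lock.lines().map(str::trim) {
        if line.starts_with('[') {
            in_package = line == "[[package]]"; // only package tables matter
            name = None;
        } else if let (true, Some(n)) = (in_package, quoted_value(line, "name")) {
            name = Some(n.to_string());
        } else if let (true, Some(v)) = (in_package, quoted_value(line, "version")) {
            if let Some(n) = name.take() {
                seen.entry(n).or_default().insert(v.to_string());
            }
        }
    }
    seen.into_iter().filter(|(_, v)| v.len() > 1)
        .map(|(n, v)| (n, v.into_iter().collect())).collect()
}

fn main() {
    let lock = std::fs::read_to_string("Cargo.lock").unwrap_or_else(|_| SAMPLE_LOCK.into());
    for (name, versions) in duplicates(&lock) {
        println!("{name}: {}", versions.join(", "));
    }
}
```

Run from the project root after a build, an empty output means no crate is locked at two versions.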

There are two possible scenarios. If actix-web only uses mime internally, as an implementation detail, then it's considered a "private dependency". This means actix-web could upgrade its dependency to new major versions over minor version updates of actix-web itself. This means that even if your crate started out making sure to use the same version, it could diverge into two different versions.

On the other hand, if actix-web uses types or traits from mime in its own API, or in other ways that could break user code when the mime major version changes, then it's considered a "public dependency". In this case, if you also use it with actix-web in a way that breaks when the versions mismatch, you can be sure that the versions will always match (otherwise your code wouldn't compile), and in case you upgrade the major version of your actix-web dependency, you might also be forced to upgrade the major version of your mime dependency.

Minor versions are never duplicated. You can never end up with a crate directly or indirectly using two different versions of some other crate that only differ in minor versions. This concept of minor version involves the last number y in 0.x.y versions, and the last two numbers y and z in x.y.z versions for x != 0.

6 Likes

In the concrete case of actix-web and mime, I've found an API that involves mime's types

so it's a public dependency.

1 Like

Hi @jwodder, @mickvangelderen, @steffahn,

Thank you very much for your help, and for all the reference documentation.

I appreciate your help.

Thank you and best regards,

...behai.