In Cargo, can we influence the resolution of nested dependencies from our own top-level crate? Is there a way to request Cargo to "unify" a particular nested dependency and either:
- forcibly resolve every copy of that dep in the tree to one singular version XYZ
- fail the resolution if it can't satisfy all constraints simultaneously
...rather than introducing duplicates of differing versions?
it seems like dependency lines I add to my own crates' Cargo.toml
don't alter what my dependencies are able to pull in, so I can't tell how else I might be able to influence the decisions, or if I indeed can. I've found cargo tree -d
to identify duplicates once it happens, and cargo-deny
to fail CI on PRs introducing such a problem, but I'm not sure how to fix it. I also don't know exactly what downsides there are besides size bloat and time spent compiling.
I see this concern hurt new Tokio users who get mixed versions due to deps that haven't been upgraded to 1.0, and I observe it myself with i.e. the crossbeam
crate family, or itertools
, or crates building on/around rand
. The Bevy game engine project has a number of duplicates in its own tree, for an open example.
In one of my projects using Bevy, both of these commands below fail, because I took a dev dependency on criterion
and the newest version of criterion did not particularly demand brand-new rayon/crossbeam, but received it anyway:
cargo update -p crossbeam-utils:0.7.2 --precise 0.8.1 --dry-run
cargo update -p crossbeam-utils:0.8.1 --precise 0.7.2 --dry-run
What I'm hoping for is an opt-in way to say in practice, "give me the newest version of criterion
that won't duplicate any of my deps", or else to say "for criterion's dependency on i.e. rayon
, resolve that to version X as long as it satisfies", which would let me solve the first, I think.
I wonder if this is behavior is fuzzier because the duplication straddles the boundary between some of my formal deps and my dev-deps?