Can't install binary due to yanked dependency?

help
#1

This wasn't the marketing message I recall hearing about yanked crates, that they remain accessible if they are in an existing Cargo.lock. But nevertheless, as I found and originally mentioned in:

Toward Better Crate Dependency Graphs

cargo install cargo-graph --locked 
    Updating crates.io index
  Installing cargo-graph v0.3.1
error: failed to compile `cargo-graph v0.3.1`, intermediate artifacts can be found at `/tmp/cargo-installdryLBw`

Caused by:
  failed to select a version for the requirement `clap = "~2.11.3"`
  candidate versions found which didn't match: 2.33.3, 2.33.2, 2.33.1, ...
  location searched: crates.io index
  required by package `cargo-graph v0.3.1`

Where https://crates.io/crates/clap/versions shoes yanked-mageddon half way down the page, and for all compatible ~2.11.3 (aka >= 2.11.3, < 2.12). Did the original cargo-graph author's release do something wrong here, to disserve this somehow?

#2

The actual download for cargo-graph does not have a lock file. It was published before cargo started including that by default:

Cargo 1.37:

  • The "publish lockfile" feature is now stable. This feature will automatically include the Cargo.lock file when a package is published if it contains a binary executable target. By default, Cargo will ignore Cargo.lock when installing a package. To force Cargo to use the Cargo.lock file included in the published package, use cargo install --locked . This may be useful to ensure that cargo install consistently reproduces the same result. It may also be useful when a semver-incompatible change is accidentally published to a dependency, providing a way to fall back to a version that is known to work. #7026
1 Like
#3

Thanks. It would have been nice if my "cargo 1.51.0-nightly (a73e5b7d5 2021-01-12)" was helpful enough to say:

cargo install cargo-graph --locked 
    Updating crates.io index
  Installing cargo-graph v0.3.1
+warning: no Cargo.lock file published in cargo-graph v0.3.1
error: failed to compile `cargo-graph v0.3.1`, intermediate artifacts can be found at `/tmp/cargo-installdryLBw`

Caused by:
  failed to select a version for the requirement `clap = "~2.11.3"`
  candidate versions found which didn't match: 2.33.3, 2.33.2, 2.33.1, ...
  location searched: crates.io index
  required by package `cargo-graph v0.3.1`
#4

That sounds like a good feature request!

As for cargo-graph in particular, there's a newer fork in cargo-deps.

#5

Wow, thanks! Now I need a tool that also graphs fork graphs! :slight_smile:

#6

Filed: Add warning when `cargo install --locked` used, but there is no Cargo.lock available · Issue #9106 · rust-lang/cargo · GitHub