Cargo duplicating dependency when it seems like it shouldn't be

pkgw · January 19, 2023, 10:32pm

Hi all,

I have a case where Cargo is duplicating a dependency when I feel like it shouldn't be. The streamlined scenario is this:

I have a crate, inner, that depends on ndarray >=0.8
I have another crate, outer, that depends on inner and ndarray 0.14

In this case, I end up with two copies of ndarray: one at 0.14.0, for outer, and one at 0.15.6 (the latest release) for inner. It really seems to me, based on what seems sensible and the docs, that Cargo should realize that 0.14.0 satisfies both of these version constraints, and not duplicate the package. Am I missing something here?

(Some extra experiments:

Same thing happens if I switch the >= dep to outer
Same kind of thing happens if I have, e.g, a dep on clap >=2 and one on clap 3
Choice of resolver = "1" or resolver = "2" does not affect results

)

17cupsofcoffee · January 19, 2023, 10:39pm

If outer's dependency looks like ndarray = "0.14", that is equivalent to ndarray = "^0.14".

^0.14 means 'the newest version that is semver compatible with 0.14'. 0.x versions are not semver compatible with each other^[1], so 0.15 would not satisfy that requirement.

>=0.8, on the other hand, means 'the newest version greater than or equal to 0.8, and 0.15 does satisfy that.

At least in Cargo's implementation of semver - I think the original spec is less strict? ↩︎

H2CO3 · January 19, 2023, 10:39pm

0.14.x and 0.15.x are not semver-compatible.

riking · January 19, 2023, 10:42pm

OP's question seems to be, why is 0.14 not selected to satisfy the >=0.8 constraint?

In general, Cargo will always try to pick the newest versions available when it's asked to resolve from scratch.

pkgw · January 20, 2023, 2:51pm

Yes, @riking gets the point here. The crux of the question is why 0.15 is even coming up at all when 0.14 easily satisfies all of the requirements.

This seems like a non-trivial bug/misbehavior to me? If inner is a helper that's compatible with a dependency that has multiple versions that are formally semver-incompatible (that is, ndarray >=0.8), I'd hope that specifying that wide compatibility range would allow inner to play nice with crates that use any of those versions (e.g., outer can depend on ndarray 0.14, 0.13, or whatever). But instead the default resolution results in a duplicated dep, unless the crate happens to call for the latest available version of the common dep.

edit: for reference, the Cargo implementation is here. The header comment describes the resolution algorithm in a bit more detail. Its description is consistent with the observed behavior, I think, but it still seems to me that this behavior has some unfortunate consequences.

pkgw · January 20, 2023, 3:13pm

After doing a bit more digging, I see that this issue is explored in:

github.com/rust-lang/cargo

Cargo resolver picks two versions of a crate, even when one is enough

opened 07:39AM - 26 Apr 22 UTC

closed 05:14PM - 24 May 22 UTC

omid

C-bug

### Problem Diesel 2 (rc.0) depends on `uuid >=0.7.0, <2.0.0` and my app depe…nds on `uuid =0.8.2` because some other deps depend on that. Cargo resolver always pick two versions of `uuid`, `0.8.2` and `1.0.0`. (in my case) It's the same if I remove the `=`, also the same if I remove `uuid` dep from my app and only some other deps depend on `uuid 0.8.2`. Test scenario to cover this case: ``` #[cargo_test] fn uuid_test() { Package::new("uuid", "0.8.2").publish(); Package::new("uuid", "1.0.0").publish(); Package::new("diesel", "2.0.0") .dep("uuid", ">=0.7.0, <2.0.0") .publish(); let p = project() .file( "Cargo.toml", r#" [package] name = "foo" version = "1.0.0" [dependencies] diesel = "2.0" uuid = "0.8.2" "#, ) .file("src/lib.rs", "") .build(); p.cargo("tree -i uuid").with_stdout_contains("uuid v0.8.2").run(); } ``` ### Steps 1. Create a new project 2. Add the following deps: ``` diesel = {version = "2.0.0-rc.0", features = ["uuid"]} uuid = "=0.8.2" ``` 3. Run `cargo tree -i uuid` ### Possible Solution(s) _No response_ ### Notes _No response_ ### Version ```text cargo 1.60.0 (d1fd9fe 2022-03-01) release: 1.60.0 commit-hash: d1fd9fe2c40a1a56af9132b5c92ab963ac7ae422 commit-date: 2022-03-01 host: x86_64-unknown-linux-gnu ```

Major-open semver range does not properly unify with closed semver ranges

opened 12:07AM - 31 Dec 20 UTC

CAD97

C-bug A-dependency-resolution

**Problem** If a dependency's version is constrained to cover multiple semver…-incompatible releases, the version selected does not unify with more specific restrictions from elsewhere in the build graph. E.g. a requirement for `>=0.0.0, <0.9.0` and a requirement for `^0.4.0` results in both version `0.4.x` and `0.8.y` being pulled in (or `0.4.x` and `0.1.0` with `-Zminimal-versions`), rather than unifying both versions to just `0.4.x`. Manually adjusting the lockfile to use `0.4.x` in both cases works as expected; this is just an issue with the "find the best solution" codepath, not the "check the lockfile satisfies" codepath. Originally reported by @MaximilianKoestler on URLO: https://users.rust-lang.org/t/crate-interoperability-and-3rd-party-types-in-interfaces/53431 **Steps** Repro from @MaximilianKoestler : https://github.com/MaximilianKoestler/crate-version-testing Using the `rgb` crate as our target, this is exemplified using just the three packages: ```toml [package] name = "lib_a" [dependencies] rgb = ">=0.4.0, <0.5.0" ``` ```toml [package] name = "lib_b" [dependencies] rgb = ">=0.0.0, <0.9.0" ``` ```toml [package] name = "bin_c" [dependencies] lib_a = { path = "../lib_a" } lib_b = { path = "../lib_b" } ``` The generated lockfile: ```toml # irrelevant parts removed and reordered [[package]] name = "lib_a" dependencies = [ "rgb 0.4.0", ] [[package]] name = "lib_b" dependencies = [ "rgb 0.8.25", ] [[package]] name = "bin_c" dependencies = [ "lib_a", "lib_b", ] [[package]] name = "rgb" version = "0.4.0" source = "registry+https://github.com/rust-lang/crates.io-index" [[package]] name = "rgb" version = "0.8.25" source = "registry+https://github.com/rust-lang/crates.io-index" ``` **Possible Solution(s)** Ideally, if all constraints overlap, only a single version should be selected. Otherwise, maintaining support for old semver-incompatible versions of public dependencies (when the subset you're using didn't change) is almost meaningless, as cargo won't unify the dependency off of the most recent semver-compatible range (or first with `-Zminimal-versions`). **Notes** Output of `cargo version`: `cargo 1.50.0-nightly (75d5d8cff 2020-12-22)` (also occurs on stable)

system · April 20, 2023, 3:13pm

This topic was automatically closed 90 days after the last reply. We invite you to open a new topic if you have further questions or comments.

Topic		Replies	Views
Managing multiple versions of a dependency help	13	929	May 2, 2021
Cargo refuses to compile multiple SemVer-compatible versions of the same crate	4	677	March 30, 2021
Cargo: how to "import" dependency versions from another dependent crate? help	4	771	June 21, 2020
PSA: Please specify precise dependency versions in Cargo.toml announcements	51	10595	May 15, 2022
Add a crate with same version as a dependency is using? help	13	2139	January 12, 2023

Cargo duplicating dependency when it seems like it shouldn't be

Related Topics