`cargo update` but not too new?

Hi,

`cargo update` is handy for staying up to date with the latest versions available, but I can't find any option to specify that I want crates to be x time old.

The purpose is to not use cutting-edge versions by default but only crates that are x months old, so we have some step back from eventual bugs/malware etc., overriding this rule if ever needed.

Thanks for any insight!

Semantic versioning doesn't take into account "version age". You can't do that.

What you can do is look manually at the versions of your dependencies and lock to the one you want.

[dependencies]
foo = "=1.2.3" # 1.2.3 was n months old at the time of writing this

That seems rather useless[1] to me, since you should probably use the version with the most bugfixes available to you, 1.2.x; that is the default cargo behavior if you only set "1.2.3" without the = or with a ~ in its place.

https://doc.rust-lang.org/cargo/reference/specifying-dependencies.html

  1. And if you're developing a library, that's just plainly a pain for your consumers.


Consider that if you pick "3 days old", nothing is stopping that from being immediately between a new release and a follow-up critical fix. I think the idea of "warn on versions that are a bit too new" is intriguing though...
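One way to act on that "warn on versions that are a bit too new" idea, as an added example that is not from this thread: a script that reads the locked versions from Cargo.lock and flags any whose publication date, taken from the `created_at` field of the crates.io API response, is younger than a chosen age. The Cargo.lock excerpt, the crates.io response stub and the "today" date are constructed; a real run would fetch `https://crates.io/api/v1/crates/<name>` for each package.

```python
from datetime import datetime, timezone

# Constructed Cargo.lock excerpt (not from the thread); real lock files use this shape.
CARGO_LOCK = """\
[[package]]
name = "foo"
version = "1.2.3"

[[package]]
name = "bar"
version = "0.9.0"
"""

# Constructed stand-in for GET https://crates.io/api/v1/crates/<name>, which
# returns {"versions": [{"num": "...", "created_at": "<ISO 8601>"}, ...]}.
CRATES_IO_STUB = {
    "foo": {"versions": [{"num": "1.2.3", "created_at": "2024-05-30T12:00:00.000000+00:00"}]},
    "bar": {"versions": [{"num": "0.9.0", "created_at": "2024-01-10T08:00:00.000000+00:00"}]},
}

NOW = datetime(2024, 6, 15, tzinfo=timezone.utc)  # constructed "today" for a reproducible run


def parse_cargo_lock(text):
    """Return {name: version} for every [[package]] entry in a Cargo.lock."""
    packages, name, version = {}, None, None
    for line in text.splitlines():
        line = line.strip()
        if line == "[[package]]":
            if name and version:
                packages[name] = version
            name = version = None
        elif line.startswith("name = "):
            name = line.split("=", 1)[1].strip().strip('"')
        elif line.startswith("version = "):
            version = line.split("=", 1)[1].strip().strip('"')
    if name and version:
        packages[name] = version
    return packages


def too_new(lock_text, index, now, min_age_days=30):
    """Return [(name, version, age_in_days)] for locked versions younger than min_age_days."""
    flagged = []
    for name, version in parse_cargo_lock(lock_text).items():
        for v in index[name]["versions"]:
            if v["num"] == version:
                age = (now - datetime.fromisoformat(v["created_at"])).days
                if age < min_age_days:
                    flagged.append((name, version, age))
    return flagged


def report():
    return too_new(CARGO_LOCK, CRATES_IO_STUB, NOW)


if __name__ == "__main__":
    for name, version, age in report():
        print(f"warning: {name} {version} was published only {age} days ago")
```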

I think it makes sense to avoid new minor versions, as a new feature means new code, which may bring new bugs. But avoiding new bugfix versions only makes your program vulnerable to known bugs.

If a dependency is specified with a tilde requirement, `cargo update` will not bump its minor version, but will still apply bugfix versions.
