Cargo update is not updating

niklasrudemo · July 21, 2022, 6:00am

I am new to Rust and following the examples in the Rust Programming Language.

In this section about cargo,
[Dealing with RUSTSEC and patching deps of deps](https://Updating a Crate to Get a New Version)

the example show how the command cargo update updates rand from 0.8.3 to 0.8.4 like so:

$ cargo update
    Updating crates.io index
    Updating rand v0.8.3 -> v0.8.4

But when I do the same, there is no update:

$ cargo update
    Updating crates.io index

and Cargo.toml still looks like this:

[dependencies]

rand = "0.8.3"

when I expected it to have been updated to v0.8.5, which is the most recent version.

Why is cargo update not updating?

blonk · July 21, 2022, 6:15am

The Cargo.toml in this case is sort of "advisory". When you originally built with 0.8.3 cargo automatically picked 0.8.5 for you, so updating won't change anything.

To see what's really being used, check the automatically generated Cargo.lock file.

(There is a syntax to specify an exact version in Cargo.toml, but this is frowned upon, unless you have very specific reasons to do so).

niklasrudemo · July 21, 2022, 6:18am

Thanks!

So update is only relevant if I start out with the latest version, this then is updated, and i subsquently run cargo update?

blonk · July 21, 2022, 6:23am

Basically, yes.

Michael-F-Bryan · July 21, 2022, 11:20am

To elaborate on what @blonk means by "advisory", the rand = "0.8.3" in your Cargo.toml file tells cargo that you depend on the rand crate and want something that is compatible with 0.8.3. This "is compatible" is derived from Semantic Versioning and gives cargo enough wiggle room that cargo update will let you pick up any recent bugfixes.

The Cargo.lock file pins the exact versions of each dependency that are being used so you can have well-defined, repeatable builds^[1]. When a Cargo.lock file is present, cargo build will only ever use the versions it specifies, and the only way to modify Cargo.lock is via cargo update (which updates crates to their latest semver-compatible version) or modifying the dependencies listed in Cargo.toml.

i.e. it doesn't matter whether you are building the crate on your machine or I'm building it or it's built in CI, we'll always use the same version of every crate. ↩︎

system · October 19, 2022, 11:20am

This topic was automatically closed 90 days after the last reply. We invite you to open a new topic if you have further questions or comments.