Finding a pinned dependency edge

djc · September 12, 2022, 8:49am

I have a large workspace where I just noticed, in my weekly cargo update run, that a few of my dependencies (including chrono, js-sys, bumpalo, web-sys, and a bunch of wasm-bindgen crates) got downgraded. I think this means that some crate in my dependency graph is pinning chrono et al to an older version, otherwise I don't think this could happen? My question is: how do I figure out which crate it is.

I started by looking at cargo tree -i chrono to figure out what is depending on chrono, but that is mostly internal crates and a few other ones that I checked (on crates.io). I then tried to check which crates got updated in the same cargo update run, but none of the updated stuff seems to have introduced a pinned dependency. I also checked on https://lib.rs/crates/chrono/rev, but there only the deno CLI seems to have pinned a bunch of dependencies (but this doesn't appear in my workspace).

Any other suggestions on how best to hunt down this anomaly?

alice · September 12, 2022, 8:57am

I would probably try grepping for chrono in my cargo package cache.

grep -e '\<chrono\>' $(find ~/.cargo/registry -name Cargo.toml)

djc · September 12, 2022, 9:34am

That's a good suggestion! A lot of hits for chrono to scroll through, though... I also searched for = ?0.4.20 but that didn't turn up anything relevant either. I've now been bisecting the other non-downgrade updates in a separate crate, and it seems like the update from whoami 1.2.1 to 1.2.2 is implicated. Still trying to figure out how that fits together exactly.

djc · September 12, 2022, 10:11am

I found the underlying problem by adding the dependency that got updated at the same time as the downgrades in a test crate. I wrote up the problem in some detail here:

github.com/ardaku/whoami

Consider allowing newer versions of wasm dependencies

opened 10:10AM - 12 Sep 22 UTC

djc

In https://github.com/ardaku/whoami/pull/38 you constrained the allowed versions… for wasm-bindgen: ```diff [target.'cfg(target_arch = "wasm32")'.dependencies.wasm-bindgen] -version = "0.2" +version = ">= 0.2, <= 0.2.78" ``` However, this means that all transitive downstream dependencies are no longer allowed to depend on newer wasm-bindgen, which seems like a bad idea. If you want to test support for older MSRVs, it's probably worth downgrading your wasm-bindgen versions explicitly in the CI job instead of constraining the upper allowed version. For example, I ran into this because I'd like to use chrono 0.4.22 (the latest version). I happen to have a transitive dependency on whoami through sqlx-core, which I wasn't aware of before today. Therefore, Cargo [silently downgraded](https://github.com/rust-lang/cargo/issues/5702#issuecomment-1243500147) my chrono dependency as I pulled in, since chrono depends on iana-time-zone, which [recently started depending](https://github.com/strawlab/iana-time-zone/pull/38) on wasm-bindgen and (reasonably) requires the current version at the time (0.2.81). This is an issue in particular for wasm-bindgen, because it is set up to be treated as a native library, which means only one version is allowed to be linked. Here's the error I get when I try to force usage of chrono 0.4.22: ``` error: failed to select a version for `wasm-bindgen`. ... required by package `whoami v1.2.2` ... which satisfies dependency `whoami = "^1.2.2"` of package `test-rs v0.1.0 (/Users/djc/src/test-rs)` versions that meet the requirements `>=0.2, <=0.2.78` are: 0.2.78, 0.2.77, 0.2.76, 0.2.75, 0.2.74, 0.2.73, 0.2.72, 0.2.71, 0.2.70, 0.2.69, 0.2.68, 0.2.67, 0.2.66, 0.2.65, 0.2.64, 0.2.63, 0.2.62, 0.2.61, 0.2.60, 0.2.59, 0.2.58, 0.2.57, 0.2.56, 0.2.55, 0.2.54, 0.2.53, 0.2.52, 0.2.51, 0.2.50, 0.2.49, 0.2.48, 0.2.47, 0.2.46, 0.2.45, 0.2.44, 0.2.43, 0.2.42, 0.2.41, 0.2.40, 0.2.39, 0.2.38, 0.2.37, 0.2.36, 0.2.35, 0.2.34, 0.2.33, 0.2.32, 0.2.31, 0.2.30, 0.2.29, 0.2.28, 0.2.27, 0.2.26, 0.2.25, 0.2.24, 0.2.23, 0.2.22, 0.2.21, 0.2.20, 0.2.19, 0.2.18, 0.2.17, 0.2.16, 0.2.15, 0.2.14, 0.2.13, 0.2.12, 0.2.11, 0.2.10, 0.2.9, 0.2.8, 0.2.7, 0.2.6, 0.2.5, 0.2.4, 0.2.3, 0.2.2, 0.2.1, 0.2.0 the package `wasm-bindgen` links to the native library `wasm_bindgen`, but it conflicts with a previous package which links to `wasm_bindgen` as well: package `wasm-bindgen-shared v0.2.81` ... which satisfies dependency `wasm-bindgen-shared = "=0.2.81"` of package `wasm-bindgen-backend v0.2.81` ... which satisfies dependency `wasm-bindgen-backend = "=0.2.81"` of package `wasm-bindgen-macro-support v0.2.81` ... which satisfies dependency `wasm-bindgen-macro-support = "=0.2.81"` of package `wasm-bindgen-macro v0.2.81` ... which satisfies dependency `wasm-bindgen-macro = "=0.2.81"` of package `wasm-bindgen v0.2.81` ... which satisfies dependency `wasm-bindgen = "^0.2.81"` of package `iana-time-zone v0.1.45` ... which satisfies dependency `iana-time-zone = "^0.1.44"` of package `chrono v0.4.22` ... which satisfies dependency `chrono = "^0.4.22"` of package `test-rs v0.1.0 (/Users/djc/src/test-rs)` Only one package in the dependency graph may specify the same links value. This helps ensure that only one copy of a native library is linked in the final binary. Try to adjust your dependencies so that only one package uses the links ='wasm-bindgen' value. For more information, see https://doc.rust-lang.org/cargo/reference/resolver.html#links. all possible versions conflict with previously selected packages. previously selected package `wasm-bindgen v0.2.81` ... which satisfies dependency `wasm-bindgen = "^0.2.81"` of package `iana-time-zone v0.1.45` ... which satisfies dependency `iana-time-zone = "^0.1.44"` of package `chrono v0.4.22` ... which satisfies dependency `chrono = "^0.4.22"` of package `test-rs v0.1.0 (/Users/djc/src/test-rs)` failed to select a version for `wasm-bindgen` which could resolve this conflict ``` So I would like to request you reconsider how you support older MSRVs.

system · December 11, 2022, 10:12am

This topic was automatically closed 90 days after the last reply. We invite you to open a new topic if you have further questions or comments.

Topic		Replies	Views
Cargo Pinned Version Trouble? help	4	287	February 13, 2023
Troubleshooting a cyclic dependency help	2	1092	November 9, 2021
[crates.io] Disable yanking crates that have dependant crates?	18	1759	January 12, 2023
Impact of pinning dependencies help	17	3419	January 12, 2023
How to find which crate brings specific external link-time dependency help	5	519	January 12, 2023

Finding a pinned dependency edge

Related Topics