Finding a pinned dependency edge

I have a large workspace where I just noticed, in my weekly cargo update run, that a few of my dependencies (including chrono, js-sys, bumpalo, web-sys, and a bunch of wasm-bindgen crates) got downgraded. I think this means that some crate in my dependency graph is pinning chrono et al to an older version, otherwise I don't think this could happen? My question is: how do I figure out which crate it is.

I started by looking at cargo tree -i chrono to figure out what is depending on chrono, but that is mostly internal crates and a few other ones that I checked (on crates.io). I then tried to check which crates got updated in the same cargo update run, but none of the updated stuff seems to have introduced a pinned dependency. I also checked on https://lib.rs/crates/chrono/rev, but there only the deno CLI seems to have pinned a bunch of dependencies (but this doesn't appear in my workspace).

Any other suggestions on how best to hunt down this anomaly?

I would probably try grepping for chrono in my cargo package cache.

grep -e '\<chrono\>' $(find ~/.cargo/registry -name Cargo.toml)
1 Like

That's a good suggestion! A lot of hits for chrono to scroll through, though... I also searched for = ?0.4.20 but that didn't turn up anything relevant either. I've now been bisecting the other non-downgrade updates in a separate crate, and it seems like the update from whoami 1.2.1 to 1.2.2 is implicated. Still trying to figure out how that fits together exactly.

I found the underlying problem by adding the dependency that got updated at the same time as the downgrades in a test crate. I wrote up the problem in some detail here: