I'd like to know how to modify the version of a sub-dependency of a crate I'm using.
For example:
{My APP} --depends on--> Axum (v: xx) --depends on--> Hyper (v: yy)
I want to change the version of crate Hyper from yy to zz.
I know that Cargo allows you to make a patch, but it involves cloning the crate repository, modifying its Cargo.toml file and making it a local dependency, which is too complicated just to modify the version of a sub-crate: Cargo overriding-dependencies (Patch)
Why do I want to do this? Because many crates are not up to date on the dependency side, and we end up with a program that depends on several versions of the same crate,
which causes several problems:
Updating a dependency to a new semver-incompatible version is likely a breaking change. I.e., when you update hyper in axum's dependencies (note that axum v0.7 already depends on hyper v1, so no need to update it to a more recent version) you likely need to fix quite a few errors in axum due to the breaking changes in hyper. That is why there isn't an "easier" way than patching axum to update its dependencies.
I just gave an example with (Axum/Hyper). I want to make minor version changes where there are just security patches or bug fixes, and not a change to the code interfaces.
Do you have a concrete example? Cargo's dependency versions are by default specified as "caret requirements". That means if you have a tokio = "1.0.3" requirement, every version of tokio that is >=1.0.3, <2.0.0 will be considered as a possible version the requirement can resolve to, with Cargo trying to get the most recent version that satisfies all other dependencies that depend on tokio v1.* as well. There is no need to update such a requirement to tokio = "1.5", as it is already within the range of supported versions. Instead, you should update your Cargo.lock file with cargo update to make sure you use the latest version of tokio in your local build.
You only run into problems when you start using other requirements than caret, because that can lead to two dependencies resolving to two incompatible versions of another dependency within a semver compatible version range. Like one crate defines tokio = ">=1, < 1.2" and another defines tokio = "1.3". Cargo can't resolve this as it only allows one concrete version of tokio per semver compatibility range (in this case 1.*).
Cargo does allow your package to depend on multiple versions of tokio between semver compatibility ranges, like tokio v1.* and tokio v0.3.*. But to fix you having both compiled for your project, you'd need to fix your dependencies to use tokio v1.* instead of v0.3.*. That would be a breaking change again like I described above, so you are back to patching again.
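
The resolution rules described in the last reply, modeled as a small Rust example that is added here and is not part of the thread or Cargo's own resolver. The function names `caret_range` and `resolve` and the list of published versions are constructed for illustration; pre-release tags are ignored.

```rust
// Added illustration, not Cargo's resolver: a simplified model of caret
// requirements. Pre-release tags are ignored; all versions are constructed.
type Version = (u64, u64, u64);
type Range = (Version, Version); // half-open: low <= v < high

/// Range accepted by a caret requirement such as "1.0.3", "1.3" or "0.3".
fn caret_range(req: &str) -> Option<Range> {
    let parts = req.trim().trim_start_matches('^').split('.')
        .map(|p| p.parse::<u64>().ok())
        .collect::<Option<Vec<u64>>>()?;
    if parts.len() > 3 { return None; }
    let get = |i: usize| parts.get(i).copied().unwrap_or(0);
    let low = (get(0), get(1), get(2));
    // The leftmost non-zero component is fixed; everything to its right may grow.
    let high = if low.0 > 0 || parts.len() == 1 { (low.0 + 1, 0, 0) }
        else if low.1 > 0 || parts.len() == 2 { (0, low.1 + 1, 0) }
        else { (0, 0, low.2 + 1) };
    Some((low, high))
}

/// Highest published version inside every range, or None if they never overlap.
fn resolve(ranges: &[Range], published: &[Version]) -> Option<Version> {
    published.iter().copied()
        .filter(|v| ranges.iter().all(|(lo, hi)| v >= lo && v < hi))
        .max()
}

fn main() {
    // Constructed list of published versions of one sub-dependency.
    let published = [(0, 3, 7), (1, 0, 3), (1, 1, 4), (1, 3, 0), (1, 5, 2), (2, 0, 0)];
    let caret = |r: &str| caret_range(r).expect("valid requirement");

    // "1.0.3" already admits 1.5.2, so refreshing Cargo.lock is enough.
    println!("{:?}", resolve(&[caret("1.0.3")], &published));
    // Two caret requirements on the same major version unify on one build.
    println!("{:?}", resolve(&[caret("1.0.3"), caret("1.3")], &published));
    // ">=1, <1.2" next to "1.3": same 1.* range, no common version, resolution fails.
    println!("{:?}", resolve(&[((1, 0, 0), (1, 2, 0)), caret("1.3")], &published));
    // "1.0.3" next to "0.3": different ranges, so each gets its own copy.
    println!("{:?}", resolve(&[caret("1.0.3"), caret("0.3")], &published));
}
```

The first two cases are the ones where a security or bug-fix release of the sub-dependency is picked up by refreshing the lock file alone, with no change to the intermediate crate.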