How to check dependency versions?

Hi folks,

Recently, one of my users reported a compilation failure with my package. I noticed that I relied on a feature of the dbus package introduced in 0.9.1, while I specified dbus = "0.9" in my Cargo.toml.

Is there a way to compile my project with the oldest possible versions of the dependencies so I know that my dependencies are correct?

I also have another issue with clap. My Cargo.toml specifies clap = "2.0", but on older Rust editions, clap >= 2.28 does not compile. I have not found any easy way to enforce the version of a dependency. In the end, I changed my dependency to clap = "2.0, < 2.28". I am not very satisfied with the workaround: users of newer Rust editions still use an outdated version of clap.

I believe that clap made a mistake when declaring the minimal supported edition, but it is now too late to fix it. If they had had a tool to check their requirements, maybe it would not have happened. What do you think?

Overall, does anyone have a recipe to deal with these issues?

I don't know, but here are some relevant Cargo tickets:
https://github.com/rust-lang/cargo/issues/5657
https://github.com/rust-lang/cargo/issues/9930

Please don't do this. If users of your crate need an older version, they can force the version themselves. Using an upper bound will make it impossible to use your crate if they also happen to depend on 2.y where y >= 28, as cargo doesn't allow more than one semver-compatible version of a crate to be used inside a workspace.

I agree, but I did not find any easy way to enforce a version. Do you have any suggestions?

Yes. Upgrade to a modern version of clap, it's at 3.x by now.

Granted it doesn't prevent the issue from happening again in principle, but it does solve it now without crippling the dependency upgrade path.

Unfortunately, I don't have the time to make this migration for now.

BTW, how am I going to support my users with older Rust editions?

Is your crate a library or an application? The other responders seem (I apologize if I misunderstand) to be assuming that it is a library, but it seems unusual for a library to depend on clap.

A library of mine did once depend on clap, but that was strange and I don't think I approve of it in hindsight.

An application. You can find it here: wisun-br-linux/app_wsbrd_cli at main · SiliconLabs/wisun-br-linux · GitHub.

For applications you should check in Cargo.lock. This file contains the exact versions to use for all crates when building your application.

You mean I should provide my Cargo.lock?

tldr:
Cargo.lock for binaries.
Cargo.lock in .gitignore for libraries.

https://doc.rust-lang.org/cargo/guide/cargo-toml-vs-cargo-lock.html

Makes sense. I am going to think about that.

At least I have an answer to one of my questions: I can enforce the version of clap using:
cargo update -p clap --precise 2.27.1
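
Added example, not part of the thread and not code from Cargo: a simplified Rust model of the requirement syntax discussed above, showing why dbus = "0.9" still admits 0.9.0 and why clap = "2.0, < 2.28" cannot be combined with a dependent that needs 2.28. The helper names and the candidate version lists are constructed for illustration.

```rust
// Added example: a simplified model of Cargo version requirements.
// Handles bare (caret) requirements such as "0.9" or "2.0.1" and "< X.Y" bounds only;
// all-zero partial requirements like "0" or "0.0" are not modelled.
type Version = (u64, u64, u64);

fn parse(s: &str) -> Version {
    let mut parts = s.trim().split('.').map(|p| p.parse::<u64>().expect("numeric component"));
    (parts.next().unwrap_or(0), parts.next().unwrap_or(0), parts.next().unwrap_or(0))
}

/// Half-open range [lower, upper) accepted by one comparator.
fn range(comparator: &str) -> (Version, Version) {
    let c = comparator.trim();
    if let Some(rest) = c.strip_prefix('<') {
        return ((0, 0, 0), parse(rest));
    }
    let lower = parse(c);
    // Caret rule: the leftmost non-zero component must stay the same.
    let upper = match lower {
        (0, 0, patch) => (0, 0, patch + 1),
        (0, minor, _) => (0, minor + 1, 0),
        (major, _, _) => (major + 1, 0, 0),
    };
    (lower, upper)
}

/// True if `version` satisfies every comma-separated comparator in `req`.
fn matches(req: &str, version: &str) -> bool {
    let v = parse(version);
    req.split(',').all(|c| {
        let (lower, upper) = range(c);
        lower <= v && v < upper
    })
}

/// Oldest candidate accepted by all requirements at once, if any.
fn oldest<'a>(reqs: &[&str], candidates: &[&'a str]) -> Option<&'a str> {
    candidates.iter().copied()
        .filter(|v| reqs.iter().all(|r| matches(r, v)))
        .min_by_key(|v| parse(v))
}

fn main() {
    // Constructed candidate lists, not the crates' real release histories.
    let dbus = ["0.9.0", "0.9.1", "0.9.2"];
    let clap = ["2.0.0", "2.27.1", "2.28.0", "2.33.0"];
    println!("dbus \"0.9\"   -> {:?}", oldest(&["0.9"], &dbus));
    println!("dbus \"0.9.1\" -> {:?}", oldest(&["0.9.1"], &dbus));
    println!("clap capped + \"2.28\" -> {:?}", oldest(&["2.0, < 2.28", "2.28"], &clap));
}
```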