How to check the changes of dependency updates?

Hi,
I want to know what the (code) changes were in one of my dependencies.
For example: I used spin 0.9.8 and now I see that there is spin 0.10.0. Is there a way (and if so, how) to compare the source of these 2 versions? On crates.io, I do not see a commit hash or something like that attached to the version.
Thanks!

cargo-vet can print diffs for you (but it is primarily a dependency auditing tool). There are probably other tools that can too.

crates.io is not merely a catalog of Git repositories; the source of truth is the actual .crate archive files that you can download from crates.io.

Inside of a package you can find an automatically created file named .cargo_vcs_info.json, which contains a commit hash if one was available when the package was created, but there is no guarantee that this file is truthful; it's just a way to determine which commit allegedly matches, which could be verified by comparing the contents of the repository to the packaged files.

thanks!
But... where / how do I download this .crate file from crates.io? There is no download button, right? Or am I just blind?

Nevermind. It is in the .cargo/registry/src directory. I missed the part that "cargo add" does not directly download it. I needed to build the package first.

Use diff.rs: diff.rs

It does the diff of the actual crate for you. It's one of the options cargo-vet links to.


You might want to use cargo fetch instead of building, so that you don't have any code from the updated versions, including their build scripts, running before you do the audit.


diff.rs feels like an awesome and very easy-to-use solution, thanks for this hint!

Using cargo fetch instead of actually building sounds very reasonable, thank you, too!