How to pin wasm-bindgen to a specific version for CI/CD?

I am working on a library that has a dependency on wasm-bindgen and needs to run some tests in GitHub Actions. In my GitHub workflow for CI, I install wasm-bindgen-cli via cargo binstall --no-confirm wasm-bindgen-cli@0.2.89.

I have two crates in my workspace, a proc_macro crate and a library crate. The library crate has a dependency on wasm-bindgen = "0.2.89" which I would have thought, given there are no transitive dependencies requiring a newer version, should be the version used. However, referring to this run, wasm-bindgen, web-sys, js-sys, etc. are still being updated to the latest versions. What are my options for solving this problem?

  • I don't think specifying the dependency as wasm-bindgen = "=0.2.89" is correct since the version should be upgradable to any patch version greater than 0.2.89 in downstream crates, i.e., outside of CI
  • I don't think checking in a Cargo.lock file is correct since this should only be done for binary crates to the best of my knowledge
  • I have tried to put wasm-bindgen = "=0.2.89" in the dev-dependencies section which seems flaky. It worked once in CI, but then failed after I changed the keywords in Cargo.toml, although I suspect the caching from actions-rust-lang/setup-rust-toolchain@v1 might have something to do with this

What is the correct way to solve this problem?

Would committing your Cargo.lock lockfile (or caching it in CI) and running Cargo with the --locked flag be an option for you? You can also set a precise version for a dependency with cargo update wasm-bindgen --precise 0.2.89.


This is a false assumption. The official guidance now is "do what is best for the project".

Specifically, the Cargo FAQ explicitly mentioned the usage for CI:

Ensuring CI only fails due to new commits and not external factors

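A guard that fits the lockfile approach suggested in the answers above, as an added example that is not part of the thread or of any project's own tooling: it reads the versions Cargo.lock records for a crate and fails unless there is exactly one and it matches the expected pin. The function names and the sample lockfile are constructed for illustration.

```shell
# Added example: fail CI when Cargo.lock resolves a crate to an unexpected version.

# Print every version of package $2 recorded in lockfile $1, one per line.
locked_versions() {
    awk -v pkg="$2" '
        /^\[\[package\]\]/ { name = "" }
        $1 == "name" && $2 == "=" { gsub(/"/, "", $3); name = $3 }
        $1 == "version" && $2 == "=" && name == pkg { gsub(/"/, "", $3); print $3 }
    ' "$1"
}

# check_pin LOCKFILE PACKAGE EXPECTED
# Returns 0 only if PACKAGE is locked exactly once and at EXPECTED.
check_pin() {
    found=$(locked_versions "$1" "$2")
    if [ -z "$found" ]; then
        echo "$2: not present in $1" >&2; return 1
    fi
    if [ "$(printf '%s\n' "$found" | wc -l)" -ne 1 ]; then
        echo "$2: multiple versions locked:" $found >&2; return 1
    fi
    if [ "$found" != "$3" ]; then
        echo "$2: locked at $found, expected $3" >&2; return 1
    fi
}

# Constructed sample lockfile (not taken from the thread's repository).
write_sample_lock() {
    cat > "$1" <<'EOF'
version = 3

[[package]]
name = "js-sys"
version = "0.3.66"
dependencies = [
 "wasm-bindgen",
]

[[package]]
name = "wasm-bindgen"
version = "0.2.89"
EOF
}

# Demo on the constructed file; in CI the same check would run before cargo test --locked.
demo_lock=$(mktemp)
write_sample_lock "$demo_lock"
check_pin "$demo_lock" wasm-bindgen 0.2.89 && echo "wasm-bindgen pin OK"
rm -f "$demo_lock"
```

The check fails when a crate is locked at more than one version, because in that case a single expected pin cannot describe what the build will use.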
