How to update dependent of dependent packages?

When you refer to a dependent package in your cargo.toml, your cargo.lock contains packages that the packages you referred to in cargo.toml depend upon. I am calling these "dependent of dependent" packages here.

My question here is, how can you update these dependent of dependent packages, as these are not referred to directly in your cargo.toml and it is also not advisable to update your cargo.lock directly.

To clarify my question further, let me give one example package that is referred to in my cargo.lock that I wanted to update.

Dependent of dependent package name: h2
Current version in my cargo.lock = 0.3.12
Desired version: 0.3.18
Reason for update: Security vulnerability

Let me share here the relevant portion of my cargo.lock file as well:

[[package]]
name = "h2"
version = "0.3.12"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "17f8a914c2987b688368b5138aa05321db91f4090cf26118185672ad588bce21"
dependencies = [
"bytes",
"fnv",
"futures-core",
"futures-sink",
"futures-util",
"http",
"indexmap",
"slab",
"tokio",
"tokio-util",
"tracing",
]

To update all packages in the dependency graph of your project, run cargo update. If you want to update only the one package, instead: cargo update -p h2

This will modify the Cargo.lock file. As you note, "it is also not advisable to update your cargo.lock directly" but that does not mean it shouldn't be changed, just that it shouldn't be changed manually, but only using cargo, to ensure that it is consistent.

You can also, if you wish, delete the Cargo.lock file and let it be recreated. This has a similar effect; in both cases, the lock file will now contain the latest versions published at that moment.


Thank you very much for the help @kpreid. It is really helpful for me.

What if we wanted to update a specific package to a specific version instead of the latest one?

The --precise option lets you do that.
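After `cargo update -p h2` (or `cargo update -p h2 --precise 0.3.18`), it is worth confirming that no older h2 is still locked. The following is an added example, not part of the thread: a std-only Rust check over Cargo.lock text that reports locked versions below a minimum. The function names and the sample lock text are constructed for illustration; only the h2 0.3.12 and 0.3.18 versions come from the question.

```rust
// Constructed sample lock text; only the h2 name/version pair is from the question.
const SAMPLE_LOCK: &str = r#"
version = 3

[[package]]
name = "bytes"
version = "1.4.0"

[[package]]
name = "h2"
version = "0.3.12"
"#;

/// Parse a plain "x.y.z" version; anything else (pre-release, build tag) is None.
fn parse_version(v: &str) -> Option<(u64, u64, u64)> {
    let mut parts = v.split('.').map(|p| p.parse::<u64>().ok());
    let triple = (parts.next()??, parts.next()??, parts.next()??);
    if parts.next().is_some() { None } else { Some(triple) }
}

/// Every locked version of `name`; a lock file can hold several at once.
fn locked_versions(lock: &str, name: &str) -> Vec<String> {
    let (mut found, mut in_target) = (Vec::new(), false);
    for line in lock.lines().map(str::trim) {
        if line.starts_with('[') {
            in_target = false; // new table: forget the previous package
        } else if let Some(v) = line.strip_prefix("name = ") {
            in_target = v.trim_matches('"') == name;
        } else if let (true, Some(v)) = (in_target, line.strip_prefix("version = ")) {
            found.push(v.trim_matches('"').to_string());
        }
    }
    found
}

/// Locked versions of `name` below `min`; unparseable versions are reported too.
fn below_minimum(lock: &str, name: &str, min: &str) -> Vec<String> {
    let min = parse_version(min).expect("minimum must be x.y.z");
    locked_versions(lock, name)
        .into_iter()
        .filter(|v| parse_version(v).map_or(true, |p| p < min))
        .collect()
}

fn main() {
    println!("{:?}", below_minimum(SAMPLE_LOCK, "h2", "0.3.18")); // ["0.3.12"]
}
```

An empty result means every locked copy of the crate is at or above the minimum; versions that are not plain x.y.z are listed so that someone reviews them by hand.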