Something more precise then "cargo update"?

davemilter · November 1, 2023, 1:54pm

I want something like cargo update to update dependency tree and Cargo.lock in my workspace,
but my workspace is large enough, so very often happens duplicates of the same packages with different versions, like today (output of cargo tree -d):

hashbrown v0.12.3
└── indexmap v1.9.3
    └── h2 v0.3.21
        ├── hyper v0.14.27
        │   ├── hyper-tls v0.5.0
        │   │   └── reqwest v0.11.22 (*)
        │   └── reqwest v0.11.22 (*)
        └── reqwest v0.11.22 (*)

hashbrown v0.14.2
├── hashlink v0.8.4
│   └── rusqlite v0.28.0

└── indexmap v2.1.0
    └── petgraph v0.6.4

New version of h2 with updated dependency tree look like in the way, but not yet published.

So I need something like cargo update, but that can prevent duplicates, or allow duplicates only in dev and build time dependencies.

Do you know such tool, or may be some basic tools that I can combine together and get solution?

cuviper · November 1, 2023, 4:36pm

AIUI, the current resolver is greedy about choosing the latest versions it can. I guess you want a resolver that can choose lesser versions when it avoids duplication, but I haven't seen that.

For this particular case, we just need h2 to publish a new release with:

davemilter · November 2, 2023, 10:11am

That is the main problem. Suppose after couple of week they publish new release, I will run cargo update, and got new duplicate dependency problem, because of some other crate was updated, and this would introduced new dependency duplication.

With big workspace, I already half of year can no update all my dependency tree.