In npm/ Node.js you can specify the specific versions of “tools” you want to use in the package.json and package-lock.json. Is there a way to do this for the kind of binary tools you can install with cargo?
For example, in my CI/CD I might want to use cargo audit or sqlx (both installed with cargo install) and it would be cool to be able to manage these to some degree with the Cargo.toml / lock files. One reason for this to have consistent versions used in builds to increase stability and security.
Another reason might be to be able to use the Cargo.lock as a cache key in the CI/CD (GitHub Actions in my case) to represent the versions of these tools and have the system know when to restore the cache or not.
Yes and no.
cargo has artifact dependencies. It's an unstable nightly-only feature for now.
Those artifacts are available in build scripts with the path given in an environment variable. That's not very convenient to use from the outside though.
A workaround is adding a wrapper binary in the workspace that has the tool as a dependency (if the tool comes as a library as well). Then you can run that local binary which forwards into the tool.