Why serde version in Cargo.lock is not the same as in Cargo.toml

I have the following dependencies in Cargo.toml:

[dependencies]
serde = { version = "1.0.164", features = ["derive", "rc"] }
serde_json = { version = "1.0.85", default-features = false, features = ["preserve_order", "unbounded_depth"] }

but after "cargo build", the serde version is not 1.0.164, it's the newest version:
[[package]]
name = "serde"
version = "1.0.204"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "bc76f558e0cbb2a839d37354c575f1dc3fdc6546b5be373ba43d95f231bf7c12"
dependencies = [
"serde_derive",
]

I don't know why and can't find any paper for it.

By default, Cargo uses caret dependencies, that is, "any semver-compatible version higher than or equal to this". If you need for some reason to pin the exact version, you need to specify it as "=x.y.z".

4 Likes
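Added example, not part of any post in this thread: a simplified Rust model of the caret rule described in the answer above, showing why the requirement "1.0.164" resolves to 1.0.204 while "=1.0.164" does not. The function names and the published-version list are assumptions made for illustration; this is not Cargo's resolver code.

```rust
// Added illustration: simplified model of Cargo's caret (default) and exact (=)
// requirements. Pre-release tags and partial versions like "1.0" are not handled.
type Version = (u64, u64, u64);

/// Parse "x.y.z"; returns None on anything else.
fn parse_version(s: &str) -> Option<Version> {
    let mut parts = s.trim().split('.').map(|p| p.parse::<u64>().ok());
    let v = (parts.next()??, parts.next()??, parts.next()??);
    if parts.next().is_some() { None } else { Some(v) }
}

/// Does `candidate` satisfy `req` as written in Cargo.toml?
/// A bare "x.y.z" means "^x.y.z"; "=x.y.z" matches only that version.
fn satisfies(req: &str, candidate: &str) -> Option<bool> {
    let req = req.trim();
    let cand = parse_version(candidate)?;
    if let Some(exact) = req.strip_prefix('=') {
        return Some(parse_version(exact)? == cand);
    }
    let min = parse_version(req.strip_prefix('^').unwrap_or(req))?;
    // Caret rule: the left-most non-zero component must stay the same.
    let upper = match min {
        (0, 0, p) => (0, 0, p + 1),
        (0, m, _) => (0, m + 1, 0),
        (maj, _, _) => (maj + 1, 0, 0),
    };
    Some(cand >= min && cand < upper)
}

/// Highest published version satisfying `req`: what a resolve with no
/// existing Cargo.lock entry normally selects.
fn resolve<'a>(req: &str, published: &[&'a str]) -> Option<&'a str> {
    published.iter().copied()
        .filter(|v| satisfies(req, v) == Some(true))
        .max_by_key(|v| parse_version(v))
}

fn main() {
    // Constructed sample list, not the real crates.io index; "2.0.0" is hypothetical.
    let published = ["1.0.163", "1.0.164", "1.0.204", "2.0.0"];
    for req in ["1.0.164", "=1.0.164"] {
        println!("{:>10} -> {:?}", req, resolve(req, &published));
    }
}
```

The `0.y.z` and `0.0.z` arms matter for pre-1.0 crates, where the caret range is much narrower than for `1.y.z`.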

If you are writing a library, it is highly discouraged to pin versions. Doing so will make it impossible to use your crate together with another crate that needs a more recent, but semver compatible, version. And the user will get a pretty confusing error message when that happens.

6 Likes

cargo update -p serde --precise 1.0.164 will give you the specific version.

Cargo.lock is used to store exact versions. Cargo.toml specifies minimum versions, and they are updated to latest compatible when possible.

2 Likes

Thanks for your answers.