cargo-outdated
Not all outdated transitive dependencies are properly detected
I have seen `cargo outdated` produce output like this:

```
reqwest->serde 1.0.64 1.0.65 1.0.65 Normal ---
```

telling me that, while my reqwest is up-to-date, serde as used by reqwest is outdated.
However, this information is not reliable. For example, with the following `Cargo.toml`

```toml
[dependencies]
failure = "=0.1.1"
```

`cargo outdated` claims that everything is up-to-date even though `failure` depends on an old version of `syn`: my `Cargo.lock` contains `syn 0.11.11` where the current version is 0.14.1.
This is likely to be the intended behaviour (though it surprised me too!)
The reasoning seems to be: if I can't do anything about an outdated dependency - either by running `cargo update` or by editing `Cargo.toml` - then there's no point in this tool telling me about it.
Previous discussion, with links to more previous discussions, here.
But what can I do about the other outdated indirect dependencies? "You can't do anything about it" would be a good argument to make `-R` the default, but if I ask for more information I should not be getting wrong information.
Also, it'd be nice to know whether I use an outdated (possibly buggy, possibly security critical) version of a library even if I can't directly change it. I can still go and bug the authors of the libraries I use about this.
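The distinction the thread draws (outdated crates that `cargo update` can fix versus ones held back by a dependent's requirement) can be checked directly against a lock file. The following is an added example, not cargo-outdated's own code: it reads `[[package]]` tables from a constructed `Cargo.lock` fragment and compares them with a constructed map of "latest" versions, using Cargo's caret compatibility rule to classify each outdated crate.

```rust
// Added example (not cargo-outdated's code). The lock fragment and the
// "latest" versions below are constructed sample data, not registry lookups.
use std::collections::HashMap;

/// Parse "major.minor.patch"; missing or non-numeric parts become 0.
fn parse_version(v: &str) -> (u64, u64, u64) {
    let mut it = v.split('.').map(|p| p.parse::<u64>().unwrap_or(0));
    (it.next().unwrap_or(0), it.next().unwrap_or(0), it.next().unwrap_or(0))
}

/// Cargo's caret rule: compatible when the leftmost non-zero component matches.
fn semver_compatible(a: &str, b: &str) -> bool {
    let (a, b) = (parse_version(a), parse_version(b));
    if a.0 != b.0 { return false; }
    if a.0 != 0 { return true; }
    if a.1 != b.1 { return false; }
    a.1 != 0 || a.2 == b.2
}

/// Minimal Cargo.lock reader: (name, version) for each [[package]] table.
fn locked_packages(lock: &str) -> Vec<(String, String)> {
    let (mut out, mut name, mut version) = (Vec::new(), None, None);
    for line in lock.lines().map(str::trim) {
        if let Some(v) = line.strip_prefix("name = ") { name = Some(v.trim_matches('"').to_string()); }
        if let Some(v) = line.strip_prefix("version = ") { version = Some(v.trim_matches('"').to_string()); }
        if name.is_some() && version.is_some() {
            out.push((name.take().unwrap(), version.take().unwrap()));
        }
    }
    out
}

/// (name, locked, latest, "cargo update" | "held back") for every outdated crate,
/// transitive ones included; crates absent from `latest` are skipped.
fn outdated(lock: &str, latest: &HashMap<&str, &str>) -> Vec<(String, String, String, &'static str)> {
    locked_packages(lock).into_iter().filter_map(|(n, v)| {
        let l = *latest.get(n.as_str())?;
        if v == l { return None; }
        let how = if semver_compatible(&v, l) { "cargo update" } else { "held back" };
        Some((n, v, l.to_string(), how))
    }).collect()
}

/// Constructed Cargo.lock fragment mirroring the thread: failure pins an old syn.
const LOCK: &str = "[[package]]\nname = \"failure\"\nversion = \"0.1.1\"\n\n\
[[package]]\nname = \"syn\"\nversion = \"0.11.11\"\n\n\
[[package]]\nname = \"serde\"\nversion = \"1.0.64\"\n";

fn main() {
    let latest = HashMap::from([("failure", "0.1.1"), ("syn", "0.14.1"), ("serde", "1.0.65")]);
    for (n, v, l, how) in outdated(LOCK, &latest) { println!("{} {} -> {} ({})", n, v, l, how); }
}
```

With the sample data, syn is reported as held back (0.11 to 0.14 is not a compatible jump for a 0.x crate) while serde is reported as fixable by `cargo update`.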
I'm also missing this feature, but as opt-in instead of the default. Usually I only want to know if my project has dependencies that can be updated, but sometimes I want an easy way to see which crates pull in old dependencies so I can check if there's a way to help them update (eg by sending a PR).
This is also useful if I'm the author of one of those dependencies myself. :)
Actually, is this a duplicate of #25?
Doesn't look like it to me... this here is about having `cargo outdated` show more things, #25 is about showing fewer things.
I read #25 as ignoring semver, and thus also showing incompatible updates. Unless I'm mistaken, that should lead to all updates being shown, including things that are held back because of `=` dependencies.
It's not about `=` dependencies though. It's about crates that are outdated but wouldn't be updated (enough) even if we relaxed all dependencies to `*`.
Ah, I guess #25 wouldn't make a difference to transitive dependencies, you're right.