
Not all outdated transitive dependencies are properly detected

Open RalfJung opened this issue 6 years ago • 8 comments

I have seen cargo outdated produce output like this

reqwest->serde                           1.0.64   1.0.65  1.0.65   Normal  ---

telling me that, while my reqwest is up-to-date, serde as used by reqwest is outdated.

However, this information is not reliable. For example, with the following Cargo.toml

[dependencies]
failure = "=0.1.1"

cargo outdated claims that everything is up-to-date even though failure depends on an old version of syn: my Cargo.lock contains syn 0.11.11 where the current version is 0.14.1.

RalfJung avatar Jun 02 '18 06:06 RalfJung
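The check the issue is asking for, written out as an added example (this is not cargo-outdated's own code): a small Rust program that parses a Cargo.lock, walks the dependency graph from the root crate and reports every package that lags a known newest version, together with the chain of crates that pulls it in. The lock file contents and the `latest_versions` map are constructed for the example and mirror the `failure` / `syn` versions quoted above; a real run would read the project's Cargo.lock and query the registry instead.

```rust
// Added example, not cargo-outdated's own code: walk the Cargo.lock graph from the root
// crate and report every package lagging a known latest version, with the chain that
// pulls it in, including the transitive ones the thread says the tool leaves out.
use std::collections::{HashMap, HashSet};

// Constructed lock file modelled on the thread (not a real Cargo.lock); it mixes the
// old `name version (source)` dependency form with the newer bare-name form.
const LOCK: &str = r#"
[[package]]
name = "myapp"
version = "0.1.0"
dependencies = [
 "failure 0.1.1 (registry+https://github.com/rust-lang/crates.io-index)",
]

[[package]]
name = "failure"
version = "0.1.1"
dependencies = [
 "syn",
]

[[package]]
name = "syn"
version = "0.11.11"
"#;

/// Constructed stand-in for a registry query: newest version of each crate.
fn latest_versions() -> HashMap<&'static str, &'static str> {
    [("failure", "0.1.1"), ("syn", "0.14.1")].iter().copied().collect()
}

#[derive(Debug, Default)]
struct Package { name: String, version: String, deps: Vec<(String, Option<String>)> }

/// A lagging package plus the chain of crate names from the root that pulls it in.
#[derive(Debug, PartialEq)]
struct Outdated { path: Vec<String>, locked: String, latest: String }

fn unquote(s: &str) -> String { s.trim().trim_end_matches(',').trim_matches('"').to_string() }

/// Minimal line-based parser for the `[[package]]` tables of a Cargo.lock.
fn parse_lock(text: &str) -> Vec<Package> {
    let (mut pkgs, mut cur, mut in_deps) = (Vec::<Package>::new(), None, false);
    for line in text.lines().map(str::trim) {
        if line == "[[package]]" { pkgs.extend(cur.replace(Package::default())); continue; }
        let p = match cur.as_mut() { Some(p) => p, None => continue };
        if in_deps && line.starts_with(']') { in_deps = false; } else if in_deps {
            // `"name version (source)"` or `"name"`: a digit-led second token is the version.
            let dep = unquote(line);
            let mut parts = dep.split_whitespace();
            if let Some(name) = parts.next() {
                let ver = parts.next().filter(|v| v.starts_with(|c: char| c.is_ascii_digit()));
                p.deps.push((name.to_string(), ver.map(str::to_string)));
            }
        } else if let Some(v) = line.strip_prefix("name = ") {
            p.name = unquote(v);
        } else if let Some(v) = line.strip_prefix("version = ") {
            p.version = unquote(v);
        } else if line.starts_with("dependencies = [") { in_deps = true; }
    }
    pkgs.extend(cur);
    pkgs
}

/// Numeric components so `<` compares major.minor.patch in order; pre-release and
/// build suffixes are dropped (`1.0.0-beta` equals `1.0.0` here).
fn parse_version(v: &str) -> Vec<u64> {
    let core = v.split(|c: char| c == '-' || c == '+').next().unwrap_or("");
    core.split('.').map(|n| n.parse::<u64>().unwrap_or(0)).collect()
}

fn find_outdated(pkgs: &[Package], root: &str, latest: &HashMap<&str, &str>) -> Vec<Outdated> {
    let lookup = |name: &str, ver: Option<&str>| {
        pkgs.iter().find(|p| p.name == name && ver.map_or(true, |v| p.version == v))
    };
    let (mut out, mut seen) = (Vec::new(), HashSet::new());
    // Depth-first over (package, chain from the root); each name@version expands once.
    let mut stack: Vec<(&Package, Vec<String>)> =
        lookup(root, None).map(|r| (r, vec![r.name.clone()])).into_iter().collect();
    while let Some((p, path)) = stack.pop() {
        if !seen.insert(format!("{}@{}", p.name, p.version)) { continue; }
        for (dname, dver) in &p.deps {
            if let Some(d) = lookup(dname.as_str(), dver.as_deref()) {
                let mut chain = path.clone();
                chain.push(d.name.clone());
                if let Some(newest) = latest.get(d.name.as_str()) {
                    if parse_version(&d.version) < parse_version(newest) {
                        out.push(Outdated { path: chain.clone(), locked: d.version.clone(), latest: newest.to_string() });
                    }
                }
                stack.push((d, chain));
            }
        }
    }
    out
}

fn main() {
    for o in find_outdated(&parse_lock(LOCK), "myapp", &latest_versions()) {
        println!("{:<24} {:>8} {:>8}", o.path[1..].join("->"), o.locked, o.latest);
    }
}
```

Compiled with `rustc` and run, it prints `failure->syn  0.11.11  0.14.1`, the row the issue expects for a transitive dependency the project cannot update itself, while `failure` (pinned and already newest) is not listed. `parse_version` is deliberately coarse: it treats `1.0.0-beta` and `1.0.0` as equal, which is enough to flag a stale major or minor line but not to order pre-releases against each other.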

This is likely to be the intended behaviour (though it surprised me too!)

The reasoning seems to be: if I can't do anything about an outdated dependency - either by running cargo update or by editing Cargo.toml - then there's no point in this tool telling me about it.

Previous discussion, with links to more previous discussions, here.

dimbleby avatar Jun 11 '18 13:06 dimbleby

But what can I do about the other outdated indirect dependencies? "You can't do anything about it" would be a good argument to make -R the default, but if I ask for more information I should not be getting wrong information.

Also, it'd be nice to know whether I use an outdated (possibly buggy, possibly security critical) version of a library even if I can't directly change it. I can still go and bug the authors of the libraries I use about this.

RalfJung avatar Jun 11 '18 14:06 RalfJung

I'm also missing this feature, but as opt-in instead of the default. Usually I only want to know if my project has dependencies that can be updated, but sometimes I want an easy way to see which crates pull in old dependencies so I can check if there's a way to help them update (e.g. by sending a PR).

This is also useful if I'm the author of one of those dependencies myself. :)

kpcyrd avatar Jul 11 '18 00:07 kpcyrd

Actually, is this a duplicate of #25?

jonhoo avatar Jul 12 '18 19:07 jonhoo

Doesn't look like it to me... this here is about having cargo outdated show more things, #25 is about showing fewer things.

RalfJung avatar Jul 12 '18 19:07 RalfJung

I read #25 as ignoring semver, and thus also showing incompatible updates. Unless I'm mistaken, that should lead to all updates being shown, including things that are held back because of = dependencies.

jonhoo avatar Jul 12 '18 20:07 jonhoo

It's not about = dependencies though. It's about crates that are outdated but wouldn't be updated (enough) even if we relaxed all dependencies to *.

RalfJung avatar Jul 12 '18 20:07 RalfJung

Ah, I guess #25 wouldn't make a difference to transitive dependencies, you're right.

jonhoo avatar Jul 12 '18 20:07 jonhoo