cargo
cargo copied to clipboard
rust-lang
dependency downgrade on cargo update
cargo 1.26.0 (0e7c5a931 2018-04-06)
I run cargo update -p snappy on parity project - rev bca100cdb047906e73d6733f43df73c7603897dd.
cargo output was ok:
Updating git repository `https://github.com/paritytech/rust-snappy`
Updating git repository `https://github.com/paritytech/ring`
Updating registry `https://github.com/rust-lang/crates.io-index`
Adding cmake v0.1.31
Updating snappy v0.1.0 (https://github.com/paritytech/rust-snappy#40ac9a0d) -> #798408ff
Updating snappy-sys v0.1.0 (https://github.com/paritytech/rust-snappy#40ac9a0d) -> #798408ff
but to my surprise, one of my dependencies has been downgraded with no apparent reason
diff --git a/Cargo.lock b/Cargo.lock
index c791ae4..d69a4c7 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -246,6 +246,14 @@ dependencies = [
]
[[package]]
+name = "cmake"
+version = "0.1.31"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+dependencies = [
+ "cc 1.0.17 (registry+https://github.com/rust-lang/crates.io-index)",
+]
+
+[[package]]
name = "common-types"
version = "0.1.0"
dependencies = [
@@ -1969,7 +1977,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
dependencies = [
"num-integer 0.1.36 (registry+https://github.com/rust-lang/crates.io-index)",
"num-traits 0.2.2 (registry+https://github.com/rust-lang/crates.io-index)",
- "rand 0.4.2 (registry+https://github.com/rust-lang/crates.io-index)",
+ "rand 0.3.20 (registry+https://github.com/rust-lang/crates.io-index)",
"rustc-serialize 0.3.24 (registry+https://github.com/rust-lang/crates.io-index)",
]
@@ -2765,7 +2773,7 @@ dependencies = [
"lazy_static 1.0.0 (registry+https://github.com/rust-lang/crates.io-index)",
"libc 0.2.36 (registry+https://github.com/rust-lang/crates.io-index)",
"num_cpus 1.8.0 (registry+https://github.com/rust-lang/crates.io-index)",
- "rand 0.4.2 (registry+https://github.com/rust-lang/crates.io-index)",
+ "rand 0.3.20 (registry+https://github.com/rust-lang/crates.io-index)",
]
[[package]]
@@ -3118,7 +3126,7 @@ dependencies = [
[[package]]
name = "snappy"
version = "0.1.0"
-source = "git+https://github.com/paritytech/rust-snappy#40ac9a0d9fd613e7f38df800a11a589b7296da73"
+source = "git+https://github.com/paritytech/rust-snappy#798408ffef8f86dd51481673aca10f5348d7491b"
dependencies = [
"libc 0.2.36 (registry+https://github.com/rust-lang/crates.io-index)",
"snappy-sys 0.1.0 (git+https://github.com/paritytech/rust-snappy)",
@@ -3127,9 +3135,9 @@ dependencies = [
[[package]]
name = "snappy-sys"
version = "0.1.0"
-source = "git+https://github.com/paritytech/rust-snappy#40ac9a0d9fd613e7f38df800a11a589b7296da73"
+source = "git+https://github.com/paritytech/rust-snappy#798408ffef8f86dd51481673aca10f5348d7491b"
dependencies = [
- "cc 1.0.17 (registry+https://github.com/rust-lang/crates.io-index)",
+ "cmake 0.1.31 (registry+https://github.com/rust-lang/crates.io-index)",
"libc 0.2.36 (registry+https://github.com/rust-lang/crates.io-index)",
]
@@ -3942,6 +3950,7 @@ dependencies = [
"checksum chrono 0.4.2 (registry+https://github.com/rust-lang/crates.io-index)" = "1cce36c92cb605414e9b824f866f5babe0a0368e39ea07393b9b63cf3844c0e6"
"checksum cid 0.2.3 (registry+https://github.com/rust-lang/crates.io-index)" = "d85ee025368e69063c420cbb2ed9f852cb03a5e69b73be021e65726ce03585b6"
"checksum clap 2.29.1 (registry+https://github.com/rust-lang/crates.io-index)" = "8f4a2b3bb7ef3c672d7c13d15613211d5a6976b6892c598b0fcb5d40765f19c2"
+"checksum cmake 0.1.31 (registry+https://github.com/rust-lang/crates.io-index)" = "95470235c31c726d72bf2e1f421adc1e65b9d561bf5529612cbe1a72da1467b3"
"checksum conv 0.3.3 (registry+https://github.com/rust-lang/crates.io-index)" = "78ff10625fd0ac447827aa30ea8b861fead473bb60aeb73af6c1c58caf0d1299"
"checksum crc 1.7.0 (registry+https://github.com/rust-lang/crates.io-index)" = "bd5d02c0aac6bd68393ed69e00bbc2457f3e89075c6349db7189618dc4ddc1d7"
"checksum crossbeam 0.3.2 (registry+https://github.com/rust-lang/crates.io-index)" = "24ce9782d4d5c53674646a6a4c1863a21a8fc0cb649b3c94dfc16e45071dea19"
rand crate has been downgraded for num-bigint and rayon-core which require rand >= 0.3, < 0.5
Thanks for the report! This is definitely a bug in the output of cargo update at least in that it should inform you what's happening. Otherwise though this is a result of Cargo's crate graph resolution where it will pick the first crate graph that works (rather than optimizing for fewer crate versions). In that sense this is expected behavior in that this can happen, but further invocations of cargo update -p ... can help fix the issue.
cc @Eh2406, you might find this interesting as well!
This is definitely a bug in the output of cargo update at least in that it should inform you what's happening.
Specifically #5530 with a WIP PR at #5634
Similar issue: If you check out mozilla-central at 6f86cc3479f80ace97f62634e2c82a483d1ede40 and run cargo update -p webrender_api -p webrender in the root dir, it will downgrade the log 0.4.2 dependency of rsdparsa to log 0.3.9 for no apparent reason. The webrender dependency tree is completely independent of rsdparsa so it's not obvious to me why cargo update is changing the dependencies of rsdparsa at all. Note also that subsequently running cargo update -p gkrust reverts the log dependency back. gkrust is the root of the dependency tree.
Note there was an attempt to fix this in https://github.com/rust-lang/cargo/pull/5718, that needs a bit more work.
further invocations of
cargo update -p ...can help fix the issue.
that's not solving the issue unfortunately.
I believe we're seeing this in crates.io too, and I'm not sure why it's happening all of the sudden: https://github.com/rust-lang/crates.io/pull/1607
We're not able to update any dependency right now, because whatever we change triggers the resolver to downgrade conduit-cookie and then cookie to an incompatible version, for no reason I can see.
I tried using rust 1.24.1 (an old stable i happen to have lying around) in case something changed with the resolver lately but it happens there too.
Any advice besides hand-managing Cargo.lock? Any information/logs I can supply that would be helpful?
@carols10cents I think it is definitely due to the ring yanks. All the versions were yanked on the 10th. I tried updating crates.io from an index locked before then, and it is able to update dependencies just fine.
I think the reason is because when the resolver runs, the yanked packages are no longer visible, so it decides it has no other choice but to downgrade conduit-cookie to find a version that doesn't need ring. (I'm not certain, but it looks that way to me.)
You can use some flags as a workaround. For example, to update itertools, update Cargo.toml and run cargo update -p itertools --precise 0.8.0. For log, you can update it with cargo update -p log:0.4.5.
It would be nice if when using -p that it would be more careful about not downgrading unrelated packages.
the yanked packages are no longer visible
The way I understood yanking to be is that if a crate was yanked, you couldn't start depending on a crate, but existing dependencies in your lockfile would be allowed. We had a lockfile with ring in it with a patch to a github branch+hash even, so crates.io should be allowed to continue depending on that version of ring even if it was yanked... right?
If this is a separate bug, I'm happy to move!
right?
I'm not sure. I don't know much about the resolver, so I'll leave it to @Eh2406 or @alexcrichton to explain more. At a minimum I expect cargo update -p somecrate to leave the unrelated crates untouched. Whether or not a bare cargo update should continue to use yanked entries in the lockfile is questionable.
I crated a reproduction for anyone who wants to look at it:
- Download: https://gist.github.com/ehuss/cd5e090d06a9af26add19650bad988b4
- Create an empty
src/lib.rs - Run
cargo update -p itertools
This should only update itertools to 0.8. However, it ends up re-resolving everything else (and thus downgrading "cookie" because "ring" is yanked and unavailable). If you remove this line, then it works as expected (only updates itertools). Perhaps it is filtering out yanked summaries too early?
I extracted @ehuss's comment to a separate bug because I agree that it's unrelated to this issue specifically, as this was previously largely about "cargo does this naturally and there's little we can do, but we should message it better in the message output of cargo update"
@carols10cents you mentioned though that 1.24.1 didn't work for you, but the bug exposed in https://github.com/rust-lang/cargo/issues/6609 should have worked just fine on 1.24.1 so it may mean there's another bug in play here. Do you have a way I can reproduce on nightly/stable today so I can dig into that bug more?
@carols10cents you mentioned though that 1.24.1 didn't work for you, but the bug exposed in #6609 should have worked just fine on 1.24.1 so it may mean there's another bug in play here. Do you have a way I can reproduce on nightly/stable today so I can dig into that bug more?
UGH I lied. I have a rustup override set in my crates.io directory so I didn't actually switch to 1.24.1. When I actually switch to 1.24.1 and update itertools, only itertools updates as I expected. I'm sorry for messing that up.
Sorry this isn't reduced yet, but the way I'm reproducing is by checking out this commit of crates.io, change itertools to 0.7.0 in Cargo.toml, and run cargo update -p itertools. If only itertools is updated in Cargo.lock, that's the behavior I expect. If itertools is upgraded, but conduit-cookie and cookie are downgraded and ring is removed, that's the problem I'm having. I reset the Cargo.lock between each attempt.
The problem behavior is happening for me with stable 1.32.0, beta 1.33.0-beta.4, and nightly 1.34.0-nightly (da6ab956e 2019-01-27).
Ok cool, thanks for the confirmation! No need to worry about a reproduction/reduction in that case, I think #6609 has everything it needs for fixing now.
I have this in my Cargo.toml:
zip = "0.5"
https://crates.io/crates/zip
cargo update downgraded it:
> cargo update
Updating actix-web v3.3.1 -> v3.3.2
Updating addr2line v0.13.0 -> v0.14.1
Updating ahash v0.4.6 -> v0.4.7
Updating aho-corasick v0.7.14 -> v0.7.15
Updating alsa-sys v0.3.0 -> v0.3.1
Updating andrew v0.3.0 -> v0.3.1
Removing arc-swap v0.4.7
Updating arithmetic-eval v0.2.0-beta.1 -> v0.2.0
Updating arithmetic-parser v0.2.0-beta.1 -> v0.2.0
Updating async-executor v1.3.0 -> v1.4.0
Updating async-global-executor v1.4.2 -> v1.4.3
Updating async-io v1.1.10 -> v1.3.1
Updating async-std v1.6.5 -> v1.8.0
Updating auto_enums v0.7.8 -> v0.7.12
Updating auto_enums_core v0.7.8 -> v0.7.12
Updating auto_enums_derive v0.7.8 -> v0.7.12
Updating backtrace v0.3.53 -> v0.3.55
Updating base-x v0.2.6 -> v0.2.8
Removing base64 v0.10.1
Removing base64 v0.11.0
Updating blake2b_simd v0.5.10 -> v0.5.11
Updating bytecount v0.6.0 -> v0.6.2
Updating cc v1.0.65 -> v1.0.66
Removing cloudabi v0.1.0
Updating cmake v0.1.44 -> v0.1.45
Updating combine v4.4.0 -> v4.5.2
Updating const_fn v0.4.2 -> v0.4.5
Removing cookie v0.12.0
Removing cookie v0.14.2
Adding cookie v0.14.3
Updating core-graphics v0.22.1 -> v0.22.2
Updating coreaudio-sys v0.2.5 -> v0.2.6
Updating crc32fast v1.2.0 -> v1.2.1
Updating derivative v2.1.1 -> v2.1.3
Updating derive_utils v0.10.0 -> v0.11.2
Updating dtoa v0.4.6 -> v0.4.7
Updating dtoa-short v0.3.2 -> v0.3.3
Updating encoding_rs v0.8.24 -> v0.8.26
Updating fetch_unroll v0.2.1 -> v0.2.2
Updating filetime v0.2.12 -> v0.2.13
Updating flate2 v1.0.14 -> v1.0.19
Updating futures v0.3.6 -> v0.3.8
Updating futures-channel v0.3.6 -> v0.3.8
Updating futures-core v0.3.6 -> v0.3.8
Updating futures-executor v0.3.6 -> v0.3.8
Updating futures-io v0.3.6 -> v0.3.8
Updating futures-lite v1.11.2 -> v1.11.3
Updating futures-sink v0.3.6 -> v0.3.8
Updating futures-task v0.3.6 -> v0.3.8
Updating futures-util v0.3.6 -> v0.3.8
Removing getrandom v0.1.15
Removing getrandom v0.2.0
Adding getrandom v0.1.16
Adding getrandom v0.2.1
Updating gimli v0.22.0 -> v0.23.0
Updating h2 v0.2.6 -> v0.2.7
Updating heck v0.3.1 -> v0.3.2
Updating http v0.2.1 -> v0.2.2
Updating hyper v0.13.8 -> v0.13.9
Removing idna v0.1.5
Updating image v0.23.10 -> v0.23.12
Updating indexmap v1.6.0 -> v1.6.1
Updating inotify-sys v0.1.3 -> v0.1.4
Updating instant v0.1.7 -> v0.1.9
Updating itoa v0.4.6 -> v0.4.7
Updating js-sys v0.3.45 -> v0.3.46
Updating libc v0.2.79 -> v0.2.82
Updating libflate v0.1.27 -> v1.0.3
Adding libflate_lz77 v1.0.0
Updating libloading v0.6.4 -> v0.6.6
Removing line_drawing v0.8.0
Updating lock_api v0.4.1 -> v0.4.2
Removing lzw v0.10.0
Updating memchr v2.3.3 -> v2.3.4
Removing memmap v0.7.0
Adding memmap2 v0.1.0
Updating minimp3 v0.5.0 -> v0.5.1
Updating mio v0.6.22 -> v0.6.23
Updating miow v0.2.1 -> v0.2.2
Updating native-tls v0.2.4 -> v0.2.7
Updating net2 v0.2.35 -> v0.2.37
Updating nom_locate v2.0.0 -> v3.0.0
Removing num-complex v0.3.0
Updating num-integer v0.1.43 -> v0.1.44
Updating num-iter v0.1.41 -> v0.1.42
Updating num-rational v0.3.0 -> v0.3.2
Updating object v0.21.1 -> v0.22.0
Updating openssl v0.10.30 -> v0.10.32
Updating openssl-sys v0.9.58 -> v0.9.60
Updating ordered-float v2.0.0 (https://github.com/reem/rust-ordered-float#e8fe06a5) -> #923c571c
Updating parking_lot v0.11.0 -> v0.11.1
Updating parking_lot_core v0.8.0 -> v0.8.2
Removing percent-encoding v1.0.1
Updating png v0.16.7 -> v0.16.8
Adding podio v0.1.7
Updating ppv-lite86 v0.2.9 -> v0.2.10
Updating quote v1.0.7 -> v1.0.8
Updating reamap_config v0.1.0 (ssh://[email protected]/Boscop/reamap#6e70a920) -> #897fd60a
Updating regex v1.4.1 -> v1.4.2
Updating regex-syntax v0.6.20 -> v0.6.21
Updating reqwest v0.10.8 -> v0.10.10
Updating retain_mut v0.1.1 -> v0.1.2
Updating rimd v0.0.2 (https://github.com/RustAudio/rimd#54fd9bd2) -> #7ac15853
Updating ring v0.16.18 -> v0.16.19
Updating rust-argon2 v0.8.2 -> v0.8.3
Updating rustc-demangle v0.1.17 -> v0.1.18
Updating rustls v0.16.0 -> v0.19.0
Updating security-framework v0.4.4 -> v2.0.0
Updating security-framework-sys v0.4.3 -> v2.0.0
Updating serde-big-array v0.3.0 -> v0.3.1
Updating serde_json v1.0.59 -> v1.0.61
Removing serde_urlencoded v0.6.1
Updating signal-hook-registry v1.2.1 -> v1.3.0
Updating smallvec v1.4.2 -> v1.6.0
Updating smithay-client-toolkit v0.12.0 -> v0.12.2
Updating standback v0.2.11 -> v0.2.14
Updating string_cache v0.8.0 -> v0.8.1
Updating syn v1.0.45 -> v1.0.58
Removing take_mut v0.2.2
Updating termcolor v1.1.0 -> v1.1.2
Updating thiserror v1.0.21 -> v1.0.23
Updating thiserror-impl v1.0.21 -> v1.0.23
Updating tiff v0.5.0 -> v0.6.1
Updating time v0.2.22 -> v0.2.23
Removing tinyvec v0.3.4
Updating tokio v0.2.22 -> v0.2.24
Updating toml v0.5.7 -> v0.5.8
Updating tracing v0.1.21 -> v0.1.22
Updating unicode-normalization v0.1.13 -> v0.1.16
Updating unicode-segmentation v1.6.0 -> v1.7.1
Updating ureq v0.11.4 -> v1.5.4
Removing url v1.7.2
Updating vcpkg v0.2.10 -> v0.2.11
Updating vst v0.2.0 -> v0.2.1
Updating wasm-bindgen v0.2.68 -> v0.2.69
Updating wasm-bindgen-backend v0.2.68 -> v0.2.69
Updating wasm-bindgen-futures v0.4.18 -> v0.4.19
Updating wasm-bindgen-macro v0.2.68 -> v0.2.69
Updating wasm-bindgen-macro-support v0.2.68 -> v0.2.69
Updating wasm-bindgen-shared v0.2.68 -> v0.2.69
Updating wayland-client v0.28.1 -> v0.28.3
Updating wayland-commons v0.28.1 -> v0.28.3
Updating wayland-cursor v0.28.1 -> v0.28.3
Updating wayland-egl v0.28.1 -> v0.28.3
Updating wayland-protocols v0.28.1 -> v0.28.3
Updating wayland-scanner v0.28.1 -> v0.28.3
Updating wayland-sys v0.28.1 -> v0.28.3
Updating web-sys v0.3.45 -> v0.3.46
Updating webpki v0.21.3 -> v0.21.4
Updating webpki-roots v0.18.0 -> v0.21.0
Updating weezl v0.1.1 -> v0.1.3
Updating xcursor v0.3.2 -> v0.3.3
Updating zip v0.5.8 -> v0.5.6
Updating zip v0.5.8 -> v0.5.6
before I had:
[[package]]
name = "zip"
version = "0.5.8"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "543adf038106b64cfca4711c82c917d785e3540e04f7996554488f988ec43124"
dependencies = [
"byteorder",
"bzip2",
"crc32fast",
"flate2 1.0.14",
"thiserror",
"time 0.1.44",
]
Why did it choose to downgrade zip?
Calling cargo update -p zip after this didn't cause cargo to update it!
After I wrote
zip = "0.5.9"
in my Cargo.toml file, it updated it correctly, so there was no reason to not choose this version in the first place!
Btw, why doesn't it display downgrades in a more visible way so that I can manually fix them?
(E.g. by printing "Downgrading" instead of "Updating")
I just noticed this accidentally because it was the last line in the very long cargo update output.
@Boscop do you have a way for me to reproduce to try and figure out what specifically happened in the resolver? And a big +1 on a more obvious output for downgrades.
@Eh2406 Would it be sufficient if I upload the Cargo.lock file how it was before cargo update?
I think the dependencies part of Cargo.toml and Cargo.lock will probably be sufficient. If you gave me them, then I would start a new project with the files in it and try a cargo update. If that gives us the line Updating zip v0.5.8 -> v0.5.6, then I can try to dig in.
Here's another case that I think might be related:
djc-2021 main test-rs $ cargo init foo
Created binary (application) package
djc-2021 main test-rs $ cargo add [email protected]
Updating crates.io index
Adding chrono v0.4 to dependencies. [this is misleading, see https://github.com/rust-lang/cargo/issues/11073]
Features:
- rustc-serialize
- serde
djc-2021 main test-rs $ rg -C2 chrono Cargo.lock
31-
32-[[package]]
33:name = "chrono"
34-version = "0.4.22"
35-source = "registry+https://github.com/rust-lang/crates.io-index"
--
147-version = "0.1.0"
148-dependencies = [
149: "chrono",
150-]
151-
djc-2021 main test-rs $ cargo add whoami
Updating crates.io index
Adding whoami v1.2.2 to dependencies.
djc-2021 main test-rs $ rg -C2 chrono Cargo.lock
22-
23-[[package]]
24:name = "chrono"
25-version = "0.4.20"
26-source = "registry+https://github.com/rust-lang/crates.io-index"
--
117-version = "0.1.0"
118-dependencies = [
119: "chrono",
120- "whoami",
121-]
So Cargo silently downgraded my chrono dependency here. If I bump the dependency to 0.4.22 in Cargo.toml to force the issue, it explains itself:
error: failed to select a version for `wasm-bindgen`.
... required by package `whoami v1.2.2`
... which satisfies dependency `whoami = "^1.2.2"` of package `test-rs v0.1.0 (/Users/djc/src/test-rs)`
versions that meet the requirements `>=0.2, <=0.2.78` are: 0.2.78, 0.2.77, 0.2.76, 0.2.75, 0.2.74, 0.2.73, 0.2.72, 0.2.71, 0.2.70, 0.2.69, 0.2.68, 0.2.67, 0.2.66, 0.2.65, 0.2.64, 0.2.63, 0.2.62, 0.2.61, 0.2.60, 0.2.59, 0.2.58, 0.2.57, 0.2.56, 0.2.55, 0.2.54, 0.2.53, 0.2.52, 0.2.51, 0.2.50, 0.2.49, 0.2.48, 0.2.47, 0.2.46, 0.2.45, 0.2.44, 0.2.43, 0.2.42, 0.2.41, 0.2.40, 0.2.39, 0.2.38, 0.2.37, 0.2.36, 0.2.35, 0.2.34, 0.2.33, 0.2.32, 0.2.31, 0.2.30, 0.2.29, 0.2.28, 0.2.27, 0.2.26, 0.2.25, 0.2.24, 0.2.23, 0.2.22, 0.2.21, 0.2.20, 0.2.19, 0.2.18, 0.2.17, 0.2.16, 0.2.15, 0.2.14, 0.2.13, 0.2.12, 0.2.11, 0.2.10, 0.2.9, 0.2.8, 0.2.7, 0.2.6, 0.2.5, 0.2.4, 0.2.3, 0.2.2, 0.2.1, 0.2.0
the package `wasm-bindgen` links to the native library `wasm_bindgen`, but it conflicts with a previous package which links to `wasm_bindgen` as well:
package `wasm-bindgen-shared v0.2.81`
... which satisfies dependency `wasm-bindgen-shared = "=0.2.81"` of package `wasm-bindgen-backend v0.2.81`
... which satisfies dependency `wasm-bindgen-backend = "=0.2.81"` of package `wasm-bindgen-macro-support v0.2.81`
... which satisfies dependency `wasm-bindgen-macro-support = "=0.2.81"` of package `wasm-bindgen-macro v0.2.81`
... which satisfies dependency `wasm-bindgen-macro = "=0.2.81"` of package `wasm-bindgen v0.2.81`
... which satisfies dependency `wasm-bindgen = "^0.2.81"` of package `iana-time-zone v0.1.45`
... which satisfies dependency `iana-time-zone = "^0.1.44"` of package `chrono v0.4.22`
... which satisfies dependency `chrono = "^0.4.22"` of package `test-rs v0.1.0 (/Users/djc/src/test-rs)`
Only one package in the dependency graph may specify the same links value. This helps ensure that only one copy of a native library is linked in the final binary. Try to adjust your dependencies so that only one package uses the links ='wasm-bindgen' value. For more information, see https://doc.rust-lang.org/cargo/reference/resolver.html#links.
all possible versions conflict with previously selected packages.
previously selected package `wasm-bindgen v0.2.81`
... which satisfies dependency `wasm-bindgen = "^0.2.81"` of package `iana-time-zone v0.1.45`
... which satisfies dependency `iana-time-zone = "^0.1.44"` of package `chrono v0.4.22`
... which satisfies dependency `chrono = "^0.4.22"` of package `test-rs v0.1.0 (/Users/djc/src/test-rs)`
failed to select a version for `wasm-bindgen` which could resolve this conflict
