Ignore lockfile #392

Open
hougesen opened this issue Jun 10, 2024 · 1 comment

@hougesen

Is there a way to ignore any Cargo.lock and only check Cargo.toml?

@hougesen

Just to clarify, what I am looking for/to do, is to check if the version in Cargo.toml is the latest.

Since the default for cargo add is to allow bumping the patch version of packages, it is pretty easy for Cargo.toml dependency versions to be out of sync with Cargo.lock. Especially if Cargo.lock is git ignored (See rust-lang/cargo/#315).

For most crates bumping the patch version does not matter much, but there are some libraries in Rust that have "alternative" versioning systems, like serde that has been bumping the patch version of v1.0.1 to v1.0.203 over the last 7 years.

That means the following Cargo.toml will result in 7 years of updates if the user is not careful.

```toml
# Cargo.toml

[package]
name = "dummy"
version = "0.1.0"
edition = "2021"

[dependencies]
serde = { version = "1.0.1" }
```

```toml
# Cargo.lock

[[package]]
name = "dummy"
version = "0.1.0"
dependencies = ["serde"]

[[package]]
name = "serde"
version = "1.0.203"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "7253ab4de971e72fb7be983802300c30b5a7f0c2e56fab8abfc6a214307c0094"
dependencies = ["serde_derive"]

# ...
```
