[package]
name = "project_a"
version = "2.2.2"
[dependencies]
either = { version = "=1.8.1" }
project_b/Cargo.toml:
[package]
name = "project_b"
version = "3.3.3"
[dependencies]
# none
The external project, either, depends on a crates.io-published version of project_b.
Therefore project_b is a transitive dependency of project_a, however the transitive project_b is different from the workspace version.
Currently crates.io:project_b is incorrectly masked to version 0.0.1 in Cargo.lock.
This PR identifies transitive dependencies by not masking dependencies with a source attribute. I think this is sensible and cannot think of a scenario where a workspace package would have a source attribute.
[[package]]
name = "either"
version = "1.8.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "7fcaabb2fef8c910e7f4c7ce9f67a1283a1715879a7c230ca9d6d1ae31f16d91"
dependencies = [
"project_b 3.3.3 (registry+https://github.com/rust-lang/crates.io-index)",
]
[[package]]
name = "project_a"
version = "0.0.1"
dependencies = [
"either",
]
[[package]]
name = "project_b"
version = "0.0.1"
[[package]]
name = "project_b"
version = "3.3.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "7fcaabb2fef8c910e7f4c7ce9f67a1283a1715879a7c230ca9d6d1ae31f16d91"
By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.
Workspace dependencies with a
source
attribute are likely to be transitive and not sourced from the workspace.Issue #, if available:
None raised.
Description of changes:
Similar to https://github.com/LukeMathWalker/cargo-chef/issues/224.
Given a workspace project:
project_a/Cargo.toml
:project_b/Cargo.toml
:The external project,
either
, depends on a crates.io-published version ofproject_b
.Therefore
project_b
is a transitive dependency ofproject_a
, however the transitiveproject_b
is different from the workspace version.Currently
crates.io:project_b
is incorrectly masked to version 0.0.1 inCargo.lock
.This PR identifies transitive dependencies by not masking dependencies with a
source
attribute. I think this is sensible and cannot think of a scenario where a workspace package would have asource
attribute.By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.