kbknapp / cargo-outdated

A cargo subcommand for displaying when Rust dependencies are out of date
MIT License

Ignore lockfile #392

Open hougesen opened 3 weeks ago

hougesen commented 3 weeks ago

Is there a way to ignore any Cargo.lock and only check Cargo.toml?

hougesen commented 3 weeks ago

Just to clarify, what I am looking for/to do, is to check if the version in Cargo.toml is the latest.

Since the default for cargo add is to allow bumping the patch version of packages, it is pretty easy for Cargo.toml dependency versions to be out of sync with Cargo.lock. Especially if Cargo.lock is git ignored (See rust-lang/cargo/#315).

For most crates, bumping the patch version does not matter much, but there are some libraries in Rust that have "alternative" versioning systems, like serde, which has been bumping the patch version from v1.0.1 to v1.0.203 over the last 7 years.

That means the following Cargo.toml will result in 7 years of updates if the user is not careful.

# Cargo.toml

[package]
name = "dummy"
version = "0.1.0"
edition = "2021"

[dependencies]
serde = { version = "1.0.1" }

# Cargo.lock

[[package]]
name = "dummy"
version = "0.1.0"
dependencies = ["serde"]

[[package]]
name = "serde"
version = "1.0.203"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "7253ab4de971e72fb7be983802300c30b5a7f0c2e56fab8abfc6a214307c0094"
dependencies = ["serde_derive"]

# ...
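
The drift described in the comment above, as an added example that is not part of the issue or of cargo-outdated: a std-only Rust check that flags dependencies whose Cargo.toml requirement is older than the version recorded in Cargo.lock. The function names (`drift`, `kv`, `unquote`, `parse`) are hypothetical, and the parsing covers only the TOML subset quoted in the issue.

```rust
// Added example (not cargo-outdated code): list crates whose Cargo.toml requirement is
// older than the Cargo.lock version. Assumes the TOML subset shown in the issue, bare
// "x.y.z" requirements, and one locked version per crate name.
use std::collections::HashMap;
fn kv(line: &str) -> Option<(&str, &str)> {
    line.split_once('=').map(|(k, v)| (k.trim(), v.trim()))
}
fn unquote(s: &str) -> Option<&str> {
    s.trim().strip_prefix('"')?.split('"').next()
}
fn parse(v: &str) -> Option<(u64, u64, u64)> {
    let mut p = v.split('.').map(|n| n.parse::<u64>().ok());
    Some((p.next()??, p.next()??, p.next()??))
}

/// Returns (crate, declared, locked) for stale `name = "x.y.z"` or `name = { version = "x.y.z" }`.
pub fn drift(manifest: &str, lock: &str) -> Vec<(String, String, String)> {
    let (mut locked, mut current) = (HashMap::<&str, &str>::new(), None);
    for line in lock.lines() {
        match kv(line) {
            Some(("name", v)) => current = unquote(v),
            Some(("version", v)) => locked.extend(current.zip(unquote(v))),
            _ => {}
        }
    }
    let (mut out, mut in_deps) = (Vec::new(), false);
    for line in manifest.lines().map(str::trim) {
        if line.starts_with('[') {
            in_deps = line == "[dependencies]";
        } else if let (true, Some((name, v))) = (in_deps, kv(line)) {
            let declared = match v.split_once("version") {
                Some((_, rest)) if v.starts_with('{') => kv(rest).and_then(|(_, r)| unquote(r)),
                _ => unquote(v),
            };
            if let Some((d, l)) = declared.zip(locked.get(name).copied()) {
                if matches!((parse(d), parse(l)), (Some(a), Some(b)) if a < b) {
                    out.push((name.to_string(), d.to_string(), l.to_string()));
                }
            }
        }
    }
    out
}

fn main() {
    // Constructed sample mirroring the manifest and lockfile quoted in the issue.
    let toml = "[dependencies]\nserde = { version = \"1.0.1\" }\n";
    let lock = "[[package]]\nname = \"serde\"\nversion = \"1.0.203\"\n";
    println!("{:?}", drift(toml, lock));
}
```

Requirements with operators (`^`, `~`, `=`, ranges) or fewer than three components are skipped rather than guessed at.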