Open hougesen opened 3 weeks ago
Just to clarify, what I am looking for/to do is to check if the version in Cargo.toml is the latest.

Since the default for cargo add is to allow bumping the patch version of packages, it is pretty easy for Cargo.toml dependency versions to be out of sync with Cargo.lock. Especially if Cargo.lock is git-ignored (see rust-lang/cargo/#315).

For most crates bumping the patch version does not matter much, but there are some libraries in Rust that have "alternative" versioning systems, like serde, which has been bumping the patch version from v1.0.1 to v1.0.203 over the last 7 years.

That means the following Cargo.toml will result in 7 years of updates if the user is not careful.
```toml
# Cargo.toml
[package]
name = "dummy"
version = "0.1.0"
edition = "2021"

[dependencies]
serde = { version = "1.0.1" }
```

```toml
# Cargo.lock
[[package]]
name = "dummy"
version = "0.1.0"
dependencies = ["serde"]

[[package]]
name = "serde"
version = "1.0.203"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "7253ab4de971e72fb7be983802300c30b5a7f0c2e56fab8abfc6a214307c0094"
dependencies = ["serde_derive"]
# ...
```
Is there a way to ignore any Cargo.lock and only check Cargo.toml?