In my very large Rust-based project of about 100k lines of code, 100 direct dependencies, and 800 total dependencies, I always require version="*"
for each dependency, except for specific ones that either I cannot or don’t want to upgrade.
Crucially, I also commit my Cargo.lock
, as the Cargo manual recommends.
I normally build with cargo --locked
. Periodically, I will do a cargo update
and run cargo outdated
so that I’m able to see if there are specific packages keeping me at older versions.
To upgrade a specific package, I can just remove its record directly from Cargo.lock
and then do a regular cargo build
.
This works very well!
Advantages
- I minimize my number of dependencies, and therefor build times
- I keep my personal ecosystem from falling too far behind that of crates.io
- I rarely wind up with a situation where I have two dependencies that depend on a different symbol version
- I don’t have to change a version in all of my many
Cargo.toml
s
Disadvantages
- I cannot publish my large repository to a wider audience (but that will never happen for this repository)
- People who see my code start feeling ill and start shifting their eyes nervously.
I can somewhat relate. I mostly do something like this (instead of the exact dependency version):
chrono = {version = "0", features = ["serde"]} clap = {version = "4", features = ["derive"]} anyhow = "1"
I do, however, typically write application code instead of library, so it’s probably less critical for me. Occasionally do run into dependency hell here and there, but nothing too bad so far!