In my very large Rust-based project of about 100k lines of code, 100 direct dependencies, and 800 total dependencies, I always require version="*" for each dependency, except for specific ones that either I cannot or don’t want to upgrade.

Crucially, I also commit my Cargo.lock, as the Cargo manual recommends.

I normally build with cargo --locked. Periodically, I will do a cargo update and run cargo outdated so that I’m able to see if there are specific packages keeping me at older versions.

To upgrade a specific package, I can just remove its record directly from Cargo.lock and then do a regular cargo build.

This works very well!

Advantages

  • I minimize my number of dependencies, and therefor build times
  • I keep my personal ecosystem from falling too far behind that of crates.io
  • I rarely wind up with a situation where I have two dependencies that depend on a different symbol version
  • I don’t have to change a version in all of my many Cargo.tomls

Disadvantages

  • I cannot publish my large repository to a wider audience (but that will never happen for this repository)
  • People who see my code start feeling ill and start shifting their eyes nervously.
  • lemmyrsM
    link
    fedilink
    English
    31 year ago

    I can somewhat relate. I mostly do something like this (instead of the exact dependency version):

    chrono = {version = "0", features = ["serde"]}
    clap = {version = "4", features = ["derive"]}
    anyhow = "1"
    

    I do, however, typically write application code instead of library, so it’s probably less critical for me. Occasionally do run into dependency hell here and there, but nothing too bad so far!