
Not all outdated transitive dependencies are properly detected #134

Open
RalfJung opened this issue Jun 2, 2018 · 8 comments

Comments

@RalfJung

RalfJung commented Jun 2, 2018

I have seen cargo outdated produce output like this

reqwest->serde                           1.0.64   1.0.65  1.0.65   Normal  ---

telling me that, while my reqwest is up-to-date, serde as used by reqwest is outdated.

However, this information is not reliable. For example, with the following Cargo.toml

[dependencies]
failure = "=0.1.1"

cargo outdated claims that everything is up-to-date even though failure depends on an old version of syn: my Cargo.lock contains syn 0.11.11 where the current version is 0.14.1.

@dimbleby
Contributor

This is likely to be the intended behaviour (though it surprised me too!)

The reasoning seems to be: if I can't do anything about an outdated dependency - either by running cargo update or by editing Cargo.toml - then there's no point in this tool telling me about it.

Previous discussion, with links to more previous discussions, here.

@RalfJung
Author

But what can I do about the other outdated indirect dependencies? "You can't do anything about it" would be a good argument to make -R the default, but if I ask for more information I should not be getting wrong information.

Also, it'd be nice to know whether I use an outdated (possibly buggy, possibly security-critical) version of a library even if I can't directly change it. I can still go and bug the authors of the libraries I use about this.

@kpcyrd
Contributor

kpcyrd commented Jul 11, 2018

I'm also missing this feature, but as opt-in instead of the default. Usually I only want to know if my project has dependencies that can be updated, but sometimes I want an easy way to see which crates pull in old dependencies so I can check if there's a way to help them update (e.g. by sending a PR).

This is also useful if I'm the author of one of those dependencies myself. :)
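The behaviour RalfJung and kpcyrd are asking for (report every package in Cargo.lock that is behind its newest release, and show which direct dependency pulls it in) can be sketched independently of cargo outdated. The script below is an added example, not code from cargo-outdated or from anyone in this thread. It parses a constructed Cargo.lock excerpt in the modern `[[package]]` layout and compares each version against a constructed `LATEST` map that stands in for the crates.io index; the failure -> failure_derive -> syn chain mirrors the versions quoted above, while the other entries (myproject, the reqwest version) are hypothetical. Unlike cargo outdated it ignores semver compatibility on purpose, since the point of the thread is to see transitive crates that are old even when nothing in the graph could pull them forward.

```python
"""List outdated packages in a Cargo.lock, transitive ones included, together
with the direct-dependency path that pulls each one in."""
import re
from collections import deque

# Constructed Cargo.lock excerpt (v2/v3 layout). Versions for failure,
# failure_derive and syn follow the issue; myproject and reqwest are made up.
CARGO_LOCK = """
[[package]]
name = "myproject"
version = "0.1.0"
dependencies = [
 "failure",
 "reqwest",
]

[[package]]
name = "failure"
version = "0.1.1"
dependencies = [
 "failure_derive",
]

[[package]]
name = "failure_derive"
version = "0.1.1"
dependencies = [
 "syn",
]

[[package]]
name = "syn"
version = "0.11.11"

[[package]]
name = "reqwest"
version = "0.8.6"
dependencies = [
 "serde",
]

[[package]]
name = "serde"
version = "1.0.64"
"""

# Constructed stand-in for the registry index: crate -> newest published version.
LATEST = {"failure": "0.1.1", "failure_derive": "0.1.1", "syn": "0.14.1",
          "reqwest": "0.8.6", "serde": "1.0.65"}


def parse_lock(text):
    """Return {name: (version, [dependency names])} for every [[package]] entry."""
    packages = {}
    for block in re.split(r"^\[\[package\]\]\s*$", text, flags=re.M)[1:]:
        name = re.search(r'^name = "([^"]+)"', block, re.M).group(1)
        version = re.search(r'^version = "([^"]+)"', block, re.M).group(1)
        deps = []
        m = re.search(r"^dependencies = \[(.*?)^\]", block, re.M | re.S)
        if m:
            # Entries are quoted "name" or "name version (source)"; keep the name.
            deps = [d.split()[0] for d in re.findall(r'"([^"]+)"', m.group(1))]
        packages[name] = (version, deps)
    return packages


def parse_version(v):
    """Numeric tuple for plain x.y.z versions (pre-release suffix dropped)."""
    return tuple(int(x) for x in v.split("-")[0].split("."))


def outdated_report(lock_text, latest, root):
    """Return sorted (path, locked_version, latest_version) for every package
    whose locked version is older than the newest known release."""
    pkgs = parse_lock(lock_text)
    # Breadth-first walk from the root crate records one path to each package,
    # so the report can say which direct dependency drags the old crate in.
    paths = {root: [root]}
    queue = deque([root])
    while queue:
        cur = queue.popleft()
        for dep in pkgs[cur][1]:
            if dep not in paths:
                paths[dep] = paths[cur] + [dep]
                queue.append(dep)
    report = []
    for name, (version, _) in pkgs.items():
        if name == root or name not in latest:
            continue
        if parse_version(version) < parse_version(latest[name]):
            report.append((" -> ".join(paths[name][1:]), version, latest[name]))
    return sorted(report)


if __name__ == "__main__":
    for path, have, want in outdated_report(CARGO_LOCK, LATEST, "myproject"):
        print(f"{path:40} {have:10} {want}")
```

Run as-is it lists both `reqwest -> serde` (1.0.64 vs 1.0.65) and `failure -> failure_derive -> syn` (0.11.11 vs 0.14.1), i.e. the second case is reported rather than hidden. Feeding it a real Cargo.lock plus a current snapshot of the index (or `cargo search` output) in place of `LATEST` gives the opt-in view kpcyrd describes, and the path column tells you which upstream crate to send the update PR to.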

@jonhoo

jonhoo commented Jul 12, 2018

Actually, is this a duplicate of #25?

@RalfJung
Author

Doesn't look like it to me... this here is about having cargo outdated show more things, #25 is about showing fewer things.

@jonhoo

jonhoo commented Jul 12, 2018

I read #25 as ignoring semver, and thus also showing incompatible updates. Unless I'm mistaken, that should lead to all updates being shown, including things that are held back because of = dependencies.

@RalfJung
Author

It's not about = dependencies though. It's about crates that are outdated but wouldn't be updated (enough) even if we relaxed all dependencies to *.

@jonhoo

jonhoo commented Jul 12, 2018

Ah, I guess #25 wouldn't make a difference to transitive dependencies, you're right.
