
Ignore lockfile

Open hougesen opened this issue 1 year ago • 2 comments

Is there a way to ignore any Cargo.lock and only check Cargo.toml?

hougesen avatar Jun 10 '24 01:06 hougesen

Just to clarify, what I am looking to do is check whether the version in Cargo.toml is the latest.

Since the default for cargo add is to allow bumping the patch version of packages, it is pretty easy for Cargo.toml dependency versions to be out of sync with Cargo.lock, especially if Cargo.lock is git-ignored (see rust-lang/cargo/#315).

For most crates bumping the patch version does not matter much, but there are some libraries in Rust that have "alternative" versioning systems, like serde, which has been bumping the patch version from v1.0.1 to v1.0.203 over the last 7 years.

That means the following Cargo.toml will result in 7 years of updates if the user is not careful.

# Cargo.toml

[package]
name = "dummy"
version = "0.1.0"
edition = "2021"

[dependencies]
serde = { version = "1.0.1" }

# Cargo.lock

[[package]]
name = "dummy"
version = "0.1.0"
dependencies = ["serde"]

[[package]]
name = "serde"
version = "1.0.203"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "7253ab4de971e72fb7be983802300c30b5a7f0c2e56fab8abfc6a214307c0094"
dependencies = ["serde_derive"]

# ...

hougesen avatar Jun 10 '24 12:06 hougesen

The CLI help says

-R, --root-deps-only          Only check root dependencies (Equivalent to --depth=1)

which works well (if I understood your use case right).

freelon avatar Oct 05 '25 20:10 freelon