this post was submitted on 19 Jun 2023
9 points (90.9% liked)

Rust Lang

148 readers
1 users here now

Rules [Developing]

Observe our code of conduct

Constructive criticism only

No endless relitigation

No low-effort content

No memes or image macros

No NSFW Content

founded 2 years ago
MODERATORS
 

In my very large Rust-based project of about 100k lines of code, 100 direct dependencies, and 800 total dependencies, I always require version="*" for each dependency, except for specific ones that either I cannot or don't want to upgrade.

Crucially, I also commit my Cargo.lock, as the Cargo manual recommends.

I normally build with cargo --locked. Periodically, I will do a cargo update and run cargo outdated so that I'm able to see if there are specific packages keeping me at older versions.

To upgrade a specific package, I can just remove it's record directly from Cargo.lock and then do a regular cargo build.

This works very well!

Advantages

  • I minimize my number of dependencies, and therefor build times
  • I keep my personal ecosystem from falling too far behind that of crates.io
  • I rarely wind up with a situation where I have two dependencies that depend on a different symbol version
  • I don't have to change a version in all of my many Cargo.tomls

Disadvantages

  • I cannot publish my large repository to a wider audience (but that will never happen for this repository)
  • People who see my code start feeling ill and start shifting their eyes nervously.
you are viewing a single comment's thread
view the rest of the comments
[–] refefer 1 points 1 year ago

I can certainly see the trade-offs. I typically write high performance optimizers, so my dependency list is fairly compact; the big risk I see in general, without knowing anything of you application, is bug fixes or quality of life improvements. Those that manifest as full version bumps are fairly insidious with '*', and can make porting to the future a potential nightmare.

All that said, there's something nice about using a fixed version of common crates to develop against. One of the big advantages of languages like Python and Go is that robust stdlib which makes many tasks trivial to program assuming a wide enough coverage of libraries.