this post was submitted on 19 Jun 2023
9 points (90.9% liked)

Rust Lang

148 readers
1 users here now

Rules [Developing]

Observe our code of conduct

Constructive criticism only

No endless relitigation

No low-effort content

No memes or image macros

No NSFW Content

founded 2 years ago
MODERATORS
 

In my very large Rust-based project of about 100k lines of code, 100 direct dependencies, and 800 total dependencies, I always require version="*" for each dependency, except for specific ones that either I cannot or don't want to upgrade.

Crucially, I also commit my Cargo.lock, as the Cargo manual recommends.

I normally build with cargo --locked. Periodically, I will do a cargo update and run cargo outdated so that I'm able to see if there are specific packages keeping me at older versions.

To upgrade a specific package, I can just remove it's record directly from Cargo.lock and then do a regular cargo build.

This works very well!

Advantages

  • I minimize my number of dependencies, and therefor build times
  • I keep my personal ecosystem from falling too far behind that of crates.io
  • I rarely wind up with a situation where I have two dependencies that depend on a different symbol version
  • I don't have to change a version in all of my many Cargo.tomls

Disadvantages

  • I cannot publish my large repository to a wider audience (but that will never happen for this repository)
  • People who see my code start feeling ill and start shifting their eyes nervously.
you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 0 points 1 year ago

I can somewhat relate. I mostly do something like this (instead of the exact dependency version):

chrono = {version = "0", features = ["serde"]}
clap = {version = "4", features = ["derive"]}
anyhow = "1"

I do, however, typically write application code instead of library, so it's probably less critical for me. Occasionally do run into dependency hell here and there, but nothing too bad so far!