-
Notifications
You must be signed in to change notification settings - Fork 2.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
allow overriding dependency major version #5640
Comments
You probably need to update your lockfile file for https://doc.rust-lang.org/cargo/reference/specifying-dependencies.html#testing-a-bugfix
Note thar git repository contains openssl 0.10, while you seem to replace 0.9. That means that you probably need to update |
thanks, i'm aware of this. the lockfile is deleted on every try. that is correct, i was asking for a feature that allows overriding 0.9 with 0.10 in Cargo.toml of my project rather than in the actual project that depends on 0.9. intentionally ignoring semver compatibility |
Oh, sorry, I've misunderstood your intentions! Yes, I think currently it is impossible to replace dependency specifications: that is, if a crate depends on However, it is possible to override the dependency itself. My understanding is that your project depends on library |
yep, doing that now, this helps me :) |
Yeah, such extension is possible in theory! However, the current "fork upstream and edit Cargo.toml" has two benefits:
|
i'd really like to see this too, imo it is a huge usability issue for both The fork-and-update approach is nice for the case when you're just a version behind, but, practically there are a bunch of situations that are not that and in my experience you often end up having to fork a pile of transitive dependencies to edit their dependency versions to test a patch, at which point As a simple example, for packages
To test an unpublished local change to D (or if D publishes a 0.3.0 release), there's no way to patch up to that from A without forking and altering both B and C. The documentation 1 2 3 also only mentions versions are important in one of the three places, and does not cover transitive dependencies at all, so it'd be neat to clear that up with whatever the outcome of this is. |
Any chance of getting this implemented? Overriding dependencies manually, even if there is a potential semver violation, is an important task in many complex projects. Unfortunately, the real world is not ideal, and it is possible to have situations where dependency versions in upstream projects just don't match, and there is a need to set things manually. Right now, I can't do anything to fix a dependency issue in my project without manually forking some repositories and doing fixes there, and then using the It does not seem at the first glance to be a hard thing to do from the technical standpoint: just allow specifying dependency version overrides in the manifest, e.g. like this: [[version-overrides.some-crate]]
version = "1.2.3" # override dependencies only for some-crate=1.2.3 but not e.g. some-crate=2.3.1
[version-overrides.some-crate.dependencies]
dependency = "3.2.1" # overridden version This configuration would work as a simple replace in the manifest of the overridden crate, and won't do anything else. So in the example above, Cargo would behave as if the manifest of This does go against the idea of semantic versions, but as I said, sometimes there are things which have to be done, and it is great if tools give the developer a power to do them. |
This comment has been minimized.
This comment has been minimized.
Isn't this exactly this case from the doc?
https://doc.rust-lang.org/cargo/reference/manifest.html#using-patch-with-multiple-versions
…On Fri, 21 Feb 2020 at 23:54, Cam Cope ***@***.***> wrote:
Also, it's not currently possible to patch multiple versions of the same
dependency in your project. Example dependency tree from the project-level
Cargo.toml:
A = 2.0
B = 1.0
A = 2.0
C = 1.0
A = 1.0
A has a bug that you need to patch. You can only specify a single version
because the patch is unversioned:
[patch.crates-io]
A = { git = "https://github.com/my/repo.git", branch = "fix-0.2" }
As long as C is the only user of ***@***.*** you can just patch it (or as
previously requested, override the constraint) to use the same version, but
this doesn't scale if the dependency is widely used (which is somewhat
likely due to rust's small stdlib).
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#5640?email_source=notifications&email_token=AANB3M6OS4TLXQVUS3WDYETREBLRFA5CNFSM4FFVLY5KYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEMULOZA#issuecomment-589870948>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/AANB3M22JZBMWTNCDLIZDFLREBLRFANCNFSM4FFVLY5A>
.
|
Ah yes, I missed the note underneath about the name being ignored. That format is kind of confusing though, I was thinking about adding a config variant like:
Is there a reason it wasn't done that way originally? |
The batch feature is not working due to a combination of: - dalek-cryptography/ed25519-dalek#126 and: - our x tooling unifying all features, and throwing batch into the mix as soon as it exists, despite it not being used, - the new reoslver not being switched on (diem#3134) A fix has been mered upstream in dalek-cryptography/ed25519-dalek#127 but is not released yet, leaving us bereft of a fixed ed25519_dalek version to point to. We could patch the merlin reference on crates.io, except the fixed merlin version is just at the boundary of a major version, and major version incompatibilities halt patch overrides (rust-lang/cargo#5640). Since there is tooling that urgently relies on correct version resolution to work and is suggesting the rather extreme measure of putting this technical fix in our formally-verified-crypto fork (novifinancial/ed25519-dalek-fiat#8), I think we would rather de-activate the feature entirely. A mention of it in code is explicitly left in (with no side effects) as a reminder to reinstate it once either of the following happens: - we switch to the new resolver, - a fixed dalek is released, - x has the ability to not run with all features.
The batch feature is not working due to a combination of: - dalek-cryptography/ed25519-dalek#126 and: - our x tooling unifying all features, and throwing batch into the mix as soon as it exists, despite it not being used, - the new reoslver not being switched on (diem#3134) A fix has been mered upstream in dalek-cryptography/ed25519-dalek#127 but is not released yet, leaving us bereft of a fixed ed25519_dalek version to point to. We could patch the merlin reference on crates.io, except the fixed merlin version is just at the boundary of a major version, and major version incompatibilities halt patch overrides (rust-lang/cargo#5640). Since there is tooling that urgently relies on correct version resolution to work and is suggesting the rather extreme measure of putting this technical fix in our formally-verified-crypto fork (novifinancial/ed25519-dalek-fiat#8), I think we would rather de-activate the feature entirely. A mention of it in code is explicitly left in (with no side effects) as a reminder to reinstate it once either of the following happens: - we switch to the new resolver, - a fixed dalek is released, - x has the ability to not run with all features.
The batch feature is not working due to a combination of: - dalek-cryptography/ed25519-dalek#126 and: - our x tooling unifying all features, and throwing batch into the mix as soon as it exists, despite it not being used, - the new reoslver not being switched on (#3134) A fix has been mered upstream in dalek-cryptography/ed25519-dalek#127 but is not released yet, leaving us bereft of a fixed ed25519_dalek version to point to. We could patch the merlin reference on crates.io, except the fixed merlin version is just at the boundary of a major version, and major version incompatibilities halt patch overrides (rust-lang/cargo#5640). Since there is tooling that urgently relies on correct version resolution to work and is suggesting the rather extreme measure of putting this technical fix in our formally-verified-crypto fork (novifinancial/ed25519-dalek-fiat#8), I think we would rather de-activate the feature entirely. A mention of it in code is explicitly left in (with no side effects) as a reminder to reinstate it once either of the following happens: - we switch to the new resolver, - a fixed dalek is released, - x has the ability to not run with all features. Closes: #5061 Approved by: rexhoffman
Here's a real world example where this feature would be useful: sccache depends on rouille, which hasn't been updated since 2019. rouille depends on tiny_http 0.6. This setup has a bug that surfaces in sccache, and that was fixed in tiny_http 0.7. Considering the lack of activity on the rouille repo, I don't see a bump of its Cargo.toml to use tiny_http 0.7 happening. It seems the only workable solution today is to either move away from rouille (lot of work), or publish a rouille fork to crates.io. (I tried publishing a fork of tiny_http and to use a patch with a |
If you are a maintained project and your dependency has not been updated, then a fork of the dependency seams like the honest way to do things. |
Local fork patches appear to be ignored if the major does not match the original request. |
I agree this seems like a huge problem. Forking every indirect dependency in light of vulnerabilities and the like is totally unscalable / impractical for a downstream project. I would love the option to |
Any updates? This is a very useful feature! |
A problem I'm having is that I am trying out a new release of a popular library to be an early-adopter (actix-web 4) which is mostly compatible with version 3. However some libraries are now unusable because they specify version 3 in their manifests so all of the types are (confusingly) wrong. In this case there is a 99% change that the libraries work, I am ok to deal with that risk as a beta tester and it doesn't make sense to update the library (because they are following the stable version as they should!). Right now there isn't really a good option. We could maintain a branch/fork with a modified manifest but that seems pretty pointless if no code changes are required. In this case I think it makes sense to just have the ability to override the declared dependency to update it from v3 to v4 so that I can test out the new version. |
A problem I'm having is trying to build an old rootfs using yocto release sumo, when building cargo it goes off and gets the latest crates but eg the latest v1 bitflags (1.3.2) won't build with the sumo version of rust (1.24.1) :/ |
Bump, this is a really important practical problem that cargo should allow you to solve the easy way. |
This has bitten me multiple times now, and I still don't have a practical solution to the problem. In my current case, I'm trying to use |
I hit this problem on a weekly basis. |
While re-reading this issue and the comments, because this still comes up frequently for me, I haven't seen a particular argument in favor of making versions
Having a completely separate fork repo or a submodule completely divorces the dependency override from the core repository and adds a third, hidden dependency: keeping two version histories in sync, the project's head and the fork. Vendoring the fork does keep the override adjacent to the core repository, but actually adds a fourth hidden dependency: keeping the vendored code in sync with the upstream or external, forked repo via git subtree or the like. The option proposed in this issue makes documenting and maintaining the override of a transitive dependency much simpler: two lines in |
Patch seems not to work for my project at all in all but the very simplest cases, because I'm transitively depending on a few different versions of the glib/gio/gobject already. As soon as I try to specify a local patch for It ends up being far less work to just comment out large portions of my own code to eliminate those dependencies while testing |
This feature may become much more important if Rust gets LTS releases. LTS users may want to prevent all their dependencies from requiring higher, incompatible versions of crates. For example, a dependency like This is currently doable by individually patching every user of the crate to replace, but that is too laborious. In the users forum this is a recurring question, and the status quo answer is always disappointing. |
@kornelski I am experimenting on patching with patch files #13779. This should solve the problem in the other way, since it is able to patch everything including cargo/tests/testsuite/patch_files.rs Lines 556 to 612 in faba4ab
(That said, I'd like to explore more on ergonomics for it) |
While I understand the general thought (imo another good example is dealing with packages that depend on |
ok, |
We need this because when ibc-rs uses tendermint 0.34 and our fork says 0.36 than Cargo patch isn’t applied. We pretend this is an older release which gets properly patched. Yes, this is dumb but that’s the Cargo way… /s See rust-lang/cargo#5640
I frequently wish for this ability, because of the following use case, which I have not seen mentioned already: Your project depends on a package, and you want to test a change to that package which is only in its repository, not released. Depending on how the repository committers choose (or happen) to manage their
It would be particularly useful to reduce the effort required to patch in these cases, so that users of libraries can more quickly and easily test out changes and give feedback (e.g. to PRs actively in progress). Note that in this hypothetical, the repository is actively maintained — we're not patching stale/abandoned libraries — it's just that we don't want to give them additional tasks to do. The way I would personally like to see this work is to just add a sledgehammer option to [patch.crates-io]
openssl = { git = "https://github.com/sfackler/rust-openssl.git", patch-all-versions = true } This would not work for all cases, but it would work for most of them (in my experience), and it would be faster to configure and have fewer edge-cases than a more precise "replace version 2.0.3 with version 3.0.0". |
I'm currently trying to upgrade plugins for Bevy 0.14, and this is causing so much pain. Bevy has a huge graph of tightly coupled first-party and third-party crates depending on each other in specific major versions, and then depending on specific major versions of related crates like egui, wgpu, and winit. Just updating one Bevy plugin requires replacing multiple crates and over 40 |
That's where I am. 3D graphics involves many tightly coupled high performance moving parts. In this kind of situation, you need good version patching capability so you can test during the churn phase without too much extra work. So that's the use case. |
I have a case for this where there is a PR against the crate to update the major version (it's really only a change in |
There's a related problem of difficulty moving users of a library from 0.x to 1.0 when it goes "stable", without causing churn and fragmentation of an already de-facto stable final 0.x version. I suspect both issues may have the same solution, which selectively allows unification of semver-major versions. |
Some prior art for this in other ecosystems:
And ecosystems that adopt the "add a direct dependency to override indirect deps versions" stategy: |
It would be great if this could be solved via a generic override mechanism that not only allows changing the version, but also the selected features. Use case: One of my projects has many indirect dependencies on rustls, via multiple different direct dependencies. Each of those direct dependencies seems to have different ideas on how to compile rustls, but I know that only a certain selection of features will work on all platforms I care about. |
currently there is no way in replace or patch to specify a different version than the original dependency.
with replace:
with patch:
is simply ignored.
With the complexity of packages growing, it is sometimes nessesary to override versions in Cargo.toml since upstream cant update the version yet if another dependency hasnt updated.
The text was updated successfully, but these errors were encountered: