Cargo pulling wrong versions of crates - only finding latest #10235

Closed
mikehentges opened this issue Dec 28, 2021 · 2 comments
Labels
C-bug Category: bug

@mikehentges

Problem

With Cargo 1.57, on Windows and WSL2 (Ubuntu), Cargo seems to be ignoring the version numbers in the Cargo.toml file, and if the Cargo.lock file is removed (or a new project is started), it will pull later versions of crates - the last one published.

Steps

```
cargo clean
mv Cargo.lock Cargo.lock.old
cargo build
```

A diff of Cargo.lock and Cargo.lock.old shows different versions of crates being pulled. For example:

```toml
[dependencies]
clap = "3.0.0-beta-5"
itoa = "0.4.8"
```

The Cargo.lock shows that
clap - 3.0.0-rc.9
itoa - 1.0.1

get built instead.

Possible Solution(s)

No response

Notes

No response

Version

```
cargo 1.57.0 (b2e52d7ca 2021-10-21)
release: 1.57.0
commit-hash: b2e52d7cab0a286ee9fcc0c17510b1e72fcb53eb
commit-date: 2021-10-21
host: x86_64-pc-windows-msvc
libgit2: 1.3.0 (sys:0.13.23 vendored)
libcurl: 7.79.1-DEV (sys:0.4.49+curl-7.79.1 vendored ssl:Schannel)
os: Windows 10.0.22000 (Windows 10 Pro) [64-bit]
```

and

```
cargo 1.57.0 (b2e52d7ca 2021-10-21)
release: 1.57.0
commit-hash: b2e52d7cab0a286ee9fcc0c17510b1e72fcb53eb
commit-date: 2021-10-21
host: x86_64-unknown-linux-gnu
libgit2: 1.3.0 (sys:0.13.23 vendored)
libcurl: 7.79.1-DEV (sys:0.4.49+curl-7.79.1 vendored ssl:OpenSSL/1.1.1l)
os: Ubuntu 20.04 (focal) [64-bit]
```
@mikehentges mikehentges added the C-bug Category: bug label Dec 28, 2021
@ehuss
Contributor

ehuss commented Dec 28, 2021

When a dependency is specified as a plain version number, it is interpreted as a caret requirement which means it will pull in the most recent semver-compatible version. If you want to prevent that from happening and only use a specific version, you can use an equal requirement like =1.2.3, though usually that isn't necessary as a Cargo.lock file is usually used to keep a dependency at a specific version.

I realize for pre-release versions that can be a little awkward as some projects decide to make breaking changes. This is discussed a little in the Pre-releases section, and how to handle them is still an open question (#2222).

@mikehentges
Author

Well, I see - it's a "feature", not a bug. Thanks for the references, this makes more sense. The lock file prevented the version upgrade on my previous project - so only the new one was getting "upgraded" like this. Couldn't see why the same Cargo.toml dependency was producing 2 different outputs.
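
The caret rule described in ehuss's reply, as an added example (not part of the thread and not Cargo's own resolver code). It is a simplified matcher that assumes full `x.y.z[-pre]` version strings and a single comparator; `parse`, `caret_matches` and `newest_match` are hypothetical names, and the published list is constructed from the version strings in the report.

```rust
// Simplified model (assumption of this example): full `x.y.z[-pre]` strings only.
// Fields: [major, minor, patch], is_release, pre-release ids as sort keys.
type Version = ([u64; 3], bool, Vec<(bool, u64, String)>);

fn parse(s: &str) -> Option<Version> {
    let (core, pre) = s.split_once('-').unwrap_or((s, ""));
    let mut nums = [0u64; 3];
    let mut parts = core.split('.');
    for n in nums.iter_mut() {
        *n = parts.next()?.parse().ok()?;
    }
    if parts.next().is_some() { return None; }
    // Numeric identifiers rank below text ones; a release outranks its pre-releases.
    let ids = pre.split('.').filter(|id| !id.is_empty())
        .map(|id| match id.parse::<u64>() {
            Ok(n) => (false, n, String::new()),
            Err(_) => (true, 0, id.to_string()),
        })
        .collect::<Vec<_>>();
    Some((nums, ids.is_empty(), ids))
}

fn caret_matches(r: &Version, c: &Version) -> bool {
    // A pre-release candidate needs a pre-release requirement on the same x.y.z.
    if !c.1 && (r.1 || r.0 != c.0) { return false; }
    // The leftmost non-zero component of the requirement may not change.
    let same_series = if r.0[0] > 0 { c.0[0] == r.0[0] }
        else if r.0[1] > 0 { c.0[..2] == r.0[..2] }
        else { c.0 == r.0 };
    same_series && c >= r
}

// Newest published version accepted by a bare (caret) or `=` (exact) requirement.
fn newest_match<'a>(req: &str, published: &[&'a str]) -> Option<&'a str> {
    let want = parse(req.trim_start_matches('='))?;
    let exact = req.starts_with('=');
    published.iter().copied()
        .filter_map(|s| parse(s).map(|v| (v, s)))
        .filter(|(v, _)| if exact { *v == want } else { caret_matches(&want, v) })
        .max()
        .map(|(_, s)| s)
}

fn main() {
    // Constructed registry listing using the clap version strings from the report.
    let clap = ["3.0.0-beta-5", "3.0.0-rc.9"];
    println!("{:?}", newest_match("3.0.0-beta-5", &clap));
    println!("{:?}", newest_match("=3.0.0-beta-5", &clap));
}
```

Removing Cargo.lock re-runs this selection against whatever is published at build time, which is why a build that has to be reproducible keeps the lock file or uses `=` requirements.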
