Support workspace-level crate version denylist / local yanking #13856
Labels
A-dependency-resolution
Area: dependency resolution and the resolver
A-patch
Area: [patch] table override
C-feature-request
Category: proposal for a feature. Before PR, ping rust-lang/cargo if this is not `Feature accepted`
S-needs-info
Status: Needs more info, such as a reproduction or more background for a feature request.
Problem
Occasionally, crates release a semver-violating version that causes breakage when consumed.
Cargo currently has two main features to address this issue:
The first approach is the best one, but it requires active intervention of the crate authors which may sometime take a few days. The second approach works great if the dependency was already used through a good version, however it's not easy to use when we want start using this dependency. This dependency can be deep in the chain so applying requirements locally in the workspace may not work. There are also solutions involving forking the crate or pointing to some other source (such as the Git repo), but these feel more complex than needed since the working version already exists in the registry, cargo resolution should be able to resolve it.
The scenario is the following:
foo
has a private dependency onclumsy ^1.0.0
bar
has a private dependency onclumsy ^2.0.0
myproject
depends onfoo
onlyclumsy
releases2.0.1
which contains a semver violationmyproject
wants to add a dependency onbar
, but by doing so cargo pulls the brokenclumsy 2.0.1
instead of the workingclumsy 2.0.0
myproject
now needs to wait for an upstream fix or manually edit the lock file to addfoo
andclumsy 2.0.0
, which is pretty tedious.Proposed Solution
The solution for me would be to help resolution / updating the lock file in presence of semver violations without expecting coordination from third-party libraries, In the problem description, the fix could also be applied in
bar
, but in all casesmyproject
has to wait for a fix upstream instead of fixing it itself locally and moving on. I expect the solution to be applied locally at the workspace level and not be used when publishing the top crate to the registry.The restricted solution for this issue of semver violations would be to have a way to mark at the workspace level that a crate version should be treated as yanked. When cargo performs resolution, a crate version is treated as yanked if it is marked as such either on the registry or in the workspace manifest (for example in the patch section). Resolution proceeds with regular yanking semantics. With this solution,
myproject
would flagclumsy@2.0.1
as yanked and cargo resolution would selectclumsy@2.0.0
.A more general solution would be to allow patching dependency requirements.
myproject
could patchbar
to depend onclumsy =2.0.0
instead ofclumsy ^2.0.0
.Another general solution would be support for version substitution when patching the registry. Right now
patch.crates-io.clumsy
can swap it to apath
orgit
dependency, but it could also support swapping for a different version from the registry.Notes
Despite being currently affected by the scenario above, I prefer to avoid sharing exact details of the crates involved as general improvements to occasional semver violations feel more important than blaming specific instances which should be fixed eventually anyway. It's not the first time that I encounter a semver violation, nor the last and it would be nice to have an escape hatch. EDIT: The violation that prompted me to fill this issue was fixed through yanking after 3 days.
Also related:
The text was updated successfully, but these errors were encountered: