-
Notifications
You must be signed in to change notification settings - Fork 2.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Make cargo outdated
part of cargo itself
#4309
Comments
I'm sure there are many examples where these can be helpful. Here's one that inspired me to write up this proposal: servo/unicode-bidi#46 (comment) |
I think we'd probably want to canvas what other package managers do here, e.g. do npm, yarn, bundler, rubygems, pip, etc do anything like this? I was personally under the impression that this sort of concerns was typically farmed out to a third-party service. |
Here’s a summary of similar features in some other package managers. JS NPMNPM CLI has built-in Like It looks like that Ref: https://docs.npmjs.com/cli/outdated Description(from https://github.com/npm/npm/blob/latest/doc/cli/npm-outdated.md) This command will check the registry to see if any (or, specific) installed packages are currently outdated. In the output:
ExampleEdit $ npm outdated
Package Current Wanted Latest Location
underscore MISSING 1.7.0 1.8.3 underscore
$ npm install
[email protected] node_modules/underscore
$ npm outdated
Package Current Wanted Latest Location
underscore 1.7.0 1.7.0 1.8.3 underscore JS YarnYarn CLI has built-in Ref: https://yarnpkg.com/lang/en/docs/cli/outdated/ DescriptionLists version information for all package dependencies. This information includes the currently installed version, the desired version based on semver, and the latest available version. For example, say your package.json has the following dependencies listed: "dependencies": {
"lodash": "4.15.0",
"underscore": "~1.6.0"
} The command run should look something like this: yarn outdated
Package Current Wanted Latest
lodash 4.15.0 4.15.0 4.16.4
underscore 1.6.0 1.6.0 1.8.3
✨ Done in 0.72s. Ruby GemsGems CLI has built-in Ref: http://guides.rubygems.org/command-reference/#gem-outdated Description(From ref.) The outdated command lists gems you may wish to upgrade to a newer version. You can check for dependency mismatches using the dependency command and update the gems with the update or install commands. Ruby BundlerBundler CLI has built-in Ref: https://bundler.io/v1.11/bundle_outdated.html Description(From ref.) Outdated lists the names and versions of gems that have a newer version available in the given source. Calling outdated with Python PIPPIP CLI's Ref: https://pip.pypa.io/en/stable/reference/pip_list/ ExamplesList installed packages.
List outdated packages (excluding editables), and the latest version available.
|
In summary:
|
So, IMHO, we can plan to for these functionalities, applicable only to direct dependencies of a package/workspace. a) A built-in b) Expand (a) to support workspaces. c) Add options to d) Expand (c) to also support workspaces. These two can be enough for shell scripts and third-party cargo commands to easily build automations for stable upgrades, meaning that run the tests with single upgrades and revert if there's compile or test errors. What do you think? |
https://crates.io/crates/cargo-outdated works well today |
Unfortunately, Also, a question would be about the original proposal to add optional warning (possibly as an opt-in, via env-var and/or cli option) for |
I'd be totally down for adding native |
Also thanks so much for doing that investigation @behnam, it's quite helpful! |
A big +1 for getting I've been using Just to update the yarn output, it actually looks like the following now:
Having the URL in the output is quite nice to be able to see the changes too. Separating the dev-dependencies, build-dependencies and dependencies more cleanly than yarn does would be nice too but then it might become too complex to display with workspaces. One change to do compared to
I only care about If we want to go c) I would recommend checking the I'd be interested to do the implementation if that ends up being accepted for cargo! |
Good ideas, @Keats!
Agreed. Also, on a similar note, a
I'm not sure what
Actually, I think the readonly functionality won't be that complex for workspaces, since there's expected to be one But, it's a good reminder that we also need something like NPM's And as a plus, this would be Cargo's internal tool to warn on a workspace (or even a package) having direct dependencies on multiple versions of a single package.
Exactly. I'm not sure if we want a feature to perform these checks more than one level depth. I think we can start with direct deps and see if there's demand for an option to extend.
Awesome! I won't be able to get to this in the next few weeks, but can help with some tests and reviews, if needed. |
So, looks like we have general consensus on the core functionality of a built-in Also, let's CC author of |
Build dependencies would be
My worry was more on how to display it well in the terminal when you have many workspaces like habitat. I guess scrolling a bit is not a huge issue |
Agreed, @Keats. :) Funny thing about |
The `[build-dependencies]` section was missing from the Dependency sections list, making it hard to find its existence and link to `specifying-dependencies` page. This puts the section title in the list, so a normal find works. Background: rust-lang#4309 (comment)
[doc/manifest] Add build-dependencies to Dependency sections list The `[build-dependencies]` section was missing from the Dependency sections list, making it hard to find its existence and link to `specifying-dependencies` page. This puts the section title in the list, so a normal find works. Background: #4309 (comment)
@alexcrichton, is this something that needs an RFC, or we can go ahead with the general consensus here and start the implementation? If no RFC, I suppose we can create a new tracker issue for the built-in |
Sorry all, I just saw this! I'm totally fine with adding a native The biggest thing I see that needs to happen for
There's also Slightly off topic, this sort of brings up the topic of third party subcommands moving closer to native commands, and if there's an official method or place for this to happen? Similar to how libs move to the nursery, is there a place where third party subcommands can move closer to |
There are two reasons you might have an outdated dependency of a crate you use. Either the author hasn't upgraded yet, or you have the old version in your
So from time to time I remove my |
We have just made a new release. Could you please test it again?
Good point. Actually when I was refactoring So yeah, it would be better to have such a guideline, or even a list of subcommand development suggestions to developers. |
I was literally looking for a new version when you wrote that 😀. Before:
After:
After removing
👍 |
@lnicola, are you saying that |
@behnam I actually had a copy of it, so I just tried If you're asking why I said I remove |
@Frederick888 Looking at my output, I think semver-breaking updates for dependencies are not reported anymore?
|
@lnicola Actually it wasn't supposed to be reported. Previously if a package has multiple occurrences with different versions/semver requirements in the dependency tree, the program may misbehaviour from time to time.
|
I don't think that was the case for
I see. It might be useful to have those reported, so you know that your dependencies use older crates. But I don't feel too strongly about it. |
Regarding making it easier for third-party libraries to use Basically, I think reading and validating the manifest (with understandings of workspace and various dependencies) should be a separate library from the commands consuming the manifest to take actions. |
I believe some of the confusion about "why doesn't |
Is there any current progress on this? Does anyone know what the last status of this was in upstream? |
Do we have an update for this? I like |
Just leaving a note here that cargo tree was recently adopted into cargo proper in #8062, which, at least to me, indicates that it's not impossible the same may happen to cargo outdated if someone does the work. |
cc @deg4uss3r |
Thanks for the cc @kbknapp I'm in the middle of wrapping up at my current job, but I should be more free starting next week to really look into this :) |
Hey, have you been able to look into this perchance? |
@svenstaro Yes I have! Progress is moving slowly, but I am working on it :) starting the new job at the same time is tough though |
Ok sweet, thanks for the update! |
@deg4uss3r friendly ping :D |
@svenstaro Thank you very much for keeping me honest! So, I am working on this; however, I have been doing so offline because I see a lot of little things to improve on This will look VERY rough right now, I'm sorry it's been a pretty interesting 2020 so far! So this simplifies the project way down to only looking at workspace dependencies and requesting the latest from https://crates.io through the API. I think this is the best choice to add to cargo since we want it to always work no more compile issues with conflicting dependencies and it will only check the outdated dependencies of the current project rather than diving into dependencies that the launcher will have no control over. There's A LOT (as you can tell) that I need to work on the biggest is integrating with
I would love some opinions on this scaled down version before I continue further though as, personally I think this is what we want as a Edit: I'm sure there's some really simple optimizations I haven't done yet but right now it's pretty fast, it takes about 9 seconds (release build, from rustc stable |
Great to see some progress! Since you asked for feedback: Features that I really like in the current version: |
I use |
I suggest looking at |
To begin |
btw #10498 exists for moving cargo-edit's cargo-upgrade into cargo. I wonder if
Could you clarify which "modes" you are talking about that it'd need to support |
cargo upgrade v0.10.3 now provides a table summary of upgrades. This doesn't completely replace Example for clap: $ cargo upgrade --dry-run
Updating 'https://github.com/rust-lang/crates.io-index' index
Checking clap's dependencies
name old req locked latest new req note
==== ======= ====== ====== ======= ====
clap_derive =4.0.0-alpha.0 - - =4.0.0-alpha.0 pinned
clap_lex 0.2.2 - - 0.2.2
bitflags 1.2 1.3.2 1.3.2 1.2 compatible
textwrap 0.15.0 0.15.0 0.15.0 0.15.0
unicase 2.6 2.6.0 2.6.0 2.6
indexmap 1.0 1.9.1 1.9.1 1.0 compatible
strsim 0.10 0.10.0 0.10.0 0.10
atty 0.2 0.2.14 0.2.14 0.2
termcolor 1.1.1 1.1.3 1.1.3 1.1.1 compatible
terminal_size 0.1.12 0.1.17 0.2.1 0.2.1
backtrace 0.3 0.3.66 0.3.66 0.3
once_cell 1.12.0 1.13.0 1.13.0 1.12.0 compatible
trybuild 1.0.18 1.0.63 1.0.63 1.0.18 compatible
rustversion 1 1.0.8 1.0.8 1
trycmd 0.13 0.13.4 0.13.4 0.13
humantime 2 2.1.0 2.1.0 2
snapbox 0.2.9 0.2.10 0.2.10 0.2.9 compatible
shlex 1.1.0 1.1.0 1.1.0 1.1.0
static_assertions 1.1.0 1.1.0 1.1.0 1.1.0
note: Re-run with `--pinned` to upgrade pinned version requirements
note: Re-run with `--to-lockfile` to upgrade compatible version requirements
warning: aborting upgrade due to dry run (actual output is colored to make it easier to scan) |
If this gets picked up, one reasonable change from |
Just wanted to note here that |
feat(update): Tell users when they are still behind ### What does this PR try to resolve? Part of this is an offshoot of #12425 which is about pulling some of `cargo upgrade`s behavior into `cargo update`. One of the "'Potential related `cargo update` improvements" is informing the user when they are behind. Part of this is to help close the gap of users being behind on their dependencies unaware. This is commonly raised when discussing an MSRV-aware resolver (see rust-lang/rfcs#3537) but breaking changes are just as big of a deal so I'm starting this now. See also #7167, #4309 Compared to `cargo upgrade` / `cargo outdated`, I'm taking a fairly conservative approach and tweaking the existing output as a starting point / MVP. We can experiment with a richer or easier-to-consume way of expressing this over time. I view us telling people they aren't on the latest as a warning, so I made that text yellow. `clap $ cargo update --dry-run` ![image](https://github.com/rust-lang/cargo/assets/60961/4bf151e3-6b57-4073-8822-9140dd731d5e) `clap $ cargo update --dry-run --verbose` ![image](https://github.com/rust-lang/cargo/assets/60961/fbf802fb-3a6a-4e8b-a6ec-4ce49fb505f6) ### How should we test and review this PR? This sets up the minimal implementation and slowly adds bits at a time, with a test first that demonstrates it. ### Additional information I'm expecting that the `cargo upgrade` integration will extend the notes to say something like "X dependencies may be updated with `--breaking`"
While its not as fancy as |
In Rust ecosystem, one main concern for library developers is to not have semver breaking updates to their package, because of the fear that majority of the dependent packages not getting the routing updates that would follow a breaking update.
There are two general solutions to this problem:
The old-school back-porting of updates, so that dependents on any API version would get all the routine updates. This solution can easily become a huge maintenance cost on library developers and is not a common practice in the Rust community at the moment.
Help owner of dependent packages to update their dependency versions and apply the changes needed, if any. This solution can be much less time consuming, and distributes the workload throughout the dependency chain. It also means that only the versions being used get the maintenance work needed, but not all theoretically-possible versions. So, in rustacean words: you pay for what you use.
Based on this, I want to propose to add new features to help owners with keeping their dependencies up-to-date. Most of the functionality can be exposed via the
cargo update
command.Proposed Features
Warn on dependencies stuck in older versions. This would be a plain warning on
cargo update
. The feature would be enabled by default, but there will be an option to disable it; and there can be one release version of Cargo as transition period, where the option is disabled by-default, but there's a notice about the upcoming change, if it applies.Commands to auto-update some/all dependency versions to latest. This option would update the relevant manifests to use a latest version of a single or multiple packages. This can also be an option to
cargo update
, similar to--precise
, but instead of updating the lock file, it would also update the manifest with the latest version, or some user-provided version.This is a tool to update Cargo Manifest files. Currently,
cargo update
only works with the Cargo Lock file, so it may be a good idea to have a separate sub-command for the manifest manipulation features. But since it's a core functionality, it's better have this functionality in Cargo proper.Auto-update versions to a successful build. This is something that we can aim for in longer term, to have cargo update dependencies, and in case of failures, bisect and find the most-recent version that does not break the builds and/or tests. Best place for this may be a third-party cargo command and not cargo itself.
What do you think?
The text was updated successfully, but these errors were encountered: