In my very large Rust-based project of about 100k lines of code, 100 direct dependencies, and 800 total dependencies, I always require version="*"
for each dependency, except for specific ones that either I cannot or don’t want to upgrade.
Crucially, I also commit my Cargo.lock
, as the Cargo manual recommends.
I normally build with cargo --locked
. Periodically, I will do a cargo update
and run cargo outdated
so that I’m able to see if there are specific packages keeping me at older versions.
To upgrade a specific package, I can just remove it’s record directly from Cargo.lock
and then do a regular cargo build
.
This works very well!
Advantages
- I minimize my number of dependencies, and therefor build times
- I keep my personal ecosystem from falling too far behind that of crates.io
- I rarely wind up with a situation where I have two dependencies that depend on a different symbol version
- I don’t have to change a version in all of my many
Cargo.toml
s
Disadvantages
- I cannot publish my large repository to a wider audience (but that will never happen for this repository)
- People who see my code start feeling ill and start shifting their eyes nervously.
Could also be performance benefits. You could research into updates of every dependency (and some crates don’t publish changelogs, so you have to dive through commit messages), but who has the time for that?