In using a git dependency in one of my projects, I noticed that my expectation of having cargo update my git dependency was different than its current behaviour. After a short discussion in #rust, I think it’s probably better to discuss it here.
Suppose you have the following dependency:
[dependencies.nanovg] git = “https://github.com/Oipo/nanovg-rs”
What this does is, upon first build of the project, it saves the current latest commit on the master branch to Cargo.lock. Every subsequent build then proceeds to use that version until a user manually runs cargo update.
However, when developing, one might want to have cargo automatically check if it’s the latest version and if not, automatically update.
Furthermore, I personally think that the current way of defining a git dependency, without a specific “version” or “commit”, is confusing with the current behaviour of specifying crate dependencies.
There are a couple of things going on here:
- Developers are not able to specify whether a git dependency should be automatically updated to the latest commit
- For git dependencies, one is able to not specify a commit. For crate dependencies, this is not possible, one has to define at least a wildcard for the version.
So what I’d like to discuss here is:
- Would it be a good idea to offer a flag for not wanting to pin a dependency to the Cargo.lock version, but always update it to the latest available?
- Would it be a good idea to harmonise the explicitness of defining a version of a crate dependency with the implicit defining a version of a git dependency?
One proposal for 1. would be to add a flag like so:
[dependencies.nanovg] git = "https://github.com/Oipo/nanovg-rs" pinning = “latest|default” #for git dependencies pinning = “latest|highest_minor|default” #for crate dependencies
Where pinning can be only one of the given options listed.
One proposal for 2. is to disallow merely specifying the git repository, but always include a commit or a wildcard, like so:
[dependencies.nanovg] git = “https://github.com/Oipo/nanovg-rs#*”
This would make it more similar to how crate dependencies are specified.