Idea: Resolving semver for packages with dates


#1

I was talking to a friend who learned Rust a while ago, and one thing she mentioned is that it’s very easy to leave wildcards in Cargo.toml, lose Cargo.lock, and then come back months later and not know what versions of dependencies you were using.

This led to an interesting idea: given a point in time, you should be able to determine what versions would be resolved at that point in time. If you know when versions are released, you can simply omit versions released after that point for resolution, and for git commits, you can simply travel through the history until you get to a commit before the given time.

Obviously, the solution to all of this is just “save Cargo.lock,” but this seems like an interesting idea for a cargo plugin. I don’t have the time to work on this but I figured someone might find this to be a cool challenge and pick it up. You don’t need to support just wildcards, even; you could do full semver resolution just fine. I don’t specifically know if this would be useful to anyone outside the “I lost my Cargo.lock file” scenario, but it seemed cool enough to share.
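The date-cutoff resolution described in this post, as an added example that is not part of the original thread and is not Cargo's own code. It assumes a constructed release list with ISO-8601 publish dates (compared as strings), handles only wildcard requirements such as `*`, `1.*` and `1.2.*`, and the names `Release`, `matches` and `resolve_at` are hypothetical.

```rust
// Added example: the release list below is constructed, not real registry data.

/// One published release: ((major, minor, patch), ISO-8601 publish date).
type Release = ((u64, u64, u64), &'static str);

// Constructed sample history for a single hypothetical crate.
const RELEASES: &[Release] = &[
    ((0, 9, 3), "2017-01-10"),
    ((1, 0, 0), "2017-03-02"),
    ((1, 0, 1), "2017-04-20"),
    ((1, 1, 0), "2017-08-15"),
    ((2, 0, 0), "2018-01-05"),
];

/// Does `v` satisfy a wildcard requirement such as "*", "1.*" or "1.2.*"?
/// Each dotted component must be "*" or equal the matching version number.
fn matches(req: &str, v: (u64, u64, u64)) -> bool {
    let parts = [v.0, v.1, v.2];
    req.split('.')
        .zip(parts)
        .all(|(r, p)| r == "*" || r.parse::<u64>() == Ok(p))
}

/// Highest version matching `req` that was published on or before `cutoff`.
/// Releases newer than the cutoff are dropped before resolution, so the
/// result is what a resolver would have picked on that date.
fn resolve_at(releases: &[Release], req: &str, cutoff: &str) -> Option<(u64, u64, u64)> {
    releases
        .iter()
        .filter(|(v, date)| *date <= cutoff && matches(req, *v))
        .map(|(v, _)| *v)
        .max()
}

fn main() {
    // Try a few guessed dates, as suggested for a lost Cargo.lock.
    for cutoff in ["2017-02-01", "2017-05-01", "2018-06-01"] {
        println!("* as of {}: {:?}", cutoff, resolve_at(RELEASES, "*", cutoff));
    }
}
```

Running the resolution for several candidate dates and comparing the results against what still builds is one way to narrow down the date of the last update.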


#2

Even in the given use-case, there’s another date that matters that you have probably lost together with the lock file: the date you last ran cargo update.

You can probably approximate, and there may be other use cases where this isn’t important: maybe visualising dependency graph evolution of the crates ecosystem over time, or something?


#3

You might not know that date, but if you have a good guess you can resolve dependencies on that date and see how well it works.

I’d love to have this tool, to resolve wildcards in Cargo.toml based on a specified date.


#4

Maybe this would be doable by resetting Cargo’s git index (~/.cargo/registry/index/) to a revision from that time?

(it’s a bit more complicated because it’s now a bare repo, and old commits are not on the master branch)