-
Notifications
You must be signed in to change notification settings - Fork 2.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
cargo update should not highlight non-semver-compatible "(latest: v0.23.5)" for indirect dependencies #13908
Comments
@rustbot label +Command-update +A-console-output |
Thanks for the suggestion! Agree it is not actionable locally and quite verbose, especially when you have only few direct dependencies and that's very noisy. However, I see it as an opportunity to encourage user to collaborate with upstreams. Putting in behind One similar work we've done is future-compatible warnings. Cargo indeed puts them behind |
This seems like bad reasoning, since
I suppose that the If anything, I would be happy if you showed Unchanged semver-incompatible bumps for my workspace's direct dependencies, but it currently doesn't -- so that also feels inconsistent. To summarize:
(I happen to do a lot of this, trying to push the ecosystem forward -- but I think I'm in a small minority, and anyway it's still a different level of actionable/effort to effect changes like this, so any production user will have to timebox these efforts.) (cc @epage who's done a lot of work in this area.) |
Sorry for the delay, I've been doing some focused time trying to wrap things up before I get to my 100+ github notifications between MSRV, 2024 Edition, and RustNL (wish timing worked to talk to you in person about this). This also caused confusion in #13873 (comment) This was previously discussed in #13372. The idea behind this comes from
I'd have to check the implementation and issues, but I have a feeling this runs counter to the feedback you gave for CC @jonhoo as you mentioned in the release changes stream your excitement for reporting changes and want to make sure we capture multiple perspectives |
I'm curious what feedback you're thinking of exactly! I think giving this |
With
changed dependencies are shown, regardless of the nature of the change ( Why doesn't this make sense when an MSRV isn't set? Cargo is preventing an upgrade and we want the user to know. Right now, resolving some of those upgrades is more manual (edit version requirements, bug dependencies) but we will be adding support for a flag to help with the version requirements. |
IIRC the output in
Yes, I understand what it's doing and why it is the way it is. I'm arguing that whether the "(latest ..)" badge is shown should be independent of whether a dependency is changed (due to a semver-compatible upgrade/downgrade), because whether a semver-compatible update happened since the last time I ran Including the plan for the MSRV-aware resolver, I think there are 3 different categories here:
|
Thanks for CCing me! Yeah, I think I agree with @djc above on the things that are important to highlight. In particular, I agree that dependencies that could not be updated to the latest version for a reason that is under the user's control (i.e., direct dependency or MSRV) should be highlighted independently of whether that dependency happened to be updated in this particular I very much empathize with @weihanglo wanting to encourage upstream contribution, but as @djc points out there is a trade-off here where overloading users with hard-to-action information is likely to lead to worse overall outcomes (people ignoring warnings) rather than the virtuous effects we wish to see. I sadly don't have a great suggestion for how to highlight updates that are blocked indirectly. Personally, I also tend to run |
…cted In discussin this in rust-lang#13873, it highlighted that we need to make sure we tell people when we get in this state. I decided to keep "latest" and "required rust version" messages mutually exclusive to avoid too much noise. I gave "required rust version" higher precedence as its the more critical to operation and, if you are using an MSRV-incompatible package, it likely is "latest" already. I was tempted to change colors to make "required rust version" stand out from "latest" but was unsure what direction to go, so I held off. Options included - red for "required rust version", yellow for "latest" - yellow for "required rust version", nothing for "latest" There is also more discussion on how to format "latest" at rust-lang#13908.
…cted In discussin this in rust-lang#13873, it highlighted that we need to make sure we tell people when we get in this state. I decided to keep "latest" and "required rust version" messages mutually exclusive to avoid too much noise. I gave "required rust version" higher precedence as its the more critical to operation and, if you are using an MSRV-incompatible package, it likely is "latest" already. I was tempted to change colors to make "required rust version" stand out from "latest" but was unsure what direction to go, so I held off. Options included - red for "required rust version", yellow for "latest" - yellow for "required rust version", nothing for "latest" There is also more discussion on how to format "latest" at rust-lang#13908.
…cted In discussin this in rust-lang#13873, it highlighted that we need to make sure we tell people when we get in this state. I decided to keep "latest" and "required rust version" messages mutually exclusive to avoid too much noise. I gave "required rust version" higher precedence as its the more critical to operation and, if you are using an MSRV-incompatible package, it likely is "latest" already. I was tempted to change colors to make "required rust version" stand out from "latest" but was unsure what direction to go, so I held off. Options included - red for "required rust version", yellow for "latest" - yellow for "required rust version", nothing for "latest" There is also more discussion on how to format "latest" at rust-lang#13908.
…cted In discussin this in rust-lang#13873, it highlighted that we need to make sure we tell people when we get in this state. I decided to keep "latest" and "required rust version" messages mutually exclusive to avoid too much noise. I gave "required rust version" higher precedence as its the more critical to operation and, if you are using an MSRV-incompatible package, it likely is "latest" already. I was tempted to change colors to make "required rust version" stand out from "latest" but was unsure what direction to go, so I held off. Options included - red for "required rust version", yellow for "latest" - yellow for "required rust version", nothing for "latest" There is also more discussion on how to format "latest" at rust-lang#13908.
feat(update): Report when incompatible-rust-version packages are selected ### What does this PR try to resolve? In discussin this in #13873, it highlighted that we need to make sure we tell people when incompatible-rust-version packages are selected. I decided to keep "latest" and "required rust version" messages mutually exclusive to avoid too much noise. I gave "required rust version" higher precedence as its the more critical to operation and, if you are using an MSRV-incompatible package, it likely is "latest" already. ### How should we test and review this PR? ### Additional information I was tempted to change colors to make "required rust version" stand out from "latest" but was unsure what direction to go, so I held off. Options included - red for "required rust version", yellow for "latest" - yellow for "required rust version", nothing for "latest" There is also more discussion on how to format "latest" at #13908.
feat(update): Report when incompatible-rust-version packages are selected ### What does this PR try to resolve? In discussin this in #13873, it highlighted that we need to make sure we tell people when incompatible-rust-version packages are selected. I decided to keep "latest" and "required rust version" messages mutually exclusive to avoid too much noise. I gave "required rust version" higher precedence as its the more critical to operation and, if you are using an MSRV-incompatible package, it likely is "latest" already. ### How should we test and review this PR? ### Additional information I was tempted to change colors to make "required rust version" stand out from "latest" but was unsure what direction to go, so I held off. Options included - red for "required rust version", yellow for "latest" - yellow for "required rust version", nothing for "latest" There is also more discussion on how to format "latest" at #13908.
feat(update): Report when incompatible-rust-version packages are selected ### What does this PR try to resolve? In discussin this in #13873, it highlighted that we need to make sure we tell people when incompatible-rust-version packages are selected. I decided to keep "latest" and "required rust version" messages mutually exclusive to avoid too much noise. I gave "required rust version" higher precedence as its the more critical to operation and, if you are using an MSRV-incompatible package, it likely is "latest" already. ### How should we test and review this PR? ### Additional information I was tempted to change colors to make "required rust version" stand out from "latest" but was unsure what direction to go, so I held off. Options included - red for "required rust version", yellow for "latest" - yellow for "required rust version", nothing for "latest" There is also more discussion on how to format "latest" at #13908.
refactor(update): Prepare for smarter update messages ### What does this PR try to resolve? This is to make it easier to - Make #14401 path aware - Work on #13908, depending on what is decided - Improve the heuristics for when we show `Locking` messages There are fixes along the way that were found by making the code more consistent in prep for consolidating it, mostly for #14401. ### How should we test and review this PR? Along the way, some odd code structures are used for the sake of making the diff easier to follow. These get cleaned up towards the end I didn't add tests for the fixes because of the code consolidation that happens that causes us to cover more real-world scenarios with fewer tests. ### Additional information
#14445 tweaked this to skip showing workspace members being locked when doing the regular manifest->lockfile sync |
Instead of always listing the absolute latest version as a warning color, we now differentiate - compatible updates are always actionable - incompatible, direct deps are always actionable These get reported and made yellow while non-actionable messages are unstyled. This is not intended as *the* solution for rust-lang#13908 though it makes improvements in that direction. This is prep work for improved MSRV reporting where we will differentiate this further by only considering MSRV-compatible updates as actionable (or rustc-compatible when not using MSRV-aware reslver). I just used a broad stroke to say "compatible" in the message means "semver compatible" and use `^` - We could focus on "compatible with dependent version reqs" which is what will be most actionable but seeing if we can get away without having to track all in-coming version reqs. - We could be more nuanced in language but the more verbose we are, the more we take away from higher priority messages
#14461 further tweaks things. As noted in the PR, this is more of a stepping stone for some MSRV changes. As a side benefit, it experiments with how to handle this issue. After the rest of the MSRV reporting changes are in, I'll be looking for input on where we are at and discuss it with the cargo team. |
fix(resolve): With `latest` message, differentiate actionable updates ### What does this PR try to resolve? Instead of always listing the absolutely latest version as a warning color, we now differentiate - compatible updates are always actionable - incompatible, direct deps are always actionable These get reported and made yellow while non-actionable messages are unstyled. ### How should we test and review this PR? I just used a broad stroke to say "compatible" in the message means "semver compatible" and use `^` - We could focus on "compatible with dependent version reqs" which is what will be most actionable but seeing if we can get away without having to track all in-coming version reqs. - We could be more nuanced in language but the more verbose we are, the more we take away from higher priority messages ### Additional information This is not intended as *the* solution for #13908 though it experiments with what to do for that. This is prep work for improved MSRV reporting where we will differentiate this further by only considering MSRV-compatible updates as actionable (or rustc-compatible when not using MSRV-aware reslver).
#14471 is the last step. Once that hits nightly, I'll be looking for a new round of feedback and then take it to the Cargo team. |
feat(resolve): Report MSRV compatible version instead of incomptible ### What does this PR try to resolve? This expands on #14461 to where only MSRV-compatible versions are "actionable". MSRV-incompatible versions are therefore unstyled. We report the MSRV needed so people can choose to unblock by updating their MSRV. I had wondered if we should report the the absolute latest MSRV-incompatible version or the one with the next higher MSRV from where the user is at. Both are reasonable use cases, so I erred with absolute latest version. ```console $ cargo update --workspace -v ``` ![image](https://github.com/user-attachments/assets/27e40dda-287b-4223-a377-0233205307a2) ### How should we test and review this PR? I changed the label from `latest` to `available` to not have to keep coming up with relevant terms for each case. ### Additional information This is the final step before asking for new feedback on #13908
Instead of always listing the absolute latest version as a warning color, we now differentiate - compatible updates are always actionable - incompatible, direct deps are always actionable These get reported and made yellow while non-actionable messages are unstyled. This is not intended as *the* solution for rust-lang#13908 though it makes improvements in that direction. This is prep work for improved MSRV reporting where we will differentiate this further by only considering MSRV-compatible updates as actionable (or rustc-compatible when not using MSRV-aware reslver). I just used a broad stroke to say "compatible" in the message means "semver compatible" and use `^` - We could focus on "compatible with dependent version reqs" which is what will be most actionable but seeing if we can get away without having to track all in-coming version reqs. - We could be more nuanced in language but the more verbose we are, the more we take away from higher priority messages
…cted In discussin this in rust-lang#13873, it highlighted that we need to make sure we tell people when we get in this state. I decided to keep "latest" and "required rust version" messages mutually exclusive to avoid too much noise. I gave "required rust version" higher precedence as its the more critical to operation and, if you are using an MSRV-incompatible package, it likely is "latest" already. I was tempted to change colors to make "required rust version" stand out from "latest" but was unsure what direction to go, so I held off. Options included - red for "required rust version", yellow for "latest" - yellow for "required rust version", nothing for "latest" There is also more discussion on how to format "latest" at rust-lang#13908.
#14471 should now be in nightlies. Could people give it a try and let us know what works well and what doesn't? |
Instead of always listing the absolute latest version as a warning color, we now differentiate - compatible updates are always actionable - incompatible, direct deps are always actionable These get reported and made yellow while non-actionable messages are unstyled. This is not intended as *the* solution for rust-lang#13908 though it makes improvements in that direction. This is prep work for improved MSRV reporting where we will differentiate this further by only considering MSRV-compatible updates as actionable (or rustc-compatible when not using MSRV-aware reslver). I just used a broad stroke to say "compatible" in the message means "semver compatible" and use `^` - We could focus on "compatible with dependent version reqs" which is what will be most actionable but seeing if we can get away without having to track all in-coming version reqs. - We could be more nuanced in language but the more verbose we are, the more we take away from higher priority messages
@djc part of the intent for that was to surface technical debt in your dependency tree. I tried to distinguish actionable items by giving them a color. The overall challenge is finding the right balance for what to include and how to include it without overwhelming the user. We had talked about the transitive breaking changes in the cargo team meeting before your post and decided to go ahead and cut them for now. |
…ilable This is part of rust-lang#13908
fix(resolve): Don't list transitive, incompatible dependencies as available ### What does this PR try to resolve? We have limited capability to clearly communicate to the user the different update states without overwhelming them. Before we showed all versions that were behind, with color distinguishing how actionable they are. Color doesn't communicate enough though and we don't want to add footnotes to clarify everything. For now, the least useful messages will be removed, available, transitive, incompatible versions. These only give the user a hint of tech debt within their dependencies and can't be acted upon. This is part of #13908 ### How should we test and review this PR? ### Additional information
@djc are things in a satisfactory state for closing this? |
Yes, I think things are in a much better state now. Thanks! |
I came to this issue wondering where the notifications of outdated transitive dependencies went, and how to get them back - am I right to assume that they're removed completely? Not even the --verbose flag shows them. I have used them in the past to provide PRs to projects with outdated dependencies which I transitively depend on, which IMO benefits the ecosystem quite a lot. |
Problem
I just ran my weekly
cargo update
against the workspace at work, and it highlighted this change:This workspace does not have a direct dependency on rustls. As such, I would suggest this information isn't actionable enough to merit a mention in the non-verbose
cargo update
output (it would definitely fit in with the verbose output).Steps
No response
Possible Solution(s)
No response
Notes
No response
Version
The text was updated successfully, but these errors were encountered: