cargo publish should refuse an out-of-date lockfile #13986
Comments
To double check my understanding,
no,
Ah, I was looking at the wrong layer of abstraction.
$ cargo publish -n
Compiling cargo v0.81.0 (/home/epage/src/personal/cargo)
Finished `dev` profile [unoptimized + debuginfo] target(s) in 10.03s
Running `/home/epage/src/personal/cargo/target/debug/cargo -Zscript publish -n`
Updating crates.io index
warning: manifest has no description, license, license-file, documentation, homepage or repository.
See https://doc.rust-lang.org/cargo/reference/manifest.html#package-metadata for more info.
Packaging cargo-13986 v0.1.1 (/home/epage/src/personal/dump/cargo-13986)
Verifying cargo-13986 v0.1.1 (/home/epage/src/personal/dump/cargo-13986)
Compiling cargo-13986 v0.1.1 (/home/epage/src/personal/dump/cargo-13986/target/package/cargo-13986-0.1.1)
Finished `dev` profile [unoptimized + debuginfo] target(s) in 0.26s
Packaged 6 files, 1.1KiB (857.0B compressed)
Uploading cargo-13986 v0.1.1 (/home/epage/src/personal/dump/cargo-13986)
warning: aborting upload due to dry run
$ cargo package
warning: manifest has no description, license, license-file, documentation, homepage or repository.
See https://doc.rust-lang.org/cargo/reference/manifest.html#package-metadata for more info.
error: 1 files in the working directory contain changes that were not yet committed into git:
Cargo.lock
to proceed despite this and include the uncommitted changes, pass the `--allow-dirty` flag
I worry that there are shenanigans that people do during publish such that having I think changing the behavior in the presence of For myself, after doing enough releases, I feel like
Problem
updating a package's version in Cargo.toml, running cargo publish, then creating a tagged commit will cause a desync between the commit and the version on crates.io in the lockfile.
the crates.io version will have the appropriate version in Cargo.lock, but the tagged commit will have the wrong version info in the lockfile, causing problems for anyone who tries to build that version with cargo build --locked
Steps
cargo build --locked
Possible Solution(s)
make cargo publish refuse to publish if the lockfile is out of date
Notes
this is particularly annoying when trying to package a rust program with nix, often the only solution is to vendor a fixed lockfile
Version
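A pre-tag check for the desync described in the issue above, as an added example that is not part of the original thread or of cargo: it compares the version in `Cargo.toml` with the version `Cargo.lock` records for the local package. The function names, the `demo` crate and its sample files are constructed for illustration, and the parsing assumes literal `name`/`version` strings in `[package]`.

```shell
# Added example, not cargo's code. Assumes literal `name`/`version` strings in
# [package] (no `version.workspace = true`) and cargo's generated Cargo.lock layout.

# Print a string field from the [package] table of a Cargo.toml.
manifest_field() {  # $1 = Cargo.toml path, $2 = key
    awk -v key="$2" '
        /^\[/ { in_pkg = ($0 ~ /^\[package\]/); next }
        in_pkg && $0 ~ ("^[ \t]*" key "[ \t]*=") && match($0, /"[^"]*"/) {
            print substr($0, RSTART + 1, RLENGTH - 2); exit
        }' "$1"
}

# Print the version Cargo.lock records for local package $2. Local (path)
# packages are the [[package]] entries that carry no `source` key.
lock_version() {  # $1 = Cargo.lock path, $2 = package name
    awk -F'"' -v want="$2" '
        function emit() {
            if (name == want && !src && !done) { print ver; done = 1 }
            name = ""; ver = ""; src = 0
        }
        /^\[/         { emit(); next }
        /^name = /    { name = $2 }
        /^version = / { ver = $2 }
        /^source = /  { src = 1 }
        END           { emit() }' "$1"
}

# Exit status 0 when the lockfile entry matches the manifest, 1 when stale.
check_lock_in_sync() {  # $1 = crate directory
    name=$(manifest_field "$1/Cargo.toml" name)
    want=$(manifest_field "$1/Cargo.toml" version)
    have=$(lock_version "$1/Cargo.lock" "$name")
    if [ -n "$want" ] && [ "$want" = "$have" ]; then
        echo "ok: $name $want matches Cargo.lock"
    else
        echo "stale: Cargo.toml has $name $want, Cargo.lock has ${have:-no entry}" >&2
        return 1
    fi
}

# Constructed sample crate "demo": $1 = dir, $2 = manifest version, $3 = locked version.
make_sample() {
    mkdir -p "$1"
    printf '[package]\nname = "demo"\nversion = "%s"\n' "$2" > "$1/Cargo.toml"
    printf '[[package]]\nname = "log"\nversion = "0.4.21"\nsource = "registry+https://github.com/rust-lang/crates.io-index"\n\n[[package]]\nname = "demo"\nversion = "%s"\n' "$3" > "$1/Cargo.lock"
}

# Demo: Cargo.toml bumped to 0.1.1 while the lockfile still records 0.1.0.
d=$(mktemp -d); make_sample "$d" 0.1.1 0.1.0; check_lock_in_sync "$d" || true; rm -rf "$d"
```

Run before creating the release tag, a non-zero exit from `check_lock_in_sync` means the commit about to be tagged would carry a lockfile that `cargo build --locked` rejects.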