Problem
Hi everyone!
At my company we are working to improve our dependency updates and supply chain reviews. As part of this we are working on a tool (to be run as part of a CI job) that handles major and minor updates and then produces some output that lists which crates were updated, which updates failed, the versions and so on. Our current approach invokes cargo update internally to handle some of the necessary steps.
We have a handful of crates that are exempt from this automatic updating because of various reasons (related to toolchains, related to external dependencies, stuff like that).
I was thinking that it would be nice to run cargo update with an --exclude option that would allow users to update all the crates except for the ones passed via this flag.
In our scenario we would be updating tens of hundreds of crates while excluding fewer than ten. That is why I think it would be convenient to have the --exclude option and to not go the route of listing all the crates that we want updated.
Proposed Solution
I would propose to add a new flag --exclude to cargo update. This flag would conflict with the option to define the crates to be updated (i.e. cargo update serde --exclude clap would not be allowed). It would be possible to provide one or more crates (e.g. cargo update --exclude serde clap).
Notes
I think I should be able to contribute the required changes myself if this feature request is accepted. I have yet to check all the possible interactions of flags, but after a first look at the code it should be manageable (--breaking should be no issue I think, but the exact behavior with --workspace might need a thought or two, maybe it should just conflict with it as well?).
Workarounds via pinning the crate version via --precise are too cumbersome in comparison I think and users probably don't always want to rewrite their toml files via cargo-edit to handle this use case.
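The semantics proposed above can be emulated today by generating the explicit package list from Cargo.lock. The following is an added example, not code from the original post or from cargo. The names `locked` and `update_args` are hypothetical, and two behaviors are choices of this example rather than of the proposal: rejecting an excluded name that is not in the lockfile, and skipping entries without a `source`.

```rust
use std::collections::{BTreeMap, BTreeSet};

/// Versions of every external package (one with a `source`) in Cargo.lock text.
fn locked(lock: &str) -> BTreeMap<String, BTreeSet<String>> {
    let mut out: BTreeMap<String, BTreeSet<String>> = BTreeMap::new();
    let (mut name, mut ver) = (None::<String>, None::<String>);
    for line in lock.lines().map(str::trim) {
        if line.starts_with('[') {
            name = None; // a new table starts: forget the previous entry
        } else if let Some(v) = line.strip_prefix("name = ") {
            name = Some(v.trim_matches('"').to_string());
        } else if let Some(v) = line.strip_prefix("version = ") {
            ver = Some(v.trim_matches('"').to_string());
        } else if line.starts_with("source = ") {
            if let (Some(n), Some(v)) = (name.take(), ver.take()) {
                out.entry(n).or_default().insert(v);
            }
        }
    }
    out
}

/// `cargo update` arguments emulating `--exclude`; duplicate names get `name@version`.
fn update_args(lock: &str, specs: &[&str], exclude: &[&str]) -> Result<Vec<String>, String> {
    if !specs.is_empty() && !exclude.is_empty() {
        return Err("--exclude conflicts with explicit package specs".into());
    }
    let pkgs = locked(lock);
    // A misspelled exclusion would silently update a crate meant to be held back.
    if let Some(e) = exclude.iter().find(|e| !pkgs.contains_key(**e)) {
        return Err(format!("excluded crate `{}` is not an external package in the lockfile", e));
    }
    let mut args = vec!["update".to_string()];
    args.extend(specs.iter().map(|s| s.to_string()));
    if exclude.is_empty() { return Ok(args); }
    for (name, vers) in pkgs.iter().filter(|(n, _)| !exclude.iter().any(|e| *e == n.as_str())) {
        for v in vers {
            args.push(if vers.len() > 1 { format!("{}@{}", name, v) } else { name.clone() });
        }
    }
    Ok(args)
}

fn main() {
    // Constructed lockfile text; crate names, versions and sources are illustrative.
    let lock = "[[package]]\nname = \"clap\"\nversion = \"4.5.0\"\nsource = \"registry+example\"\n\
        [[package]]\nname = \"syn\"\nversion = \"1.0.109\"\nsource = \"registry+example\"\n\
        [[package]]\nname = \"syn\"\nversion = \"2.0.60\"\nsource = \"registry+example\"\n";
    println!("cargo {}", update_args(lock, &[], &["clap"]).unwrap().join(" "));
}
```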