output varies from run to run, and also misses things

[dimbleby]

I'm running cargo outdated against https://github.com/dimbleby/iron-hmac/tree/update-dependencies (at 3fea6b1e). Here's an example in which an intermediate run of cargo outdated -w causes cargo outdated to change its mind:

$ cargo outdated
Name                      Project  Compat  Latest   Kind    Platform
----                      -------  ------  ------   ----    --------
iron                      0.5.1    ---     0.6.0    Normal  ---
iron->conduit-mime-types  0.7.3    ---     Removed  Normal  ---
iron->error               0.1.9    ---     Removed  Normal  ---
iron->lazy_static         0.2.9    ---     Removed  Normal  ---

$ cargo outdated -w
iron-hmac
================
Name                Project  Compat  Latest   Kind    Platform
----                -------  ------  ------   ----    --------
conduit-mime-types  0.7.3    ---     Removed  Normal  ---
error               0.1.9    ---     Removed  Normal  ---
iron                0.5.1    ---     0.6.0    Normal  ---
lazy_static         0.2.9    ---     Removed  Normal  ---


$ cargo outdated
Name                                 Project  Compat  Latest   Kind    Platform
----                                 -------  ------  ------   ----    --------
conduit-mime-types->rustc-serialize  0.3.24   ---     Removed  Normal  ---
error->traitobject                   0.1.0    ---     Removed  Normal  ---
error->typeable                      0.1.2    ---     Removed  Normal  ---
iron                                 0.5.1    ---     0.6.0    Normal  ---
iron->conduit-mime-types             0.7.3    ---     Removed  Normal  ---
iron->error                          0.1.9    ---     Removed  Normal  ---
iron->lazy_static                    0.2.9    ---     Removed  Normal  ---

All of the above miss various other things that are also outdated. eg hyper was never mentioned, but there's definitely a dependency on an old version:

$ grep "\"hyper " Cargo.lock
 "hyper 0.11.6 (registry+https://github.com/rust-lang/crates.io-index)",
 "hyper 0.11.6 (registry+https://github.com/rust-lang/crates.io-index)",
 "hyper 0.10.13 (registry+https://github.com/rust-lang/crates.io-index)",
 "hyper 0.11.6 (registry+https://github.com/rust-lang/crates.io-index)",

I'm at version 0.6.3:

$ cargo outdated --version
cargo-outdated v0.6.3

[Frederick888]

First of all -w forcibly makes cargo-outdated to run in workspace mode. I had a look at your repo and it doesn't contain a workspace hence -w is not needed. The only scenario that I have in mind to use -w is that the root Cargo.toml is not a virtual one but contains a workspace definition. Under workspace mode cargo outdated handles the naming and deduplication in a slightly different way to let it make more sense, so it's normal that outputs varies when used with and without -w.

Secondly as mentioned in the readme, cargo outdated does not check the real latest version of transitional dependencies.

Finally I cannot reproduce the issue of inconsistent outputs from cargo outdated (without -w) using v0.6.3. One of the annoying facts here is that some issues just become unreproducible if I don't look into them in time... Please let me know if you can still reproduce it. Perhaps it's better to attach your Cargo.lock here.

[dimbleby]

Thanks for your comments:

• I realise that -w is not appropriate in this particular case, I'm doing that only as a way to provoke the inconsistent output
• I also don't repro the original report any more; but that's OK - I have another example. Try racerd at 29cd4c6fd (this one includes a Cargo.lock, and doesn't even need the -w thing to confuse matters).

$ cargo clean
$ cargo update
    Updating registry `https://github.com/rust-lang/crates.io-index`
$ cargo outdated | wc -l
74
$ cargo outdated | wc -l
57
$ cargo outdated | wc -l
73

• Finally, I'm thoroughly confused to learn that cargo outdated does not check for outdated versions of transitive dependencies! (But willing to believe that the fault is mine...) What is it doing at depth > 1?
  • FWIW the behaviour that I'd hoped for would be that it tells me what I need to do to get everything updated: that is, what I need to update in my own Cargo.toml, and then which of my dependencies I need to send pull requests so that they too are up to date.

[dimbleby]

OK I read the README more carefully and now I understand better about transitive dependencies: the way this thing works is by wildcarding versions but only of direct dependencies, and then seeing what changes.

I guess this just doesn't match my mental model, which would have expected it to go: here are all the dependencies - for each, what is the latest available version?

So fair enough, I acknowledge that this is working as designed. However I still feel as though what I had expected would in fact be more natural and useful. Is there any value in me raising an issue saying as much?

[Frederick888]

There were discussions about it. You can find the related stuff basically from here and #52. Their original requests were a bit off IMO but the general idea is that if we do list all the "real" latest versions of transitional dependencies, it would be much too verbose and users can literally do nothing to get rid of them (unless the dependencies are also developed by them).

And btw this time I can reproduce the issue! Thanks a lot.