Skip to content

docs: add lock file section to the resolver docs#15587

Open
Fishrock123 wants to merge 1 commit intorust-lang:masterfrom
Fishrock123:docs-cargo-resolver-lock-file
Open

docs: add lock file section to the resolver docs#15587
Fishrock123 wants to merge 1 commit intorust-lang:masterfrom
Fishrock123:docs-cargo-resolver-lock-file

Conversation

@Fishrock123
Copy link

@Fishrock123 Fishrock123 commented May 22, 2025

Adds some documentation about how lockfiles work to the resolver section, particularly regarding when lock files exist in library dependencies.

Effectively re-adds an updated section of docs that was lost here: https://github.com/rust-lang/cargo/pull/12382/files#diff-197a732275c32bdbdb079bdd92ac8a4ba585ee556ea978e9e661804eb76ce9eeL117-L121

Related to this Zulip thread https://rust-lang.zulipchat.com/#narrow/channel/246057-t-cargo/topic/cargo.20lock.20in.20dependency/with/519679182

@Fishrock123
docs: add lock file section to the resolver docs
738f5e7 
Adds some documentation about how lockfiles work to the resolver section, particularly regarding when lock files exist in library dependencies.

Effectively re-adds an updated section of docs that was lost here:
https://github.com/rust-lang/cargo/pull/12382/files#diff-197a732275c32bdbdb079bdd92ac8a4ba585ee556ea978e9e661804eb76ce9eeL117-L121

Related to this Zulip thread https://rust-lang.zulipchat.com/#narrow/channel/246057-t-cargo/topic/cargo.20lock.20in.20dependency/with/519679182
@rustbot
Copy link
Collaborator

rustbot commented May 22, 2025

r? @ehuss

rustbot has assigned @ehuss.
They will have a look at your PR within the next two weeks and either review your PR or reassign to another reviewer.

Use r? to explicitly pick a reviewer

@rustbot rustbot added A-documenting-cargo-itself Area: Cargo's documentation S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. labels May 22, 2025
weihanglo
weihanglo reviewed May 23, 2025
View reviewed changes
src/doc/src/reference/resolver.md

## `Cargo.lock` lock-files

The `Cargo.lock` file provides deterministic builds at different times and on
Copy link
Member

@weihanglo weihanglo May 23, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There are some other places the book mentions Cargo.lock

it is a bit duplicate everywhere. We might want some level of consolidation.

src/doc/src/reference/resolver.md
Dependancy resolution is not run when cargo reads from `Cargo.lock`.

Not all cargo commands use `Cargo.lock` by default. Examples include
`cargo install` and `cargo update`.In these cases, `--locked` can usually be
Copy link
Member

@weihanglo weihanglo May 23, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a bit off. cargo update would always consult the existing Cargo.lock, especially when doing a partial update.

src/doc/src/reference/resolver.md
The `Cargo.lock` file provides deterministic builds at different times and on
different systems, by ensuring that the exact same dependencies, versions, and
sources are used as when the `Cargo.lock` file was last generated.
Dependancy resolution is not run when cargo reads from `Cargo.lock`.
Copy link
Member

@weihanglo weihanglo May 23, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is incorrect. Cargo always performs dependency resolutions and prefers to versions tracked in Cargo.lock.

src/doc/src/reference/resolver.md
### Libraries with `Cargo.lock`

Cargo treats `Cargo.lock` files differently when a crate is used as a library
dependency where an upper level `Cargo.lock` would exist. In these cases cargo will
Copy link
Member

@weihanglo weihanglo May 23, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Upper-level / top-level is pretty vague here. Cargo actually ignores any lockfile but the one at the workspace root.

src/doc/src/reference/resolver.md
Copy link
Member

@weihanglo weihanglo May 23, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Perhaps instead, we can just talk about the property of a single view of dependency resolution, so that we don't repeat ourselves and still provide what you originally wanted to know.

### Single view of dependency resolution

When building a package or a workspace, Cargo computes a single,
unified resolution of all dependencies across the entire dependency graph.
This maximizes the reuse of package versions within the resolution process.
Unlike some other package managers, Cargo does not use Cargo.lock files
from dependencies or perform per-dependency resolution.
All resolution is done from the root.

@weihanglo
Copy link
Member

weihanglo commented Jun 2, 2025
edited
Loading

@rustbot author

@rustbot rustbot removed the S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. label Aug 18, 2025
@rustbot
Copy link
Collaborator

rustbot commented Aug 18, 2025

Reminder, once the PR becomes ready for a review, use @rustbot ready.

@rustbot rustbot added the S-waiting-on-author Status: The marked PR is awaiting some action (such as code changes) from the PR author. label Aug 18, 2025
@epage
Copy link
Contributor

epage commented Sep 11, 2025

For myself, I would try to fit lockfiles into a new section under Constraints and Heuristics. Unsure if I'm losing too much nuance but we can describe lockfiles as being relevant to pick_next_version, preferring the locked version over all else.

epage added a commit to epage/cargo that referenced this pull request Sep 12, 2025
@epage
docs(resolver): Describe the role of the lockfile
b35565b 
I put it after version numbers and version requirements as it builds on
those two topics.

Unsure whether this fully resolves the concern from rust-lang#15587 of users
coming from other ecosystems that have been burned by library lockfiles
affecting them to know that they won't be subject to that.
@epage epage mentioned this pull request Sep 12, 2025
Merged
github-merge-queue bot pushed a commit that referenced this pull request Sep 12, 2025
@ehuss
docs(resolver): Describe the role of the lockfile (#15958)
506023f 
### What does this PR try to resolve?

This fills a whole in our coverage of dependency resolution by
specifying how a `Cargo.lock` impacts it.

### How to test and review this PR?

I put it after version numbers and version requirements as it builds on
those two topics.

Unsure whether this fully resolves the concern from #15587 of users
coming from other ecosystems that have been burned by library lockfiles
affecting them to know that they won't be subject to that.
@epage
Copy link
Contributor

epage commented Sep 12, 2025

For myself, I would try to fit lockfiles into a new section under Constraints and Heuristics. Unsure if I'm losing too much nuance but we can describe lockfiles as being relevant to pick_next_version, preferring the locked version over all else.

Did this in #15958.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@weihanglo weihanglo weihanglo left review comments

At least 1 approving review is required to merge this pull request.

Assignees

@ehuss ehuss

Labels

A-documenting-cargo-itself Area: Cargo's documentation S-waiting-on-author Status: The marked PR is awaiting some action (such as code changes) from the PR author.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@Fishrock123 @rustbot @weihanglo @epage @ehuss