"over-promising" on minimal versions #597

@luukvanderduim

Description

Hi Matt and Arnold,

We just went through the process of aligning our minimal versions in Cargo.toml to accurately reflect the true minimal versions, as we'd "over-promised" on several occasions previously.

For example, we initially had:

futures-lite = { version = "2", default-features = false }

This implied a semver space of 2.0.0 up to (but not including) 3.0.0, which we thought was quite lenient for users. However, this was an over-promise because our direct dependency, zbus, actually requires futures-lite version 2.6.0. The true minimal dependency in a unified dependency graph is always the highest minimal version required among shared dependencies.

(zbus depends on 2.6 because earlier versions have an indirect dependency on instant, which is deprecated and as such received a security advisory.)

Verifying Minimal Versions with Cargo

Cargo offers an unstable flag to check for direct minimal versions. This flag attempts to generate a Cargo.lock file using the minimal versions and will return an error if it cannot unify your declared minimums with the dependency graph's minimums.

We used the following command:

cargo +nightly generate-lockfile -Z direct-minimal-versions

We had to run this command and iteratively adjust our dependencies multiple times to arrive at a Cargo.toml that accurately reflects the real minimums. This also generated a Cargo.lock that helps ensure more reproducible builds across our team.

Integrating into CI

Following this, we added the following job to our ci.yml:

  reproducible-builds:
    runs-on: ubuntu-latest
    steps:
      - name: Git checkout
        uses: actions/checkout@v3
      - name: Install nightly toolchain
        uses: dtolnay/rust-toolchain@master
        with:
          toolchain: nightly
      - name: Generate lockfile with minimal direct versions
        # Create a lockfile with minimal direct versions for reproducible builds.
        # See advisory: https://blog.rust-lang.org/2023/08/29/committing-lockfiles/
        run: cargo +nightly generate-lockfile -Z direct-minimal-versions

Encountered Issue with AccessKit

When running cargo +nightly generate-lockfile -Z direct-minimal-versions on AccessKit, we encountered the following error:

(main)> cargo +nightly generate-lockfile -Z direct-minimal-versions
    Updating crates.io index
error: failed to select a version for `raw-window-handle`.
    ... required by package `accesskit_winit v0.29.0 (/home/luuk/code/accesskit/platforms/winit)`
versions that meet the requirements `^0.5` are: 0.5.0

package `accesskit_winit` depends on `raw-window-handle` with feature `std` but `raw-window-handle` does not have that feature.

failed to select a version for `raw-window-handle` which could resolve this conflict

It appears raw-window-handle 0.5.0 did not have a feature 'std'. It introduced the 'std' feature in version 0.5.2. After fixing this specific issue, you will likely encounter more similar discrepancies when generating a minimal versions lockfile again.

Hope this helps!

~ Luuk
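As an added illustration of the rule stated in the issue (the true minimum of a shared dependency is the highest minimum any package in the graph requires), not code from the issue or from the AccessKit project: given the requirements our manifest declares and the requirements other packages place on the same crates (in practice the `req` fields reported by `cargo metadata`; here a constructed sample built around the `futures-lite = "2"` / zbus `^2.6` case), it reports direct dependencies whose declared minimum is below the graph's true minimum. The crate name `other-crate` and its `^0.6` requirement on `raw-window-handle` are assumptions made up to show that an incompatible caret range does not raise the minimum.

```python
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]


def caret_range(req: str) -> Tuple[Version, Version]:
    """[lower, upper) interval admitted by a caret requirement: '2' or '^2' means
    2.0.0 <= v < 3.0.0, '^0.5' means 0.5.0 <= v < 0.6.0, '0.0.3' means v < 0.0.4.
    Other operators (~, =, >=, <) are out of scope for this example."""
    parts = [int(p) for p in req.strip().lstrip("^").split(".")]
    major, minor, patch = (parts + [0, 0, 0])[:3]
    if major > 0 or len(parts) == 1:
        upper: Version = (major + 1, 0, 0)
    elif minor > 0 or len(parts) == 2:
        upper = (0, minor + 1, 0)
    else:
        upper = (0, 0, patch + 1)
    return (major, minor, patch), upper


def true_minimum(req: str, graph_reqs: Dict[str, str]) -> Tuple[Version, Optional[str]]:
    """Lowest version that satisfies both our requirement and every compatible
    requirement other packages in the graph place on the same crate. A requirement
    outside our caret range would resolve to a separate copy, so it is ignored.
    Returns (minimum, package that forces it, or None if our own bound already wins)."""
    lower, upper = caret_range(req)
    best, forced_by = lower, None
    for pkg, other in graph_reqs.items():
        other_lower, _ = caret_range(other)
        if lower <= other_lower < upper and other_lower > best:
            best, forced_by = other_lower, pkg
    return best, forced_by


def over_promised(direct: Dict[str, str], graph: Dict[str, Dict[str, str]]) -> Dict[str, Tuple[Version, Version, str]]:
    """Direct dependencies whose declared minimum is below the graph's true minimum.
    direct: crate -> requirement from our [dependencies]; graph: crate -> {dependent -> its requirement}.
    Returns crate -> (declared minimum, true minimum, package that raises it)."""
    result = {}
    for name, req in direct.items():
        declared = caret_range(req)[0]
        minimum, forced_by = true_minimum(req, graph.get(name, {}))
        if minimum > declared:
            result[name] = (declared, minimum, forced_by)
    return result


# Constructed sample: we declare futures-lite = "2" while zbus needs ^2.6 (the issue's case);
# "other-crate" and its ^0.6 bound are assumed, to show an incompatible range is ignored.
SAMPLE_DIRECT = {"futures-lite": "2", "raw-window-handle": "^0.5"}
SAMPLE_GRAPH = {"futures-lite": {"zbus": "^2.6"}, "raw-window-handle": {"other-crate": "^0.6"}}
```

Calling `over_promised(SAMPLE_DIRECT, SAMPLE_GRAPH)` flags only `futures-lite`, whose declared 2.0.0 must really be 2.6.0; a finding like this means the `Cargo.toml` requirement should be raised before relying on `-Z direct-minimal-versions` in CI.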
