Description
E.g., in my case, our `Cargo.lock` file contains:

```toml
[[package]]
name = "base64"
version = "0.21.4"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "9ba43ea6f343b788c8764558649e08df62f86c6ef251fdaeb1ffd010a9ae50a2"
```

Which is out of date: the latest version on crates.io is v0.21.6.
However, `cargo outdated` doesn't mention it:

```
» cargo outdated | grep base64
»
```

In my case, this is a transitive dependency. This seems like it is related to or similar to #105, which did have this comment:
> Their original requests were a bit off IMO but the general idea is that if we do list all the "real" latest versions of transitional dependencies, it would be much too verbose and users can literally do nothing to get rid of them (unless the dependencies are also developed by them).

I won't speak to the verbosity half of the comment, but "literally do nothing to get rid of them" — no, in the case that they're semver compat (this is the case here) you can upgrade them with a simple `cargo update -p base64@0.21.4`¹ command, which in my case emits the following diff:
```diff
[[package]]
name = "base64"
-version = "0.21.4"
+version = "0.21.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "9ba43ea6f343b788c8764558649e08df62f86c6ef251fdaeb1ffd010a9ae50a2"
+checksum = "c79fed4cdb43e993fcdadc7e58a09fd0e3e649c4436fa11da71c9f1f3ee7feb9"
```

And that's it.
(¹I have some transitive deps to other, semver incompat versions of base64 that require the `@` syntax. If you only have a dep against a single version, it's omittable. Similarly, my diff is also longer, but that's irrelevant.)
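
The check requested above, as an added example that is not part of the original issue and not cargo-outdated's code: it reads every `[[package]]` entry of a lockfile, transitive ones included, and reports the highest semver-compatible newer version. The function names are hypothetical, and the lockfile fragment and list of available versions are constructed stand-ins for a real `Cargo.lock` and a crates.io index lookup.

```rust
// Added example. Flags every locked package, direct or transitive, that has a
// newer semver-compatible release. The index data passed in is constructed.
/// Parse "MAJOR.MINOR.PATCH"; pre-release and build metadata are not handled.
fn parse_version(s: &str) -> Option<(u64, u64, u64)> {
    let mut parts = s.split('.').map(|p| p.parse::<u64>().ok());
    Some((parts.next()??, parts.next()??, parts.next()??))
}

/// Cargo's default (caret) rule: the leftmost non-zero component must match.
fn compatible(a: (u64, u64, u64), b: (u64, u64, u64)) -> bool {
    if a.0 != 0 || b.0 != 0 { a.0 == b.0 }
    else if a.1 != 0 || b.1 != 0 { a.1 == b.1 }
    else { a.2 == b.2 }
}

/// (name, version) of every [[package]] entry; the top-level `version = N` is skipped.
fn locked_packages(lock: &str) -> Vec<(String, String)> {
    let (mut out, mut name) = (Vec::new(), None);
    for line in lock.lines().map(str::trim) {
        if let Some(v) = line.strip_prefix("name = ") {
            name = Some(v.trim_matches('"').to_string());
        } else if let Some(v) = line.strip_prefix("version = ") {
            if let Some(n) = name.take() { out.push((n, v.trim_matches('"').to_string())); }
        }
    }
    out
}

/// (name, locked, newest compatible) for each locked package that can be updated.
fn compatible_updates(lock: &str, index: &[(&str, &[&str])]) -> Vec<(String, String, String)> {
    let mut updates = Vec::new();
    for (name, locked) in locked_packages(lock) {
        let cur = match parse_version(&locked) { Some(c) => c, None => continue };
        let best = index.iter().filter(|(n, _)| *n == name).flat_map(|(_, vs)| vs.iter())
            .filter_map(|v| parse_version(v).map(|p| (p, *v)))
            .filter(|(p, _)| *p > cur && compatible(cur, *p))
            .max();
        if let Some((_, v)) = best { updates.push((name, locked, v.to_string())); }
    }
    updates
}

fn main() {
    // Constructed lockfile: 0.21.4 is the entry from the issue, 0.13.1 is made up.
    let lock = "version = 3\n[[package]]\nname = \"base64\"\nversion = \"0.13.1\"\n[[package]]\nname = \"base64\"\nversion = \"0.21.4\"\n";
    let versions: &[&str] = &["0.13.1", "0.21.4", "0.21.5", "0.21.6"]; // constructed index
    for (n, from, to) in compatible_updates(lock, &[("base64", versions)]) {
        println!("{n} {from} -> {to}  (cargo update -p {n}@{from})");
    }
}
```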