feat(package): add --exclude-lockfile flag #15234
Mind cleaning up the commit history (reorder test first, squash test update), including updating commit message for new flag name?

Was in a haste leaving the office. Sorry.

Thanks for stealing, very much appreciated! (Especially the part where I don't have to come up with a better name for the flag ;-))
After dd698ff, `cargo package --no-verify` at least fails in three different cases:

* An unpublished package depending on itself as a dev-dependency (cyclic self-referential dev-dependencies).
  * Can be resolved by removing the `version` field from the affected dev-dependency.
  * `-Zpackage-workspace` doesn't help with it.
* Existing `cargo package` has `--package <pkg>` specifying certain unpublished packages.
  * Can be resolved by specifying all unpublished packages in one `cargo` call.
  * `-Zpackage-workspace` also requires all dependency versions available in the target registry when calling, so doesn't help.
* `cargo package --no-verify` has been used as a kind of “plumbing commands” to create tarballs without considering dependency orders. The use cases include:
  * Preparing tarballs for other package managers.
  * Integrating into custom develop workflows for unpublished/internal crates.
  * Constructing custom/private registries.

This commit shows the former two cases.
When `--exclude-lockfile` is enabled, `cargo package` will not verify the lock file if present, nor will it generate a new one if absent. Cargo.lock will not be included in the resulting tarball.

Together with `--no-verify`, this flag decouples packaging from checking the registry index. While this is useful for some non-normal workflows that require assembling packages having unpublished dependencies, it is recommended to use `-Zpackage-workspace` to package the entire workspace, instead of opting out of the lockfile.
@rfcbot fcp merge

See the PR description for what is proposed to merge. People may want to bikeshed on the flag name, though.

Team member @weihanglo has proposed to merge this. The next step is review by the rest of the tagged team members:

No concerns currently listed.

Once a majority of reviewers approve (and at most 2 approvals are outstanding), this will enter its final comment period. If you spot a major issue that hasn't been raised at any point in this process, please speak up!

See this document for info about what commands tagged team members can give me.

🔔 This is now entering its final comment period, as per the review above. 🔔
The final comment period, with a disposition to merge, as per the review above, is now complete.

As the automated representative of the governance process, I would like to thank the author for their work and everyone else who contributed.

This will be merged soon.
Update cargo

15 commits in ab1463d632528e39daf35f263e10c14cbe590ce8..6cf8267012570f63d6b86e85a2ae5627de52df9e
2025-03-08 01:45:05 +0000 to 2025-03-14 15:25:36 +0000

- feat(package): add --exclude-lockfile flag (rust-lang/cargo#15234)
- Redox OS is part of the unix family (rust-lang/cargo#15307)
- docs(ref): Mention `x.y.*` as a kind of version requirement to avoid. (rust-lang/cargo#15310)
- fix(run): Disambiguate bins from different packages that share a name (rust-lang/cargo#15298)
- cargo vendor: Add context which workspace failed to resolve (rust-lang/cargo#15297)
- docs(ref): Note that target-edition is deprecated (rust-lang/cargo#15292)
- refactor(toml): Centralize target descriptions (rust-lang/cargo#15291)
- docs(refs): Add `unsafe` to `extern` while using build scripts in Cargo Book (rust-lang/cargo#15294)
- Replace unmaintained humantime crate with jiff (rust-lang/cargo#15290)
- Add terminal integration via ANSI OSC 9;4 sequences (rust-lang/cargo#14615)
- feat: add completions for add --path (rust-lang/cargo#15288)
- Allow `term.progress.when` to default (rust-lang/cargo#15287)
- docs: spelling and grammar fixes (rust-lang/cargo#15284)
- chore(deps): update cargo-semver-checks to v0.40.0 (rust-lang/cargo#15282)
- Typo fixes (rust-lang/cargo#15280)

r? ghost
Successfully merging this pull request may close these issues.

- Provide a flag for `package` to avoid regenerating/generating Cargo.lock, thus decoupling packaging from the registry
- `cargo package --no-verify` fails if a package's version req is too high for the registry (but works locally)

What does this PR try to resolve?
Fixes #15059
Fixes #15159
This provides an escape hatch `--exclude-lockfile` for uncommon workflows that don't verify (`--no-verify` is passed) the build with their unpublished packages.

In effect, this takes the heuristic removed in #14815 and replaces it with a flag.

When `--exclude-lockfile` is enabled, `cargo package` will not verify the lock file if present, nor will it generate a new one if absent. Cargo.lock will not be included in the resulting tarball.

Together with `--no-verify`, this flag decouples packaging from checking the registry index. While this is useful for some non-normal workflows that require assembling packages having unpublished dependencies, it is recommended to use `-Zpackage-workspace` to package the entire workspace, instead of opting out of the lockfile.

How should we test and review this PR?
The first commit was stolen from NoisyCoil@1a104b5 (credit to @NoisyCoil!)
The second added two failing cases we observed in #15059.
Additional information
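
An added example, not part of the PR or of Cargo's own code: a shell check that reports whether a packaged `.crate` tarball carries a top-level `Cargo.lock`, which is the observable difference `--exclude-lockfile` makes and something a private registry or downstream packager may want to gate on. The function names and the sample crates are constructed for illustration; it assumes a `tar` with gzip support.

```shell
#!/usr/bin/env bash
# A .crate file is a gzip-compressed tar whose entries sit under "<name>-<version>/".

# Prints "present" or "absent"; returns 2 if the archive cannot be read.
crate_lockfile_status() {
    local crate="$1" listing
    listing=$(tar -tzf "$crate" 2>/dev/null) || return 2
    # Match only "<top-dir>/Cargo.lock", not lockfiles nested deeper
    # (for example one kept under a test fixture directory).
    if printf '%s\n' "$listing" | grep -Eq '^[^/]+/Cargo\.lock$'; then
        echo present
    else
        echo absent
    fi
}

# Constructed sample: builds a fake "<name>-<version>.crate" inside directory $1.
# $2 is "<name>-<version>", $3 is "yes" to include a top-level Cargo.lock.
make_sample_crate() {
    local dir="$1" name="$2" with_lock="$3"
    mkdir -p "$dir/$name/src" "$dir/$name/tests/fixtures"
    printf '[package]\nname = "demo"\nversion = "0.1.0"\n' > "$dir/$name/Cargo.toml"
    : > "$dir/$name/src/lib.rs"
    : > "$dir/$name/tests/fixtures/Cargo.lock"   # nested, must not count
    [ "$with_lock" = yes ] && : > "$dir/$name/Cargo.lock"
    tar -czf "$dir/$name.crate" -C "$dir" "$name"
}

# Demo on two constructed tarballs: one packaged normally, one as if
# --exclude-lockfile had been passed.
tmp=$(mktemp -d)
make_sample_crate "$tmp" demo-0.1.0 yes
make_sample_crate "$tmp" demo-0.2.0 no
for c in "$tmp"/*.crate; do
    printf '%s: Cargo.lock %s\n' "${c##*/}" "$(crate_lockfile_status "$c")"
done
```
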