Problem
Suppose that I want to audit all (or some) code that I compile before I do so. This implies that if I am adding new dependencies, I want to know what they are, transitively. However, adding dependencies to Cargo.toml (whether via cargo add or manual editing) brings in transitive dependencies automatically on the next operation with no chance to review them.
Proposed Solution
Extend the behavior of cargo add --dry-run (or cargo add --dry-run --verbose, which currently seems to have no effect on simple cases, or a new option) so that in addition to printing information about the package requested, it prints what the lock file updates would be, similar to cargo update.
Notes
I am hoping that this is straightforward to implement and has little negative effect. I’ve looked at the code and it seems like the main cost would be that cargo add would have to perform resolution twice, whereas it does not at all now.
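The lock-file delta the proposal asks cargo add --dry-run to print, as an added example that is not part of the issue or of cargo's own code: until cargo prints it, the same information can be recovered by diffing Cargo.lock before and after the edit. The script below reads only the [[package]] tables of a lock file (name, version, source, checksum), compares two copies, and reports what would be added, removed, or altered. The two lock files are constructed samples (the checksum strings are placeholders, not real crate digests); the crate names and versions are illustrative.

```python
"""Preview of the Cargo.lock changes a dependency addition would cause.

Added example, not cargo's own code. Only the `[[package]]` tables are read;
the `dependencies = [...]` arrays are skipped because name, version, source
and checksum are enough to see which new code a build would pull in.
"""
from typing import Dict, List, Tuple

PackageKey = Tuple[str, str]   # (name, version)
Package = Dict[str, str]       # remaining simple fields: source, checksum


def parse_cargo_lock(text: str) -> Dict[PackageKey, Package]:
    """Return every [[package]] entry of a Cargo.lock keyed by (name, version)."""
    packages: Dict[PackageKey, Package] = {}
    current: Package = {}
    in_array = False
    for raw in text.splitlines():
        line = raw.strip()
        if in_array:                       # inside `dependencies = [ ... ]`
            in_array = line != "]"
            continue
        if line == "[[package]]":
            current = {}
            continue
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if value.startswith("["):          # array value: skip until closing `]`
            in_array = not value.endswith("]")
            continue
        current[key] = value.strip('"')
        if "name" in current and "version" in current:
            packages[(current["name"], current["version"])] = current
    return packages


def lock_diff(before: str, after: str) -> Dict[str, List[str]]:
    """Compare two lock files; lists are sorted 'name vVERSION' strings."""
    old = parse_cargo_lock(before)
    new = parse_cargo_lock(after)

    def label(key: PackageKey) -> str:
        return f"{key[0]} v{key[1]}"

    added = [label(k) for k in sorted(new) if k not in old]
    removed = [label(k) for k in sorted(old) if k not in new]
    # Same name and version but a different source or checksum is not an
    # ordinary upgrade and deserves a look before the build proceeds.
    altered = [label(k) for k in sorted(new) if k in old
               and (new[k].get("source"), new[k].get("checksum"))
               != (old[k].get("source"), old[k].get("checksum"))]
    return {"added": added, "removed": removed, "altered": altered}


def format_report(diff: Dict[str, List[str]]) -> str:
    """Render the diff in a cargo update-like 'one package per line' style."""
    lines = [f"  Adding {p}" for p in diff["added"]]
    lines += [f"  Removing {p}" for p in diff["removed"]]
    lines += [f"  Altered {p} (source or checksum changed)" for p in diff["altered"]]
    return "\n".join(lines) if lines else "  Lock file unchanged"


# Constructed sample: the lock file before `cargo add rand` ...
BEFORE_LOCK = """
# This file is automatically @generated by Cargo.
# It is not intended for manual editing.
version = 3

[[package]]
name = "myapp"
version = "0.1.0"
dependencies = [
 "serde",
]

[[package]]
name = "serde"
version = "1.0.197"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "constructed-checksum-serde"
"""

# ... and after it, with the transitive closure the user never asked to see.
AFTER_LOCK = BEFORE_LOCK.replace(' "serde",\n', ' "rand",\n "serde",\n') + "".join(
    f'\n[[package]]\nname = "{name}"\nversion = "{ver}"\n'
    f'source = "registry+https://github.com/rust-lang/crates.io-index"\n'
    f'checksum = "constructed-checksum-{name}"\n'
    for name, ver in [("rand", "0.8.5"), ("rand_core", "0.6.4"),
                      ("rand_chacha", "0.3.1"), ("getrandom", "0.2.12"),
                      ("ppv-lite86", "0.2.17"), ("cfg-if", "1.0.0"),
                      ("libc", "0.2.153")]
)

if __name__ == "__main__":
    print(format_report(lock_diff(BEFORE_LOCK, AFTER_LOCK)))
```

In practice the two inputs are a saved copy of Cargo.lock and the file as it stands after cargo add (or any other command that updated it); anything listed under Adding is code that the audit has not yet covered, and an Altered line means a package you already reviewed no longer matches its recorded checksum or source.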