Closed
Description
This is an easy way to accidentally create a fragile dependency, as you can link to crates which are "implementation details" of other crates, and use their public API, without ever declaring a version which you depend on. That is, a violation of the guarantee that semver is supposed to give you.
Example:
```
cargo-repro
├── bar
│   ├── Cargo.toml
│   └── src
│       └── main.rs
└── foo
    ├── Cargo.toml
    └── src
        └── lib.rs

4 directories, 4 files
```
```toml
# bar/Cargo.toml
[package]
name = "bar"
version = "0.0.1"
authors = []

[dependencies.foo]
path = "../foo"
```
```rust
// bar/src/main.rs
extern crate foo;
extern crate time; // Bad!

fn main() {
    foo::foo();
    println!("{}", time::now());
}
```
```toml
# foo/Cargo.toml
[package]
name = "foo"
version = "0.0.1"
authors = []

[dependencies]
time = "0.1.1"
```
```rust
// foo/src/lib.rs
extern crate time;

pub fn foo() { }
```
```
[19:03:59]/tmp/cargo-repro/bar> cargo run
    Updating registry `https://github.com/rust-lang/crates.io-index`
   Compiling gcc v0.1.1
   Compiling time v0.1.1
   Compiling foo v0.0.1 (file:///tmp/cargo-repro/bar)
   Compiling bar v0.0.1 (file:///tmp/cargo-repro/bar)
     Running `target/bar`
Tm { tm_sec: 4, tm_min: 4, tm_hour: 19, tm_mday: 11, tm_mon: 11, tm_year: 114, tm_wday: 4, tm_yday: 344, tm_isdst: 0, tm_utcoff: -18000, tm_nsec: 474668923 }
```
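A minimal check for the situation reported above, as an added example that is not part of the original issue or of Cargo: it compares the `extern crate` items in a source file against the names declared in the manifest and reports any crate linked without a declared version. The function names and the line-based manifest scan are assumptions for illustration; the scan understands only `[dependencies]` keys and `[dependencies.NAME]` tables, the two forms used in the repro.

```rust
use std::collections::BTreeSet;

/// Names declared in a Cargo.toml: keys under `[dependencies]` plus
/// `[dependencies.NAME]` table headers. Hyphens are mapped to underscores.
fn declared_deps(manifest: &str) -> BTreeSet<String> {
    let mut deps = BTreeSet::new();
    let mut in_deps = false;
    for line in manifest.lines().map(str::trim) {
        if line.starts_with('[') {
            in_deps = line == "[dependencies]";
            if let Some(name) = line.strip_prefix("[dependencies.") {
                deps.insert(name.trim_end_matches(']').replace('-', "_"));
            }
        } else if in_deps && !line.starts_with('#') {
            if let Some((key, _)) = line.split_once('=') {
                deps.insert(key.trim().replace('-', "_"));
            }
        }
    }
    deps
}

/// Crates named by `extern crate NAME;` items (also `NAME as alias`).
fn extern_crates(source: &str) -> BTreeSet<String> {
    source.lines()
        .filter_map(|l| l.trim().strip_prefix("extern crate "))
        .filter_map(|rest| rest.split(|c: char| c == ';' || c.is_whitespace()).next())
        .filter(|name| !name.is_empty())
        .map(str::to_string)
        .collect()
}

/// Crates the source links against without a manifest entry, sorted by name.
fn undeclared(manifest: &str, source: &str) -> Vec<String> {
    let declared = declared_deps(manifest);
    extern_crates(source).into_iter().filter(|c| !declared.contains(c)).collect()
}

// The two files of `bar` from the repro, embedded so the check runs offline.
const BAR_MANIFEST: &str = "[package]\nname = \"bar\"\nversion = \"0.0.1\"\nauthors = []\n[dependencies.foo]\npath = \"../foo\"\n";
const BAR_MAIN: &str = "extern crate foo;\nextern crate time; // Bad!\nfn main() {\n    foo::foo();\n    println!(\"{}\", time::now());\n}\n";

fn main() {
    for name in undeclared(BAR_MANIFEST, BAR_MAIN) {
        println!("bar links `{}` but does not declare it in Cargo.toml", name);
    }
}
```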