nabijaczleweli / cargo-update

A cargo subcommand for checking and applying updates to installed executables
MIT License

Update on recursive changes #147

Open jo-so opened 3 years ago

jo-so commented 3 years ago

A bug (e.g. a security issue) might be in a dependency used by a package. Is it possible for cargo-update to detect newer versions of depending packages and rebuild the software with this new version?

nabijaczleweli commented 3 years ago

I don't feel like potentially reimplementing Cargo's package resolution and I'm not quite sure that this is entirely in scope, so send a patch if you want this.

damymetzke commented 5 months ago

In my opinion this feature would significantly increase security if implemented. I'm willing to write a patch if I can, although I'm not sure if I'm up to the task just yet. I'll provide an update when I know more.

damymetzke commented 5 months ago

Based on my research this isn't possible to detect. When installing using cargo install it doesn't create any lock file. So the exact versions cannot be retrieved by normal means. I can think of only 2 reasonable ways to do this. One would be to take over the responsibility for installing from how Cargo does it, which I'm assuming is far outside the scope of the project. Not to mention that this would likely cause many more issues once you start taking binstall into account. The second would be to reconstruct the most likely set of dependencies based on the installation time. I don't think Cargo gives enough guarantees on dependency resolution where this can be safely done, but someone may correct me on that. And even if it works, changes in Cargo can easily invalidate the logic in the future. Personally I wouldn't consider a solution like that.

I should note that my understanding of Cargo is somewhat limited, however in my opinion this issue can be closed as there is no reasonable way to implement it without changing the nature and scope of the project completely. If any users are concerned about security issues in transitive dependencies, they should periodically run updates with the --force flag.
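The periodic forced rebuild suggested above, scripted with plain cargo. This is an added example, not code from cargo-update or from anyone in this thread; the `installed_crates` helper, the `SAMPLE_LIST` text and the `--run` switch are assumptions made here. It reads the package header lines of `cargo install --list` and reinstalls each registry-installed crate with `cargo install --force`, which re-resolves the dependency graph and so picks up patched transitive dependencies even when the crate's own version has not changed. Crates installed from a path or git URL are skipped, because reinstalling them by bare name would fetch an unrelated registry crate of the same name.

```shell
#!/bin/sh
# Added example (not part of cargo-update): force-rebuild every registry crate
# that `cargo install --list` reports, so a fresh dependency resolution picks up
# patched transitive dependencies even when the crate's own version is unchanged.
set -eu

# Extract crate names from `cargo install --list` output read on stdin.
# Package header lines start in column 0 as "<name> v<version>[ (<source>)]:".
# Headers with a "(" carry a path or git source and are skipped on purpose.
installed_crates() {
    awk '/^[^ \t][^(]*:$/ { print $1 }'
}

# Constructed sample of `cargo install --list` output, used for offline testing.
SAMPLE_LIST='cargo-update v13.3.0:
    cargo-install-update
    cargo-install-update-config
ripgrep v14.1.0:
    rg
mytool v0.1.0 (/home/user/src/mytool):
    mytool'

# Names the filter would select from the constructed sample.
crates_from_sample() {
    printf '%s\n' "$SAMPLE_LIST" | installed_crates
}

# Rebuild each registry crate. --force reinstalls even when the version matches,
# and --locked is deliberately not passed so the graph is re-resolved against
# the current registry index rather than the crate's shipped Cargo.lock.
rebuild_all() {
    for crate in $(cargo install --list | installed_crates); do
        echo "rebuilding $crate"
        cargo install --force "$crate"
    done
}

# Only touch the real toolchain when invoked explicitly, e.g. from cron:
#   sh rebuild-installed.sh --run
if [ "${1:-}" = "--run" ]; then
    rebuild_all
fi
```

Run it from a scheduled job (`sh rebuild-installed.sh --run`) and new dependency versions are picked up at each run; the `crates_from_sample` helper exists only so the header-line filter can be checked without a cargo installation present.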