Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Subdependecy source is referring to crates.io when vendored alternative registry #15323

Open
koxu1996 opened this issue Mar 18, 2025 · 1 comment
Open

Subdependecy source is referring to crates.io when vendored alternative registry #15323

koxu1996 opened this issue Mar 18, 2025 · 1 comment
Labels
C-bug Category: bug S-triage Status: This issue is waiting on initial triage.

Comments

@koxu1996
Copy link

koxu1996 commented Mar 18, 2025
edited
Loading

Problem

It seems mirror-registry source URL is not preserved for subdependencies when using replace-with with a local sources.

Steps

Part 1. Prepare project with alternative registry

  1. Create hello world project:
cargo new --bin my-app && cd ./my-app
  1. Define alternative registry:
mkdir .cargo
cat << EOF > ./.cargo/config.toml
[registries.devpeek]
index = "sparse+http://crates.devpeek.io/api/v1/cratesio/"
EOF
  1. Include some basic dependency from mirror registry:
cargo add --registry devpeek [email protected]
  1. Make sure that app can be compiled without issues:
cargo build --locked

At this point Cargo.lock will be like this:

# This file is automatically @generated by Cargo.
# It is not intended for manual editing.
version = 4

[[package]]
name = "my-app"
version = "0.1.0"
dependencies = [
 "proc-macro2",
]

[[package]]
name = "proc-macro2"
version = "1.0.94"
source = "sparse+http://crates.devpeek.io/api/v1/cratesio/"
checksum = "a31971752e70b8b2686d7e46ec17fb38dad4051d94024c88df49b667caea9c84"
dependencies = [
 "unicode-ident",
]

[[package]]
name = "unicode-ident"
version = "1.0.18"
source = "sparse+http://crates.devpeek.io/api/v1/cratesio/"
checksum = "5a5f39404a5da50712a4c1eecf25e90dd62b613502b7e925fd4e4d19b5c96512"

ℹ Notice that sparse+http://crates.devpeek.io/api/v1/cratesio/ was used as source for both proc-macro2 and its subdependency unicode-ident. So far so good.

Part 2. Use local directory as a replacement for registry

  1. Get local copy of packages, the easiest way is running cargo vendor --frozen:
   Vendoring proc-macro2 v1.0.94 (registry `devpeek`) (/home/andrew/.cargo/registry/src/crates.devpeek.io-6824091174475719/proc-macro2-1.0.94) to vendor/proc-macro2
   Vendoring unicode-ident v1.0.18 (registry `devpeek`) (/home/andrew/.cargo/registry/src/crates.devpeek.io-6824091174475719/unicode-ident-1.0.18) to vendor/unicode-ident
To use vendored sources, add this to your .cargo/config.toml for this project:

[source."sparse+http://crates.devpeek.io/api/v1/cratesio/"]
registry = "sparse+http://crates.devpeek.io/api/v1/cratesio/"
replace-with = "vendored-sources"

[source.vendored-sources]
directory = "vendor"
  1. Use local directory as a replacement:
cat << EOF >> ./.cargo/config.toml
[source."sparse+http://crates.devpeek.io/api/v1/cratesio/"]
registry = "sparse+http://crates.devpeek.io/api/v1/cratesio/"
replace-with = "vendored-sources"

[source.vendored-sources]
directory = "vendor"
EOF

❗ At this point you are not longer able to cargo build --locked, as it fails with:

error: the lock file /tmp/my-app/Cargo.lock needs to be updated but --locked was passed to prevent this
If you want to try to generate the lock file without accessing the network, remove the --locked flag and use --offline instead.

By running cargo build we can see that Cargo.lock was modified - subdependency source is incorrectly referring to crates.io:

diff --git a/Cargo.lock b/Cargo.lock
index 6d5f89f..4f02712 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -21,5 +21,5 @@ dependencies = [
 [[package]]
 name = "unicode-ident"
 version = "1.0.18"
-source = "sparse+http://crates.devpeek.io/api/v1/cratesio/"
+source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "5a5f39404a5da50712a4c1eecf25e90dd62b613502b7e925fd4e4d19b5c96512"

Notice that first level dependency proc-macro2 was not touched.

Possible Solution(s)

No response

Notes

No response

Version

cargo 1.84.1 (66221abde 2024-11-19)
release: 1.84.1
commit-hash: 66221abdeca2002d318fde6efff516aab091df0e
commit-date: 2024-11-19
host: x86_64-unknown-linux-gnu
libgit2: 1.8.1 (sys:0.19.0 vendored)
libcurl: 8.9.0-DEV (sys:0.4.74+curl-8.9.0 vendored ssl:OpenSSL/1.1.1w)
ssl: OpenSSL 1.1.1w  11 Sep 2023
os: NixOS 25.5.0 [64-bit]
@koxu1996 koxu1996 added C-bug Category: bug S-triage Status: This issue is waiting on initial triage. labels Mar 18, 2025
@koxu1996 koxu1996 mentioned this issue Mar 18, 2025
Closed
@hcldan
Copy link

hcldan commented Mar 27, 2025

I'm seeing this too... I'm not getting errors in the build per-se... But I'm trying to use a git repo that uses tokio. I have a dependecy on tokio too, and I end up with multiple versions of tokio in my cargo.lock, as everything I install adds my registry to dep. But the deps from the git repo are all coming from index.crates.io

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
C-bug Category: bug S-triage Status: This issue is waiting on initial triage.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@hcldan @koxu1996