Dependency resolution fails instead of duplicating dependency #12131

Closed
ranile opened this issue May 11, 2023 · 1 comment
ranile commented May 11, 2023

Problem

Cargo fails to select a version for a dependency because another package in the workspace causes a version conflict.

Current Behavior

error: failed to select a version for `zeroize`.
    ... required by package `num-bigint-dig v0.8.2`
    ... which satisfies dependency `num-bigint = "^0.8.2"` of package `rsa v0.8.0`
    ... which satisfies dependency `rsa = "^0.8.0"` of package `sqlx-mysql v0.7.0-alpha.2`
    ... which satisfies dependency `sqlx-mysql = "=0.7.0-alpha.2"` of package `sqlx v0.7.0-alpha.2`
    ... which satisfies dependency `sqlx = "^0.7.0-alpha.2"` of package `crate-2 v0.1.0 (/home/hamza/code/tmp/cargo-issue/crates/crate-2)`
versions that meet the requirements `^1.5` are: 1.6.0, 1.5.7, 1.5.6, 1.5.5, 1.5.4, 1.5.3

all possible versions conflict with previously selected packages.

  previously selected package `zeroize v1.3.0`
    ... which satisfies dependency `zeroize = "=1.3"` of package `x25519-dalek v1.2.0`
    ... which satisfies dependency `x25519-dalek = "^1.2.0"` of package `vodozemac v0.3.0`
    ... which satisfies dependency `vodozemac = "^0.3.0"` of package `crate-1 v0.1.0 (/home/hamza/code/tmp/cargo-issue/crates/crate-1)`

failed to select a version for `zeroize` which could resolve this conflict

Expected behavior

Build works fine

Steps

  1. Set up a project as detailed below
  2. Run cargo check
  3. Notice the failure

Details

$ exa -T
.
├── Cargo.toml
└── crates
   ├── crate-1
   │  ├── Cargo.toml
   │  └── src
   │     └── main.rs
   └── crate-2
      ├── Cargo.toml
      └── src
         └── main.rs

$ cat Cargo.toml
[workspace]
members = ["crates/*"]

resolver = "2"


$ cat crates/crate-1/Cargo.toml
[package]
name = "crate-1"
version = "0.1.0"
edition = "2021"

# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

[dependencies]
vodozemac = { version = "0.3.0", default-features = true, features = ["js"] }


$ cat crates/crate-2/Cargo.toml
[package]
name = "crate-2"
version = "0.1.0"
edition = "2021"

# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html

[dependencies]
sqlx = { version = "0.7.0-alpha.2", features = [ "runtime-tokio", "postgres", "uuid", "chrono" ] }

Possible Solution(s)

Duplicate the dependency across packages. It is possible to build this workspace such that crate-1 depends on zeroize 1.3 and crate-2 depends on zeroize 1.6

Notes

No response

Version

cargo 1.71.0-nightly (26b73d15a 2023-05-09)
release: 1.71.0-nightly
commit-hash: 26b73d15a68fb94579f6d3590585ec0e9d81d3d5
commit-date: 2023-05-09
host: x86_64-unknown-linux-gnu
libgit2: 1.6.4 (sys:0.17.1 vendored)
libcurl: 8.0.1-DEV (sys:0.4.61+curl-8.0.1 vendored ssl:OpenSSL/1.1.1t)
ssl: OpenSSL 1.1.1t  7 Feb 2023
os: Arch Linux [64-bit]
@ranile ranile added C-bug Category: bug S-triage Status: This issue is waiting on initial triage. labels May 11, 2023
@weihanglo
Member

Thanks for the report. Similar topics have been discussed a couple of times.

Highly recommend reading the second one. It's a summary from a Cargo team member.

I would also suggest posting an issue to the package that pins their dependency to an exact version. In the long term, pinning could bring more harm than benefit, making dependencies stagnate and unable to receive security patches.

Going to close this as it is unlikely to move forward without a strong RFC. Thanks!

@weihanglo weihanglo closed this as not planned Won't fix, can't repro, duplicate, stale May 12, 2023
@weihanglo weihanglo removed the S-triage Status: This issue is waiting on initial triage. label May 12, 2023
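
An added example, not part of the issue thread and not Cargo's code: a simplified model of why `=1.3` and `^1.5` on `zeroize` cannot both be satisfied, given that Cargo selects at most one version per semver-compatible range. The `satisfies`, `bucket` and `resolve` helpers are hypothetical names, and only `=` and `^` requirements are modelled.

```rust
// Simplified model (only `=` and `^` requirements); this is not Cargo's resolver.
type Version = (u64, u64, u64);

#[derive(Debug, PartialEq)]
enum Outcome { Shared(Version), Duplicated(Version, Version), Conflict }

/// Parse "1.5.7" or a partial "1.3"; also returns how many parts were written.
fn parse(s: &str) -> Option<(Version, usize)> {
    let p = s.split('.').map(|x| x.parse::<u64>().ok()).collect::<Option<Vec<_>>>()?;
    match p.as_slice() {
        [a] => Some(((*a, 0, 0), 1)),
        [a, b] => Some(((*a, *b, 0), 2)),
        [a, b, c] => Some(((*a, *b, *c), 3)),
        _ => None,
    }
}

/// Versions with the same key are semver-compatible, so only one may be selected.
fn bucket(v: Version) -> Version {
    if v.0 > 0 { (v.0, 0, 0) } else if v.1 > 0 { (0, v.1, 0) } else { v }
}

fn satisfies(req: &str, v: Version) -> bool {
    if let Some((r, n)) = req.strip_prefix('=').and_then(parse) {
        // `=1.3` fixes only the parts that were written, so any 1.3.z matches.
        v.0 == r.0 && (n < 2 || v.1 == r.1) && (n < 3 || v.2 == r.2)
    } else if let Some((r, n)) = req.strip_prefix('^').and_then(parse) {
        // `^1.5` means >= 1.5.0, below the next incompatible release.
        v >= r && v.0 == r.0
            && (r.0 > 0 || n == 1 || (v.1 == r.1 && (r.1 > 0 || n == 2 || v.2 == r.2)))
    } else { false }
}

/// Resolve two requirements on one crate name against its published versions.
fn resolve(a: &str, b: &str, published: &[Version]) -> Outcome {
    let pick = |req: &str| published.iter().copied().filter(|v| satisfies(req, *v)).collect::<Vec<_>>();
    let (xs, ys) = (pick(a), pick(b));
    if let Some(v) = xs.iter().copied().filter(|v| ys.contains(v)).max() {
        return Outcome::Shared(v);
    }
    // Two different versions are allowed only if they are semver-incompatible.
    xs.iter().flat_map(|x| ys.iter().map(move |y| (*x, *y)))
        .filter(|(x, y)| bucket(*x) != bucket(*y))
        .max()
        .map_or(Outcome::Conflict, |(x, y)| Outcome::Duplicated(x, y))
}

// zeroize versions named in the error output in this issue.
const PAGE_VERSIONS: [Version; 7] = [(1, 6, 0), (1, 5, 7), (1, 5, 6), (1, 5, 5), (1, 5, 4), (1, 5, 3), (1, 3, 0)];

fn main() {
    println!("{:?}", resolve("=1.3", "^1.5", &PAGE_VERSIONS));
}
```

With the exact pin relaxed to a hypothetical `^1.3`, the same call returns a single shared version, which is the outcome the suggestion to report the pin upstream aims for.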