alamb commented on PR #14069: URL: https://github.com/apache/datafusion/pull/14069#issuecomment-2582555840
> > I think the reason we don't have a Cargo.lock is that datafusion is meant to be used as a library and thus we wanted to give downstream crates the flexibility for most dependent library versions
>
> The `Cargo.lock` file of library crates is always ignored by dependent crates:
>
> > However, this determinism can give a false sense of security because Cargo.lock does not affect the consumers of your package, only Cargo.toml does that. For example:
> >
> > * [cargo install](https://doc.rust-lang.org/cargo/commands/cargo-install.html) will select the latest dependencies unless [--locked](https://doc.rust-lang.org/cargo/commands/cargo.html#option-cargo---locked) is passed in.
> > * New dependencies, like those added with [cargo add](https://doc.rust-lang.org/cargo/commands/cargo-add.html), will be locked to the latest version

I tried to document the rationale as I understand it here: https://github.com/apache/datafusion/pull/14071. Perhaps we can discuss potential changes there as well

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: github-unsubscr...@datafusion.apache.org

For queries about this service, please contact Infrastructure at: us...@infra.apache.org