Cargo publish --locked doesn't use the lock file

[Ben3056]

Problem

The "--locked" parameter for cargo publish doesn't seem to work. It still just pulls the latest versions of packages, seemingly ignoring the cargo.lock file

Steps

1. cargo build: respects the cargo.lock file
2. cargo publish --locked: seemingly ignores the cargo.lock file

Possible Solution(s)

No response

Notes

No response

Version

cargo 1.81.0 (2dbb1af80 2024-08-20)

[epage]

--locked just says that the lockfile should remain unchanged,erroring if it will.

#14815 changed it so Cargo.lock is always included. This was shipped in Cargo 1.84.

Going to go ahead and close this. If there is a reason we should re-evaluate, let us know!

[Ben3056]

I want to publish my crate using the versions in the lock file. Isn't that what https://doc.rust-lang.org/cargo/commands/cargo-publish.html states it's trying to do?

[weihanglo]

Could you provide a reproducible example of what went wrong? Using --dry-run should be sufficient to avoid really publishing something.

[Ben3056]

Well if you specify you want version 1.1.2 of a crate in your cargo.lock file but 1.1.3 is available, cargo build will pull version 1.1.2. But cargo publish --locked will pull version 1.1.3. I think the intention of --locked is to pull the version in the lock file, in this instance, version 1.1.2

[weihanglo]

I noticed you're using 1.81. With Rust 1.84+ Cargo should respect your lockfile, as Ed has mentioned earlier. Hence it is kinda fixed.

Here is the minimal reproducible steps:

# Using Rust toolchain 1.84+
cargo new foo --lib
cd foo
cargo add serde@1
cargo update serde --precise 1.0.100
grep 1.0.100 Cargo.lock
cargo publish --locked --allow-dirty --dry-run
grep 1.0.100 target/package/foo-0.1.0/Cargo.lock
# expected to find `version = "1.0.100"`