Lock 0.x dependencies to semver-compatible versions #87

Merged
matze merged 1 commit into matze:master from FliegendeWurst:fix-dependencies on Jan 9, 2025

@FliegendeWurst
Contributor

Specifying dependencies as = "0" is almost exactly like "specifying" = "*" for crates >= 1.x. I realize there is a lockfile, but it still seems reckless.

@matze
Owner

matze commented Jan 7, 2025

> I realize there is a lockfile, but it still seems reckless.

Can you explain the discrepancy I see? Since this is an application I don't see anything reckless about it. Updates have to be done deliberately to have any effect on the resulting dependency graph.

@FliegendeWurst
Contributor Author

The discrepancy is that dep = "0" will allow 0.1 / 0.2 / 0.x, which are all defined as potentially semver-incompatible.

In contrast, dep = "2" will only allow 2.x, which are semver compatible. To achieve the same result (semver-incompatible changes allowed) we would need to set dep = "*".
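
The requirement forms compared in this thread, as an added example that is not part of the pull request or the project's code: it models the range each bare (caret) requirement admits and lists the published versions that `cargo update` could move a lockfile to that are not semver-compatible with the pinned one. Function names and the version list are constructed for illustration.

```rust
// Added example: Cargo's default (caret) requirement ranges, std only; names are hypothetical.
type Version = (u64, u64, u64);

/// Half-open range [low, high) admitted by a bare requirement such as "0", "0.3", "2" or "*".
fn caret_range(req: &str) -> Option<(Version, Version)> {
    let req = req.trim().trim_start_matches('^');
    if req == "*" {
        return Some(((0, 0, 0), (u64::MAX, 0, 0)));
    }
    let parsed: Option<Vec<u64>> = req.split('.').map(|s| s.parse::<u64>().ok()).collect();
    let p = parsed.filter(|p| p.len() <= 3)?;
    let at = |i: usize| p.get(i).copied().unwrap_or(0);
    let high = if at(0) > 0 {
        (at(0) + 1, 0, 0) // 1.x and later: the major version is the compatibility boundary
    } else if p.len() == 1 {
        (1, 0, 0) // "0": every 0.x.y release
    } else if at(1) > 0 {
        (0, at(1) + 1, 0) // "0.3": the minor version is the boundary
    } else if p.len() == 2 {
        (0, 1, 0) // "0.0"
    } else {
        (0, 0, at(2) + 1) // "0.0.z": exactly one release
    };
    Some(((at(0), at(1), at(2)), high))
}

/// Cargo's compatibility rule: both versions share the same left-most non-zero component.
fn compatible(a: Version, b: Version) -> bool {
    match (a, b) {
        ((0, 0, x), (0, 0, y)) => x == y,
        ((0, x, _), (0, y, _)) => x == y,
        ((x, _, _), (y, _, _)) => x == y,
    }
}

/// Releases newer than `locked` that `req` admits but that are not semver-compatible with it.
fn breaking_updates(req: &str, locked: Version, published: &[Version]) -> Vec<Version> {
    let Some((low, high)) = caret_range(req) else { return Vec::new() };
    let admitted = |v: Version| low <= v && v < high && v > locked;
    published.iter().copied().filter(|&v| admitted(v) && !compatible(locked, v)).collect()
}

fn main() {
    let published = [(0, 3, 1), (0, 3, 4), (0, 4, 0), (0, 5, 2), (1, 0, 0)]; // constructed
    for req in ["0", "0.3", "*"] {
        println!("{req:>5} -> {:?}", breaking_updates(req, (0, 3, 1), &published));
    }
}
```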

@matze
Owner

matze commented Jan 9, 2025

My question is related to "I realize there is a lockfile". The lockfile determines the exact dependency versions and if there are semver-incompatible updates (which have to be triggered by hand), we'd notice right away. I'm not against that change per se but my practice tells me that this is more of a concern for libraries than applications. But whatever.

matze merged commit 7127f9f into matze:master on Jan 9, 2025