Consider making the duplicate package check optional #26262

Closed
Darkspirit opened this issue Apr 22, 2020 · 4 comments

@Darkspirit
Sponsor Contributor

From my current understanding, I think the duplicate package check of servo tidy (#7133, #14695, #19306) is today rather a dark pattern that could prevent fixing regular and security bugs (#15989 (comment)). Dependabot removes duplicates by upgrading all dependencies step by step. I think this check should be changed into an optional command that can be run manually if one wants to notify external repositories like surfman and gfx-rs to keep their dependencies up to date - as long as they haven't adopted dependabot as well. It is used all across Mozilla and will become a built-in feature of GitHub: https://github.com/pulls?q=is%3Apr+author%3Aapp%2Fdependabot-preview+org%3Amozilla

@Darkspirit
Sponsor Contributor Author

If the original intention has changed, it would be good to track what is needed to remove a duplicate instead of tracking what caused it.
My fear that caused me to file this issue is that the duplicate package check could cause daily annoyance and delay on dependabot's mission to upgrade everything at least once. If that's okay, it is fine to close this.

servo/servo-tidy.toml

Lines 28 to 56 in e69adfd

# Ignored packages with duplicated versions
packages = [
"arrayvec",
"base64",
"cocoa",
"dwrote",
"gleam",
"peek-poke",
"peek-poke-derive",
"wayland-sys",
# https://github.com/servo/servo/pull/23288#issuecomment-494687746
"gl_generator",
# Lots of crates to update.
"smallvec",
# https://github.com/servo/servo/issues/24421
"proc-macro2",
"quote",
"unicode-xid",
# https://github.com/servo/servo/pull/25518
"core-foundation",
"core-foundation-sys",
"core-graphics",
"core-text",
"lyon_geom",
]

@Darkspirit
Sponsor Contributor Author

To reduce confusion, please be aware that I suggested to have a manual check that could be run once a month to file upstream bugs. Current bureaucracy mainly serves instant visibility instead of upgrades. Dependencies are liabilities and if they are not sufficiently maintained, they should be forked or removed. The worst stories of NPM craziness should not be repeated with Cargo.

I ran cargo update --aggressive on current master. It would cause 6 duplicates. I assume there may be temporarily additional duplicates due to incremental updates, but it would not be an explosion.

darkspirit@darkspirit-laptop:~/github/servo$ git reset --hard && git clean -fd
HEAD ist jetzt bei 84fe99b1d5 Auto merge of #26253 - asajeffrey:script-dummy-content-editble, r=jdm
darkspirit@darkspirit-laptop:~/github/servo$ nano components/webgpu/Cargo.toml 
darkspirit@darkspirit-laptop:~/github/servo$ cargo update --aggressive        
    Updating git repository `https://github.com/MeFisto94/backtrace-rs`
    Updating git repository `https://github.com/servo/mio.git`
    Updating git repository `https://github.com/servo/spirv_cross`
    Updating git repository `https://github.com/servo/surfman`
    Updating git repository `https://github.com/asajeffrey/surfman-chains`
    Updating git repository `https://github.com/servo/winapi-rs`
    Updating crates.io index
    Updating git repository `https://github.com/servo/media`
    Updating git repository `https://github.com/servo/webxr`
    Updating git repository `https://github.com/servo/webrender`
    Updating git repository `https://github.com/servo/devices`
    Updating git repository `https://github.com/jrmuizel/raqote`
    Updating git repository `https://github.com/energymon/energymon-rust.git`
    Updating git repository `https://github.com/pcwalton/signpost.git`
    Updating git repository `https://github.com/gfx-rs/wgpu`
    Updating git repository `https://github.com/servo/fontsan`
    Updating git repository `https://github.com/servo/rust-mozjs`
    Updating git repository `https://github.com/energymon/energymon-sys.git`
    Updating git repository `https://github.com/servo/mozjs`
warning: Patch `backtrace v0.3.40 (https://github.com/MeFisto94/backtrace-rs?branch=fix-strtab-freeing-crash#91a0aa4a)` was not used in the crate graph.
Patch `mio v0.6.18 (https://github.com/servo/mio.git?branch=servo#846242c0)` was not used in the crate graph.
Patch `spirv_cross v0.16.0 (https://github.com/servo/spirv_cross?branch=wgpu-servo#636677ba)` was not used in the crate graph.
Check that the patched package version and available features are compatible
with the dependency requirements. If the patch has a different version from
what is locked in the Cargo.lock file, run `cargo update` to use the new
version. This may also occur with an optional dependency that is not enabled.
    Updating adler32 v1.0.3 -> v1.0.4
    Updating aho-corasick v0.7.9 -> v0.7.10
    Updating alloc-no-stdlib v2.0.0 -> v2.0.1
    Updating app_units v0.7.0 -> v0.7.1
    Updating approx v0.3.0 -> v0.3.2
    Updating arrayref v0.3.5 -> v0.3.6
    Updating arrayvec v0.4.6 -> v0.4.12
    Updating ascii v0.7.1 -> v0.9.3
    Updating ash v0.29.0 -> v0.30.0
    Updating atty v0.2.11 -> v0.2.14
    Removing backtrace v0.3.40 (https://github.com/MeFisto94/backtrace-rs?branch=fix-strtab-freeing-crash#91a0aa4a)
      Adding backtrace v0.3.46
    Removing backtrace-sys v0.1.32 (https://github.com/MeFisto94/backtrace-rs?branch=fix-strtab-freeing-crash#91a0aa4a)
      Adding backtrace-sys v0.1.36
    Updating bincode v1.0.0 -> v1.2.1
    Updating bindgen v0.53.1 -> v0.53.2
    Updating block-buffer v0.7.0 -> v0.7.3
    Updating block-padding v0.1.2 -> v0.1.5
    Updating blurmac v0.1.0 (https://github.com/servo/devices#cb28c472) -> #328014f5
    Updating boxfnonce v0.1.0 -> v0.1.1
    Updating brotli v3.1.5 -> v3.3.0
    Updating brotli-decompressor v2.1.3 -> v2.3.0
      Adding bumpalo v3.2.1
    Updating byte-tools v0.3.0 -> v0.3.1
    Updating bzip2-sys v0.1.7 -> v0.1.8+1.0.8
    Removing c2-chacha v0.2.2
    Updating cc v1.0.45 -> v1.0.51
    Updating cexpr v0.3.6 -> v0.4.0
    Updating chrono v0.4.9 -> v0.4.11
    Updating clang-sys v0.28.0 -> v0.29.3
    Updating clap v2.32.0 -> v2.33.0
    Updating clipboard-win v2.1.1 -> v2.2.0
    Updating cmake v0.1.41 -> v0.1.42
    Removing cocoa v0.18.4
      Adding cocoa v0.18.5
      Adding cocoa v0.20.0
    Updating color_quant v1.0.0 -> v1.0.1
    Removing colorful v0.2.1
    Updating combine v3.5.2 -> v3.8.1
    Removing cookie v0.11.0
      Adding cookie v0.11.2
      Adding cookie v0.12.0
    Updating core-text v13.2.0 -> v13.3.2
    Updating crossbeam-channel v0.4.0 -> v0.4.2
    Updating crossbeam-deque v0.7.2 -> v0.7.3
    Updating darling v0.10.1 -> v0.10.2
    Updating darling_core v0.10.1 -> v0.10.2
    Updating darling_macro v0.10.1 -> v0.10.2
    Updating dbus v0.6.3 -> v0.6.5
    Removing deflate v0.7.19
      Adding deflate v0.7.20
      Adding deflate v0.8.4
    Updating derive_more v0.99.2 -> v0.99.5
    Updating device v0.0.1 (https://github.com/servo/devices#cb28c472) -> #328014f5
    Updating digest v0.8.0 -> v0.8.1
    Updating downcast-rs v1.0.3 -> v1.1.1
    Updating dtoa v0.4.1 -> v0.4.5
    Updating dtoa-short v0.3.0 -> v0.3.2
    Updating either v1.5.2 -> v1.5.3
    Updating energy-monitor v0.2.0 -> v0.2.1
    Updating energymon v0.3.0 (https://github.com/energymon/energymon-rust.git#89daf8f3) -> #961a4506
    Updating energymon-builder v0.3.0 (https://github.com/energymon/energymon-sys.git#f8d77ea2) -> #821dcf28
    Updating energymon-default-sys v0.3.0 (https://github.com/energymon/energymon-sys.git#f8d77ea2) -> #821dcf28
    Updating energymon-sys v0.3.0 (https://github.com/energymon/energymon-sys.git#f8d77ea2) -> #821dcf28
    Updating error-chain v0.12.0 -> v0.12.2
    Updating flate2 v1.0.12 -> v1.0.14
    Updating futures v0.1.28 -> v0.1.29
    Removing gcc v0.3.55
    Updating generic-array v0.12.0 -> v0.12.3
    Updating getopts v0.2.17 -> v0.2.21
    Updating getrandom v0.1.12 -> v0.1.14
    Updating gfx-auxil v0.1.0 -> v0.3.0
    Updating gfx-backend-dx11 v0.4.2 -> v0.5.0
    Updating gfx-backend-dx12 v0.4.1 -> v0.5.0
    Updating gfx-backend-empty v0.4.0 -> v0.5.0
    Updating gfx-backend-metal v0.4.0 -> v0.5.1
    Updating gfx-backend-vulkan v0.4.0 -> v0.5.2
      Adding gfx-descriptor v0.1.0
    Updating gfx-hal v0.4.1 -> v0.5.0
      Adding gfx-memory v0.1.3
    Updating gif v0.10.0 -> v0.10.3
      Adding gleam v0.11.0
    Updating glob v0.2.11 -> v0.3.0
    Updating gstreamer v0.15.3 -> v0.15.4
    Updating gstreamer-app v0.15.3 -> v0.15.4
    Updating gstreamer-app-sys v0.8.0 -> v0.8.1
    Updating gstreamer-audio-sys v0.8.0 -> v0.8.1
    Updating gstreamer-base v0.15.3 -> v0.15.4
    Updating gstreamer-base-sys v0.8.0 -> v0.8.1
    Updating gstreamer-gl-sys v0.8.0 -> v0.8.1
    Updating gstreamer-player-sys v0.8.0 -> v0.8.1
    Updating gstreamer-sdp-sys v0.8.0 -> v0.8.1
    Updating gstreamer-sys v0.8.0 -> v0.8.1
    Updating gstreamer-video-sys v0.8.0 -> v0.8.1
    Updating gstreamer-webrtc-sys v0.8.0 -> v0.8.1
    Updating gvr-sys v0.7.0 -> v0.7.2
    Updating half v1.0.0 -> v1.5.0
    Updating harfbuzz-sys v0.3.3 -> v0.3.4
    Updating heartbeats-simple v0.4.0 -> v0.4.1
    Updating heartbeats-simple-sys v0.4.1 -> v0.4.3
      Adding hermit-abi v0.1.11
    Updating hibitset v0.6.2 -> v0.6.3
    Updating histogram v0.6.8 -> v0.6.9
    Updating http v0.1.20 -> v0.1.21
    Updating httparse v1.3.2 -> v1.3.4
    Updating ident_case v1.0.0 -> v1.0.1
    Updating image v0.23.0 -> v0.23.4
    Updating indexmap v1.0.2 -> v1.3.2
    Updating inflate v0.4.3 -> v0.4.5
    Updating influent v0.5.2 -> v0.5.3
    Updating itertools v0.8.0 -> v0.8.2
    Updating itoa v0.4.1 -> v0.4.5
    Updating jobserver v0.1.17 -> v0.1.21
    Updating jpeg-decoder v0.1.14 -> v0.1.18
      Adding js-sys v0.3.37
      Adding kernel32-sys v0.2.2
    Updating libc v0.2.62 -> v0.2.69
    Updating libdbus-sys v0.1.4 -> v0.2.1
    Updating libflate v0.1.26 -> v0.1.27
    Updating linked-hash-map v0.5.1 -> v0.5.2
    Updating lock_api v0.3.1 -> v0.3.4
    Removing lyon_geom v0.14.0
    Removing lyon_geom v0.15.0
      Adding lyon_geom v0.14.1
      Adding lyon_geom v0.15.2
    Updating memoffset v0.5.1 -> v0.5.4
    Updating metal v0.17.0 -> v0.18.0
    Updating mime_guess v2.0.1 -> v2.0.3
    Updating miniz-sys v0.1.10 -> v0.1.12
    Updating miniz_oxide v0.3.5 -> v0.3.6
    Removing mio v0.6.18 (https://github.com/servo/mio.git?branch=servo#846242c0)
      Adding mio v0.6.21
    Updating mio-extras v2.0.5 -> v2.0.6
    Updating miow v0.3.3 -> v0.2.1
    Updating mozjs v0.13.0 (https://github.com/servo/rust-mozjs#ea10bed2) -> #e3c545a7
      Adding mozjs_sys v0.68.1 (https://github.com/servo/mozjs?rev=288c49b19b5bc56125de4096c7059db0a92c524e#288c49b1)
    Removing mozjs_sys v0.68.1 (https://github.com/servo/mozjs?rev=d4370798ee17ad16d52ff2e83c9055d19a98b26f#d4370798)
    Updating muldiv v0.2.0 -> v0.2.1
    Updating new_debug_unreachable v1.0.1 -> v1.0.4
    Updating nodrop v0.1.12 -> v0.1.14
    Updating nom v4.1.1 -> v5.1.1
    Updating num-integer v0.1.38 -> v0.1.42
    Updating num-iter v0.1.37 -> v0.1.40
    Updating num-rational v0.2.1 -> v0.2.4
    Updating num_cpus v1.10.1 -> v1.13.0
    Updating objc v0.2.6 -> v0.2.7
    Updating objc_exception v0.1.1 -> v0.1.2
    Updating objc_id v0.1.0 -> v0.1.1
    Updating opaque-debug v0.2.1 -> v0.2.3
    Updating openssl v0.10.26 -> v0.10.29
    Updating ordered-float v1.0.0 -> v1.0.2
    Updating owning_ref v0.4.0 -> v0.4.1
      Adding parking_lot v0.10.2
      Adding parking_lot_core v0.7.2
    Updating paste v0.1.6 -> v0.1.10
    Updating paste-impl v0.1.6 -> v0.1.10
    Updating peek-poke v0.2.0 (https://github.com/servo/webrender#4ba17a61) -> #72e0a418
    Removing peek-poke v0.2.0 (https://github.com/kvark/peek-poke?rev=969bd7fe2be1a83f87916dc8b388c63cfd457075#969bd7fe)
      Adding peek-poke v0.2.0
    Updating peek-poke-derive v0.2.1 (https://github.com/servo/webrender#4ba17a61) -> #72e0a418
    Removing peek-poke-derive v0.2.0 (https://github.com/kvark/peek-poke?rev=969bd7fe2be1a83f87916dc8b388c63cfd457075#969bd7fe)
      Adding peek-poke-derive v0.2.1
    Updating pin-utils v0.1.0-alpha.4 -> v0.1.0
    Updating pkg-config v0.3.14 -> v0.3.17
      Adding png v0.16.3
    Updating ppv-lite86 v0.2.5 -> v0.2.6
    Updating proc-macro-hack v0.5.9 -> v0.5.15
    Updating proc-macro-nested v0.1.3 -> v0.1.4
    Removing proc-macro2 v0.4.26
    Removing proc-macro2 v1.0.1
      Adding proc-macro2 v0.4.30
      Adding proc-macro2 v1.0.10
    Updating quick-error v1.2.1 -> v1.2.3
    Removing quote v0.6.12
    Removing quote v1.0.2
      Adding quote v0.6.13
      Adding quote v1.0.3
    Updating rand v0.7.2 -> v0.7.3
    Updating rand_chacha v0.2.1 -> v0.2.2
    Updating raqote v0.7.15-alpha.0 (https://github.com/jrmuizel/raqote#ca350170) -> #007c748d
    Updating raw-window-handle v0.3.1 -> v0.3.3
    Updating redox_syscall v0.1.17 -> v0.1.56
    Removing redox_termios v0.1.1
    Updating ref_slice v1.1.1 -> v1.2.0
    Updating regex v1.3.4 -> v1.3.7
    Updating regex-syntax v0.6.16 -> v0.6.17
    Removing relevant v0.4.2
    Removing rendy-descriptor v0.5.1
    Removing rendy-memory v0.5.2
    Updating rustc-demangle v0.1.4 -> v0.1.16
    Updating rustc-hash v1.0.1 -> v1.1.0
    Removing rusttype v0.7.2
      Adding rusttype v0.7.9
      Adding rusttype v0.8.3
      Adding ryu v1.0.3
    Updating same-file v1.0.2 -> v1.0.6
    Updating scoped_threadpool v0.1.7 -> v0.1.9
    Updating scopeguard v1.0.0 -> v1.1.0
    Updating serde v1.0.103 -> v1.0.106
    Updating serde_bytes v0.11.2 -> v0.11.3
    Updating serde_derive v1.0.103 -> v1.0.106
    Updating serde_json v1.0.13 -> v1.0.51
    Updating servo-freetype-sys v4.0.4 -> v4.0.5
    Updating sha-1 v0.8.1 -> v0.8.2
    Updating sha2 v0.8.0 -> v0.8.1
    Removing shared_library v0.1.9
    Updating siphasher v0.3.1 -> v0.3.2
    Updating slab v0.4.1 -> v0.4.2
    Updating smallbitvec v2.3.0 -> v2.4.0
    Updating smallvec v1.2.0 -> v1.3.0
    Removing socket2 v0.3.5
    Removing spirv_cross v0.16.0 (https://github.com/servo/spirv_cross?branch=wgpu-servo#636677ba)
      Adding spirv_cross v0.18.0
    Updating stable_deref_trait v1.0.0 -> v1.1.1
    Updating stb_truetype v0.2.4 -> v0.3.1
    Updating strsim v0.7.0 -> v0.8.0
    Updating surfman v0.2.0 (https://github.com/servo/surfman#41ac1ee6) -> #fde88984
    Updating svg_fmt v0.4.0 -> v0.4.1
    Updating sw-composite v0.7.7 -> v0.7.8
    Updating syn v1.0.3 -> v1.0.17
    Updating synstructure v0.12.1 -> v0.12.3
    Updating termcolor v1.0.4 -> v1.1.0
    Removing termion v1.5.1
    Updating textwrap v0.10.0 -> v0.11.0
    Removing thread_profiler v0.1.3
    Updating time v0.1.42 -> v0.1.43
    Updating tokio-codec v0.1.0 -> v0.1.2
    Updating tokio-current-thread v0.1.6 -> v0.1.7
    Updating tokio-fs v0.1.6 -> v0.1.7
    Updating tokio-io v0.1.8 -> v0.1.13
    Updating tokio-reactor v0.1.3 -> v0.1.12
    Updating tokio-sync v0.1.6 -> v0.1.8
    Updating tokio-tcp v0.1.1 -> v0.1.4
    Updating tokio-udp v0.1.2 -> v0.1.6
    Updating tokio-uds v0.2.5 -> v0.2.6
    Updating toml v0.5.1 -> v0.5.6
      Adding tracy-rs v0.1.0
    Updating truetype v0.26.0 -> v0.26.2
    Updating typenum v1.10.0 -> v1.12.0
    Updating unicase v2.4.0 -> v2.6.0
    Updating unicode-normalization v0.1.5 -> v0.1.12
    Updating unicode-segmentation v1.2.0 -> v1.6.0
    Updating unicode-width v0.1.4 -> v0.1.7
    Updating url v2.1.0 -> v2.1.1
    Updating uuid v0.8.0 -> v0.8.1
    Updating vec_map v0.8.0 -> v0.8.1
    Updating version_check v0.1.4 -> v0.9.1
    Updating walkdir v2.2.7 -> v2.3.1
    Updating warp v0.1.19 -> v0.1.22
    Updating wasi v0.7.0 -> v0.9.0+wasi-snapshot-preview1
      Adding wasm-bindgen v0.2.60
      Adding wasm-bindgen-backend v0.2.60
      Adding wasm-bindgen-macro v0.2.60
      Adding wasm-bindgen-macro-support v0.2.60
      Adding wasm-bindgen-shared v0.2.60
    Updating wayland-protocols v0.21.4 -> v0.21.13
    Updating wayland-sys v0.24.0 -> v0.24.1
    Updating webdriver v0.40.1 -> v0.40.2
    Updating webrender v0.61.0 (https://github.com/servo/webrender#4ba17a61) -> #72e0a418
    Updating webrender_api v0.61.0 (https://github.com/servo/webrender#4ba17a61) -> #72e0a418
    Updating webrender_build v0.0.1 (https://github.com/servo/webrender#4ba17a61) -> #72e0a418
    Updating wgpu-core v0.1.0 (https://github.com/gfx-rs/wgpu#4f937c04) -> #5c172dd4
      Adding wgpu-types v0.5.0 (https://github.com/gfx-rs/wgpu#5c172dd4)
    Updating which v3.0.0 -> v3.1.1
      Adding winapi v0.2.8
      Adding winapi-build v0.1.1
    Updating winapi-util v0.1.1 -> v0.1.5
    Removing wincolor v1.0.1
    Updating wr_malloc_size_of v0.0.1 (https://github.com/servo/webrender#4ba17a61) -> #72e0a418
      Adding ws2_32-sys v0.2.1
    Updating x11 v2.17.3 -> v2.18.2
    Updating x11-clipboard v0.3.0 -> v0.3.3
    Updating xdg v2.1.0 -> v2.2.0
    Updating xml-rs v0.8.0 -> v0.8.2
darkspirit@darkspirit-laptop:~/github/servo$ ./mach test-tidy
 0:03.35 INFO Diffing old and new manifests /home/darkspirit/github/servo/tests/wpt/webgl/meta/MANIFEST.json
 0:03.89 INFO Diffing old and new manifests /home/darkspirit/github/servo/tests/wpt/mozilla/meta/MANIFEST.json
 0:04.03 INFO Diffing old and new manifests /home/darkspirit/github/servo/tests/wpt/metadata/MANIFEST.json
Checking the config file...
Checking the wpt manifest file...
Checking directories for correct file extensions...
Checking files for tidiness...
./Cargo.lock:1: duplicate versions for package `winapi`
        The following packages depend on version 0.2.8 from 'crates.io':
        The following packages depend on version 0.3.8 from 'https://github.com/servo/winapi-rs?branch=patch-1':
./Cargo.lock:1: duplicate versions for package `cookie`
        The following packages depend on version 0.11.2 from 'crates.io':
        The following packages depend on version 0.12.0 from 'crates.io':
./Cargo.lock:1: duplicate versions for package `parking_lot_core`
        The following packages depend on version 0.6.2 from 'crates.io':
        The following packages depend on version 0.7.2 from 'crates.io':
./Cargo.lock:1: duplicate versions for package `png`
        The following packages depend on version 0.15.3 from 'crates.io':
        The following packages depend on version 0.16.3 from 'crates.io':
./Cargo.lock:1: duplicate versions for package `deflate`
        The following packages depend on version 0.7.20 from 'crates.io':
        The following packages depend on version 0.8.4 from 'crates.io':
./Cargo.lock:1: duplicate versions for package `rusttype`
        The following packages depend on version 0.7.9 from 'crates.io':
        The following packages depend on version 0.8.3 from 'crates.io':
./Cargo.lock:1: duplicate versions for package `parking_lot`
        The following packages depend on version 0.10.2 from 'crates.io':
        The following packages depend on version 0.9.0 from 'crates.io':
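
The kind of check discussed in this thread, as an added example (not servo-tidy's code and not part of any comment): it finds packages locked at more than one version, applies an ignore list like the one in servo-tidy.toml, and also reports ignore entries that no longer match a duplicate. The lockfile excerpt is constructed, the dependents `app` and `legacy-http` are hypothetical, and only versions are compared, not sources.

```python
import re
from collections import defaultdict

# Constructed Cargo.lock excerpt: versions are from the output above, the
# dependents "app" and "legacy-http" are hypothetical.
SAMPLE_LOCK = """\
[[package]]
name = "app"
version = "0.1.0"
dependencies = ["arrayvec", "cookie 0.12.0", "legacy-http", "lyon_geom 0.15.2"]
[[package]]
name = "legacy-http"
version = "0.1.0"
dependencies = ["cookie 0.11.2", "lyon_geom 0.14.1"]
""" + "".join(
    '[[package]]\nname = "%s"\nversion = "%s"\n' % nv
    for nv in [("arrayvec", "0.4.12"), ("cookie", "0.11.2"), ("cookie", "0.12.0"),
               ("lyon_geom", "0.14.1"), ("lyon_geom", "0.15.2")])
IGNORED = {"arrayvec", "lyon_geom"}  # subset of the servo-tidy.toml list above


def parse_lock(text):
    """Return [(name, version, [dependency strings])] for each [[package]]."""
    pkgs = []
    for block in text.split("[[package]]")[1:]:
        name = re.search(r'^name = "([^"]+)"', block, re.M).group(1)
        version = re.search(r'^version = "([^"]+)"', block, re.M).group(1)
        deps = re.search(r"^dependencies = \[(.*?)\]", block, re.M | re.S)
        pkgs.append((name, version,
                     re.findall(r'"([^"]+)"', deps.group(1)) if deps else []))
    return pkgs


def check_duplicates(lock_text, ignored):
    """Return (failures, suppressed, stale_ignores).

    failures: {name: {version: [dependents]}} for duplicates not ignored.
    suppressed: duplicated packages hidden by the ignore list.
    stale_ignores: ignore entries that no longer match any duplicate.
    """
    pkgs = parse_lock(lock_text)
    versions = defaultdict(set)
    for name, version, _ in pkgs:
        versions[name].add(version)
    dups = {n for n, v in versions.items() if len(v) > 1}
    failures = {n: {v: [] for v in sorted(versions[n])}
                for n in dups - set(ignored)}
    for parent, _, deps in pkgs:
        for dep in deps:
            # Cargo writes "name version" only when the name alone is ambiguous.
            dep_name, _, dep_version = dep.partition(" ")
            if dep_name in failures and dep_version:
                ver = dep_version.split(" ")[0]  # drop a trailing "(source)"
                failures[dep_name].setdefault(ver, []).append(parent)
    return failures, sorted(dups & set(ignored)), sorted(set(ignored) - dups)
```

Here `cookie` fails the check with its dependents listed per version, `lyon_geom` is suppressed by the ignore list, and `arrayvec` is reported as an ignore entry that could be dropped.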

@nox
Contributor

nox commented Apr 23, 2020

I'm -100 on removing that check.

You say those duplicates are temporary, but most often they aren't.

@nox
Contributor

nox commented Apr 23, 2020

Also don't go around calling things "dark patterns", that's a bit out of place, IMO.
