"see N unchanged dependencies behind latest" sometimes seems to show the wrong number

[RalfJung]

Problem

I just ran cargo update on Miri, and the output I got is:

    Updating crates.io index
     Locking 78 packages to latest compatible versions
    Updating annotate-snippets v0.11.4 -> v0.11.5
    Updating anstyle v1.0.8 -> v1.0.10
    Updating anyhow v1.0.86 -> v1.0.97
    Updating autocfg v1.3.0 -> v1.4.0
    Updating bitflags v2.6.0 -> v2.9.0
    Updating bstr v1.10.0 -> v1.11.3
      Adding bumpalo v3.17.0
    Removing byteorder v1.5.0
    Updating camino v1.1.7 -> v1.1.9
    Updating cargo-platform v0.1.8 -> v0.1.9
    Updating cc v1.1.22 -> v1.2.17
    Updating chrono v0.4.38 -> v0.4.40
    Updating chrono-tz v0.10.0 -> v0.10.3
    Updating chrono-tz-build v0.4.0 -> v0.4.1
    Updating colored v2.1.0 -> v2.2.0 (available: v3.0.0)
    Updating console v0.15.8 -> v0.15.11
    Updating cpufeatures v0.2.12 -> v0.2.17
    Updating crossbeam-channel v0.5.13 -> v0.5.14
    Updating crossbeam-utils v0.8.20 -> v0.8.21
    Updating encode_unicode v0.3.6 -> v1.0.0
    Updating errno v0.3.9 -> v0.3.11
    Updating fastrand v2.1.0 -> v2.3.0
    Updating getrandom v0.3.1 -> v0.3.2
    Updating indicatif v0.17.8 -> v0.17.11
    Updating inout v0.1.3 -> v0.1.4
    Removing instant v0.1.13
    Updating itoa v1.0.11 -> v1.0.15
      Adding js-sys v0.3.77
    Updating libc v0.2.155 -> v0.2.171
    Updating libloading v0.8.5 -> v0.8.6
    Updating linux-raw-sys v0.4.14 -> v0.9.3
    Updating log v0.4.22 -> v0.4.27
    Updating once_cell v1.19.0 -> v1.21.3
    Updating phf v0.11.2 -> v0.11.3
    Updating phf_codegen v0.11.2 -> v0.11.3
    Updating phf_generator v0.11.2 -> v0.11.3
    Updating phf_shared v0.11.2 -> v0.11.3
    Updating pin-project-lite v0.2.14 -> v0.2.16
    Updating portable-atomic v1.7.0 -> v1.11.0
    Updating ppv-lite86 v0.2.20 -> v0.2.21
    Updating quote v1.0.36 -> v1.0.40
      Adding r-efi v5.2.0
    Updating rand_core v0.9.0 -> v0.9.3
    Updating redox_syscall v0.5.3 -> v0.5.10
    Updating regex v1.10.6 -> v1.11.1
    Updating regex-automata v0.4.7 -> v0.4.9
    Updating regex-syntax v0.8.4 -> v0.8.5
    Updating rustc_version v0.4.0 -> v0.4.1
    Updating rustfix v0.8.5 -> v0.8.7
    Updating rustix v0.38.34 -> v1.0.5
    Updating ryu v1.0.18 -> v1.0.20
    Updating semver v1.0.23 -> v1.0.26
    Updating serde v1.0.204 -> v1.0.219
    Updating serde_derive v1.0.204 -> v1.0.219
    Updating serde_json v1.0.122 -> v1.0.140
    Updating siphasher v0.3.11 -> v1.0.1
    Updating smallvec v1.13.2 -> v1.14.0
    Updating tempfile v3.11.0 -> v3.19.1
    Updating thiserror v1.0.63 -> v1.0.69
    Updating thiserror-impl v1.0.63 -> v1.0.69
    Updating tracing v0.1.40 -> v0.1.41
    Updating tracing-core v0.1.32 -> v0.1.33
    Updating tracing-error v0.2.0 -> v0.2.1
    Updating tracing-subscriber v0.3.18 -> v0.3.19
    Updating typenum v1.17.0 -> v1.18.0
    Updating ui_test v0.29.1 -> v0.29.2
    Updating unicode-ident v1.0.12 -> v1.0.18
    Removing unicode-width v0.1.13
      Adding unicode-width v0.1.14
      Adding unicode-width v0.2.0
    Updating valuable v0.1.0 -> v0.1.1
    Updating wasi v0.13.3+wasi-0.2.2 -> v0.14.2+wasi-0.2.4
      Adding wasm-bindgen v0.2.100
      Adding wasm-bindgen-backend v0.2.100
      Adding wasm-bindgen-macro v0.2.100
      Adding wasm-bindgen-macro-support v0.2.100
      Adding wasm-bindgen-shared v0.2.100
      Adding web-time v1.1.0
    Removing windows-sys v0.48.0
    Removing windows-sys v0.52.0
    Removing windows-targets v0.48.5
    Removing windows_aarch64_gnullvm v0.48.5
    Removing windows_aarch64_msvc v0.48.5
    Removing windows_i686_gnu v0.48.5
    Removing windows_i686_msvc v0.48.5
    Removing windows_x86_64_gnu v0.48.5
    Removing windows_x86_64_gnullvm v0.48.5
    Removing windows_x86_64_msvc v0.48.5
    Updating wit-bindgen-rt v0.33.0 -> v0.39.0
    Removing zerocopy v0.7.35
    Removing zerocopy v0.8.14
      Adding zerocopy v0.8.24
    Removing zerocopy-derive v0.7.35
    Removing zerocopy-derive v0.8.14
      Adding zerocopy-derive v0.8.24
note: pass `--verbose` to see 1 unchanged dependencies behind latest

However, if I do as I am told and run with -v, I get:

    Updating crates.io index
     Locking 0 packages to latest compatible versions
   Unchanged backtrace v0.3.71 (available: v0.3.74)
   Unchanged colored v2.2.0 (available: v3.0.0)
note: to see how you depend on a package, run `cargo tree --invert --package <dep>@<ver>`

Note there are 2 unchanged dependencies, not just one.
If I now run cargo update again, I get:

    Updating crates.io index
     Locking 0 packages to latest compatible versions
note: pass `--verbose` to see 2 unchanged dependencies behind latest

IOW, now the count is correct.

You can probably reproduce this by checking out https://github.com/rust-lang/miri/ at commit 0e359e330465c9330ba68518eed030c1f097a420.

Version

cargo 1.88.0-nightly (a6c604d1b 2025-03-26)
release: 1.88.0-nightly
commit-hash: a6c604d1b8a2f2a8ff1f3ba6092f9fda42f4b7e9
commit-date: 2025-03-26
host: x86_64-unknown-linux-gnu
libgit2: 1.9.0 (sys:0.20.0 vendored)
libcurl: 8.12.1-DEV (sys:0.4.80+curl-8.12.1 vendored ssl:OpenSSL/3.4.1)
ssl: OpenSSL 3.4.1 11 Feb 2025
os: Debian n/a (trixie) [64-bit]

[weihanglo]

Thanks for reporting this!

I believe that is because colored was not unchanged during the first run of cargo update. However, during the subsequent run of cargo update it was considered unchanged, as it already bumped from 2.1.0 to 2.2.0 in the first run. And the latest version of it on crates.io is 3.0.0.

Not sure how to improve this, maybe we should have a file written something, and you can get the report via cargo report last-update-run (that doesn't sound interesting though).

[RalfJung]

Ah, so the emphasis is on unchanged dependencies behind latest.

Does that make sense? Shouldn't it always report all dependencies behind latest? Otherwise I always have to run it twice to really know whether there's anything outdated left in my dependency tree.

[RalfJung]

Oh I guess the point is that for colored we already have

    Updating colored v2.1.0 -> v2.2.0 (available: v3.0.0)

But this is very easy to miss in the long list.

IMO ideally cargo would print both numbers at the end: how many changed dependencies are still "behind latest", and how many more are behind latest that haven't been changed at all.

[epage]

IMO ideally cargo would print both numbers at the end: how many changed dependencies are still "behind latest", and how many more are behind latest that haven't been changed at all.

The current framing of the message is that "there are hidden items, pass the flag to see them" and not "summary of whats behind" so if we did that, we'd need to adjust that framing.

I wonder if there is a good framing for adjusting the number to be whats still behind after the performed operation (keeping in mind --dry-run).

But this is very easy to miss in the long list.

For the parenthetical text, we sometimes color it to draw extra attention to it

• Red if the new version is not compatible with your MSRV
• Yellow if the new version is behind and compatible with your MSRV
• Default if the new version is behind and incompatible with your MSRV

Maybe the MSRV-incompatible should also be yellow?

[RalfJung]

The current framing of the message is that "there are hidden items, pass the flag to see them"

Yeah, but that's not quite accurate since when I pass the flag, it's too late -- the action that triggered the hidden items already happened, and with the flag it's now going to be different hidden items.

For the parenthetical text, we sometimes color it to draw extra attention to it

I did see the color, but when it scrolls beyond the top of the screen that doesn't help that much.