
Lint on non-semver upper bound version requirements #16504

@epage

What it does

Regardless of the version requirement used, we should call out when it doesn't align with a semver upper bound.

If someone wants to pin a dependency, they should use Cargo.lock.

Advantage

This causes incompatibilities within the ecosystem, see https://doc.rust-lang.org/nightly/cargo/reference/specifying-dependencies.html#version-metadata.

Drawbacks

There are valid use cases for `=` for exact versions, including:

  • depending on a derive (alternatives starting to come about)
  • depending on a pre-release (each one can be a breaking change)
  • non-published packages (can just disable the lint completely)

Example

```toml
# from `clap`
clap_derive = { path = "./clap_derive", version = "=4.5.49", optional = true }
# From older versions of `time`
serde = { version = ">= 1.0.126, <= 1.0.171", default-features = false }
# from https://crates.io/crates/postcard
serde = { version = "1.0.*", default-features = false }
```

Could be written as:

```toml
# no change
clap_derive = { path = "./clap_derive", version = "=4.5.49", optional = true }
# switch to `^`
serde = { version = "1.0.126", default-features = false }
# switch to `^`
serde = { version = "1.0.0", default-features = false }
```
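As an added illustration (not code from the issue, Clippy or Cargo), the following Python models the check the proposed lint would perform: compute the effective lower and upper bound of a requirement from Cargo's documented `^`, `~`, `=`, wildcard and comparison semantics, then ask whether the upper bound equals the caret upper bound implied by the lower bound. It assumes plain release versions only (no pre-release tags) and treats a bare `*` as having no upper bound.

```python
import re
from typing import Optional, Tuple
Version = Tuple[int, int, int]
# Optional operator, then `I`, `I.J`, `I.J.K` or a wildcard like `1.0.*` (no pre-release tags).
COMPARATOR = re.compile(r"^(\^|~|=|>=|<=|>|<)?\s*(\d+(?:\.\d+){0,2}|(?:\d+\.){0,2}\*)$")

def parse_version(text: str) -> Tuple[Version, int]:
    """'1.0' -> ((1, 0, 0), 2): missing parts are zero; the count written is kept."""
    parts = [int(p) for p in text.split(".")] + [0, 0]
    return (parts[0], parts[1], parts[2]), len(parts) - 2

def bump(v: Version, idx: int) -> Version:
    """Increment component idx (0=major, 1=minor, 2=patch) and zero those after it."""
    return tuple(c + 1 if i == idx else c if i < idx else 0 for i, c in enumerate(v))

def caret_upper(lower: Version, written: int) -> Version:
    """Exclusive bound of `^`: ^1.2 -> 2.0.0, ^0.2.3 -> 0.3.0, ^0.0.3 -> 0.0.4, ^0.0 -> 0.1.0."""
    idx = 0 if lower[0] > 0 or written == 1 else 1 if lower[1] > 0 or written == 2 else 2
    return bump(lower, idx)

def comparator_bounds(comp: str) -> Tuple[Optional[Version], int, Optional[Version]]:
    """(inclusive lower, components written, exclusive upper) of one comparator."""
    m = COMPARATOR.match(comp.strip())
    if not m:
        raise ValueError(f"unsupported comparator: {comp!r}")
    op, ver = m.group(1) or "^", m.group(2)          # no operator means `^`
    if ver.endswith("*"):                             # 1.0.* -> >=1.0.0, <1.1.0; bare `*` is unbounded
        v, n = parse_version(ver[:-1].rstrip(".") or "0")
        return v, n, (bump(v, n - 1) if ver != "*" else None)
    v, n = parse_version(ver)
    if op == "^":
        return v, n, caret_upper(v, n)
    if op in ("~", "="):                              # ~1.2.3 -> <1.3.0; =4.5.49 -> <4.5.50
        return v, n, bump(v, (min(n, 2) if op == "~" else n) - 1)
    if op in (">=", ">"):                             # >1.2 means >=1.3.0
        return (v if op == ">=" else bump(v, n - 1)), n, None
    return None, n, (v if op == "<" else bump(v, n - 1))  # <1.2.3 as is; <=1.0.171 -> <1.0.172

def check_requirement(req: str) -> Tuple[bool, Optional[Version], Optional[Version]]:
    """Intersect all comparators; aligned iff effective upper == caret upper of effective lower."""
    lower, written, upper = None, 0, None
    for comp in req.split(","):
        lo, n, up = comparator_bounds(comp)
        if lo is not None and (lower is None or lo > lower):
            lower, written = lo, n
        if up is not None and (upper is None or up < upper):
            upper = up
    aligned = lower is not None and upper == caret_upper(lower, written)  # no lower bound: flag it
    return aligned, lower, upper
```

Running it over the three requirements from the issue flags all three (`=4.5.49` stops at 4.5.50, the `time` range at 1.0.172 and `1.0.*` at 1.1.0, where `^` would allow up to 2.0.0), while the suggested `^` rewrites pass.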
