Patch and Replace Package Dependencies for Cargo Audit in Cargo.toml

⚓ Rust    📅 2026-06-15    👤 surdeus    👁️ 1      

A library I depend on depends on yaml-rust, which has been without a maintainer, so cargo audit complains about it. yaml-rust2 is a drop-in replacement, and the book describes patching, so it sounds like it should be possible to drop it in; however, I can't find a way to make it possible.

If I try to override the package name and fetch from crates.io, it complains:

[workspace.dependencies]
bat = "0.26"

[patch.crates-io]
yaml-rust = { package = "yaml-rust2", version = "0.11.0" }

patch for yaml-rust2 points to the same source, but patches must point to different sources

If I try to set it to use Git, that also doesn't work:

[patch.crates-io]
yaml-rust = { git = "https://github.com/Ethiraric/yaml-rust2.git", tag = "v0.11.0", version = "0.4.5" }

patch location contains version '0.11.0', but patch definition requires '0.4.5'

Is there a way to replace a crates.io dependency in my graph with a separate package altogether in the way I'm seeking? Or is this not possible?
