cargo-lock 9.0.0

Self-contained Cargo.lock parser with optional dependency graph analysis

RustSec: cargo-lock crate

Latest Version Docs Build Status Safety Dance MSRV Apache 2.0 OR MIT licensed Project Chat

Self-contained serde-powered Cargo.lock parser/serializer with support for the V1, V2 (merge-friendly) and V3 formats, as well as optional dependency tree analysis features. Used by RustSec.

When the dependency-tree feature of this crate is enabled, it supports computing a directed graph of the dependency tree, modeled using the petgraph crate, along with support for printing dependency trees ala the cargo-tree crate.


Minimum Supported Rust Version

Rust 1.60 or higher.

Minimum supported Rust version can be changed in the future, but it will be accompanied by a minor version bump.

SemVer Policy

  • MSRV is considered exempt from SemVer as noted above
  • The cargo lock CLI interface is not considered to have a stable interface and is also exempted from SemVer. We reserve the right to make substantial changes to it at any time (for now)
  • The dependency-tree feature depends on the pre-1.0 petgraph crate. We reserve the right to update petgraph, however when we do it will be accompanied by a minor version bump.

Command Line Interface

This crate provides a cargo lock subcommand which can be installed with:

$ cargo install cargo-lock --features=cli

It supports the following subcommands:

  • list: list packages in Cargo.lock
  • translate: translate Cargo.lock files between the V1 and V2 formats
  • tree: print a dependency tree from Cargo.lock alone

See the crate documentation for more detailed usage information.


Licensed under either of:

at your option.


Unless you explicitly state otherwise, any contribution intentionally submitted for inclusion in the work by you shall be dual licensed as above, without any additional terms or conditions.