Dependency management guidelines for Jarvy - crate selection criteria, feature flag best practices, version management, security auditing with cargo-audit and cargo-deny.
This skill provides guidance for managing Rust dependencies in the Jarvy project.
## Crate Selection

Before adding an external crate, verify that the standard library cannot handle the need:

```rust
// PREFER: stdlib for simple operations
use std::fs;
use std::path::PathBuf;
use std::process::Command;

// AVOID: adding crates for trivial functionality
```
When considering a new dependency, first check whether a crate already in the project covers the need:

| Need | Use Existing |
|---|---|
| JSON | serde_json |
| YAML | serde_yaml |
| TOML | toml |
| Error types | thiserror |
| HTTP | ureq |
| Logging | tracing |
| CLI args | clap with derive |
| Interactive prompts | inquire |
| Unique IDs | uuid v7 |
| Platform dirs | dirs |
## Feature Flags

Enable only the features the project actually uses:

```toml
# GOOD: Explicit minimal features
clap = { version = "4.5", features = ["derive"] }
uuid = { version = "1.10", features = ["v7"] }
serde = { version = "1.0", features = ["derive"] }
ureq = { version = "3.1", features = ["json"] }

# BAD: Enabling all features
# clap = { version = "4.5", features = ["full"] }
```

Document why a non-default feature is needed, and opt out of default features when only a subset is required:

```toml
# v7 provides time-ordered UUIDs for telemetry event ordering
uuid = { version = "1.10", features = ["v7"] }

# Disable defaults and list only what is needed
some-crate = { version = "1.0", default-features = false, features = ["needed"] }
```
## Version Management

```toml
# Standard: Allow patch and minor updates
serde = "1.0"

# Specific: Pin only when necessary
opentelemetry-otlp = "0.31.0"
```

```bash
# Update all dependencies
cargo update

# Update specific dependency
cargo update -p serde

# Check for outdated dependencies (requires the cargo-outdated subcommand)
cargo outdated
```
Cargo.lock: this is an application, not a library, so the lockfile is committed.

## Security Auditing

```bash
# Install audit tools
cargo install cargo-audit
cargo install cargo-deny

# Run security advisory check
cargo audit

# Comprehensive check (security, licenses, duplicates)
cargo deny check
```
Create `deny.toml`:

```toml
[advisories]
vulnerability = "deny"
unmaintained = "warn"
yanked = "deny"

[licenses]
unlicensed = "deny"
allow = ["MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC", "Zlib"]

[bans]
multiple-versions = "warn"
wildcards = "deny"

[sources]
unknown-registry = "deny"
unknown-git = "deny"
```
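As an added example (not Jarvy's own code and not part of cargo-deny), here is a std-only lint that applies three of the rules above to a Cargo.toml text: wildcard versions, `full` feature sets and git sources, i.e. what `wildcards = "deny"` and `unknown-git = "deny"` enforce plus the feature-flag rule. The manifest it scans is a constructed sample, and `Finding`, `field` and `lint_dependencies` are names chosen for this example.

```rust
// Added example, not Jarvy's code: a std-only Cargo.toml dependency lint covering the
// plain `name = "ver"` and inline-table forms shown on this page.
#[derive(Debug, PartialEq, Eq)]
pub enum Finding { Wildcard(String), FullFeatures(String), GitSource(String) }

/// `key = value` lookup in an inline table; matches whole keys only, so `features`
/// never matches `default-features`. Arrays come back with their brackets.
fn field(table: &str, key: &str) -> Option<String> {
    let mut from = 0;
    while let Some(pos) = table[from..].find(key) {
        let (at, rest) = (from + pos, table[from + pos + key.len()..].trim_start());
        let whole = at == 0 || !matches!(table.as_bytes()[at - 1], b'a'..=b'z' | b'0'..=b'9' | b'-' | b'_');
        if let (true, Some(val)) = (whole, rest.strip_prefix('=')) {
            let val = val.trim_start();
            let end = if val.starts_with('[') { val.find(']')? + 1 } else { val.find(|c: char| c == ',' || c == '}')? };
            return Some(val[..end].trim().trim_matches('"').to_string());
        }
        from = at + key.len();
    }
    None
}

/// Check every `[...dependencies]` table; comments, blank lines and other tables are skipped.
pub fn lint_dependencies(cargo_toml: &str) -> Vec<Finding> {
    let (mut findings, mut in_deps) = (Vec::new(), false);
    for line in cargo_toml.lines().map(str::trim) {
        if line.starts_with('[') { in_deps = line.ends_with("dependencies]"); continue; }
        if !in_deps || line.is_empty() || line.starts_with('#') { continue; }
        let Some((name, rhs)) = line.split_once('=') else { continue };
        let (name, rhs) = (name.trim().to_string(), rhs.trim());
        let (version, features, git) = if rhs.starts_with('{') {
            (field(rhs, "version").unwrap_or_default(), field(rhs, "features").unwrap_or_default(), field(rhs, "git").is_some())
        } else {
            (rhs.trim_matches('"').to_string(), String::new(), false) // plain `name = "ver"` form
        };
        if version == "*" || version.ends_with(".*") { findings.push(Finding::Wildcard(name.clone())); }
        if features.split(',').any(|f| f.trim().trim_matches(|c: char| c == '"' || c == '[' || c == ']') == "full") { findings.push(Finding::FullFeatures(name.clone())); }
        if git { findings.push(Finding::GitSource(name)); }
    }
    findings
}

/// Constructed sample manifest for the demonstration (not a real Jarvy Cargo.toml).
pub const SAMPLE_CARGO_TOML: &str = r#"[dependencies]
clap = { version = "4.5", features = ["full"] }
serde = "1.0"
some-crate = { version = "1.0", default-features = false, features = ["needed"] }
rand = "*"
tracing = { git = "https://example.invalid/tracing.git" }
[dev-dependencies]
tempfile = "3.20.0"
"#;
```

Running `lint_dependencies(SAMPLE_CARGO_TOML)` reports `clap` (full features), `rand` (wildcard) and `tracing` (git source) while leaving `some-crate`'s `default-features = false` line untouched; `cargo deny check` remains the authoritative gate, this only shows what the policy means.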
When to run the checks:

- `cargo audit` locally
- `cargo deny check` on every PR
- `cargo audit` after adding a dependency

Document each new dependency with this template:

```markdown
## New Dependency: `crate-name`

**Purpose**: [What functionality?]

**Alternatives Considered**:
- stdlib: [Why not sufficient?]

**Metrics**:
- Transitive dependencies: [count]
- Build time impact: [minimal/moderate/significant]
- Last updated: [date]

**Features Enabled**: [list and why]
```
## Build Configuration

```toml
[build]
rustc-wrapper = "sccache"
jobs = 16

[profile.dev]
opt-level = 1

[profile.release]
lto = "thin"
```

```bash
# Measure build time
cargo build --timings

# Generate HTML report
cargo build --timings=html
```
## Platform-Specific Dependencies

```toml
[target.'cfg(target_os = "macos")'.dependencies]
macos-crate = "1.0"

[target.'cfg(target_os = "windows")'.dependencies]
windows-crate = "1.0"
```

Verify cross-platform compilation:

```bash
cargo check --target x86_64-unknown-linux-gnu
cargo check --target x86_64-apple-darwin
cargo check --target x86_64-pc-windows-msvc
```
## Current Dependencies

| Crate | Version | Purpose |
|---|---|---|
| clap | 4.5.6 | CLI parsing |
| serde | 1.0.204 | Serialization |
| toml | 0.9.5 | Config parsing |
| thiserror | 2.0.16 | Error types |
| tracing | 0.1.40 | Logging |
| ureq | 3.1.2 | HTTP client |
| inquire | 0.9.1 | Interactive prompts |
| dirs | 6.0.0 | Platform directories |
| uuid | 1.10.0 | Unique IDs |
| machineid-rs | 1.2 | Machine fingerprint |

Dev dependencies:

| Crate | Version | Purpose |
|---|---|---|
| tempfile | 3.20.0 | Temp file handling |
| assert_cmd | 2.0.17 | CLI testing |