Audit, update, clean up, and secure Rust (Cargo) dependencies. Use when the user asks to groom, audit, update, clean, or review dependencies, or mentions outdated crates, unused deps, dependency security, or supply-chain safety.
Comprehensive dependency grooming workflow for Rust/Cargo projects. Runs through six working phases (outdated check, update, build & test, unused removal, alternative suggestions, security audit) followed by a final report.
## Prerequisites

Ensure the following cargo subcommands are available. Install any that are missing before proceeding:

| Tool | Install | Purpose |
|---|---|---|
| cargo-outdated | `cargo install cargo-outdated` | List outdated crates |
| cargo-audit | `cargo install cargo-audit` | Security vulnerability scan (RustSec advisory DB) |
| cargo-machete | `cargo install cargo-machete` | Detect unused dependencies |
| cargo-deny | `cargo install cargo-deny` | License & advisory checks (optional, enhances the security phase) |
Check which are installed by running:

```bash
command -v cargo-outdated && command -v cargo-audit && command -v cargo-machete
```

Install any missing tools before continuing. Do not skip phases because a tool is missing: install it first.
Use the TodoWrite tool to track progress through these phases:
- [ ] Phase 1: Check outdated dependencies
- [ ] Phase 2: Update dependencies
- [ ] Phase 3: Build & test
- [ ] Phase 4: Remove unused dependencies
- [ ] Phase 5: Suggest alternatives
- [ ] Phase 6: Security audit
- [ ] Phase 7: Final report
## Phase 1: Check outdated dependencies

Run:

```bash
cargo outdated --root-deps-only
```

Capture the full output. Note every crate where Latest differs from Project version. Classify each update as patch, minor, or major using Cargo's compatibility rules rather than plain semver: for a `0.x` crate the leftmost non-zero component is the breaking one, so `0.8 -> 0.9` (and `0.0.3 -> 0.0.4`) is a breaking change and counts as major.

If all dependencies are current, note "all deps up to date" and move on.
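Classifying bumps by Cargo's rules is easy to get wrong for `0.x` crates, so here is an added POSIX shell example of the classification (not part of this workflow's own tooling). `split_ver`, `classify_bump` and `classify_outdated` are hypothetical helper names; the sample table is constructed to mimic the Name/Project/Compat/Latest/Kind/Platform columns of `cargo outdated`, and both that column layout and the crate names and versions in it are illustrative assumptions, not real release data.

```shell
#!/bin/sh
# Added example: classify a dependency bump the way Cargo treats it.
# Cargo's caret rule: the leftmost non-zero version component is the
# breaking one, so 0.8 -> 0.9 and 0.0.3 -> 0.0.4 are "major" here even
# though plain semver would call them minor/patch.

# Print "major minor patch" for a version; missing parts default to 0.
split_ver() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    echo "${1:-0} ${2:-0} ${3:-0}"
}

# classify_bump OLD NEW -> none | patch | minor | major | unknown
classify_bump() {
    # Drop pre-release/build suffixes (1.2.3-rc.1+sha -> 1.2.3).
    o=${1%%[-+]*}; n=${2%%[-+]*}
    # Anything that is not dotted digits (e.g. "---" in a table cell) is unknown.
    case "$o" in ""|*[!0-9.]*) echo unknown; return 1 ;; esac
    case "$n" in ""|*[!0-9.]*) echo unknown; return 1 ;; esac
    if [ "$o" = "$n" ]; then echo none; return 0; fi
    set -- $(split_ver "$o") $(split_ver "$n")
    omaj=$1; omin=$2; opat=$3; nmaj=$4; nmin=$5; npat=$6
    if [ "$omaj" -ne "$nmaj" ]; then
        echo major
    elif [ "$omaj" -eq 0 ] && [ "$omin" -ne "$nmin" ]; then
        echo major            # 0.x: a minor bump is breaking under Cargo's rules
    elif [ "$omaj" -eq 0 ] && [ "$omin" -eq 0 ] && [ "$opat" -ne "$npat" ]; then
        echo major            # 0.0.x: every release is breaking
    elif [ "$omin" -ne "$nmin" ]; then
        echo minor
    elif [ "$opat" -ne "$npat" ]; then
        echo patch
    else
        echo none             # differs only in a pre-release/build suffix
    fi
}

# Read a cargo-outdated style table on stdin (assumed columns:
# Name Project Compat Latest Kind Platform) and print "name old new type".
classify_outdated() {
    while read -r name project compat latest rest; do
        case "$name" in ""|Name|----*) continue ;; esac   # skip header rows
        echo "$name $project $latest $(classify_bump "$project" "$latest")"
    done
}

# Constructed sample in the shape of `cargo outdated --root-deps-only`
# output; crate names and versions are illustrative, not real release data.
sample='Name    Project  Compat   Latest   Kind         Platform
----    -------  ------   ------   ----         --------
serde   1.0.190  1.0.210  1.0.210  Normal       ---
tokio   1.35.0   1.40.0   1.40.0   Normal       ---
rand    0.8.5    0.8.5    0.9.0    Normal       ---
clap    3.2.25   3.2.25   4.5.20   Normal       ---
nom     0.0.7    0.0.7    0.0.8    Development  ---'

printf '%s\n' "$sample" | classify_outdated
```

Feed the real `cargo outdated --root-deps-only` output through `classify_outdated` to get one `name old new type` line per crate; the three `major` rows in the sample (`rand`, `clap`, `nom`) are the ones `cargo update` will not touch and that need a Cargo.toml edit in Phase 2.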
## Phase 2: Update dependencies

For patch/minor updates:

```bash
cargo update
```

This respects the semver constraints in Cargo.toml and only bumps Cargo.lock. Review the resulting lockfile diff (`git diff Cargo.lock`) for crates that were newly added or whose source changed; that is where a supply-chain surprise shows up, and Phase 6 audits the lockfile exactly as updated here.

For major updates that `cargo update` won't cover, edit Cargo.toml to bump the version constraint for each crate (check the crate's changelog for breaking changes first). After making changes, run `cargo check` to catch compile errors early before the full build in Phase 3.

Commit the result:

```bash
git add -A && git commit -m "chore(deps): update dependencies (groom phase 2)"
```
## Phase 3: Build & test

```bash
cargo build 2>&1
cargo test 2>&1
```

If either fails, fix the breakage (adapt code to a changed API, or pin the offending crate back to its previous version) before continuing. Do not proceed to Phase 4 until build and tests are green.
## Phase 4: Remove unused dependencies

```bash
cargo machete
```

cargo-machete reports crates listed in Cargo.toml that don't appear to be used in source code. Its detection is text-based, so a crate that is only used through a macro, a build script, or a feature-gated code path can be flagged as a false positive; a crate that must stay can be listed under `[package.metadata.cargo-machete] ignored` in Cargo.toml so it is not reported again.

For each flagged crate: remove it from Cargo.toml, then run `cargo build && cargo test` after each removal to confirm nothing breaks. If the build or tests fail, put the crate back and treat the report as a false positive.

If any dependencies were removed, commit:

```bash
git add -A && git commit -m "chore(deps): remove unused dependencies (groom phase 4)"
```
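A removal loop that restores the manifest when a flagged crate turns out to be needed, as an added example (not the workflow's or cargo-machete's own code). It assumes a single-package project (not a workspace), a Cargo new enough for `cargo remove` (1.62 or later), and that it is run from the crate root; `remove_unused_deps` is a hypothetical helper, and the crate names are copied in by hand from the `cargo machete` output.

```shell
#!/bin/sh
# Added example: remove cargo-machete findings one at a time, verifying the
# build and tests after each removal and restoring the manifest when a
# removal breaks something (a machete false positive).
# Assumptions: single-package project (no workspace), Cargo >= 1.62 for
# `cargo remove`, run from the crate root. Crate names come from `cargo machete`.

remove_unused_deps() {
    removed=""; kept=""
    for crate in "$@"; do
        # Snapshot manifest and lockfile so only this crate's removal is undone,
        # never earlier removals that already passed build and tests.
        cp Cargo.toml Cargo.toml.groom-bak
        if [ -f Cargo.lock ]; then cp Cargo.lock Cargo.lock.groom-bak; fi
        if ! cargo remove "$crate" >/dev/null 2>&1; then
            echo "skip: $crate is not a dependency in Cargo.toml"
            continue
        fi
        if cargo build >/dev/null 2>&1 && cargo test >/dev/null 2>&1; then
            removed="$removed $crate"
            echo "removed: $crate"
        else
            # Build or tests broke: the crate is used via a macro, build
            # script or feature-gated path. Put it back and report it so it
            # can be added to [package.metadata.cargo-machete] ignored.
            mv Cargo.toml.groom-bak Cargo.toml
            if [ -f Cargo.lock.groom-bak ]; then mv Cargo.lock.groom-bak Cargo.lock; fi
            kept="$kept $crate"
            echo "kept: $crate (build or tests failed after removal; likely false positive)"
        fi
    done
    rm -f Cargo.toml.groom-bak Cargo.lock.groom-bak
    echo "summary: removed=[${removed# }] kept=[${kept# }]"
    # Exit non-zero when a crate had to be kept so a caller can notice.
    [ -z "$kept" ]
}

# Usage: sh groom-remove.sh crate_a crate_b ...
if [ "$#" -gt 0 ]; then
    remove_unused_deps "$@"
fi
```

The script deliberately does not commit: after it finishes, the single Phase 4 commit above records all removals that survived, and any `kept:` line is the cue to add that crate to the `ignored` list rather than retry the removal.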
## Phase 5: Suggest alternatives

Review the dependency list in Cargo.toml and suggest better alternatives when:

- A crate is unmaintained or carries an advisory with no fix available (see Phase 6).
- A lighter or better-fitting crate exists for the use case (e.g. chrono vs time, reqwest vs ureq for different use cases).
- The functionality has moved into the standard library (e.g. std::sync::LazyLock instead of once_cell on recent MSRV).

For each suggestion, provide: the current crate, the suggested replacement, the migration effort (trivial/moderate/significant), and the reason.

Do not automatically apply these changes; present them in the final report for the user to decide.
## Phase 6: Security audit

```bash
cargo audit
```

cargo-audit checks Cargo.lock against the RustSec advisory database (fetched over the network on first run), so it covers the exact versions resolved in Phase 2, including transitive dependencies that never appear in Cargo.toml.

If cargo-deny is installed, also run:

```bash
cargo deny check advisories
cargo deny check licenses
```

cargo-deny reads its policy from deny.toml; if the project has none, `cargo deny init` writes a starter file, and the license allow-list in it should be reviewed before the license check result means anything.

For each advisory found: if a patched version exists, bump to it (edit the Cargo.toml constraint if the fix is a new major, otherwise `cargo update -p <crate>`), then rebuild and retest; if no fix is available, mark it "no fix available", propose a replacement crate in Phase 5, or record an explicit risk acceptance with the reason. Record each advisory with its RUSTSEC id, crate, severity, and status for the report.

If any security-related changes were made (version bumps, patches), commit:

```bash
git add -A && git commit -m "chore(deps): fix security advisories (groom phase 6)"
```
## Phase 7: Final report

Present a concise summary to the user using this template:
# Dependency Grooming Report
## Updates Applied
| Crate | Old Version | New Version | Update Type |
|-------|-------------|-------------|-------------|
| ... | ... | ... | patch/minor/major |
## Unused Dependencies Removed
- `crate_name` — reason it was unused
## Suggested Alternatives
| Current | Suggested | Effort | Reason |
|---------|-----------|--------|--------|
| ... | ... | trivial/moderate/significant | ... |
## Security
| Advisory | Crate | Severity | Status |
|----------|-------|----------|--------|
| RUSTSEC-... | ... | low/medium/high/critical | fixed / no fix available / risk accepted |
## Summary
- X dependencies updated (Y patch, Z minor, W major)
- X unused dependencies removed
- X alternative suggestions
- X security advisories (X fixed, X remaining)
If a section has no items, include it with "None" to confirm it was checked.