Automated Dependency Updates for Cargo

Categories: rust

Renovate supports updating Cargo dependencies.

File Matching

By default, Renovate will check any files matching the following regular expression: (^|/)Cargo\.toml$.

For details on how to extend a manager's fileMatch value, please follow this link.

Supported datasources

This manager supports extracting the following datasources: crate.

Default config

  {
    "commitMessageTopic": "Rust crate {{depName}}",
    "fileMatch": ["(^|/)Cargo\\.toml$"],
    "versioning": "cargo"
  }

Additional Information

Extracts dependencies from Cargo.toml files, and also updates Cargo.lock files if found.

When using the default rangeStrategy=auto:

  • If a "less than" instruction is found (e.g. <2) then rangeStrategy=widen will be selected,
  • Otherwise, rangeStrategy=update-lockfile will be selected.

The update-lockfile default means that most upgrades will update Cargo.lock files without the need to change the value in Cargo.toml.

Private Modules Authentication

Before running the cargo commands that update Cargo.lock, Renovate exports git insteadOf directives in environment variables.

Renovate uses this logic before it updates any "artifacts":

The token from the hostRules entry matching hostType=github and is added as the default authentication for For those running against, this token will be the default platform token.

Next, all hostRules with both a token or username/password and matchHost will be fetched, except for any one from above.

Rules from this list are converted to environment variable directives if they match any of these characteristics:

  • No hostType is defined, or
  • hostType is cargo, or
  • hostType is a platform (github, gitlab, azure, etc.)
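
As an added example (not Renovate's own code), the following JavaScript audits a hostRules list against the selection rules above, showing which credentials would end up in the environment of the cargo process. It covers only the second step (the additional hostRules); the directive format, the use of git's GIT_CONFIG_COUNT / GIT_CONFIG_KEY_n / GIT_CONFIG_VALUE_n variables, bare-hostname matchHost values, and all function names, hosts and secrets are assumptions.

```javascript
// Added example (not Renovate's code): audit which hostRules credentials
// reach the cargo process as git insteadOf directives.
const PLATFORMS = new Set(['github', 'gitlab', 'azure']); // the page lists these plus "etc."

const hasCredentials = (r) => Boolean(r.token || (r.username && r.password));

// Selection rule from the page: credentials + matchHost, and hostType is
// undefined, "cargo", or a platform.
function isExported(rule) {
  if (!hasCredentials(rule) || !rule.matchHost) return false;
  const t = rule.hostType;
  return t === undefined || t === 'cargo' || PLATFORMS.has(t);
}

// Assumption: each directive rewrites https://<host>/ to a URL carrying the
// credentials, passed through git's GIT_CONFIG_COUNT/KEY_n/VALUE_n variables.
function toGitEnv(rules) {
  const env = {};
  let n = 0;
  for (const r of rules.filter(isExported)) {
    const userinfo = r.token
      ? encodeURIComponent(r.token)
      : `${encodeURIComponent(r.username)}:${encodeURIComponent(r.password)}`;
    env[`GIT_CONFIG_KEY_${n}`] = `url.https://${userinfo}@${r.matchHost}/.insteadOf`;
    env[`GIT_CONFIG_VALUE_${n}`] = `https://${r.matchHost}/`;
    n += 1;
  }
  env.GIT_CONFIG_COUNT = String(n);
  return env;
}

// Mask the userinfo part so the audit output can be logged safely.
const redact = (env) => Object.fromEntries(
  Object.entries(env).map(([k, v]) => [k, v.replace(/\/\/[^@/]+@/, '//***@')]));

// Constructed sample hostRules (placeholder secrets, hypothetical hosts).
const sampleRules = [
  { matchHost: 'git.example.com', token: 'PLACEHOLDER_A' }, // no hostType: exported
  { matchHost: 'crates.example.com', hostType: 'cargo', username: 'ci', password: 'PLACEHOLDER_B' },
  { matchHost: 'gitlab.example.com', hostType: 'gitlab', token: 'PLACEHOLDER_C' },
  { matchHost: 'npm.example.com', hostType: 'npm', token: 'PLACEHOLDER_D' }, // other manager: skipped
  { hostType: 'cargo', token: 'PLACEHOLDER_E' }, // no matchHost: skipped
  { matchHost: 'open.example.com', hostType: 'cargo' }, // no credentials: skipped
];

console.log(redact(toGitEnv(sampleRules)));
```

A hostRules entry with no hostType is exported as well, so a credential scoped only by matchHost is visible to every command the cargo step runs.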

Open items

The features listed below were current when this page was generated on May 26, 2024.

Feature requests

  • feat(manager/cargo): support for git dependencies #26531
  • Extract rust-version as rust constraint from cargo.toml if present #26314
  • New postUpdateOption - cargoUpdate #23971