[kstrauser]

A counterargument would be that Rust+Cargo pins specific versions already. If you’re writing Rust, you should rarely need to vendor anything unless you’re maintaining a patched version or something.

Vendoring also bypasses the package cache and build cache. If 2 apps depend on foo-1.2.3, they can normally share the cached package and its build artifacts.

Basically, Cargo goes a long way toward ensuring you rarely need to bother with adding someone else’s code to your repo.

[steveklabnik]

Cargo does a per-project build cache, not a shared one.

[kstrauser]

Oh, guess it does. I've been using sccache so long that I'd forgotten that.

Do you know off-hand why it doesn't, though? If 2 packages use foo 1.2 with the same features and, say, the default build settings, why not share them by default?

[steveklabnik]

I think at the time Cargo was made it was just far simpler to implement. It's not just that, it's also rustc version, sometimes environment variables... much less likely to cause problems by keeping it per project. Of course that stuff still needs to be kept track of, but like, "to get a clean build, kill this directory" seems easier. Not sure if there is an explicit justification written down anywhere from 11 years ago.