[feat] consider linting against duplicate dependencies in different versions

[thomaseizinger]

Describe the problem

Tauri is a big project and as a result, pulls in a fair few dependencies. Some of them are duplicates in different versions. For example, with the latest update to tauri 2.2.5, there are now two different versions of dirs being pulled in:

❯ cargo tree -i -p [email protected]
dirs v6.0.0
└── tauri v2.2.5
❯ cargo tree -i -p [email protected]
dirs v5.0.1
├── tauri-build v2.0.5
│   [build-dependencies]
│   └── tauri v2.2.5
│       ├── tauri-plugin-dialog v2.2.0
│       ├── tauri-plugin-fs v2.2.0
│       │   └── tauri-plugin-dialog v2.2.0 (*)
│       ├── tauri-plugin-notification v2.2.0
│       ├── tauri-plugin-opener v2.2.2
│       └── tauri-plugin-shell v2.2.0
└── tray-icon v0.19.1
    └── tauri v2.2.5 (*)

This increases compile times for all downstream users of tauri.

Describe the solution you'd like

Where possible, it would be nice if tauri could lint against duplicate dependencies (cargo deny does this quite well). I understand that this is difficult to do for plugins and the tauri CLI because they are in a different workspace. However, at least within the same workspace, it would be nice of e.g. tauri 2.2.5 wouldn't pull in dirs 5.0.1 via tray-icon and dirs 6.0.0 itself.

Also, across the latest version of all plugins, it would be nice to enforce a single version of a particular dependency (where possible).

Alternatives considered

No response

Additional context

No response

[thomaseizinger]

I am happy to send a PR with an initial cargo deny setup if you'd like.

[FabianLars]

Not a substitute for a lint but I'm actually keeping track of it manually and only merged dirs 6 because i'm in the process of upgrading it everywhere though admittedly I messed up the timing a bit (also didn't see that tauri-build wasn't released).