ci: Add Dependabot #957

Merged
merged 1 commit into from
May 23, 2024

sjackman
Contributor

Enable Dependabot to open PRs to update dependencies.

@caspermeijn
Collaborator

What kind of changes will this propose?

Because prost is a library and we want to support a wide range of dependency version numbers, I don't want to always update the version numbers in Cargo.toml.

Can dependabot add a version range like in #1013?

@sjackman
Contributor Author

sjackman commented May 7, 2024

> Can dependabot add a version range like in #1013?

Yes, it will. Dependabot follows the existing form of the dependency. When the dependency is a range, like

multimap = { version = ">=0.8, <=0.10", default-features = false }

it will suggest increasing the upper range like so:

multimap = { version = ">=0.8, <=0.11", default-features = false }

Collaborator

@caspermeijn caspermeijn left a comment

I have looked into it. I think the Dependabot version updates are useful for this project. The Dependabot alerts and Dependabot security updates seem less useful to me.

As I understand it, Dependabot version updates will open PRs for new library versions. That will at least notify us that a new version is available and probably a change we want to accept.

We can choose to ignore the PR and open a new PR if the change is not what you want. We probably want to do a version range when possible to improve compatibility.

@caspermeijn caspermeijn added this pull request to the merge queue May 23, 2024
Merged via the queue into tokio-rs:master with commit 1ff42bf May 23, 2024
14 checks passed
@sjackman sjackman deleted the sj/dependabot branch May 30, 2024 17:21
@sjackman
Contributor Author

👏 Excellent! Thank you, Casper!
