
update dependabot config #874

Closed
wants to merge 1 commit into from

Conversation

danieleades (Contributor)

adds dependabot config for bumping cargo dependencies

this should generate PRs for criterion, quickcheck, and rand.

the quickcheck PR will fail CI since there are breaking changes, likely blocked on BurntSushi/quickcheck#267


codecov bot commented Feb 10, 2024

Codecov Report

All modified and coverable lines are covered by tests ✅

Comparison is base (6814180) 94.38% compared to head (9c114bd) 94.25%.
Report is 4 commits behind head on master.

Additional details and impacted files
@@            Coverage Diff             @@
##           master     #874      +/-   ##
==========================================
- Coverage   94.38%   94.25%   -0.14%     
==========================================
  Files          48       48              
  Lines        6665     6666       +1     
==========================================
- Hits         6291     6283       -8     
- Misses        374      383       +9     


danieleades mentioned this pull request Feb 10, 2024

jswrenn (Member) commented Feb 10, 2024

What's the advantage of actively bumping dev-dependencies? Why shouldn't we specify the minimum version we actually need, and let the cargo resolver do its job?

Philippe-Cholet (Member) commented Feb 10, 2024

Just read our "Cargo.toml" and saw either is "1.0" when the latest version is "1.10.0". Maybe we should update it to "1" or "1.10" as dependency trees might have it in multiple versions.
About dev-dependencies, maybe it's not that important though?
EDIT: My bad, I forgot this interesting page.

jswrenn (Member) commented Feb 10, 2024

Maybe we should update it to "1" or "1.10" as dependency trees might have it in multiple versions.

either = "1" is a shorthand for either >= "1" (well, technically, either = "^1.0.0"). Cargo will only resolve a single version per major-version train, so there's no risk here of applications getting compiled with both "1" and "1.10".

jswrenn (Member) commented Feb 10, 2024

See tokio-rs/tokio#6335 (comment), which sets a similar policy for tokio-rs. Unless we have good reason to change our current policy, I'd like to stick with it.

Philippe-Cholet (Member) commented

There is nothing urgent about updating dev-dependencies.
And while I think dependabot could in general be helpful about semver-major updates for our dependencies, we don't expect either (our only dependency) to ever go to "2.0".
And either = "1.0" actually means either = ">=1.0.0, <2.0.0" (cf link) which I forgot.
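
The two comments above (jswrenn's on `either = "1"` being `^1.0.0`, and Philippe-Cholet's on `"1.0"` meaning `>=1.0.0, <2.0.0`) both rest on Cargo's caret-requirement rule. The following is an added example, not itertools' code and not Cargo's resolver: it models a bare requirement string as the half-open range Cargo resolves it to, including the `0.x` cases where the first non-zero component is the compatibility boundary, and `pick_shared_version` is a simplified stand-in for Cargo's version unification, showing why requirements of `"1"` and `"1.10"` never produce two copies of a crate. The registry contents in `main` are constructed sample data, not real `either` releases.

```rust
// Added example (not itertools' or Cargo's own code): a small model of how Cargo
// interprets a bare version requirement such as `either = "1"` or `"1.10"`.
// Every bare requirement is a caret requirement; the half-open range it denotes
// depends on the leading non-zero component (semver "compatibility range").

/// A semantic version, ordered lexicographically by (major, minor, patch).
#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub struct Version(pub u64, pub u64, pub u64);

impl Version {
    /// Parse "1", "1.10" or "1.10.0"; missing components default to 0.
    pub fn parse(s: &str) -> Option<Version> {
        let mut parts = s.trim().split('.');
        let major = parts.next()?.parse().ok()?;
        let minor = parts.next().unwrap_or("0").parse().ok()?;
        let patch = parts.next().unwrap_or("0").parse().ok()?;
        if parts.next().is_some() {
            return None; // more than three components is not a version
        }
        Some(Version(major, minor, patch))
    }
}

/// The half-open range `>= lo, < hi` that a caret requirement resolves to.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct CaretRange {
    pub lo: Version,
    pub hi: Version,
}

impl CaretRange {
    pub fn contains(&self, v: Version) -> bool {
        self.lo <= v && v < self.hi
    }
}

/// Translate a requirement ("1", "1.0", "1.10", "^0.3", "0.0.5") into its range.
/// "1", "1.0" and "1.10" all end at 2.0.0; they differ only in the lower bound.
/// For 0.x versions the first non-zero component is the compatibility boundary.
pub fn caret_range(req: &str) -> Option<CaretRange> {
    let req = req.trim().trim_start_matches('^');
    let components = req.split('.').count();
    let lo = Version::parse(req)?;
    let hi = match (lo.0, lo.1, components) {
        (0, 0, 1) => Version(1, 0, 0),        // "0"     => >=0.0.0, <1.0.0
        (0, 0, 2) => Version(0, 1, 0),        // "0.0"   => >=0.0.0, <0.1.0
        (0, 0, _) => Version(0, 0, lo.2 + 1), // "0.0.K" => >=0.0.K, <0.0.(K+1)
        (0, _, _) => Version(0, lo.1 + 1, 0), // "0.J"   => >=0.J.0, <0.(J+1).0
        _ => Version(lo.0 + 1, 0, 0),         // "I.J.K" => >=I.J.K, <(I+1).0.0
    };
    Some(CaretRange { lo, hi })
}

/// Does `version` satisfy the requirement `req`? Unparseable input never satisfies.
pub fn satisfies(req: &str, version: &str) -> bool {
    match (caret_range(req), Version::parse(version)) {
        (Some(range), Some(v)) => range.contains(v),
        _ => false,
    }
}

/// Simplified model of version unification: given the requirements several crates
/// in one dependency graph place on the same package and the versions available,
/// return the highest available version that satisfies every requirement.
/// `Some` means one copy of the package is shared; `None` means the requirements
/// sit in different compatibility ranges and two copies would be built.
pub fn pick_shared_version(reqs: &[&str], available: &[&str]) -> Option<Version> {
    let ranges: Vec<CaretRange> = reqs.iter().filter_map(|r| caret_range(r)).collect();
    if ranges.len() != reqs.len() {
        return None; // at least one requirement did not parse
    }
    available
        .iter()
        .filter_map(|v| Version::parse(v))
        .filter(|v| ranges.iter().all(|r| r.contains(*v)))
        .max()
}

fn main() {
    for req in ["1", "1.0", "1.10", "0.3", "0.0.5"] {
        let r = caret_range(req).expect("valid requirement");
        println!("{req:>6} => >={:?}, <{:?}", r.lo, r.hi);
    }
    // Constructed registry contents, not real `either` releases.
    let available = ["1.9.0", "1.10.0", "2.0.0"];
    println!("{:?}", pick_shared_version(&["1", "1.10"], &available)); // Some(Version(1, 10, 0))
    println!("{:?}", pick_shared_version(&["1", "2"], &available)); // None
}
```

The practical consequence for a lockfile audit is the same one jswrenn states: two crates asking for `"1"` and `"1.10"` are unified onto a single `1.x` version, so widening or narrowing the minor component only changes the lowest version the resolver may pick, never how many copies get compiled.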

Philippe-Cholet (Member) commented

Your help on improving CI is very much appreciated, thanks!
However, it seems that this (and #875) should be closed. I'd promptly reopen if needed.

3 participants