enable GitHub Dependabot #457
Conversation
this ensures that the dependencies are kept up to date. see [the docs][] for further information. note that `cortex-m-rt/macros` isn't listed in the main `workspace` and also not in `cortex-m-rt`. thus it has been added here explicitly. [the docs]: https://docs.github.com/en/code-security/dependabot/dependabot-version-updates
|
I'm afk right now, but what are the advantages of dependabot for Rust projects? My third-hand experience has been a lot of email and PR noise, but it's not clear to me that always having the latest patch release in Cargo.toml really makes any difference. We don't currently use it anywhere in the rust-embedded org afaik. |
|
I would expect any dependencies' security updates to be non breaking changes, which users of this library will just pick up automatically, right? I wonder if dependabot is more useful for binary crates with a Cargo.lock file. |
|
my personal experience is that it helps with keeping track of updates: this way you'll get a PR whenever there's a new version of a dependency (where dependabot can do the update - it keeps track of its PRs and if too many of them fail it'll stop offering it to other repos; the docs go into more details on this). after enabling it for the first time it can indeed be that you get a bunch of PRs, but after that the rate should be pretty low - of course depending on how many dependencies you have and how often these release. most big projects i know (not necessarily rust projects) have dependabot enabled and are actively using it (presuming they're using a language which is supported by dependabot).
indeed you'll notice the biggest impact with binaries due to the lock file, but that doesn't mean that updating the |
|
If the change is non-breaking, then cargo should pick it up automatically when the user does a build. |
non-breaking here also means that even if according to semver it might be breaking it isn't. e.g. a crate going from 0.x to 0.y is often (but not always) non-breaking even though according to semver it can be breaking. dependabot will attempt this upgrade even if semver says that it might not work. |
For semver-compatible updates, this isn't true - Cargo will automatically use the newest compatible version when built, for all projects, so you shouldn't ever get duplicate versions that could have been automatically updated. Perhaps this is one way that Cargo means dependabot is less useful for Rust libraries than other projects, though I don't know about the version control for specific other languages.
Conversely, this doesn't seem good - those updates are breaking in some way or they wouldn't use a non-compatible version number, so it just means that either a) the break doesn't happen to affect us, or b) dependabot hasn't discovered how the break affects us. I'm not fully convinced of the utility here vs doing these rarer updates manually, but perhaps if dependabot is configured to only notify about semver-incompatible updates (which Cargo wouldn't automatically apply), it would be useful to just get notified of them, and should be much less noisy. |
|
FWIW I'm also not a fan. The noise/usefulness balance for Rust in general just isn't there. The only partial utility I can see is for Rust project with -sys crates since they tend to have more frequent vulnerabilities which require immediate action. |
what i've seen (and personally done) with 0.x releases is that you often bump the minor if you just add large new features - even if it's a non-breaking change (i.e. you treat it like a 1.x -> 1.y release even though it's a 0.x -> 0.y release and could thus also be 0.x.a -> 0.x.b). so these are non-breaking in reality but considered breaking by semver (and thus Cargo doesn't automatically pick these up). with proper CI infrastructure in place (which seems to be the case here) you'll notice immediately if such a bump was really breaking. but i'm also ok with not having dependabot here if you don't want it - i wanted to launch the discussion to see whether you'd be ok with it :) |
|
just as an addendum to maybe clarify something: for library crates dependabot doesn't create unnecessary bumps, e.g. my r2d2-oracle crate depends on so there's very little noise there and it helps with keeping track of dependency updates - i might not notice it otherwise (ok, as i'm the sole developer on that crate i can also watch the |
this ensures that the dependencies are kept up to date. see the docs for further information.
note that
cortex-m-rt/macrosisn't listed in the mainworkspaceand also not incortex-m-rt. thus it has been added here explicitly.