NotificationsYou must be signed in to change notification settings
Fork180
Star1k

ci: add dependabot, with a note of keeping deps always up to date#486

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.

Already on GitHub?Sign in to your account

Jump to bottom

Closed

CosminPerRam wants to merge1 commit intorust-lang:mainfromCosminPerRam:feat/dependabot

Closed

ci: add dependabot, with a note of keeping deps always up to date#486

CosminPerRam wants to merge1 commit intorust-lang:mainfromCosminPerRam:feat/dependabot

Conversation

Copy link

Contributor

CosminPerRam commentedApr 28, 2025

Mentioned adding of dependabot in#485, but@jongiddy said that:

For a library crate, isn't the effect of these version updates simply to reduce the options available to dependent crates?
i.e. previously flate2 was compatible with any version of libz-sys >= 1.1.20, but now it requires at least 1.1.22. If, for any reason, a crate needs to keep libz-sys at 1.1.20, it now has a conflict.
I tend to update crate versions only when there is a security or bug fix reason to do so.

Should a dependency be updated as quick as possible? Or only if a user has a problem with one of them (or wants to) and requests to do so? A fixed schedule (i.e. once every 6 months)?

I personally consider that a project should always try to be up to date with the latest dependencies, but the points mentioned should be taken into consideration before merging of this PR.