Tell Dependabot to keep expectrl and getrandom back for now
#2201
Conversation
This allows them to have patch version updates but not major and minor version updates. Becuase they are not yet at 1.0.0, this has the effect of allowing SemVer-compatible but not SemVer-breaking updates to them via Dependabot version update PRs. This may be temporary and, in the case of `getrandom`, is intended to be temporary. For details, see comments in `dependabot.yml`, and: - GitoxideLabs#2200 (comment) - GitoxideLabs#2093 (comment) This also expands the comment for holding back `imara-diff` (all referenced PRs in the file now have full URLs, not just numbers). The effect of keeping back `expectrl` was tested and verified to be the only new hold needed to allow version updates to work, in: #111
There was a problem hiding this comment.
It's a bit annoying that the automatic CI job GitHub provides to check that dependabot.yml is valid doesn't usually run on PRs. After this merges, that check will be done, revealing whether or not I've made a mistake here.
(Sometimes I merge these in my own fork first to test their effects, but in this case that wasn't necessary to test whether version updates would be able to proceed with no other changes we can't easily adapt to. Also, it's time-consuming to merge these into my own fork, test them, and force-push back, partly because of the time to do it and the way it interferes with other work in my fork when done, but more so because Dependabot version update scans take a very long time very time they're run, both here and in my fork. The less imporant of the changes here--keeping back getrandom--will hopefully help somewhat with that, but I don't know how much.)
By running `cargo update`. (It looks like holding back `getrandom`, as included in #2201, does not enable Dependabot to cover all the transitive dependencies that `cargo update` can update in its PRs.)
No worries at all. I am totally OK with 'risking' minor breakage in the main repository if this saves a lot of hassle, while being easy to fix once it's clear if it's breaking or not. |
This allows them to have patch version updates but not major and minor version updates. Becuase they are not yet at 1.0.0, this has the effect of allowing SemVer-compatible but not SemVer-breaking updates to them via Dependabot version update PRs.
This may be temporary and, in the case of
getrandom, is intended to be temporary. For details, see comments independabot.yml, and:getrandomdependency ofgix-diff#2093 (comment)This also expands the comment for holding back
imara-diff(all referenced PRs in the file now have full URLs, not just numbers).The effect of keeping back
expectrlwas tested and verified to be the only new hold needed to allow version updates to work, in: EliahKagan#111