Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Automatic bumping of dependency version (using e.g. Dependabot) best practices #21

Open
killercup opened this issue Jul 23, 2018 · 3 comments
Open

Automatic bumping of dependency version (using e.g. Dependabot) best practices #21

killercup opened this issue Jul 23, 2018 · 3 comments
Labels
question T-docs

Comments

@killercup
Copy link

killercup commented Jul 23, 2018
edited
Loading

With dependabot we've recently gained a nice bot that can automatically open pull requests on Rust repositories and bump versions.

I'm currently of the opinion that this is best used on crates that mainly produce binaries, and only update the lockfile. Since this is also way to get notified about security updates in crates, it's may become an important tool for crates in "maintenance mode".

We should come up with a set of best practices around this.

Relevant discussion in cargo-edit: killercup/cargo-edit#224 (comment)
@epage
Copy link
Contributor

epage commented Jul 23, 2018

I have some initial dependabot documentation and practices

Since then

  • I've changed my default update schedule to once a month from once a week (too many serde releases)

I'm currently of the opinion that this is best used on crates that mainly produce binaries, and only update the lockfile. Since this is also way to get notified about security updates in crates, it's may become an important tool for crates in "maintenance mode".

There is a flag to set this but I tend to like having it handle "breaking" changes for me

  • Helps me to know that one is available
  • Not all breaking changes break everyone, sometimes the upgrade is free

Caveats for using this feature:

  • accidentally upgrading rustc version: I've already documented the importance of verifying your oldest supported rustc version.
  • Accidentally approving a breaking change if you have another crate in your API.

Any other caveats or concerns we should document or change our default recommendation?

@epage
Copy link
Contributor

epage commented Jul 23, 2018

@killercup

a lot of projects might not appreciate pro-active version bumps that only end up being PRs that don't build and go stale/get closed

We should

  • Ensure people know about the feature not to modify Cargo.toml and let people know of trade offs
  • Ensure people know about the flag for non-root Cargo.toml
  • Deviate bin/lib recommendations as needed

We should also see what works and doesn't with workspaces.

@killercup
Copy link
Author

killercup commented Jul 23, 2018
edited
Loading

Link to discussion on Gitter (summarized by @epage above)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
question T-docs
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@killercup @epage