feat: Add support for workspace.dependencies in cargo 1.64.0+

[poliorcetics]

I did not write tests because I don't know enough Ruby to do it, but I
will gladly accept directions on it.

Closes #5315

See the section on Cargo in https://github.com/rust-lang/rust/releases/tag/1.64.0 for more details about the workspace feature.

[poliorcetics]

Since Dependabot already handled dependencies like dep = { path = "path" } without a version, I expect that dependencies with workspace = true to work correctly out of the box. This makes this PR simply a matter of teaching Dependabot to look at [workspace.dependencies]

[Nishnha]

Hi @poliorcetics, thanks for this contribution!

I'm new to the Rust ecosystem, so I did some light reading on [workspace.dependencies] and it looks like the key is actually called [workspace.dependencies] so we should try matching on that instead of [workspace] and [dependencies] separately.

Dependabot will already include any dependencies under the [dependencies] key in cargo.toml files with

dependabot-core/cargo/lib/dependabot/cargo/file_parser.rb

Lines 64 to 70 in 78afa00

	DEPENDENCY_TYPES.each do |type|
	parsed_file(file).fetch(type, {}).each do |name, requirement|
	next unless name == name_from_declaration(name, requirement)
	next if lockfile && !version_from_lockfile(name, requirement)
	dependency_set << build_dependency(name, requirement, type, file)
	end

In order to get this merged in we will need to test that a project with [workspace.dependencies] in its cargo.toml has its dependencies parsed correctly.

Something similar to

dependabot-core/cargo/spec/dependabot/cargo/file_parser_spec.rb

Lines 123 to 151 in 78afa00

	context "with declarations in dependencies and build-dependencies" do
	let(:manifest_fixture_name) { "repeated_dependency" }
	describe "the last dependency" do
	subject(:dependency) { dependencies.last }
	it "has the right details" do
	expect(dependency).to be_a(Dependabot::Dependency)
	expect(dependency.name).to eq("time")
	expect(dependency.version).to be_nil
	expect(dependency.requirements).to eq(
	[
	{
	requirement: "0.1.12",
	file: "Cargo.toml",
	groups: ["dependencies"],
	source: nil
	},
	{
	requirement: "0.1.13",
	file: "Cargo.toml",
	groups: ["build-dependencies"],
	source: nil
	}
	]
	)
	end
	end
	end

The manifest referenced in that file is at https://github.com/dependabot/dependabot-core/blob/78afa00dbd274ed937d8ff70118d2d4335d39526/cargo/spec/fixtures/manifests/repeated_dependency

[poliorcetics]

I'm new to the Rust ecosystem, so I did some light reading on [workspace.dependencies] and it looks like the key is actually called [workspace.dependencies] so we should try matching on that instead of [workspace] and [dependencies] separately.

This is not a single TOML key, This is a key and a subkey. The following samples are equivalent (Rust playground code for example)

[workspace.dependencies]
dep-name = "version"

[workspace]
dependencies = {  dep-name = "version"  }

workspace.dependencies = { dep-name = "version" }

So to parse [workspace.dependencies] in a Cargo.toml, I need to first look for workspace, then inside that, dependencies.

Thanks for the guidance on testing, I'll try to write one

[Nishnha]

This PR updates the version of Cargo we use in our Dockerfile since it introduces support for a new feature.

I thought about moving the check for workspace dependencies into our existing DEPENDENCY_TYPES.each loop in the file_parser, but it's more maintainable as it is and Cargo workspaces currently only support regular dependencies (as opposed to dev-dependencies and build-dependencies), so this is fine.

[poliorcetics]

Thanks for the help and fixing my mistakes @Nishnha, it was greatly appreciated 😄

[poliorcetics]

What's left to do ?

[jeffwidman]

I don't know a ton about Rust, but from what I understand this looks straightforward.

We follow a deploy-then-monitor-prod-then-merge strategy, so one of us will try to do that when we get a few spare cycles in the next few days.