chore: update dependencies #92
Conversation
| - package-ecosystem: cargo | ||
| directory: / | ||
| schedule: | ||
| interval: weekly |
There was a problem hiding this comment.
This will presumably make Cargo manage the dependencies for all crates. This is not desirable, as most are generated from templates that Dependabot can't update.
There was a problem hiding this comment.
I'm not sure what you mean, dependabot can't manage external crates outside of this repository by creating pull requests inside your repository 😄
directory: / will update all workspace members.
As they are not submodules, they are managed and committed in this repository.
For example, when you bump pqcrypto-traits to 0.3.6, one week later dependabot will create a pull request to update all dependent crates you forgot to update.
But of course it would be much easier if no versions would be declared anyway as all dependencies are using path = already, without version = every crate would always use the latest version of all other crates.
I can't see any reason, but if you really want to exclude some workspace members from being updated, then instead of directory: / (which updates all members) you could explicitly list the members to be updated:
directories:
- pqcrypto
- pqcrypto-classicmceliece
- pqcrypto-falcon
- pqcrypto-hqc
- pqcrypto-internals
- pqcrypto-mldsa
- pqcrypto-mlkem
- pqcrypto-sphincsplus
- pqcrypto-traitsThere was a problem hiding this comment.
none of those folders (excepting -traits and -internals) can be managed by Dependabot, because they'd be overwriten by the code in Cargo.toml.j2 from the pqcrypto-template folders.
There was a problem hiding this comment.
Maybe there is your answer 😄
Remove version from the template and only let dependabot "manage" non-templated crates?
Or maybe don't let dependabot update any crates because no external dependencies are being used anywhere?
2 participants
Chores