internal: Allow only security updates for Dependabot#22076

Open
ChayimFriedman2 wants to merge 1 commit intorust-lang:masterfrom
ChayimFriedman2:dependabot-security-only
Conversation

ChayimFriedman2 (Contributor)

No description provided.

@rustbot rustbot added the S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. label Apr 17, 2026
joshka (Contributor) commented Apr 20, 2026

I'm assuming this is to reduce noise - have you considered tuning this to be less frequent instead?
(i.e. weekly / monthly with a cooldown setting).

For rust updates it can be useful to use the new increase-if-necessary versioning-strategy, which allows you to set a proper minimal manifest version and only update it when there's an actual requirement that gets updated.

ChayimFriedman2 (Contributor, Author)

My main reason is that I don't think it's a good idea to bump minor versions unless you have a specific reason.

@Veykril Veykril added this pull request to the merge queue Apr 20, 2026
lnicola (Member) commented Apr 20, 2026

I quite like the dependabot PRs because they have a handy link to the diff view, especially with increase-if-necessary. Unfortunately, what's on GitHub doesn't have to match what we pull from crates.io.

@Veykril Veykril removed this pull request from the merge queue due to a manual request Apr 20, 2026
lnicola (Member) commented Apr 20, 2026

I mean, it's fine if y'all feel like it's not worth upgrading all the time, I'm not completely against merging this.

Comment thread on .github/dependabot.yml:

```yaml
version: 2
updates:
- package-ecosystem: "npm"
# Disable version updates for npm dependencies
```

Veykril (Member) Apr 20, 2026

Actually, will this prevent security updates from happening? The docs don't really talk about this I think.

ChayimFriedman2 (Contributor, Author)

It will not. GitHub explicitly says that in the example.

Veykril (Member) commented Apr 20, 2026

Imo I'd be fine with just setting the general cadence up to 2 weeks or something like that
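The two approaches discussed in this thread, side by side, as an added illustration rather than the file from this PR: the first entry keeps security updates only (the documented effect of `open-pull-requests-limit: 0`, which is what Veykril's question and the "It will not" answer refer to), the second keeps version updates but lowers their frequency with a slower schedule, a cooldown and `increase-if-necessary`, as joshka suggested. The `directory` values, intervals and cooldown day counts are assumptions; key names follow GitHub's Dependabot configuration reference and should be checked against the current docs.

```yaml
version: 2
updates:
  # Approach taken by this PR: disable version-update PRs for the ecosystem.
  # A limit of 0 stops Dependabot from opening version updates here; per
  # GitHub's documented example, security updates are still raised.
  - package-ecosystem: "npm"
    directory: "/editors/code"     # assumed location of package.json
    schedule:
      interval: "daily"
    # Disable version updates for npm dependencies
    open-pull-requests-limit: 0

  # Alternative raised in the thread: keep version updates but reduce noise.
  - package-ecosystem: "cargo"
    directory: "/"                 # assumed location of Cargo.toml
    schedule:
      interval: "monthly"          # slower cadence instead of daily PRs
    # Wait before proposing a fresh release, longer for semver-major bumps,
    # so quickly-yanked or immediately-patched releases are not proposed.
    cooldown:
      default-days: 7              # assumed value
      semver-major-days: 30        # assumed value
    # Only raise the manifest requirement when the new release actually
    # needs it; the thread describes this strategy as new for Rust updates.
    versioning-strategy: increase-if-necessary
    open-pull-requests-limit: 5    # assumed cap on concurrent PRs
```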
