rustls is not enabled for dependabot #80
Comments
|
It gets automatically 0.23.10 as it's SemVer compatible there is no need to bump given it's not pinned. Basically any version = X.Y.Z is just "minimum" or ^ given SemVer compat range Typically binaries only do locked builds and even then it needs to explicitly add --locked to build as non-locked is default. Pinning libraries isn't advisable as it can cause duplicates in dep tree. Also what comes to testing in CI - I think it would be nice to have a "cron" workflow to periodically check it as well. But yeah dependabot pinging it always as it does and then updating the .lock as it tests them out even if not used elsewhere is the way we use it typically to ensure it works across patch releases (or minor bumps on stable vers) .... EDIT: Oh it's been ignored for 0.23 before this was bumped: |
|
It turns out it's hard to un-ignore a dependency with dependabot: dependabot/dependabot-core#1384 But I can try... |
|
Okay, #82 is open, although I'm not sure why it wen to Anyway, closing this. |
As of right now, rustls released 0.23.10 but we are still staggering in 0.23.0. Despite the API changes shouldn't be that breaking, it is always good to keep an eye out of the latest release and let CI do its thing.
The text was updated successfully, but these errors were encountered: