This repository has been archived by the owner on May 24, 2022. It is now read-only.

Dependabot doesn't run cargo update #394

Closed
arnavb opened this issue Mar 9, 2019 · 6 comments

Comments

@arnavb

arnavb commented Mar 9, 2019

I recently added dependabot to my Rust project and I got a PR from the bot which updates rand from 0.6.1 to 0.6.5. However, when rand was updated, none of its subdependencies (AFAICT) were updated. As a result, the build broke (see here). To fix this, I fetched the PR contents into a local branch (with a different name) and ran cargo update, which resolved the dependencies properly. Unfortunately, I was unable to push to the PR directly (due to the presence of slashes in the name) and used the online commit feature in Github.

So mainly 2 things:

  • Dependabot should run cargo update for Rust projects before submitting a PR.
  • Dependabot should not use branch names with a slash in them (unless there is a way for me to checkout and push to the branch that I couldn't find).
@greysteil
Contributor

That’s really surprising - under the hood Dependabot does run cargo update. Let me take a look.

@greysteil
Contributor

OK, digging into this.

On the update:

  • Dependabot does indeed run cargo update. The code is here. We specify the dependency that's being updated, however, so that unrelated dependencies aren't updated.
  • In this case, it looks like the latest version of rand relies on versions of rand_chacha and rand_pcg that are greater than the requirements it specifies. That's a bug in rand. As a result, they needed to be updated too in order not to break your build, but there's no way of cargo knowing that.
  • Dependabot has basically done the right thing here - the problem is that rand has incorrectly specified dependencies

On the branch name:

  • There's an option in Dependabot (under account settings) to not use slashes in branch names
  • Generally speaking, slashes are best practice. This is called branch namespacing. We offer the option not to use them because some tools don't support them - is there a particular tool you're using that can't handle them?

@arnavb
Author

arnavb commented Mar 9, 2019

Well, it's probably just that I don't know how to checkout a branch with slashes locally because whatever I try doesn't work.

Also, then how did cargo update on my computer resolve the dependencies?

@greysteil
Contributor

Running cargo update means "update all of my dependencies", which in this case just happened to fix things. Dependabot runs cargo update -p rand which means "update only rand and its sub-dependencies".

For checking out branches with slashes locally you can just use git checkout dependabot/cargo/rand-0.6.5 (for this example). I do it all the time - let me know if you have any trouble!
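The distinction above (cargo update -p rand touching only rand versus cargo update touching everything) is easiest to see by diffing Cargo.lock before and after. Here is an added example, not code from the issue or from Dependabot, that compares two lockfiles and reports exactly which packages changed; the lockfile contents and the sub-dependency version numbers are constructed for illustration.

```python
"""Diff two Cargo.lock files to see which packages a dependency bump actually changed."""
import re

# Constructed sample lockfiles (not taken from the issue). BEFORE is the project
# at rand 0.6.1; AFTER_SINGLE is what a single-package update (cargo update -p rand)
# leaves behind; AFTER_FULL is what a blanket cargo update might produce.
LOCK_BEFORE = """
[[package]]
name = "rand"
version = "0.6.1"

[[package]]
name = "rand_chacha"
version = "0.1.0"

[[package]]
name = "rand_pcg"
version = "0.1.0"
"""
LOCK_AFTER_SINGLE = LOCK_BEFORE.replace('version = "0.6.1"', 'version = "0.6.5"')
LOCK_AFTER_FULL = (LOCK_AFTER_SINGLE
                   .replace('name = "rand_chacha"\nversion = "0.1.0"', 'name = "rand_chacha"\nversion = "0.1.1"')
                   .replace('name = "rand_pcg"\nversion = "0.1.0"', 'name = "rand_pcg"\nversion = "0.1.2"'))

# Cargo.lock always lists name then version inside each [[package]] table.
PKG_RE = re.compile(r'\[\[package\]\]\s+name = "([^"]+)"\s+version = "([^"]+)"')


def parse_lock(text):
    """Return {package_name: version} for every [[package]] entry."""
    return dict(PKG_RE.findall(text))


def diff_locks(before, after):
    """Return (added, removed, changed); changed maps name -> (old_version, new_version)."""
    old, new = parse_lock(before), parse_lock(after)
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    changed = {n: (old[n], new[n]) for n in sorted(set(old) & set(new)) if old[n] != new[n]}
    return added, removed, changed


if __name__ == "__main__":
    for label, after in (("cargo update -p rand", LOCK_AFTER_SINGLE), ("cargo update", LOCK_AFTER_FULL)):
        added, removed, changed = diff_locks(LOCK_BEFORE, after)
        print(f"{label}: added={added} removed={removed}")
        for name, (old_v, new_v) in changed.items():
            print(f"  {name}: {old_v} -> {new_v}")
```

Run against the two Cargo.lock revisions of a real Dependabot PR, the "changed" map shows whether only the named crate moved or whether sub-dependencies moved with it, which is the question this thread turns on.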

@greysteil
Contributor

(Thanks for the feedback btw - it's always really useful to hear from users, and whilst in this case it looks like Dependabot was doing the right thing and the problem was with rand it could easily have been a problem on our side. Always keen to hear if you ever run into problems.)

@arnavb
Author

arnavb commented Mar 9, 2019

Thanks for the clarification and quick response!
