Use lockfile-only for cargo dependabot (#461)
Previously the dependabot for cargo was using `auto` which would update
both the manifest, `Cargo.toml` files and the `Cargo.lock` file. Since
this repository is for library crates, we only want to update the lock
file that people develop with. We don't want to update the manifest file
and force consumers to update unnecessarily.

See
https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#versioning-strategy
in particular, notice that cargo only supports `auto, lockfile-only`.
Ideally we'd use `increase-if-necessary`. An alternative may be to look
into Renovate bot, it appears it may support a better option,
https://docs.renovatebot.com/configuration-options/#rangestrategy
nick-mobilecoin authored Jan 2, 2024
2 parents 228a3c0 + d289b28 commit 943f0e3
Showing 1 changed file with 1 addition and 0 deletions.
1 change: 1 addition & 0 deletions .github/dependabot.yaml
Expand Up @@ -7,6 +7,7 @@ updates:
open-pull-requests-limit: 25
commit-message:
prefix: "chore(deps)"
versioning-strategy: lockfile-only

- package-ecosystem: github-actions
directory: "/"
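Review bot: The added `versioning-strategy: lockfile-only` line has no comment beside it, so the reason for the choice (library crates, manifests left untouched so consumers are not forced to update) is recorded only in the commit message. A one-line YAML comment above the key would keep that rationale visible to the next person editing this file. With `lockfile-only`, Dependabot ignores new versions that would require a manifest change, so that comment is also a good place to say how releases outside the ranges in `Cargo.toml`, including fixes that ship only in such a release, are expected to be picked up.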