Meta: Don't update Cargo.toml when updating semver-compatible dependencies

[rami3l]

IMO we should not merge Cargo.toml changes that bump the semver requirement.

Originally posted by @djc in #3540 (comment)

cc killercup/cargo-edit#552

[rami3l]

I did the research and found out that we can actually set rangeStrategy to update-lockfile in .github/renovate.json, like in this example.

However, I'm not sure if this supports cargo or not. The docs page only says bundler, composer, npm, yarn, terraform and poetry are supported.

What I suggest if we want to get this fixed is:

• Verify the option's cargo compatibility. If needed, file an issue and wait for its implementation. Wait until Support rangeStrategy=update-lockfile for Cargo renovatebot/renovate#22820 gets closed.
• Update the renovate.json as specified above.
• Revert Cargo.toml changes made in Update Rust crate termcolor to 1.4 #3532 and Update Rust crate url to 2.5 #3540.

@djc Does that sound okay to you?

[djc]

Sounds good to me!

[rami3l]

Looks like the WIP that this issue will depend on (at renovatebot/renovate#23968) has been closed.

I'm not that familiar with TypeScript but I guess I could possibly give it a try in December or so.
Or, if anyone else wants to work on it, please go ahead!

[rbtcollins]

Yah, its a missing feature in renovate :/.

What I do here is just close pr's that are within the existing semver range except if they are security patches where we want to force the newer dep always.

[rami3l]

The patch I picked up (renovatebot/renovate#25983) has been successfully merged!

[djc]

Great! Do we need to modify your configuration or can this issue be closed?

[rami3l]

@djc We need to modify the config (I've changed #3541 (comment) to a to-do list). However I'll be very busy today, maybe later?

[rami3l]

Reopening due to the concern raised in #3569 (comment).

[rami3l]

    // NOTE: Partial versions like '1.2' don't get converted to '^1.2'
    // because isVersion('1.2') === false
    // In cargo and in npm 1.2 is equivalent to 1.2.* so it is correct behavior.

It seems suspect? I don't know how isVersion() is used exactly. 1.2 in Cargo should be treated as ^1.2.0.

Originally posted by @djc in #3569 (comment)

@djc I think isVersion means "is a valid semver string", for more examples you can refer to https://www.npmjs.com/package/semver.

For our specific case, on https://npm.runkit.com/semver you can see:

> var semver = require("semver")
> !!semver.valid('1.2')
false

[rami3l]

renovatebot/renovate#26263 has been created.

Update: The PR has been merged. Closing this issue hopefully for the one last time.