Set dependabot group and versioning-strategy #10

Merged
merged 1 commit into from
May 3, 2024


apljungquist
Contributor

Group dependency updates to reduce noise from pull requests. Major and security updates are left grouped so that they can be given careful and, in the case of security updates, expedited consideration.

Set the versioning strategy to "lockfile-only" because the default value, presumably "auto", would bump the required version of dependencies in the manifest(s) and in turn force these requirements onto our users.

One downside of this is that dependabot will not attempt to "widen" the versions specified in the manifest(s), which means we may forget to add support for new major versions. But as of writing the "cargo" package-ecosystem supports only "auto" and "lockfile-only".
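A `.github/dependabot.yml` along the lines the description above sets out, as an added example that is not the file changed in this pull request. It assumes that major-version and security updates are meant to stay outside the group so each gets its own pull request; the group name `minor-and-patch`, the `/` directory and the weekly schedule are likewise assumptions.

```yaml
# Added example, not the project's own configuration.
version: 2
updates:
  - package-ecosystem: "cargo"
    directory: "/"            # assumed: Cargo.toml and Cargo.lock at the repository root
    schedule:
      interval: "weekly"      # assumed cadence
    # Only Cargo.lock is rewritten. The version requirements in Cargo.toml stay
    # as written, so downstream users are not forced onto newer minimum versions.
    # The cost: Dependabot will not widen a requirement to admit a new major version.
    versioning-strategy: "lockfile-only"
    groups:
      minor-and-patch:        # hypothetical group name
        # Groups apply to version updates unless stated otherwise; spelled out
        # here so security updates clearly stay out of the batch and arrive as
        # individual pull requests that can be expedited.
        applies-to: "version-updates"
        patterns:
          - "*"
        # Major updates are not listed, so each one opens its own pull request
        # and can be reviewed for breaking changes on its own.
        update-types:
          - "minor"
          - "patch"
```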

@apljungquist apljungquist requested a review from a team as a code owner April 30, 2024 21:48
@apljungquist apljungquist merged commit 802ca73 into main May 3, 2024
1 check passed
@apljungquist apljungquist deleted the dependabot_reconfiguration branch May 3, 2024 11:01
2 participants