Friendship ended with Dependabot

Two things have driven me away from dependabot, and I don't think there is any movement with fixing these issues. Maybe renovate fixes these issues but I have yet to try it out! * Dependabot will bump the Cargo.toml version of a dependacy, but it never needs to unless a non-patch version was updated! This limits the libraries a user _could_ use downstream, for no reason. All that needs to happen is that the Cargo.lock changes so I can verify my library with a _set_ of libraries that _could_ end up in the users stream. * Dependabot *never* will update recursive depends, Ever! This is a huge problem for my own testing and benchmarks, as unless I rememeber that dependabot does this I will never update build-dependencies of downstream projects, such as cc! This leads to wildly different testing of downstream projects, since they will use the most up-to-date.
wcampbell0x2a · Jan 4, 2025 · 3485453 · 3485453
1 parent 681c8ff
commit 3485453
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 54 deletions.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
diff --git a/.github/workflows/pull_request.yml b/.github/workflows/pull_request.yml
diff --git a/RELEASE.md b/RELEASE.md
@@ -1,5 +1,17 @@
 # Release
 
+## Update breaking depends
+Note these in the changelog.
+```
+$ cargo +nightly -Z unstable-options update --breaking
+```
+
+## Update recursive depends
+Some of these could end up in the changelog.
+```
+$ cargo update --recursive
+```
+
 ## Bump Versions
 ```
 $ cargo release version [LEVEL] -p backhand -p backhand-cli --execute