achanda / ipnetwork

A library to work with CIDRs in rust
Apache License 2.0
121 stars 38 forks

Why does this library auto-bump patch versions in dependencies? #201

Closed faern closed 1 day ago

faern commented 5 days ago

What is the motivation behind commits like 7e0519cd352793b17143349df0d29675b16d4fbe?

There is no point in libraries always pointing to the latest version of dependencies. If they aim to do that it will just create infinite churn for every library to always bump all their deps.

What this does is just telling downstream application developers that "this library needs at least version 1.0.200 of serde". While in reality it probably works with waaay older 1.0 releases. This constrains application developers in an unnecessary way.

I'm not sure if there is a written API/library guideline about this for Rust. But in my opinion, the sane thing to do is to spec your semver dependencies to the lowest version that your library works with, keeping the range of possible versions as large as possible. Downstream application developers can then narrow it if they need to for various reasons, such as needing a new feature, or wanting to avoid a certain CVE, etc.
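To make the point concrete, here is an added example (not code from ipnetwork or from anyone in this thread) that models Cargo's default caret requirement rule for plain `MAJOR.MINOR.PATCH` versions: `serde = "1.0.200"` means `>=1.0.200, <2.0.0`, while `serde = "1.0"` means `>=1.0.0, <2.0.0`. The `Version`, `CaretReq` and `compatible` names are this example's own, and the release list in `sample_versions` is constructed, not real serde release data. Real Cargo delegates this to the `semver` crate, which also handles pre-release tags, wildcards and comparison operators that are left out here.

```rust
// Added example: a minimal model of Cargo's caret ("^") version requirement,
// used to show how much a dependency bump narrows what downstream users may pick.

#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub struct Version {
    pub major: u64,
    pub minor: u64,
    pub patch: u64,
}

impl Version {
    /// Parses a full "MAJOR.MINOR.PATCH" string; anything else is rejected.
    pub fn parse(s: &str) -> Option<Version> {
        let mut parts = s.trim().split('.');
        let major = parts.next()?.parse().ok()?;
        let minor = parts.next()?.parse().ok()?;
        let patch = parts.next()?.parse().ok()?;
        if parts.next().is_some() {
            return None;
        }
        Some(Version { major, minor, patch })
    }
}

/// A Cargo-style caret requirement such as "1", "1.0" or "1.0.200".
/// Unspecified components count as 0 for the lower bound but are remembered,
/// because they change where the upper bound lands for 0.x requirements.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct CaretReq {
    major: u64,
    minor: Option<u64>,
    patch: Option<u64>,
}

impl CaretReq {
    /// Accepts "1.0.200" or "^1.0.200" (Cargo treats a bare version as caret).
    pub fn parse(s: &str) -> Option<CaretReq> {
        let s = s.trim().trim_start_matches('^');
        let mut parts = s.split('.');
        let major = parts.next()?.parse().ok()?;
        let minor = match parts.next() {
            Some(m) => Some(m.parse().ok()?),
            None => None,
        };
        let patch = match parts.next() {
            Some(p) => Some(p.parse().ok()?),
            None => None,
        };
        if parts.next().is_some() {
            return None;
        }
        Some(CaretReq { major, minor, patch })
    }

    /// Lowest version that satisfies the requirement (inclusive).
    pub fn lower_bound(&self) -> Version {
        Version {
            major: self.major,
            minor: self.minor.unwrap_or(0),
            patch: self.patch.unwrap_or(0),
        }
    }

    /// First version that no longer satisfies the requirement (exclusive).
    /// Caret rule: bump the leftmost non-zero specified component; if every
    /// specified component is zero, bump the last one that was written.
    pub fn upper_bound(&self) -> Version {
        let specified = [Some(self.major), self.minor, self.patch];
        let idx = specified
            .iter()
            .position(|c| matches!(c, Some(v) if *v > 0))
            .unwrap_or_else(|| specified.iter().filter(|c| c.is_some()).count() - 1);
        let mut v = [self.major, self.minor.unwrap_or(0), self.patch.unwrap_or(0)];
        v[idx] += 1;
        for c in v.iter_mut().skip(idx + 1) {
            *c = 0;
        }
        Version { major: v[0], minor: v[1], patch: v[2] }
    }

    pub fn matches(&self, v: Version) -> bool {
        v >= self.lower_bound() && v < self.upper_bound()
    }
}

/// Versions from `available` that satisfy `req`, ascending.
pub fn compatible(req: &CaretReq, available: &[Version]) -> Vec<Version> {
    let mut out: Vec<Version> = available.iter().copied().filter(|v| req.matches(*v)).collect();
    out.sort();
    out
}

/// Constructed sample release list (illustrative only, not real serde releases).
pub fn sample_versions() -> Vec<Version> {
    ["1.0.100", "1.0.150", "1.0.200", "1.0.210", "2.0.0"]
        .iter()
        .map(|s| Version::parse(s).expect("valid sample version"))
        .collect()
}

fn main() {
    for spec in ["1.0.200", "1.0"] {
        let req = CaretReq::parse(spec).expect("valid requirement");
        println!(
            "{spec:>8} => >={:?}, <{:?}; admits {} of {} sample releases",
            req.lower_bound(),
            req.upper_bound(),
            compatible(&req, &sample_versions()).len(),
            sample_versions().len()
        );
    }
}
```

Cargo resolves to the newest version inside the range by default, so writing the lowest version a library actually works with costs nothing for applications that want the latest release; it only matters to applications that must hold a dependency back (an MSRV constraint, a regression, a lockfile that cannot move yet), and those are exactly the ones a needlessly high lower bound breaks.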

achanda commented 3 days ago

Makes sense, I have disabled renovate.

faern commented 1 day ago

Awesome :) Thank you