psychon / x11rb

X11 bindings for the Rust programming language, similar to xcb being the X11 C bindings
Apache License 2.0

Should we check in Cargo.lock and use something like dependabot? #878

Closed psychon closed 5 months ago

psychon commented 10 months ago

Basically: I just came across https://blog.rust-lang.org/2023/08/29/committing-lockfiles.html and wondered the above.

Personally, I "feel" like x11rb doesn't have many dependencies and thus this is not a large problem. Sure, the output of cargo tree is long, but most of that is for "example things" that do not get released (cairo-example produces 227 lines of output from cargo tree). On the other hand, x11rb-async does produce 58 lines of output...

notgull commented 10 months ago

I don't think committing Cargo.lock is really necessary. MSRV and feature-wise, all of our dependencies are generally stable. rustix and smol both have a strict Debian Stable MSRV policy. The only real squeaky wheel is once-cell, which has been known to make liberal MSRV bumps.

I'd be fine with Dependabot, but it should only make PRs for breaking changes. Otherwise it's kind of pointless as without a pinned Cargo.lock, Cargo will just automatically bump the deps.