rust-itertools / itertools

Extra iterator adaptors, iterator methods, free functions, and macros.
https://docs.rs/itertools/
Apache License 2.0

update dependabot config #874

Closed danieleades closed 5 months ago

danieleades commented 5 months ago

adds dependabot config for bumping cargo dependencies

this should generate PRs for criterion, quickcheck, and rand.

the quickcheck PR will fail CI since there are breaking changes, likely blocked on https://github.com/BurntSushi/quickcheck/issues/267

codecov[bot] commented 5 months ago

Codecov Report

All modified and coverable lines are covered by tests :white_check_mark:

Comparison is base (6814180) 94.38% compared to head (9c114bd) 94.25%. Report is 4 commits behind head on master.

Additional details and impacted files

```diff
@@            Coverage Diff             @@
##           master     #874      +/-   ##
==========================================
- Coverage   94.38%   94.25%   -0.14%
==========================================
  Files          48       48
  Lines        6665     6666       +1
==========================================
- Hits         6291     6283       -8
- Misses        374      383       +9
```


jswrenn commented 5 months ago

What's the advantage of actively bumping dev-dependencies? Why shouldn't we specify the minimum version we actually need, and let the cargo resolver do its job?

Philippe-Cholet commented 5 months ago

Just read our "Cargo.toml" and saw either is "1.0" when the latest version is "1.10.0". Maybe we should update it to "1" or "1.10" as dependency trees might have it in multiple versions. About dev-dependencies, maybe it's not that important though? EDIT: My bad, I forgot this interesting page.

jswrenn commented 5 months ago

> Maybe we should update it to "1" or "1.10" as dependency trees might have it in multiple versions.

either = "1" is a shorthand for either >= "1" (well, technically, either = "^1.0.0"). Cargo will only resolve a single version per major-version train, so there's no risk here of applications getting compiled with both "1" and "1.10".

jswrenn commented 5 months ago

See https://github.com/tokio-rs/tokio/pull/6335#issuecomment-1937061448, which sets a similar policy for tokio-rs. Unless we have good reason to change our current policy, I'd like to stick with it.

Philippe-Cholet commented 5 months ago

There is nothing urgent about updating dev-dependencies. And while I think dependabot could in general be helpful about semver-major updates for our dependencies, we don't expect either (our only dependency) to ever go to "2.0". And either = "1.0" actually means either = ">=1.0.0, <2.0.0" (cf link) which I forgot.
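The caret rule discussed in this thread (`either = "1.0"` meaning `>=1.0.0, <2.0.0`), as an added Rust example that is not part of the thread and not Cargo's own code. It goes beyond the thread by covering the `0.x` cases from Cargo's documented caret rules; the function names are hypothetical, and pre-release and build metadata are ignored.

```rust
// Added illustration of Cargo's default (caret) version requirement.
// Assumption: plain numeric versions only, no pre-release or build metadata.
type Version = (u64, u64, u64);

/// Parse "1", "1.0" or "^1.0.0" into the 1 to 3 numeric components given.
fn parse_parts(req: &str) -> Option<Vec<u64>> {
    let parts: Option<Vec<u64>> = req
        .trim()
        .trim_start_matches('^')
        .split('.')
        .map(|p| p.parse::<u64>().ok())
        .collect();
    parts.filter(|p| (1..=3).contains(&p.len()))
}

/// Half-open range [lower, upper) accepted by a caret requirement.
fn caret_range(req: &str) -> Option<(Version, Version)> {
    let parts = parse_parts(req)?;
    let mut lower = [0u64; 3];
    lower[..parts.len()].copy_from_slice(&parts);
    // Bump the leftmost non-zero component; if every given component
    // is zero, bump the last one that was written.
    let idx = parts.iter().position(|&n| n != 0).unwrap_or(parts.len() - 1);
    let mut upper = [0u64; 3];
    upper[..idx].copy_from_slice(&lower[..idx]);
    upper[idx] = lower[idx] + 1;
    Some(((lower[0], lower[1], lower[2]), (upper[0], upper[1], upper[2])))
}

/// True when version `v` satisfies the caret requirement `req`.
fn matches(req: &str, v: Version) -> bool {
    caret_range(req).map_or(false, |(lo, hi)| lo <= v && v < hi)
}

fn main() {
    // Constructed sample requirements.
    for req in ["1", "1.0", "^1.0.0", "1.10", "0.2.3", "0.0.3"] {
        println!("{:>7} -> {:?}", req, caret_range(req));
    }
    // "1.0" already admits 1.10.0; writing "1.10" only raises the minimum.
    println!("{}", matches("1.0", (1, 10, 0)));
}
```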

Philippe-Cholet commented 5 months ago

Your help on improving CI is very much appreciated, thanks! However, it seems that this (and #875) should be closed. I'd promptly reopen if needed.