
Bump open from 2.1.1 to 2.1.2 #325

Merged
merged 1 commit into from
Apr 29, 2022

Conversation

dependabot[bot]
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Apr 29, 2022

Bumps open from 2.1.1 to 2.1.2.

Release notes

Sourced from open's releases.

v2.1.2

Other

  • add Haiku platform support

Commit Statistics

  • 2 commits contributed to the release.
  • 54 days passed between releases.
  • 1 commit was understood as conventional.
  • 0 issues like '(#ID)' were seen in commit messages.

Commit Details

  • Uncategorized
    • update changelog (45e0388)
    • add platform support (85f4dfd)

Changelog

Sourced from open's changelog.

2.1.2 (2022-04-29)

Other

  • add Haiku platform support

Commit Statistics

  • 2 commits contributed to the release.
  • 54 days passed between releases.
  • 1 commit was understood as conventional.
  • 0 issues like '(#ID)' were seen in commit messages.

Commit Details

  • Uncategorized

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot will merge this PR once it's up-to-date and CI passes on it, as requested by @kylewillmon.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

@dependabot dependabot bot requested a review from a team April 29, 2022 14:48
@dependabot dependabot bot requested a review from a team as a code owner April 29, 2022 14:48
@dependabot dependabot bot requested review from samtay and maxrake April 29, 2022 14:48
@dependabot dependabot bot added dependencies Pull requests that update a dependency file rust Pull requests that update Rust code labels Apr 29, 2022
@cd-work
Copy link
Contributor

cd-work commented Apr 29, 2022

Is dependabot just going to open a separate PR for every dependency?

@kylewillmon
Copy link
Contributor

Is dependabot just going to open a separate PR for every dependency?

Yes... Time will tell if this gets annoying...

@cd-work
Copy link
Contributor

cd-work commented Apr 29, 2022

Yes... Time will tell if this gets annoying...

I mean for me personally, it already has. Initially thought it was just for breaking changes, but if this is going to be the case for every dependency that's going to be a bit much. And pointlessly so because there really shouldn't be any reason to separate each dependency update into a separate PR.

Talking worst-case scenario, if the bot checks once a week and for some magical reason every dependency gets updated, that would be 260 PRs. Even though that's not going to happen picking a random number between 0-260 every week is not something that sounds enticing to me.

@kylewillmon
Copy link
Contributor

Initially thought it was just for breaking changes

There may be a way to do this if we can get Dependabot to look at Cargo.toml only and ignore Cargo.lock. But then we would need something else to ensure that we are regularly picking up non-breaking changes.

that would be 260 PRs.

Dependabot limits itself to no more than 5 open PRs by default (and gives us full control to change that number).

kylewillmon
kylewillmon previously approved these changes Apr 29, 2022
@kylewillmon
Copy link
Contributor

There may be a way to do this if we can get Dependabot to look at Cargo.toml only and ignore Cargo.lock. But then we would need something else to ensure that we are regularly picking up non-breaking changes.

I've found the ignore block used by other projects to limit this to major versions only.

    ignore:
      - dependency-name: "*"
        update-types: ["version-update:semver-minor", "version-update:semver-patch"]

The linked repo uses it for a different reason though. They simply object to modifying Cargo.toml when it isn't necessary because it risks duplicating a dependency to satisfy the version. We can keep an eye on the PRs to see if that happens.

@dependabot squash and merge
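For reference, a complete `.github/dependabot.yml` showing where the ignore block quoted above sits; this is an added example, not the phylum-dev repository's own file, and the schedule, pull-request limit, labels and reviewer team are assumptions.

```yaml
# Assumed dependabot.yml for a Cargo workspace (example, not the project's own file).
version: 2
updates:
  - package-ecosystem: "cargo"
    directory: "/"
    schedule:
      interval: "weekly"
    # Default is 5; kept explicit so the cap discussed in the thread is visible.
    open-pull-requests-limit: 5
    # Labels and reviewers are assumptions; the PR itself carried these two labels.
    labels:
      - "dependencies"
      - "rust"
    reviewers:
      - "phylum-dev/integrations"
    # Only major (potentially breaking) bumps get a Dependabot PR; minor and
    # patch bumps are left to a separate `cargo update` job that touches only
    # Cargo.lock, so Cargo.toml constraints are not rewritten for them.
    ignore:
      - dependency-name: "*"
        update-types:
          - "version-update:semver-minor"
          - "version-update:semver-patch"
```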

kylewillmon
kylewillmon previously approved these changes Apr 29, 2022
Bumps [open](https://github.com/Byron/open-rs) from 2.1.1 to 2.1.2.
- [Release notes](https://github.com/Byron/open-rs/releases)
- [Changelog](https://github.com/Byron/open-rs/blob/main/changelog.md)
- [Commits](Byron/open-rs@v2.1.1...v2.1.2)

---
updated-dependencies:
- dependency-name: open
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <[email protected]>
@cd-work
Copy link
Contributor

cd-work commented Apr 29, 2022

There may be a way to do this if we can get Dependabot to look at Cargo.toml only and ignore Cargo.lock. But then we would need something else to ensure that we are regularly picking up non-breaking changes.

Dependabot should never be changing the Cargo.toml in the first place for non-breaking version updates.

Dependabot limits itself to no more than 5 open PRs by default (and gives us full control to change that number).

So it will just stop opening PRs when it reaches this limit? I'd be surprised if there's less than 5 version updates each week.

The linked repo uses it for a different reason though. They simply object to modifying Cargo.toml when it isn't necessary because it risks duplicating a dependency to satisfy the version. We can keep an eye on the PRs to see if that happens.

I really don't see how anyone would have a different opinion on this. It's really the only approach that makes sense to me.

@dependabot @github
Copy link
Contributor Author

dependabot bot commented on behalf of github Apr 29, 2022

Dependabot tried to merge this PR, but received the following error from GitHub:

Waiting on code owner review from phylum-dev/integrations and/or phylum-dev/user-components.

@cd-work cd-work merged commit ed1bd36 into main Apr 29, 2022
@cd-work cd-work deleted the dependabot/cargo/open-2.1.2 branch April 29, 2022 20:19
kylewillmon added a commit that referenced this pull request Apr 29, 2022
This runs a basic `cargo update` in a Github Action and creates a PR
with any changes. Combined with disabling Dependabot for major version
updates, this should resolve concerns about too many PRs and being too
strict in our Cargo.toml files.

Ref: Discussion on #325
kylewillmon added a commit that referenced this pull request Apr 29, 2022
This runs a basic `cargo update` in a Github Action and creates a PR
with any changes. Combined with limiting Dependabot to major version
updates, this should resolve concerns about too many PRs and being too
strict in our Cargo.toml files.

Ref: Discussion on #325
kylewillmon added a commit that referenced this pull request May 2, 2022
This runs a basic `cargo update` in a Github Action and creates a PR
with any changes. Combined with limiting Dependabot to major version
updates, this should resolve concerns about too many PRs and being too
strict in our Cargo.toml files.

Ref: Discussion on #325
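The scheduled `cargo update` job that the referenced commits describe, written out as an added example rather than the project's own workflow file; the cron schedule, branch name and the third-party action versions are assumptions.

```yaml
# Assumed .github/workflows/cargo-update.yml (example, not the project's file).
name: cargo update

on:
  schedule:
    - cron: "0 6 * * 1"   # weekly, Monday 06:00 UTC (assumed)
  workflow_dispatch:

# Least privilege: only what opening a PR from this job needs.
permissions:
  contents: write
  pull-requests: write

jobs:
  update-lockfile:
    runs-on: ubuntu-latest
    steps:
      # Third-party actions: pin to a full commit SHA in a real repository
      # rather than a floating tag, so the job's supply chain is reviewable.
      - uses: actions/checkout@v3
      - uses: dtolnay/rust-toolchain@stable

      # `cargo update` rewrites Cargo.lock only, within the version
      # requirements already in Cargo.toml, so non-breaking bumps land
      # without Dependabot editing Cargo.toml.
      - name: Update Cargo.lock
        run: cargo update

      # Opens (or refreshes) a single PR with whatever changed in Cargo.lock.
      # Note: PRs created with the default GITHUB_TOKEN do not trigger other
      # workflows, so CI on this PR needs a GitHub App or PAT token instead.
      - name: Open pull request with lockfile changes
        uses: peter-evans/create-pull-request@v4
        with:
          commit-message: "Update Cargo.lock"
          title: "Weekly cargo update"
          body: "Automated `cargo update`; review the lockfile diff before merging."
          branch: "cargo-update"   # assumed branch name
          delete-branch: true
          labels: "dependencies,rust"
```

A single weekly PR replaces the per-dependency stream the thread objects to, while the Dependabot ignore block still surfaces major bumps on their own.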