Add dependency groups to dependabot.yml #7026
Walkthrough: This pull request modifies the Dependabot configuration file to introduce structured cargo update grouping with multiple named groups for different crate categories (cranelift, criterion, futures, num-*, serde, TLS, wasm-bindgen, wasmtime, and others), enabling more granular dependency update scopes alongside a minor formatting adjustment.
Actionable comments posted: 1
🧹 Nitpick comments (1)
.github/dependabot.yml (1)
94-96: The `time*` pattern is fairly broad. This would match any crate starting with `time`, which could inadvertently group unrelated crates (e.g., `timed`, `timeout`, `timestamp`). Since Dependabot only considers crates actually in your dependency tree this is unlikely to be a problem in practice, but if you want to be precise, `"time"` and `"time-*"` as two separate patterns would be safer. Tighter pattern suggestion:
time: patterns: - - "time*" + - "time" + - "time-*"
| serde: | ||
| patterns: | ||
| - "serde" | ||
| - "serde_core" | ||
| - "serde_derive" |
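Review bot: the three patterns in this serde group are exact crate names, so `serde_core` is inert unless some Cargo.toml declares it directly, because Dependabot group patterns are matched against direct dependencies; drop it or, if the intent is to keep its version pinned, add the direct declaration together with a comment saying so. Exact names also mean any other crate whose name merely starts with `serde` stays outside this group, which is fine if that is deliberate.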
🧩 Analysis chain
🏁 Script executed:
#!/bin/bash
# Check if serde_core appears in any Cargo.toml or Cargo.lock
echo "=== Checking Cargo.lock ==="
rg -n 'serde_core' Cargo.lock || echo "Not found in Cargo.lock"
echo ""
echo "=== Checking Cargo.toml files ==="
fd 'Cargo.toml' --exec rg -l 'serde_core' {} || echo "Not found in any Cargo.toml"

Repository: RustPython/RustPython
Reconsider including serde_core in the groups section—it appears to be a transitive dependency, not a direct one.
serde_core is present in Cargo.lock but not declared in any Cargo.toml file, meaning it's a transitive dependency that will be pulled in by another package. Including transitive dependencies explicitly in Dependabot groups is usually unnecessary since they're updated indirectly through their parent packages. Consider removing it or investigating whether explicit grouping here serves a specific purpose you need to maintain.
🤖 Prompt for AI Agents
In @.github/dependabot.yml around lines 83 - 87, The dependabot group currently
lists "serde_core" which is a transitive dependency (present in Cargo.lock but
not in any Cargo.toml); remove "serde_core" from the serde group in the
dependabot.yml so only direct packages ("serde", "serde_derive") are grouped, or
if you intentionally need to pin it, document why and add a direct dependency
declaration to Cargo.toml; search for the serde group entry and remove the
"serde_core" pattern or replace it with a comment explaining the intent.
How can we ensure that transitive dependencies are upgraded in lockstep with direct dependencies?
@fanninpm Great question! In the Cargo ecosystem, transitive dependencies are automatically upgraded in lockstep with their direct dependencies when Dependabot (or cargo update) updates the Cargo.lock file. Here's how it works:
How Cargo Handles Transitive Dependencies
When Dependabot updates a direct dependency like serde:
- It runs `cargo update` for that package
- Cargo automatically resolves and updates all transitive dependencies (like `serde_core`) to versions compatible with the new direct dependency version
- The entire dependency tree is updated atomically in Cargo.lock
Dependabot Groups and Transitive Dependencies
You don't need to explicitly include transitive dependencies in Dependabot groups because:
- Dependabot respects Cargo's dependency resolution
- When `serde` is updated, `serde_core` will automatically be updated to the version that `serde` requires
- Including `serde_core` explicitly in the group pattern won't change this behavior since it's not in any Cargo.toml
Recommendation
For the serde group, you can safely keep just the direct dependencies:
    serde:
      patterns:
        - "serde"
        - "serde_derive"

The transitive dependency serde_core will still be updated whenever serde is updated—the grouping just controls which direct dependency updates are batched together in a single PR. If serde_core isn't a direct dependency, the pattern won't match anything anyway, so including it is harmless but unnecessary.
If you have concerns about specific transitive dependency versions, you can make them direct dependencies by adding them to your Cargo.toml with explicit version requirements.
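The check the reviewer ran by hand above (is every group pattern backed by a direct dependency in some Cargo.toml?) as a small audit script. This is an added example, not code from RustPython or CodeRabbit; it assumes Dependabot's `*` wildcard behaves like a shell glob, and the Cargo.toml excerpt and group list are constructed for the demo.

```python
import fnmatch
import re

# Cargo.toml table headers whose keys name direct dependencies, including
# [workspace.dependencies], [target.'cfg(unix)'.dev-dependencies] and [dependencies.name].
_DEP_TABLE = re.compile(r"^\[(?:workspace\.)?(?:target\.[^\]]+\.)?"
                        r"(?:dependencies|dev-dependencies|build-dependencies)(?:\.([^\]]+))?\]\s*$")
_KEY = re.compile(r'^\s*("?)([A-Za-z0-9_.-]+)\1\s*=')

def direct_crates(toml_text: str) -> set[str]:
    """Names declared directly in a Cargo.toml (one entry per line assumed)."""
    crates: set[str] = set()
    in_dep_table = False
    for line in toml_text.splitlines():
        if line.startswith("["):
            m = _DEP_TABLE.match(line)
            in_dep_table = bool(m) and m.group(1) is None
            if m and m.group(1):
                crates.add(m.group(1).strip('"'))  # [dependencies.name] sub-table form
        elif in_dep_table and (k := _KEY.match(line)):
            crates.add(k.group(2))
    return crates

def match_groups(groups: dict[str, list[str]], crates: set[str]) -> dict[str, dict[str, list[str]]]:
    """Per group, the direct crates each pattern matches (`*` wildcard as in Dependabot)."""
    return {g: {p: sorted(c for c in crates if fnmatch.fnmatchcase(c, p)) for p in pats}
            for g, pats in groups.items()}

def dead_patterns(groups: dict[str, list[str]], crates: set[str]) -> list[tuple[str, str]]:
    """(group, pattern) pairs matching no direct dependency, i.e. inert entries."""
    return [(g, p) for g, hits in match_groups(groups, crates).items()
            for p, matched in hits.items() if not matched]

# Constructed sample manifest: serde_core is deliberately absent, since in the
# thread above it appears only in Cargo.lock.
SAMPLE_CARGO_TOML = """\
[workspace.dependencies]
serde = { version = "1", features = ["derive"] }
serde_derive = "1"
time = "0.3"

[dependencies]
wasm-bindgen = "0.2"
"""
# Constructed from the serde and time groups discussed in the review.
SAMPLE_GROUPS = {"serde": ["serde", "serde_core", "serde_derive"], "time": ["time*"]}

if __name__ == "__main__":
    for group, pattern in dead_patterns(SAMPLE_GROUPS, direct_crates(SAMPLE_CARGO_TOML)):
        print(f"group {group!r}: pattern {pattern!r} matches no direct dependency")
```

On a real checkout, feed it the patterns from `.github/dependabot.yml` and the union of `direct_crates()` over every Cargo.toml in the workspace.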
This is so that Dependabot can automatically update, e.g., all of the `malachite` dependencies in a single PR, rather than having to depend on opening multiple PRs.