Merged
119 changes: 118 additions & 1 deletion .github/dependabot.yml
@@ -1,14 +1,131 @@
# cspell:ignore manyhow tinyvec zeroize
version: 2
updates:
- package-ecosystem: cargo
directory: /
schedule:
interval: weekly
groups:
cranelift:
patterns:
- "cranelift*"
criterion:
patterns:
- "criterion*"
futures:
patterns:
- "futures*"
get-size2:
patterns:
- "get-size*2"
iana-time-zone:
patterns:
- "iana-time-zone*"
jiff:
patterns:
- "jiff*"
lexical:
patterns:
- "lexical*"
libffi:
patterns:
- "libffi*"
malachite:
patterns:
- "malachite*"
manyhow:
patterns:
- "manyhow*"
num:
patterns:
- "num-bigint"
- "num-complex"
- "num-integer"
- "num-iter"
- "num-rational"
- "num-traits"
num_enum:
patterns:
- "num_enum*"
openssl:
patterns:
- "openssl*"
parking_lot:
patterns:
- "parking_lot*"
phf:
patterns:
- "phf*"
plotters:
patterns:
- "plotters*"
portable-atomic:
patterns:
- "portable-atomic*"
pyo3:
patterns:
- "pyo3*"
quote-use:
patterns:
- "quote-use*"
rayon:
patterns:
- "rayon*"
regex:
patterns:
- "regex*"
result-like:
patterns:
- "result-like*"
security-framework:
patterns:
- "security-framework*"
serde:
patterns:
- "serde"
- "serde_core"
- "serde_derive"
Comment on lines +83 to +87

@coderabbitai coderabbitai Bot Feb 6, 2026

Contributor


⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check if serde_core appears in any Cargo.toml or Cargo.lock
echo "=== Checking Cargo.lock ==="
rg -n 'serde_core' Cargo.lock || echo "Not found in Cargo.lock"

echo ""
echo "=== Checking Cargo.toml files ==="
fd 'Cargo.toml' --exec rg -l 'serde_core' {} || echo "Not found in any Cargo.toml"

Repository: RustPython/RustPython

Length of output: 373


Reconsider including serde_core in the groups section—it appears to be a transitive dependency, not a direct one.

serde_core is present in Cargo.lock but not declared in any Cargo.toml file, meaning it's a transitive dependency that will be pulled in by another package. Including transitive dependencies explicitly in Dependabot groups is usually unnecessary since they're updated indirectly through their parent packages. Consider removing it or investigating whether explicit grouping here serves a specific purpose you need to maintain.

🤖 Prompt for AI Agents
In @.github/dependabot.yml around lines 83 - 87, The dependabot group currently
lists "serde_core" which is a transitive dependency (present in Cargo.lock but
not in any Cargo.toml); remove "serde_core" from the serde group in the
dependabot.yml so only direct packages ("serde", "serde_derive") are grouped, or
if you intentionally need to pin it, document why and add a direct dependency
declaration to Cargo.toml; search for the serde group entry and remove the
"serde_core" pattern or replace it with a comment explaining the intent.

Contributor Author


How can we ensure that transitive dependencies are upgraded in lockstep with direct dependencies?

Contributor


@fanninpm Great question! In the Cargo ecosystem, transitive dependencies are automatically upgraded in lockstep with their direct dependencies when Dependabot (or cargo update) updates the Cargo.lock file. Here's how it works:

How Cargo Handles Transitive Dependencies

When Dependabot updates a direct dependency like serde:

  1. It runs cargo update for that package
  2. Cargo automatically resolves and updates all transitive dependencies (like serde_core) to versions compatible with the new direct dependency version
  3. The entire dependency tree is updated atomically in Cargo.lock

Dependabot Groups and Transitive Dependencies

You don't need to explicitly include transitive dependencies in Dependabot groups because:

  • Dependabot respects Cargo's dependency resolution
  • When serde is updated, serde_core will automatically be updated to the version that serde requires
  • Including serde_core explicitly in the group pattern won't change this behavior since it's not in any Cargo.toml

Recommendation

For the serde group, you can safely keep just the direct dependencies:

serde:
  patterns:
    - "serde"
    - "serde_derive"

The transitive dependency serde_core will still be updated whenever serde is updated—the grouping just controls which direct dependency updates are batched together in a single PR. If serde_core isn't a direct dependency, the pattern won't match anything anyway, so including it is harmless but unnecessary.

If you have concerns about specific transitive dependency versions, you can make them direct dependencies by adding them to your Cargo.toml with explicit version requirements.

system-configuration:
patterns:
- "system-configuration*"
thiserror:
patterns:
- "thiserror*"
time:
patterns:
- "time*"
tinyvec:
patterns:
- "tinyvec*"
tls_codec:
patterns:
- "tls_codec*"
toml:
patterns:
- "toml*"
wasm-bindgen:
patterns:
- "wasm-bindgen*"
wasmtime:
patterns:
- "wasmtime*"
webpki-root:
patterns:
- "webpki-root*"
windows:
patterns:
- "windows*"
zerocopy:
patterns:
- "zerocopy*"
zeroize:
patterns:
- "zeroize*"
ignore:
# TODO: Remove when we use ruff from crates.io
# for some reason dependabot only updates the Cargo.lock file when dealing
# with git dependencies. i.e. not updating the version in Cargo.toml
- dependency-name: "ruff_*"
- dependency-name: "ruff_*"
- package-ecosystem: github-actions
directory: /
schedule:
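Review bot: the new `groups:` block (cranelift through zeroize) only affects Dependabot version updates; Dependabot security updates for crates matched by `openssl*`, `security-framework*`, `tls_codec*`, `webpki-root*` or `zeroize*` will still arrive as their own ungrouped PRs unless a group sets `applies-to: security-updates`, and I'd leave it that way so an advisory-driven bump is not buried inside a batched weekly PR. Two things to confirm before merging: the `ignore:` block at the end shows `- dependency-name: "ruff_*"` twice in the rendered diff, which with 118 additions and 1 deletion is presumably the old line beside its replacement, so please check that the final file carries that entry exactly once; and `get-size*2` is the only pattern with a trailing literal after the wildcard, so if it is meant to match more than the bare `get-size2` crate a short comment saying so would help the next reader.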