chore: suppress Dependabot minor/patch version bump PRs for Cargo deps #349
sandersaares wants to merge 2 commits into main from
Conversation
Pull request overview
This PR reduces Dependabot noise for Rust (Cargo) dependencies by ignoring semver-compatible (minor and patch) version bump PRs while still allowing major updates and security update PRs.
Changes:
- Updated Cargo Dependabot ignore rules to suppress both semver-minor and semver-patch updates via a wildcard rule.
- Removed the now-redundant tokio-specific ignore rule.
- Documented a branching convention in AGENTS.md (don't commit directly to main).
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| AGENTS.md | Adds a "Branching" section documenting the repository workflow expectation. |
| .github/dependabot.yml | Expands Cargo ignore rules to suppress minor+patch PRs (while keeping majors/security unaffected). |
| - dependency-name: "*" | ||
| update-types: ["version-update:semver-patch"] | ||
| update-types: | ||
| - "version-update:semver-minor" |
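Review bot: with dependency-name: "*" and semver-minor in the ignored update types, a 0.x→0.y bump of a Cargo dependency is suppressed as well, because Dependabot classifies it by position as semver-minor even though Cargo treats that component as the breaking one for 0.x crates; a comment beside this rule stating that limitation and what still produces PRs (major bumps and security updates) would keep the tradeoff visible to whoever next edits the file.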
How does it work with 0.x.y versions? That's probably 90% of our deps.
It will not bump 0.x versions. Ideally dependabot would be Cargo-smart about it but it seems not to be. But noisy systems that spam us will quickly be ignored so we cannot tolerate it - better to miss upgrade PRs than to have pointless ones generated.
Can you estimate how much noise it actually creates?
44% of our dependencies are within the "would cause bad PRs" bucket. It is not only the noise but also the fact that engineers have to know that these are bad PRs. Terrible developer experience and bound to cause misfires.
Codecov Report
✅ All modified and coverable lines are covered by tests.
Additional details and impacted files
@@ Coverage Diff @@
## main #349 +/- ##
=======================================
Coverage 100.0% 100.0%
=======================================
Files 212 212
Lines 15551 15551
=======================================
Hits 15551 15551
☔ View full report in Codecov by Sentry.
Personally, I don't see a problem in closing PRs with
Hmmm there is actually
Force-pushed from 1738390 to 9f530e2.
Ignore semver-minor and semver-patch Cargo dependency updates. Only major version bumps and security fixes will create PRs. Includes a comment linking to dependabot-core#4009 — if Cargo gains support for increase-if-necessary, the ignore rules can be replaced with that strategy for better 0.x handling. Also documents the feature branch workflow convention in AGENTS.md. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Force-pushed from 9f530e2 to 4bd05c7.
Pull request overview
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| versions: ["1.x"] | ||
| # ignore patch updates for all dependencies | ||
| # Ignore all minor and patch updates — security updates are handled separately | ||
| # by Dependabot security alerts and are not affected by these ignore rules. |
The comment mentions "Dependabot security alerts" being unaffected by ignore rules; alerts and security update PRs are different features. Consider rewording to "Dependabot security updates (if enabled)" to avoid implying that alerts alone will produce PRs.
| # by Dependabot security alerts and are not affected by these ignore rules. | |
| # by Dependabot security updates (if enabled) and are not affected by these ignore rules. |
Problem
Dependabot creates noisy PRs for non-major version bumps of Cargo dependencies. For example, PR #347 bumped uuid from 1.22.0 to 1.23.0 — a minor version bump where the existing caret range "1.21" (meaning >=1.21.0, <2.0.0) already covers 1.23.0. There is no reason for Dependabot to modify Cargo.toml in this case.
Solution
Ignore all semver-minor and semver-patch Cargo dependency updates. Only major version bumps and security vulnerability fixes will create PRs.
What still creates PRs
- Major version bumps (1.x→2.0, 0.x→1.0).
- Security updates are not affected by ignore rules and will continue to create PRs for any dependency with a known vulnerability.
Known limitation: 0.x breaking changes are also suppressed
In Rust, 0.1.x→0.2.x is a breaking change, but Dependabot classifies it as semver-minor. There is no way to configure Dependabot to understand Rust's 0.x convention.
This is a real tradeoff — 39 of 70 external dependencies (56%) are at 0.x versions. The ideal solution would be versioning-strategy: increase-if-necessary, which would only modify Cargo.toml when the current caret range doesn't cover the new version (naturally respecting Cargo's 0.x semantics). However, Cargo only supports auto and lockfile-only for versioning-strategy — see dependabot-core#4009.
A comment is left in dependabot.yml linking to that issue so a future maintainer can switch to increase-if-necessary if/when it becomes available.
Why we accept this tradeoff
- Letting semver-minor through means every minor bump for all 70 deps creates a PR — the exact problem we're solving.
- A 0.x→1.0 bump is semver-major and still creates a PR.
Other changes
- Removed the tokio-specific ignore rule — now covered by the wildcard.
- AGENTS.md: never commit directly to main.
Testing
Configuration-only change. No code or tests affected.
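To make the tradeoff in the Known limitation section concrete, here is an added Python example (not code from the PR, the repository or Dependabot) that models Cargo's caret-range semantics beside Dependabot's position-based semver classification and sorts each update into "PR still created", "noise suppressed" or "breaking change suppressed". The uuid case is the one quoted above; the 0.x versions are constructed, and the caret logic follows Cargo's documented rule rather than any Dependabot implementation.

```python
# Added example, not part of the PR or the repository: Cargo caret semantics
# next to Dependabot's position-based classification, so the effect of the
# wildcard ignore rule (semver-minor + semver-patch) can be seen per update.

IGNORED = {"version-update:semver-minor", "version-update:semver-patch"}


def parse(version: str) -> tuple:
    """'1.21' -> (1, 21, 0); missing components are zero, '^' is optional."""
    parts = [int(p) for p in version.lstrip("^").split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def caret_covers(requirement: str, candidate: str) -> bool:
    """Cargo caret rule: the leftmost non-zero component of the requirement
    stays fixed ('1.21' -> <2.0.0, '0.1.5' -> <0.2.0, '0.0.3' -> <0.0.4).
    If every given component is zero, the last given one is fixed ('0.0' -> <0.1.0)."""
    given = [int(p) for p in requirement.lstrip("^").split(".")]
    low = parse(requirement)
    fixed = next((i for i, c in enumerate(given) if c != 0), len(given) - 1)
    high = list(low)
    high[fixed] += 1
    for j in range(fixed + 1, 3):
        high[j] = 0
    return low <= parse(candidate) < tuple(high)


def dependabot_update_type(old: str, new: str) -> str:
    """Dependabot only looks at which position changed; it does not know
    that Cargo treats a 0.x minor bump as breaking."""
    o, n = parse(old), parse(new)
    if n[0] != o[0]:
        return "version-update:semver-major"
    if n[1] != o[1]:
        return "version-update:semver-minor"
    return "version-update:semver-patch"


def classify(requirement: str, old: str, new: str) -> str:
    """Outcome of one update under the wildcard ignore rule in this PR."""
    if dependabot_update_type(old, new) not in IGNORED:
        return "pr-created"            # major bump: ignore rule does not apply
    if caret_covers(requirement, new):
        return "noise-suppressed"      # Cargo.toml already allows this version
    return "breaking-suppressed"       # 0.x breaking change hidden by the rule


if __name__ == "__main__":
    # Constructed cases: uuid from PR #347, plus a hypothetical 0.x dependency.
    print(classify("1.21", "1.22.0", "1.23.0"))   # noise-suppressed
    print(classify("0.1", "0.1.4", "0.2.0"))      # breaking-suppressed
    print(classify("0.9", "0.9.3", "1.0.0"))      # pr-created
```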