From b77d156596249cbbe136e30d82d46b5a9dffb982 Mon Sep 17 00:00:00 2001
From: Eliah Kagan
Date: Fri, 25 Apr 2025 00:50:56 -0400
Subject: [PATCH] Always let Dependabot propose `Cargo.lock` updates

This fixes a bug in the `dependabot.yml` configuration since #1948, where we intend Dependabot to include the effect of `cargo update`, but this does not happen because `dependency-type: all` was not explicitly allowed.

This does not make an analogous change to the Dependabot configuration for GitHub Actions, because `all` and `direct` currently have the same effect for them (and it is not obvious how it would work if that ever changes, or which we would prefer).

For details on why this is needed for Dependabot to update most locked dependencies in `Cargo.lock` aside from the case where the update is done as part of updating a `Cargo.toml` dependency, see:

- https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/controlling-dependencies-updated#allowing-specific-dependencies-to-be-updated
- https://docs.github.com/en/code-security/dependabot/working-with-dependabot/dependabot-options-reference#dependency-type-allow
---
 .github/dependabot.yml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index f3c7773dbfe..9946b189a3f 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -7,9 +7,12 @@ updates:
 commit-message:
 # Avoid non-"purposeful" prefix due to Dependabot misdetecting style (see `DEVELOPMENT.md`).
 prefix: ''
+ allow:
+ - dependency-type: all
 groups:
 cargo:
 patterns: ['*']
+
 - package-ecosystem: github-actions
 directory: '/'
 schedule:
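Review bot: The `allow:` entry added under the cargo block carries no comment explaining why it is there, while the `prefix: ''` line just above it does, so the reason is recorded only in the commit message. A one-line comment above it would keep a later cleanup from removing it as redundant, for example `# Also update indirect dependencies, which appear only in Cargo.lock.` Because the `cargo` group below uses `patterns: ['*']`, these lockfile-only bumps will presumably arrive in the same grouped pull request as direct ones, so it may be worth noting in the contributor docs that the `Cargo.lock` diff of those PRs needs review too. The cargo `updates` entry begins before the hunk, so its `package-ecosystem` and `schedule` settings are not visible here.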