Dependabot-core: Rust: other crates in workspace are not updated

Hmm, Dependabot should already be dealing with Rust workspaces just fine - can you tag @dependabot in a PR which has this issue? It's hard to debug in the abstract.

@greysteil I've just tagged @dependabot in the PR. It's in a private repo, I assume that shouldn't be an issue for you to be able to check it?

Great, thanks - I’ll check it out.

I've just taken a look at the files Dependabot is processing from that repo. It looks like you have a [workspace] line in the top-level Cargo.toml, but you don't specify any members of that workspace. Then you specify a bunch of path dependencies, which I think you want to have as members of the workspace, but because they're not Dependabot treats them as though they were being vendored.

You can fix the above by adding a members = [...] line to your top-level Cargo.toml. There are some docs here on how that works.

Does the above make sense? I'll mark this as resolved if so.

@greysteil, thanks for looking into it!

Yeah, I thought the problem would be with [workspace] too.
The thing is that cargo automatically treats all the path dependencies as workspace members, so you don't have to specify them manually. I think that dependabot should do it as well, if it sees the [workspace] section. Is it possible to implement the same functionality for it? That seems to be the right way to do it.

And in order to bring the full support for the manifest file, exclude has to be taken into account as well...

Here's the full documentation in The Cargo Book: https://doc.rust-lang.org/cargo/reference/manifest.html#the-workspace-section

Oh.. And another thing: I have all the workspace members specified in the .dependabot/config.yml. It doesn't seem to be completely ignored.. Though for some dependencies I receive PRs for workspace members, and for others I do not. My first assumption is that I will not receive PRs for members if the same dependency is specified in the root Cargo.toml.

The thing is that cargo automatically treats all the path dependencies as workspace members, so you don't have to specify them manually.

Oh interesting, we should definitely do that! I'll get that fixed.

Fixed in https://github.com/dependabot/dependabot-core/commit/9a08f39c12e20c1bcf73ea88a79b93492f508b6b which I'll deploy now. You'll want to remove the config file entries for everything other than the top-level Cargo.toml, as everything else will now be picked up automatically.

@greysteil That's not a general fix. I have a Cargo.toml like this:

[package]
# ...
[workspace]
members = ["not-a-path-dependency"]
[dependencies]
workspace-member = { path = "path-dependency" }

Both not-a-path-dependency and path-dependency should be workspace member, but path-dependency/Cargo.toml is not monitored (not shown in the "Monitored dependency files" list). (I'm using GitHub-native Dependabot.)

Thanks for the report @hyd-dev. I don't work on Dependabot directly anymore, but if you or anyone else is up for submitting a pull request I'm sure the team would be delighted. GitHub-native Dependabot uses this library under the hood, so you're in the right place! :octocat:

I wish to submit a PR but I don't know Ruby at all. However the logic is simple: just appending path_dependency_paths_from_file(file) to the Cargo.toml array unconditionally.