Dependabot-core: Please auto-merge pre-1.0 rust dependencies

Created on 5 Dec 2018  ·  7 Comments  ·  Source: dependabot/dependabot-core

While semver itself allows any breaking changes in 0.x.y releases, cargo treats 0.x.y as if x was the major version and y was the minor version. This means that in the rust ecosystem, 0.5.2 is considered to be compatible with 0.5.1.

Currently, pre-1.0 rust dependencies are not automatically merged, even though most crates are 0.x.y versions and behave according to the cargo semver rules. Please enable auto-merging for pre-1.0 crates.

All 7 comments

Thanks for the feedback @konstin. Do you know if that setup is formally recorded anywhere? Other languages take the same approach informally, but I don't think that's enough for Dependabot to enable automerging - some authors might not be following that approach.

I haven't found anything for the semver rules themselves, but this chapter in the official cargo book says that 0.x.y is understood as ^0.x.y with e.g. ^1.2.3 := >=1.2.3 <2.0.0.

EDIT: It actually also says something about semver:

While SemVer says there is no compatibility before 1.0.0, Cargo considers 0.x.y to be compatible with 0.x.z, where y ≥ z and x > 0.
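The gap between the two readings discussed above, as an added example that is not part of the thread and is not Dependabot or Cargo code: a check for whether an update stays inside Cargo's caret range, next to the strict SemVer reading that promises nothing below 1.0.0. The function names are hypothetical and the version pairs in `main` are constructed samples; versions with pre-release or build suffixes are rejected so they fall back to manual review.

```rust
/// Parse a plain MAJOR.MINOR.PATCH version. Anything else (for example
/// "1.0.0-beta.1") returns None so the caller treats it as not compatible.
fn parse_version(s: &str) -> Option<(u64, u64, u64)> {
    let mut parts = s.trim().split('.');
    let major = parts.next()?.parse().ok()?;
    let minor = parts.next()?.parse().ok()?;
    let patch = parts.next()?.parse().ok()?;
    if parts.next().is_some() {
        return None;
    }
    Some((major, minor, patch))
}

/// True if `new` satisfies `^old` as Cargo interprets it: the leftmost
/// non-zero component is the one whose change counts as breaking.
fn cargo_caret_compatible(old: &str, new: &str) -> bool {
    let (Some(o), Some(n)) = (parse_version(old), parse_version(new)) else {
        return false;
    };
    if n < o {
        return false; // a downgrade never satisfies ^old
    }
    match o {
        (0, 0, _) => n == o,                       // ^0.0.z := =0.0.z
        (0, minor, _) => n.0 == 0 && n.1 == minor, // ^0.y.z := >=0.y.z, <0.(y+1).0
        (major, _, _) => n.0 == major,             // ^x.y.z := >=x.y.z, <(x+1).0.0
    }
}

/// Strict SemVer reading: no compatibility promise before 1.0.0.
fn strict_semver_compatible(old: &str, new: &str) -> bool {
    matches!(parse_version(old), Some((major, _, _)) if major >= 1)
        && cargo_caret_compatible(old, new)
}

fn main() {
    // Constructed sample updates, not taken from any real manifest.
    let updates = [("0.5.1", "0.5.2"), ("0.5.2", "0.6.0"), ("0.0.3", "0.0.4"), ("1.2.3", "1.9.0")];
    for (old, new) in updates {
        let cargo = cargo_caret_compatible(old, new);
        let strict = strict_semver_compatible(old, new);
        println!("{old} -> {new}: cargo={cargo} strict={strict}");
    }
}
```

A `true` result only says the version number stays inside the range Cargo would already resolve to; whether the crate's author actually kept 0.x.y releases compatible is the open question raised in the comment above.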

FYI, we're planning to add this as a setting once we ship config files. I haven't forgotten about it!

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs within seven days. Thank you for your contributions.

This issue is still relevant.

Hello there 👋

(I'm commenting on this issue as I think it is related, otherwise, I can move this to its dedicated one ☺️)

So, would it make sense to add a config, something like trust_dependencies under automerged_updates to allow pre-1.0 dependencies to be auto merged?

Automerge is no longer supported in GitHub-native Dependabot, so closing this issue.
