Skip to content

ci: Add Dependabot#1503

Closed
sjackman wants to merge 1 commit intorust-ndarray:masterfrom
sjackman:sj/dependabot
Closed

ci: Add Dependabot#1503
sjackman wants to merge 1 commit intorust-ndarray:masterfrom
sjackman:sj/dependabot

Conversation

@sjackman
Copy link

@sjackman sjackman commented Apr 10, 2025
edited
Loading

Enable Dependabot to open PRs to update dependencies.

Related PR

@sjackman
ci: Add Dependabot
05fe2ea 
Enable [Dependabot](https://docs.github.com/en/code-security/dependabot) to open PRs to update dependencies.
@sjackman sjackman mentioned this pull request Apr 10, 2025
Open
@akern40
Copy link
Collaborator

akern40 commented Apr 10, 2025

@sjackman would you mind making a related issue that explains what you see to be the benefits of Dependabot? I'm familiar with its security scanning, but I'm not sure what you mean by "open PRs to update dependencies".

@sjackman
Copy link
Author

sjackman commented Apr 16, 2025

I'm not sure what you mean by "open PRs to update dependencies".

https://docs.github.com/en/code-security/dependabot/dependabot-version-updates

Keeping your dependencies updated automatically with Dependabot version updates
You can use Dependabot to automatically keep the dependencies and packages used in your repository updated to the latest version, even when they don’t have any known vulnerabilities.

Dependabot will open PRs against your repo to keep your dependencies up to date. See for example this PR that @dependabot opened in rust-bio to update petgraph:

@akern40
Copy link
Collaborator

akern40 commented May 22, 2025

Thank you for bringing this to my attention! I've looked into this and learned a few things. First, that we do have Dependabot set up. Second, that I should be making sure to pay closer attention to it. And third, that Dependabot PRs would probably be more noise than signal. I say that because they take the approach of directly pinning the offending dependencies. But for ndarray, our security vulnerability alerts are a) mostly in dependencies of dependencies or b) in our workspace test crates, which I'm not sure that Dependabot will handle correctly.

My opinion here is that pinning every offending dependency directly in ndarray is a recipe for a laundry list of pins that aren't true dependencies. Personally, I think it would be much better for the downstream dependencies to do the pinning of their direct dependencies - as we should (and will) do for our direct dependencies.

Does this seem like a reasonable policy?

@akern40
Copy link
Collaborator

akern40 commented Jan 18, 2026

Closing since right now this would be more signal than noise, and it's already turned on to give me alerts.

@akern40 akern40 closed this Jan 18, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@sjackman @akern40