Skip to content

Pin deps to their minor version#7473

Open
ShaharNaveh wants to merge 1 commit intoRustPython:mainfrom
ShaharNaveh:pin-lexopt
Open

Pin deps to their minor version#7473
ShaharNaveh wants to merge 1 commit intoRustPython:mainfrom
ShaharNaveh:pin-lexopt

Conversation

@ShaharNaveh
Copy link
Contributor

@ShaharNaveh ShaharNaveh commented Mar 20, 2026
edited by coderabbitai bot
Loading

When deps don't specify their minor version dependabot only update Cargo.lock (see #7470 for example).

This PR ensures that dependabot updates Cargo.toml as well.

Closes #7470

Summary by CodeRabbit

  • Chores
    • Updated project dependencies to latest stable versions for improved compatibility and performance.

@coderabbitai
Copy link
Contributor

coderabbitai bot commented Mar 20, 2026
edited
Loading

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yml

Review profile: CHILL

Plan: Pro

Run ID: 33bfd0e1-6973-4b1a-a3eb-ef206d78a958

📥 Commits

Reviewing files that changed from the base of the PR and between 247044a and 3e8b585.

⛔ Files ignored due to path filters (1)
  • Cargo.lock is excluded by !**/*.lock
📒 Files selected for processing (1)
  • Cargo.toml
📝 Walkthrough

Walkthrough

Multiple dependency versions in Cargo.toml are updated to newer patch levels, including lexopt, dirs-next, env_logger, and approximately 20 other crates. Feature configurations and control flow structures remain unchanged; only version specifiers are modified.

Changes

Cohort / File(s) Summary
Dependency Version Updates
Cargo.toml		 Bumped 25+ crate versions to newer patch releases, including lexopt (0.3.1 → 0.3.2), dirs-next, env_logger, rand, syn, and others. Feature flags and dependencies structure preserved.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Suggested reviewers

  • youknowone

Poem

🐰 Dependencies march in a happy line,
Each version bumped to something fine,
Lexopt and rand now fresh and new,
No breaking changes to break you through,
The rabbit hops with glee—upgrades complete! ✨

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately describes the main change: pinning dependencies to their minor versions in Cargo.toml to ensure Dependabot updates the manifest file properly.
Linked Issues check ✅ Passed The PR successfully addresses issue #7470 by pinning lexopt and other dependencies to their minor versions, ensuring Dependabot updates Cargo.toml in addition to Cargo.lock.
Out of Scope Changes check ✅ Passed All changes are limited to dependency version pinning in Cargo.toml, directly addressing the objective to pin dependencies to their minor version.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
📝 Coding Plan
  • Generate coding plan for human review comments

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

moreal
moreal previously approved these changes Mar 20, 2026
View reviewed changes
@youknowone
Copy link
Member

youknowone commented Mar 20, 2026

RustPython is a binary and a library. Library user uses Cargo.toml and application uses uses Cargo.lock. Specifying the latest version is good for application users, but not for library users

@ShaharNaveh
Copy link
Contributor Author

ShaharNaveh commented Mar 20, 2026

RustPython is a binary and a library. Library user uses Cargo.toml and application uses uses Cargo.lock. Specifying the latest version is good for application users, but not for library users

That's a good point.
I believe consistency is good, which way should we choose?

@moreal moreal requested review from moreal and removed request for moreal March 22, 2026 11:03
@moreal
Copy link
Contributor

moreal commented Mar 22, 2026

When I originally gave the approval, I hadn't considered the library users. Thinking back on it, it's actually normal behavior for Dependabot to only update Cargo.lock in that regard. For the sake of library users, we need to use the most generous (lowest) version possible, as long as it doesn't affect functionality.

So, honestly, I'm leaning toward sticking with the current approach. In the case of something like bstr = "1", it originally allowed versions like 1.0.x to be used, but now it requires 1.12.1 or higher.

@moreal moreal dismissed their stale review March 22, 2026 11:08

I didn't think in RustPython-as-library side when I approved.

@youknowone
Copy link
Member

youknowone commented Mar 22, 2026

@ShaharNaveh choosing tight versions for Cargo.lock and loose versions for Cargo.toml is a good trade-off and consistent. If we have to really upgrade incompatible, they are being upgraded together.
One of caveat of this approach is we accidently can specify too low version of dependnecy for Cargo.toml. Everything other is good.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@moreal moreal Awaiting requested review from moreal

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@ShaharNaveh @youknowone @moreal