
When multiple of the same cargo package are used, dependabot doesn't try to update all of them

Open alex opened this issue 6 years ago • 7 comments

Repo: https://github.com/alex/ct-tools

If you look at Cargo.lock, you'll see that bytes is depended on multiple times (one at 0.4.12 and the other at 0.5.2).

However, looking at the update log from dependabot (https://app.dependabot.com/accounts/alex/update-logs/18434808) you can see that it only checks for an update for bytes 0.4.12, not 0.5.2.

You can see the same pattern with smallvec in the same repository.

alex avatar Dec 22 '19 21:12 alex

Reading DependencySet::<<, it looks like its logic is to simply track the lowest version of all those depended on. This is correct from a "finding if there's a newer version" perspective, however it's not correct from a "seeing if you can update to that version" perspective.

alex avatar Dec 22 '19 21:12 alex

As far as I know, this is still an issue. I don't believe closing this would be appropriate.

alex avatar Feb 20 '20 23:02 alex

Has any progress been made on this? Having multiple crate versions in a project is fairly common due to the overall dependency tree.

lberrymage avatar Sep 18 '20 21:09 lberrymage

👋 Sorry for the slow follow-up.

The last comments on this ticket are 2.5 years old, and we've shipped a lot of fixes / improvements since then.

Is this still a reproducible issue or should this be closed?

jeffwidman avatar Feb 05 '23 05:02 jeffwidman

@jeffwidman Yes, this is still a problem.

jonasbb avatar Feb 16 '23 16:02 jonasbb

I was able to reproduce this with the given repo at https://github.com/alex/ct-tools/commits/b8df336. That revision has indeed two versions of bytes locked, 0.5.6 and 1.0.0.

Dependabot gives this:

$ bin/dry-run.rb cargo alex/ct-tools --commit b8df336 --dep bytes
=> fetching dependency files
=> dumping fetched dependency files: ./dry-run/alex/ct-tools/
=> parsing dependency files
=> updating 1 dependencies: bytes

=== bytes (0.5.6)
 => checking for updates 1/1
🌍 --> GET https://crates.io/api/v1/crates/bytes
🌍 <-- 200 https://crates.io/api/v1/crates/bytes
 => latest available version is 1.4.0
 => latest allowed version is 0.5.6
 => requirements to unlock: update_not_possible
 => requirements update strategy: bump_versions
    (no update possible 🙅‍♀️)
🌍 Total requests made: '1'

However, with native cargo, I learnt the following and was able to update cargo 1.0.0 to 1.4.0:

$ cargo update -p bytes
error: There are multiple `bytes` packages in your project, and the specification `bytes` is ambiguous.
Please re-run this command with `-p <spec>` where `<spec>` is one of the following:
  bytes@0.5.6
  bytes@1.0.0
$ cargo update -p bytes@0.5.6 -p bytes@1.0.0
    Updating crates.io index
    Updating bytes v1.0.0 -> v1.4.0

Kudos to cargo by the way for great CLI output clarity, both on error and success.

deivid-rodriguez avatar Feb 17 '23 10:02 deivid-rodriguez

Here's an example from March 2024:

[[package]]
name = "regex-syntax"
version = "0.6.29"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "f162c6dd7b008981e4d40210aca20b4bd0f9b60ca9271061b07f78537722f2e1"

[[package]]
name = "regex-syntax"
version = "0.8.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "c08c74e62047bb2de4ff487b251e4a92e24f48745648451635cec7d591162d9f"

Dependabot run:

updater | 2024/03/29 15:18:08 INFO <job_807284237> Checking if regex-syntax 0.6.29 needs updating
  proxy | 2024/03/29 15:18:08 [021] GET https://crates.io:443/api/v1/crates/regex-syntax
  proxy | 2024/03/29 15:18:09 [021] 200 https://crates.io:443/api/v1/crates/regex-syntax
updater | 2024/03/29 15:18:09 INFO <job_807284237> Latest version is 0.8.3

Does not create PR from 0.8.2 to 0.8.3. The issue is that dependabot checks the first, lower version, which effectively disables dependabot for any crate that is pinned to a lower version.

jesse-shopify avatar May 23 '24 16:05 jesse-shopify
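The lowest-version-only check described in this thread, as an added example that is not dependabot-core's code: it parses the `[[package]]` stanzas of a Cargo.lock, groups them by crate, and compares checking only the lowest locked copy against checking every copy. It assumes a constructed lock-file excerpt and a constructed release list in place of a crates.io query.

```python
# Added example (not dependabot-core code): why checking only the lowest locked
# version of a crate misses the 0.8.2 -> 0.8.3 update reported above.
import re
from collections import defaultdict

# Constructed Cargo.lock excerpt mirroring the March 2024 report (checksums omitted).
LOCK = """[[package]]
name = "regex-syntax"
version = "0.6.29"
source = "registry+https://github.com/rust-lang/crates.io-index"

[[package]]
name = "regex-syntax"
version = "0.8.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
"""
# Constructed stand-in for the crates.io release list, so the script runs offline.
AVAILABLE = {"regex-syntax": ["0.6.29", "0.8.2", "0.8.3"]}

def parse_lock(text):
    """Return {crate name: [locked versions]} for every [[package]] stanza."""
    found = defaultdict(list)
    for stanza in re.split(r"^\[\[package\]\]$", text, flags=re.M)[1:]:
        fields = dict(re.findall(r'^(\w+) = "([^"]*)"', stanza, flags=re.M))
        found[fields["name"]].append(fields["version"])
    return dict(found)

def semver(v):  # plain numeric versions only, as in the constructed input
    return tuple(int(x) for x in v.split("."))

def compatible(locked, candidate):
    """Cargo caret rule: the leftmost non-zero component must not change."""
    l, c = semver(locked), semver(candidate)
    i = next((k for k, part in enumerate(l) if part), len(l) - 1)
    return c[: i + 1] == l[: i + 1] and c >= l

def latest_allowed(name, locked):
    """Newest release a bump_versions strategy would accept for this locked copy."""
    ok = [v for v in AVAILABLE.get(name, []) if compatible(locked, v)]
    return max(ok, key=semver, default=locked)

def updates(lock_text, lowest_only):
    """{name@version: newest allowed} for every locked copy that can move.
    lowest_only=True reproduces the DependencySet::<< behaviour from the issue."""
    out = {}
    for name, versions in parse_lock(lock_text).items():
        for v in ([min(versions, key=semver)] if lowest_only else versions):
            newest = latest_allowed(name, v)
            if newest != v:
                out[f"{name}@{v}"] = newest
    return out
```

The keys of the second result are exactly the `name@version` specs cargo asks for when `-p bytes` is ambiguous, so the same grouping also yields the disambiguated `cargo update -p` arguments.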