
0.x dependencies are never updated

Open kylewillmon opened this issue 3 years ago • 2 comments

We have a weekly cargo update for minor version updates and a weekly Dependabot run for major version updates. However, it turns out that neither of these handles bumping dependencies from 0.x to 0.x+1.

Originally posted by @kylewillmon in https://github.com/phylum-dev/cli/issues/707#issuecomment-1265607742

kylewillmon avatar Oct 07 '22 15:10 kylewillmon
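The reason neither job bumps a 0.x crate is Cargo's caret rule: a bare requirement like `"0.2.3"` means `^0.2.3`, and for a version whose major component is 0 the caret range ends at the next minor version, so `0.3.0` is a breaking change and `cargo update` will not select it. The script below is an added example (not code from the phylum-dev/cli project) that models that rule and shows which version a plain `cargo update` would pick from a constructed registry listing versus the newest version that is actually available. Pre-release tags and build metadata are ignored, which is an assumption for brevity.

```python
"""Model of Cargo's caret (^) compatibility rule, which is why `cargo update`
never moves a dependency from 0.x to 0.x+1.

Added example; not code from the phylum-dev/cli project. The registry
listing is constructed for illustration. Pre-release tags and build
metadata are ignored (assumption)."""

from typing import Iterable, Optional, Tuple

Version = Tuple[int, int, int]


def parse(v: str) -> Version:
    """Parse 'MAJOR.MINOR.PATCH' into a tuple of ints."""
    parts = v.split(".")
    if len(parts) != 3:
        raise ValueError(f"expected MAJOR.MINOR.PATCH, got {v!r}")
    major, minor, patch = (int(p) for p in parts)
    return (major, minor, patch)


def caret_upper_bound(req: Version) -> Version:
    """Exclusive upper bound of the range `^req` as Cargo defines it:
    the leftmost non-zero component may not change.
      ^1.2.3 -> <2.0.0
      ^0.2.3 -> <0.3.0   (0.x -> 0.x+1 is a breaking change)
      ^0.0.3 -> <0.0.4
    """
    major, minor, patch = req
    if major > 0:
        return (major + 1, 0, 0)
    if minor > 0:
        return (0, minor + 1, 0)
    return (0, 0, patch + 1)


def is_compatible(req: Version, candidate: Version) -> bool:
    """True if `candidate` satisfies `^req`."""
    return req <= candidate < caret_upper_bound(req)


def newest_compatible(req: str, available: Iterable[str]) -> Optional[str]:
    """The version a plain `cargo update` would select for requirement `^req`:
    the highest available version inside the caret range, or None."""
    r = parse(req)
    best: Optional[Version] = None
    for v in available:
        pv = parse(v)
        if is_compatible(r, pv) and (best is None or pv > best):
            best = pv
    return None if best is None else ".".join(map(str, best))


def newest_any(available: Iterable[str]) -> str:
    """The newest version on the registry regardless of compatibility. Reaching
    it requires editing the requirement in Cargo.toml, which is the step the
    weekly `cargo update` does not perform."""
    return ".".join(map(str, max(parse(v) for v in available)))


# Constructed registry listing for a hypothetical 0.x crate.
AVAILABLE = ["0.2.3", "0.2.9", "0.3.0", "0.3.2"]

if __name__ == "__main__":
    print("cargo update picks:", newest_compatible("0.2.3", AVAILABLE))  # 0.2.9
    print("newest on registry:", newest_any(AVAILABLE))                  # 0.3.2
```

Running it with the constructed listing shows the gap the issue describes: from `0.2.3`, `cargo update` advances only to `0.2.9`, while `0.3.2` sits outside the caret range and is untouched until something rewrites the requirement in Cargo.toml.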

Thanks to #889, we now know that Dependabot will update these minor versions if there is a security alert on the package.

This issue remains relevant, but that is at least a little bit of comfort.

kylewillmon avatar Jan 03 '23 17:01 kylewillmon