No actionable comments were generated in the recent review. 🎉

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

RustPython is a binary and a library. Library user uses Cargo.toml and application uses uses Cargo.lock. Specifying the latest version is good for application users, but not for library users

RustPython is a binary and a library. Library user uses Cargo.toml and application uses uses Cargo.lock. Specifying the latest version is good for application users, but not for library users

That's a good point.
I believe consistency is good, which way should we choose?

When I originally gave the approval, I hadn't considered the library users. Thinking back on it, it's actually normal behavior for Dependabot to only update Cargo.lock in that regard. For the sake of library users, we need to use the most generous (lowest) version possible, as long as it doesn't affect functionality.

So, honestly, I'm leaning toward sticking with the current approach. In the case of something like bstr = "1", it originally allowed versions like 1.0.x to be used, but now it requires 1.12.1 or higher.

@ShaharNaveh choosing tight versions for Cargo.lock and loose versions for Cargo.toml is a good trade-off and consistent. If we have to really upgrade incompatible, they are being upgraded together.
One of caveat of this approach is we accidently can specify too low version of dependnecy for Cargo.toml. Everything other is good.