Add crates/* directories to Dependabot config#7687
fanninpm wants to merge 1 commit into RustPython:main
Actionable comments posted: 1
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Inline comments:
In @.github/dependabot.yml:
- Around line 5-7: The dependabot config currently lists directories: - "/" and
- "crates/*", which is redundant for a Cargo workspace; update the
dependabot.yml by removing the "crates/*" entry so only directories: - "/"
remains unless you intentionally need per-crate schedules or ignore rules;
locate the directories key in .github/dependabot.yml and delete the "crates/*"
line or replace the array with a single "directory: \"/\"" entry when
simplifying to root-only workspace discovery.
📒 Files selected for processing (1)
.github/dependabot.yml
| directories: | ||
| - "/" | ||
| - "crates/*" |
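Review bot: the `"crates/*"` entry carries no comment saying why the member directories are listed in addition to `"/"`, so a later reader may take it for a redundant entry and drop it. Add a one-line YAML comment above `directories:` recording that the manifests under crates/ are listed so their own Cargo.toml files are scanned, and consider writing the glob with the same leading-slash form as the root entry so both paths read consistently.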
🧩 Analysis chain
🏁 Script executed:
```bash
#!/bin/bash
# 1) Check whether a `crates/` parent directory exists and what it contains.
echo "=== crates/ tree ==="
fd -t d -d 2 . crates 2>/dev/null || echo "(no crates/ directory found)"
# 2) List all Cargo.toml files in the repo (excluding vendored/target dirs)
echo
echo "=== All Cargo.toml locations ==="
fd -H -t f '^Cargo\.toml$' -E target -E vendor
# 3) Inspect workspace members declared at the repo root
echo
echo "=== Root Cargo.toml [workspace] section ==="
sed -n '/\[workspace\]/,/^\[/p' Cargo.toml 2>/dev/null | head -n 80
```
Repository: RustPython/RustPython
Length of output: 1720
🌐 Web query:
Dependabot config: does the `directories` field support glob patterns like `crates/*` for Cargo workspaces, and is it recommended to list workspace member directories separately from the workspace root?
💡 Result:
Yes, the directories field in Dependabot's dependabot.yml supports glob patterns like crates/* for Cargo workspaces. This feature was introduced in June 2024 and applies to the cargo package ecosystem. For Cargo workspaces, configuring directory: / at the root is typically sufficient because Dependabot automatically discovers and updates all workspace members (Cargo.toml files listed in the root workspace's members and related dependencies like workspace.dependencies). Listing workspace member directories separately (e.g., via crates/* or explicit paths) is possible with directories but not necessary or recommended for standard setups, as it may lead to redundant configurations or overlapping rules. Use the root configuration unless you need distinct schedules, groups, or ignores for specific subdirectories.
Citations:
- 1: https://github.blog/changelog/2024-06-25-simplified-dependabot-yml-configuration-with-multi-directory-key-directories-and-wildcard-glob-support/
- 2: https://docs.github.com/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file
- 3: https://help.github.com/en/code-security/dependabot/dependabot-version-updates/controlling-dependencies-updated
- 4: Rust: other crates in workspace are not updated dependabot/dependabot-core#1207
Consider simplifying to directory: "/" unless per-crate configurations are intentional.
The glob pattern crates/* does match workspace member directories; however, Dependabot's official guidance (as of June 2024) states that for Cargo workspaces, configuring directory: "/" alone is sufficient and recommended. Dependabot automatically discovers and updates all workspace members listed in the root workspace configuration. Adding member directories separately via the directories field may lead to redundant configurations and overlapping update rules.
If the intent is to apply distinct schedules, ignore rules, or version groups to specific crates, then explicit per-crate entries make sense. Otherwise, remove "crates/*" and rely on the root configuration.
The problem is that Dependabot was updating blake2 in /Cargo.toml (in the root directory) but simultaneously not updating blake2 in crates/stdlib/Cargo.toml. Is there any way to fix this?
@fanninpm, that's a well-known pain point with Dependabot and Cargo workspaces — my earlier concern was unwarranted. When both the root Cargo.toml and a subdirectory crate (e.g. crates/stdlib/Cargo.toml) share a dependency, Dependabot historically opened a PR only for the root crate, leaving the subdirectory crate behind and causing version drift.
Adding "crates/*" via the directories glob is the correct fix here — it explicitly tells Dependabot to scan each subdirectory under crates/ for its own Cargo.toml and open update PRs for those manifests independently. The change is valid and the PR looks good as-is. Sorry for the noise!
✏️ Learnings added
Learnt from: fanninpm
Repo: RustPython/RustPython PR: 7687
File: .github/dependabot.yml:5-7
Timestamp: 2026-04-25T16:47:08.900Z
Learning: In RustPython/RustPython, Dependabot only updates the root `/Cargo.toml` when using `directory: "/"` for the Cargo ecosystem, but does NOT automatically update dependencies in workspace member crates under `crates/` (e.g. `crates/stdlib/Cargo.toml`). The correct fix is to use the `directories` field with both `"/"` and `"crates/*"` in `.github/dependabot.yml` so that Dependabot scans each crate subdirectory separately.
🧠 Learnings used
Learnt from: CR
Repo: RustPython/RustPython PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-02-06T05:30:53.056Z
Learning: Applies to **/*.rs : Follow the default rustfmt code style by running `cargo fmt` to format Rust code
Nothing wrong with this change. But I do think it's better to define all dependencies versions in the root Cargo.toml under workspace, and have
What if the goal is to separate all the modules under

This allows dependabot to bump versions in all places we have
Cargo.toml, not just the root directory.