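# Dependabot configuration: weekly version-update PRs for the Cargo
# workspace and for the GitHub Actions workflows of this repository.
version: 2
updates:
  # Cargo dependency updates.
  - package-ecosystem: "cargo"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
    open-pull-requests-limit: 5
    # Group minor + patch updates so the per-cycle PR count stays
    # manageable. Major bumps still get their own PR per crate so
    # breaking changes aren't hidden inside a group.
    groups:
      cargo-minor-and-patch:
        # This group covers scheduled version updates only.
        applies-to: "version-updates"
        update-types:
          - "minor"
          - "patch"
    # Ignore major bumps that require source-level migration. They
    # come back as candidates for the next minor release (tracked
    # in `.dev/ROADMAP.md`), not as auto-applied PRs.
    #
    # Each rule names the update type explicitly. A bare
    # `update-types:` key is null and does not express "major only".
    #
    # NOTE(review): while a rule is active, a fix that ships only on
    # the newer major line is never proposed as a version update, so
    # advisories for these three crates need to be watched separately.
    ignore:
      # `rand 0.10` renamed `thread_rng()` to `rng()` and shifted
      # `Rng::gen_range` signature. Migration is intentional — see
      # ROADMAP §1.x backlog.
      - dependency-name: "rand"
        update-types:
          - "version-update:semver-major"
      # `thiserror 2.0` is a major bump scheduled for a future
      # minor release after audit.
      - dependency-name: "thiserror"
        update-types:
          - "version-update:semver-major"
      # `syn 2.0` requires reworking the derive crate's `Meta`
      # parsing. Scheduled for a future minor release.
      - dependency-name: "syn"
        update-types:
          - "version-update:semver-major"
  # GitHub Actions ecosystem updates. Same grouping discipline.
  - package-ecosystem: "github-actions"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "monday"
    open-pull-requests-limit: 5
    groups:
      # First-party actions published under the `actions/` org.
      actions-official-minor-and-patch:
        applies-to: "version-updates"
        patterns:
          - "actions/*"
        update-types:
          - "minor"
          - "patch"
      # Everything else. One grouped PR can bump actions from several
      # unrelated publishers, so review each bumped action on its own.
      actions-third-party-minor-and-patch:
        applies-to: "version-updates"
        exclude-patterns:
          - "actions/*"
        update-types:
          - "minor"
          - "patch"
    ignore:
      # `dtolnay/rust-toolchain` uses Rust version numbers as tags
      # (e.g. `@1.81.0` in the MSRV job). Dependabot mistakes them
      # for action versions and proposes bumps to non-existent
      # toolchains. The MSRV pin must track `Cargo.toml`'s
      # `rust-version` field manually.
      #
      # With no `versions` or `update-types` given, this rule ignores
      # every update for the action, not only the MSRV tag. Any other
      # reference to it in the workflows is maintained by hand too.
      - dependency-name: "dtolnay/rust-toolchain"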