Is there an existing issue for this?
Package ecosystem
Cargo
Package manager version
No response
Language version
No response
Manifest location and content before the Dependabot update
https://github.com/divviup/divviup-api/blob/b3d1430f447ae01ce8dd1b4c82b07aa10c94fb2b/Cargo.toml
dependabot.yml content
https://github.com/divviup/divviup-api/blob/b3d1430f447ae01ce8dd1b4c82b07aa10c94fb2b/.github/dependabot.yml
Updated dependency
tower-http, from 0.6.11 to 0.7.0
What you expected to see, versus what you actually saw
I have been using Dependabot with a Cargo workspace containing a root package. The root package's manifest includes both a dependencies table and a workspace.dependencies table. I noticed that Dependabot has not been touching the version requirements in the dependencies table of that manifest for about 11 months. It has only been updating the lockfile and manifests of other packages. As a result, we have accumulated version skew between dependencies of different package manifests. (Compare https://github.com/divviup/divviup-api/blob/b3d1430f447ae01ce8dd1b4c82b07aa10c94fb2b/Cargo.toml#L48 and https://github.com/divviup/divviup-api/blob/b3d1430f447ae01ce8dd1b4c82b07aa10c94fb2b/client/Cargo.toml#L27) I noticed the issue because Dependabot just opened a PR with a breaking change upgrade to the lockfile, and no change to Cargo.toml. This lockfile change got reversed when running Cargo again, since it didn't match the dependency requirement.
Native package manager behavior
No response
Images of the diff or a link to the PR, issue, or logs
divviup/divviup-api#2320
Smallest manifest that reproduces the issue
No response