
chore: update dependencies #36

Open
reneleonhardt wants to merge 1 commit into mullvad:main from reneleonhardt:chore/update-dependencies

@reneleonhardt reneleonhardt commented Dec 22, 2025

Chores

  • Update dependencies and GitHub Actions (including SHA pinning to improve security)
  • Update Android NDK r25c to r27d
  • Let Dependabot update cargo and github-actions

@reneleonhardt
Author

Notes

  • Technical debt is high, but at least some upgrades were easy.
  • Is the README up-to-date? Only aarch64-apple-darwin (macos-latest) is tested, but the matrix states that only x86_64-apple-darwin is supported. It would be better if releases and binaries were published.

@MarkusPettersson98
Contributor

Hi @reneleonhardt, thanks for wanting to contribute!

We are a bit reluctant to accept PRs before having a more refined review process and better CI set up. This will unfortunately have to wait until holidays have passed.

Just a tip for future contributions: Please split your changes into commits that are as atomic as possible. That way we can accept some changes more easily, instead of having to reject the entire PR because of minor things. As an example in this case, we could likely accept the dependency bumps outright, but the dependabot CI will require some discussion.

@reneleonhardt
Author

No stress from my side, enjoy your holidays 😄

I could split the commit and force-push them if it's important.
Keep in mind that there is no CONTRIBUTING.md with such micro-management rules 😉
In addition, maintainers are allowed to change any line in any commit (you could comment/rename dependabot.yaml or adjust some of hundreds of options for example if you don't want to wait for the first updates).

But it's hard to explain from my point of view to wait months and years for contributions instead of just merging dependabot PRs whenever you're ready, it doesn't get much easier.
With renovatebot you could even update the Android NDK version automatically for example.

@MarkusPettersson98
Contributor

> Keep in mind that there is no CONTRIBUTING.md with such micro-management rules 😉

Yeah, this is what I mean with "having a more refined review process". We have to make it obvious and easy for a third-party to contribute, but we have not gotten around to that yet. Soon.. 😄

I appreciate that you took the time to open and comment on this PR. Unfortunately, I think we'll have to discuss internally before I can go ahead with this PR.

Happy holidays! 🌟

@faern
Member

faern commented Jan 13, 2026

IMO dependabot makes no sense on Rust crates. We do not have it on any other repository.
