Relax dependency update frequency to ease load on downstream #112

Open
iSaluki opened this issue Oct 28, 2023 · 4 comments
iSaluki commented Oct 28, 2023

Is your feature request related to a problem? Please describe.

This project seems to be using extremely up-to-date dependencies and requiring the latest versions, even when they are not expressly required by the code written.

For people such as myself trying to package this for downstream Linux distributions, Fedora in my case, it becomes difficult to coordinate updating all dependencies frequently.

If I want to package this, every time you release an update I would need to request multiple maintainers to perform dependency updates. Whilst once or twice this is no problem and is simply part of the job of a maintainer, when all dependencies are updated every other day it becomes near impossible to keep everything in sync.

Describe the solution you'd like

Well, I'm not a Rust developer, so I'll let you decide.

However, I can think of 2 possible solutions that might work.

  • Your dependabot config seems incorrect: you're updating dependencies frequently without any specific reason. Changing this to a slower cycle, or only updating dependencies when you need a new version or there is a security fix, could resolve this.

  • Or relaxing the constraints in your Cargo.toml file to allow older versions of dependencies to be built with kmon.

Describe alternatives you've considered

  • There aren't any viable alternatives that come to mind.
  • If some solution isn't implemented, it will probably not be possible for me to package this for Fedora.

Additional context

  • Nothing specific.
  • If you want to discuss this at all, please just drop a line on this issue and I'll be more than happy to get back to you.

iSaluki added the enhancement (New feature or request) label Oct 28, 2023

orhun (Owner) commented Nov 5, 2023

Hello, thanks for reporting!

kmon does not have a lot of dependencies (120~) compared to other Rust projects and it should be fine to keep them up-to-date. The most important dependency is ratatui, which is constantly adding improvements and fixes, and I would like to update it whenever it is possible. On top of that, there aren't frequent releases of the project itself anyway.

> Or relaxing the constraints in your Cargo.toml file to allow older versions of dependencies to be built with kmon.

Not sure how that would be possible but I'm open to suggestions/PR.

I understand your concern (as a fellow distro packager) but I'm not sure how I can help here :/ Just let me know what's needed to get this on Fedora!

orhun (Owner) commented Nov 5, 2023

One thing which is interesting is maybe we can distribute RPM binaries via cargo-generate-rpm.

@decathorpe

Requiring a new version just for the sake of "it existing" is making it a bit difficult for Linux Distributions to keep up.

There are dependabot configuration options that could help here:
https://docs.github.com/en/code-security/dependabot/dependabot-version-updates/configuration-options-for-the-dependabot.yml-file#versioning-strategy

For example, setting the versioning-strategy to increase-if-necessary would not bump dependencies from something like 1.2.3 to 1.2.4, because the former is still considered compatible with the latter. Only an update to 2.0.0 would cause dependabot to file a PR in this configuration, which sounds like what you want?
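
The compatibility rule the comment above relies on, as an added example that is not part of the thread or of kmon's code: a simplified Rust model of Cargo's default caret requirements that reports whether a new release already falls inside an existing Cargo.toml requirement. The function names and sample versions are constructed for illustration; it goes beyond the 1.2.3 case in the comment to cover 0.x crates, where Cargo treats a minor bump as incompatible.

```rust
// Added example: simplified model of Cargo's default (caret) version requirements.
// Pre-release and build-metadata suffixes are not handled.

/// Parse "1", "1.2" or "1.2.3" (optionally prefixed with '^') into numeric components.
fn parse(v: &str) -> Option<Vec<u64>> {
    let parts = v
        .trim()
        .trim_start_matches('^')
        .split('.')
        .map(|p| p.parse::<u64>().ok())
        .collect::<Option<Vec<u64>>>()?;
    if parts.len() <= 3 { Some(parts) } else { None }
}

/// Exclusive upper bound of a caret requirement: increment the left-most non-zero
/// component; if every written component is zero, increment the last one written.
fn caret_upper(req: &[u64]) -> [u64; 3] {
    let idx = req.iter().position(|&n| n != 0).unwrap_or(req.len() - 1);
    let mut upper = [0u64; 3];
    upper[idx] = req[idx] + 1;
    upper
}

/// True when `latest` is at or above the upper bound of `requirement`, so the manifest
/// itself must change. False means the existing Cargo.toml line still covers it.
fn needs_manifest_change(requirement: &str, latest: &str) -> Option<bool> {
    let req = parse(requirement)?;
    let new = parse(latest)?;
    if new.len() != 3 {
        return None; // a released version always has three components
    }
    Some([new[0], new[1], new[2]] >= caret_upper(&req))
}

fn main() {
    // Constructed (requirement, latest release) pairs; not taken from kmon's Cargo.toml.
    let samples = [("1.2.3", "1.2.4"), ("1.2.3", "1.9.0"), ("1.2.3", "2.0.0"),
                   ("0.23.0", "0.23.1"), ("0.23.0", "0.24.0"), ("0.0.3", "0.0.4")];
    for (req, latest) in samples {
        match needs_manifest_change(req, latest) {
            Some(true) => println!("{:>7} -> {:<7} raise requirement", req, latest),
            Some(false) => println!("{:>7} -> {:<7} already allowed", req, latest),
            None => println!("{:>7} -> {:<7} unparseable", req, latest),
        }
    }
}
```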

orhun (Owner) commented Nov 5, 2023

Yeah, sounds great. Would you be interested in submitting a PR for adding that option?
