alamb opened a new issue, #14135: URL: https://github.com/apache/datafusion/issues/14135
### Is your feature request related to a problem or challenge? Broken out of a discussion on a PR here: - https://github.com/apache/datafusion/pull/14071#discussion_r1910286465 As described in https://github.com/apache/datafusion?tab=readme-ov-file#dependencies-and-a-cargolock DataFusion currently does not check in `Cargo.lock` which was the recommendation for earlier versions of Rust @mbrobbel has a good point here https://github.com/apache/datafusion/pull/14069#issuecomment-2582533271 that the guidance for Cargo.lock and library files has changed See https://blog.rust-lang.org/2023/08/29/committing-lockfiles.html ### Describe the solution you'd like TLDR it sounds like the rust team now suggests always committing Cargo.lock and letting dependabot handle updates. That seems like a good idea to me @gatesn suggested > Just my two cents, but I have found Renovate to be much more configurable. Here's an example of a lock file maintenance PR: https://github.com/spiraldb/vortex/pull/1818 Though One thing we have to be aware of in DataFusion is that as part of the Apache security posture, only certain third party actions are allowed -- we would have to double check Rennovate ### Describe alternatives you've considered _No response_ ### Additional context _No response_ -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: github-unsubscr...@datafusion.apache.org.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org --------------------------------------------------------------------- To unsubscribe, e-mail: github-unsubscr...@datafusion.apache.org For additional commands, e-mail: github-h...@datafusion.apache.org
