Now that cargo.lock has been added, Dependabot alerts about minor and patch version updates as well as major version updates. However, these pull requests come too frequently, distracting us from more important work.
There are a few options on how to fix this:
Given the scope of Hypermine, a security vulnerability in an existing package is unlikely to result in danger to anyone playing Hypermine, and I could imagine that a more important security risk is that the private key of one of our dependencies' maintainers gets compromised, causing a malicious patch version for a trusted package to be uploaded to cargo. Such packages would be yanked very quickly, but if we are quicker, we could be affected. To keep this project low-maintenance, being slow about updating packages seems like the right move.
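One way to implement the "be slow about updating" policy described above is a Dependabot configuration that checks the cargo ecosystem less often and ignores minor/patch bumps, while leaving major updates visible. This is an added illustration, not a file from the Hypermine repository; the schedule, directory and limit values are assumptions and can be tuned.

```yaml
# .github/dependabot.yml (illustrative example, not the project's own file)
version: 2
updates:
  - package-ecosystem: "cargo"
    directory: "/"            # assumption: Cargo.toml lives at the repo root
    schedule:
      interval: "monthly"     # assumption: monthly instead of the default weekly
    open-pull-requests-limit: 3   # assumption: cap concurrent update PRs
    ignore:
      # Skip the noisy minor/patch bumps that prompted this issue; a freshly
      # published malicious patch release is also less likely to be pulled in
      # before it is yanked, since the lock file is only revisited monthly.
      - dependency-name: "*"
        update-types:
          - "version-update:semver-minor"
          - "version-update:semver-patch"
```

Before relying on this, check how ignore rules interact with Dependabot security-update PRs in the repository settings, so that a real advisory against a pinned version still surfaces even though routine bumps are suppressed.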