Skip to content

[repo-health] Medium: 7 Dependabot PRs unmerged — includes major-version Action bumps and scraper jump #67

Description

@Liohtml

Summary

7 Dependabot PRs have been open without merging, including major-version bumps for actions/checkout (v4→v7), actions/cache (v4→v6), and a 5-minor-version jump for the scraper crate (0.22→0.27).

Category

Dependency

Severity

Medium

Location

Details

Open Dependabot PRs:

  • #55actions/checkout 4.2.2 → 7.0.0 (major; changes fork PR security behavior)
  • #56actions/cache 4.2.3 → 6.0.0 (major)
  • #57serde_json 1.0.149 → 1.0.150 (patch — safe)
  • #58tokio 1.52.2 → 1.52.3 (patch — safe)
  • #59cssparser 0.34 → 0.37 (minor)
  • #60scraper 0.22 → 0.27 (5 minor versions — review breaking changes)
  • #61regex 1.12.3 → 1.12.4 (patch — safe)

The actions/checkout v7 bump changes how fork PRs handle permissions — review release notes before merging. The scraper jump from 0.22→0.27 may include API changes that affect CSS selector handling.

Suggested Fix

  1. Review actions/checkout v7 release notes and merge if behavior is acceptable.
  2. Run cargo test after merging the scraper bump to catch any selector API changes.
  3. Merge the patch-level bumps immediately (serde_json, tokio, regex).

Effort Estimate

30 min


Automated finding by repo-health-agent v1.0

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions