Summary
7 Dependabot PRs have been open without merging, including major-version bumps for actions/checkout (v4→v7), actions/cache (v4→v6), and a 5-minor-version jump for the scraper crate (0.22→0.27).
Category
Dependency
Severity
Medium
Location
Details
Open Dependabot PRs:
#55 — actions/checkout 4.2.2 → 7.0.0 (major; changes fork PR security behavior)
#56 — actions/cache 4.2.3 → 6.0.0 (major)
#57 — serde_json 1.0.149 → 1.0.150 (patch — safe)
#58 — tokio 1.52.2 → 1.52.3 (patch — safe)
#59 — cssparser 0.34 → 0.37 (minor)
#60 — scraper 0.22 → 0.27 (5 minor versions — review breaking changes)
#61 — regex 1.12.3 → 1.12.4 (patch — safe)
The actions/checkout v7 bump changes how fork PRs handle permissions — review release notes before merging. The scraper jump from 0.22→0.27 may include API changes that affect CSS selector handling.
Suggested Fix
- Review
actions/checkout v7 release notes and merge if behavior is acceptable.
- Run
cargo test after merging the scraper bump to catch any selector API changes.
- Merge the patch-level bumps immediately (serde_json, tokio, regex).
Effort Estimate
30 min
Automated finding by repo-health-agent v1.0
Summary
7 Dependabot PRs have been open without merging, including major-version bumps for
actions/checkout(v4→v7),actions/cache(v4→v6), and a 5-minor-version jump for thescrapercrate (0.22→0.27).Category
Dependency
Severity
Medium
Location
.github/workflows/ci.ymlDetails
Open Dependabot PRs:
#55—actions/checkout4.2.2 → 7.0.0 (major; changes fork PR security behavior)#56—actions/cache4.2.3 → 6.0.0 (major)#57—serde_json1.0.149 → 1.0.150 (patch — safe)#58—tokio1.52.2 → 1.52.3 (patch — safe)#59—cssparser0.34 → 0.37 (minor)#60—scraper0.22 → 0.27 (5 minor versions — review breaking changes)#61—regex1.12.3 → 1.12.4 (patch — safe)The
actions/checkoutv7 bump changes how fork PRs handle permissions — review release notes before merging. Thescraperjump from 0.22→0.27 may include API changes that affect CSS selector handling.Suggested Fix
actions/checkoutv7 release notes and merge if behavior is acceptable.cargo testafter merging thescraperbump to catch any selector API changes.Effort Estimate
30 min
Automated finding by repo-health-agent v1.0