How to Use Dependabot/Renovate for Rust Dependencies

Configure Dependabot or Renovate via YAML or JSON files to automatically update Rust dependencies in Cargo.toml and Cargo.lock.

Use Dependabot or Renovate to automatically create pull requests that update your Cargo.toml and Cargo.lock files when new dependency versions are released. For Dependabot, create the file .github/dependabot.yml (path relative to your repository root) to configure the bot to scan the cargo ecosystem weekly and group updates by type.

version: 2
updates:
  - package-ecosystem: "cargo"
    directory: "/"
    schedule:
      interval: "weekly"
      day: "friday"
      time: "06:00"
      timezone: "Europe/Berlin"
    open-pull-requests-limit: 2
    rebase-strategy: "auto"
    groups:
      rust-patch-updates:
        patterns: ["*"]
        update-types: ["patch"]
      rust-minor-updates:
        patterns: ["*"]
        update-types: ["minor"]

Alternatively, configure Renovate by adding the file .github/renovatebot.json5 (path relative to your repository root) to manage updates based on your MSRV policy comments, such as # MSRV:N.
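
An added example (not from the original page or any project's own configuration) of Renovate settings that act on one such marker, # MSRV:1. It assumes the marker sits on the same line as the rust-version value in Cargo.toml and that Rust releases are resolved from the rust-lang/rust GitHub releases; the group names are made up for illustration.

```json5
// Added example. Assumed convention: a trailing "# MSRV:1" comment marks the
// rust-version line that Renovate should track, for instance:
//   rust-version = "1.74"  # MSRV:1
{
  customManagers: [
    {
      // Custom regex manager that extracts the version from the marked line.
      customType: 'regex',
      fileMatch: ['(^|/)Cargo\\.toml$'],
      matchStrings: [
        // Capture the version that precedes the marker on the same line.
        '(?<currentValue>\\d+\\.\\d+(\\.\\d+)?)[^\\n]*?\\bMSRV:1\\b',
      ],
      depNameTemplate: 'MSRV:1',
      // Assumption: toolchain versions are looked up as GitHub releases.
      packageNameTemplate: 'rust-lang/rust',
      datasourceTemplate: 'github-releases',
    },
  ],
  packageRules: [
    {
      // Keep MSRV bumps in their own pull request so a toolchain change is
      // reviewed separately from crate updates.
      matchManagers: ['custom.regex'],
      matchDepNames: ['MSRV:1'],
      // rust-version is written as major.minor here, so drop the patch part.
      extractVersion: '^(?<version>\\d+\\.\\d+)',
      groupName: 'msrv',
    },
    {
      // Crate updates from the built-in cargo manager, grouped by update
      // type like the Dependabot configuration above.
      matchManagers: ['cargo'],
      matchUpdateTypes: ['patch'],
      groupName: 'rust-patch-updates',
    },
    {
      matchManagers: ['cargo'],
      matchUpdateTypes: ['minor'],
      groupName: 'rust-minor-updates',
    },
  ],
}
```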