feat: Add support for workspace.dependencies in cargo 1.64.0+

[poliorcetics]

I did not write tests because I don't know enough Ruby to do it, but I
will gladly accept directions on it.

Closes #5315

See the section on Cargo in https://github.com/rust-lang/rust/releases/tag/1.64.0 for more details about the workspace feature.

[poliorcetics]

Since Dependabot already handled dependencies like dep = { path = "path" } without a version, I expect that dependencies with workspace = true to work correctly out of the box. This makes this PR simply a matter of teaching Dependabot to look at [workspace.dependencies]

[Nishnha]

Hi @poliorcetics, thanks for this contribution!

I'm new to the Rust ecosystem, so I did some light reading on [workspace.dependencies] and it looks like the key is actually called [workspace.dependencies] so we should try matching on that instead of [workspace] and [dependencies] separately.

Dependabot will already include any dependencies under the [dependencies] key in cargo.toml files with https://github.com/dependabot/dependabot-core/blob/78afa00dbd274ed937d8ff70118d2d4335d39526/cargo/lib/dependabot/cargo/file_parser.rb#L64-L70

In order to get this merged in we will need to test that a project with [workspace.dependencies] in its cargo.toml has its dependencies parsed correctly.

Something similar to https://github.com/dependabot/dependabot-core/blob/78afa00dbd274ed937d8ff70118d2d4335d39526/cargo/spec/dependabot/cargo/file_parser_spec.rb#L123-L151

The manifest referenced in that file is at https://github.com/dependabot/dependabot-core/blob/78afa00dbd274ed937d8ff70118d2d4335d39526/cargo/spec/fixtures/manifests/repeated_dependency

[poliorcetics]

I'm new to the Rust ecosystem, so I did some light reading on [workspace.dependencies] and it looks like the key is actually called [workspace.dependencies] so we should try matching on that instead of [workspace] and [dependencies] separately.

This is not a single TOML key, This is a key and a subkey. The following samples are equivalent (Rust playground code for example)

[workspace.dependencies]
dep-name = "version"

[workspace]
dependencies = {  dep-name = "version"  }

workspace.dependencies = { dep-name = "version" }

So to parse [workspace.dependencies] in a Cargo.toml, I need to first look for workspace, then inside that, dependencies.

Thanks for the guidance on testing, I'll try to write one

[Nishnha]

This PR updates the version of Cargo we use in our Dockerfile since it introduces support for a new feature.

I thought about moving the check for workspace dependencies into our existing DEPENDENCY_TYPES.each loop in the file_parser, but it's more maintainable as it is and Cargo workspaces currently only support regular dependencies (as opposed to dev-dependencies and build-dependencies), so this is fine.

[poliorcetics]

Thanks for the help and fixing my mistakes @Nishnha, it was greatly appreciated 😄

[poliorcetics]

What's left to do ?

[jeffwidman]

I don't know a ton about Rust, but from what I understand this looks straightforward.

We follow a deploy-then-monitor-prod-then-merge strategy, so one of us will try to do that when we get a few spare cycles in the next few days.