Skip to content

Releases: EmbarkStudios/cargo-deny

0.20.2

Choose a tag to compare

@Jake-Shadle Jake-Shadle released this 09 Jul 17:58

Changed

  • PR#881 refactored the CLI, moving some duplicated options/flags into the root and removing several deprecated options/flags/values. See the PR for a full list of changes.

Added

  • PR#879 resolved #873 by adding a new bans.std-replacements lint which checks the graph for crates.io sourced crates that have been partially or fully replaced in std and/or core.

Fixed

  • PR#880 resolved #765 by respecting non-default build script paths in manifests.
  • PR#881 resolved #874 by cleaning up the CLI, deduplicating some options/flags that caused the bug in the list subcommand.

0.19.9

Choose a tag to compare

@Jake-Shadle Jake-Shadle released this 15 Jun 14:28

Added

Fixed

  • PR#870 resolved #868 by spawning scoped threads directly, allowing forward progress even on severely constrained thread pool counts.
  • PR#871 resolved #869 by ignoring wildcards on crates that depend on themselves.

0.19.8

Choose a tag to compare

@Jake-Shadle Jake-Shadle released this 28 May 08:13

Fixed

  • PR#864 fixed matching of ^ and ~ with on prerelease versions for when checking if a crate is affected by an advisory. As of the time of the PR, this literally affected none of published versions of any crate with an advisory, but this just ensures such a case will be handled in the future.

0.19.7

Choose a tag to compare

@Jake-Shadle Jake-Shadle released this 22 May 07:49

Changed

0.19.6

Choose a tag to compare

@Jake-Shadle Jake-Shadle released this 11 May 10:50

Fixed

  • PR#854 resolved #854 by removing environment variables that affect repo paths before cloning or fetching the advisory database.

0.19.5

Choose a tag to compare

@Jake-Shadle Jake-Shadle released this 09 May 12:13

Fixed

0.19.4

Choose a tag to compare

@Jake-Shadle Jake-Shadle released this 15 Apr 12:44

Fixed

  • PR#847 and PR#848 resolved #846, which was an advisory parsing bug that only affected Windows.

0.19.2

Choose a tag to compare

@Jake-Shadle Jake-Shadle released this 14 Apr 08:17

Fixed

0.19.1

Choose a tag to compare

@Jake-Shadle Jake-Shadle released this 10 Apr 11:06

Fixed

  • PR#833 fixed an issue where the maximum advisory database staleness was over 14 years instead of the intended 90 days.
  • PR#839 fixed an issue where unsound advisories would appear for transitive dependencies despite requesting them only for workspace dependencies, resolving #829.
  • PR#840 resolved #797 by passing --filter-platform when collecting cargo metadata if only a single target was requested either in the config or via the command line.
  • PR#841 fixed an issue where --frozen would not disable fetching of the advisory DB, resolving #759.
  • PR#842 and PR#844 updated crates. Notably krates was updated to resolve two issues with crates being pruned from the graph used when running checks. Resolving these two issues may mean that updating cargo-deny may highlight issues that were previously hidden.
    • EmbarkStudios/krates#106 would fail to pull in crates brought in via a feature if that crate had its lib target renamed by the package author.
    • EmbarkStudios/krates#109 would fail to bring in optional dependencies if they were brought in by a weak feature in a crate also brought in by a weak feature.

Changed

  • PR#830 removed gix in favor of shelling out to git. This massively improves build times and eases maintenance as gix bumps minor versions quite frequently. If cargo-deny is used in an environment that for some reason allows internet access but doesn't have git available, the advisory database would need to be updated before calling cargo-deny.
  • PR#838 removed rustsec in favor of manually implemented advisory parsing and checking, with a nightly cron job that checks that the implementation exactly matches rustsec on the official rustsec advisory db.

0.19.0

Choose a tag to compare

@Jake-Shadle Jake-Shadle released this 08 Jan 12:12

Changed

  • PR#802 made relative paths passed to --config be resolved relative to the current working directory (rather than the resolved manifest path's directory).
  • PR#825 updated gix, reqwest, and tame-index to newer versions. The reqwest 0.13 changes means it is no longer possible to choose the source of root certificates for gix, so that decision is now left to rustls-platform-verifier. The native-certs feature has thus been removed, and cargo-deny no longer defaults to using webpki-roots.

Fixed

  • PR#802 fixed path handling of paths passed to --config, resolving #748.
  • PR#819 added locations to all SARIF results since that's mandatory for valid SARIF.
  • PR#821 fixed compilation on an Alpine host.

Added

  • PR#795 added [bans.allow-workspace] to allow workspace crates while denying all external crates.
  • PR#800 added [licenses.include-build] to toggle whether build dependencies are included in the license check.
  • PR#823 added [advisories.unused-ignored-advisory] to disable the warning when an advisory is ignored but not encountered in the crate graph.
  • PR#826 added [advisories.unsound] to determine which crates can show unsound advisories, similarly to the unmaintained field. Defaults to workspace crates, ignoring unsound advisories for transitive dependencies, resolving #824.