Releases: EmbarkStudios/cargo-deny
Releases Β· EmbarkStudios/cargo-deny
Release list
0.20.2
Changed
- PR#881 refactored the CLI, moving some duplicated options/flags into the root and removing several deprecated options/flags/values. See the PR for a full list of changes.
Added
- PR#879 resolved #873 by adding a new
bans.std-replacementslint which checks the graph for crates.io sourced crates that have been partially or fully replaced instdand/orcore.
Fixed
0.19.9
0.19.8
Fixed
- PR#864 fixed matching of
^and~with on prerelease versions for when checking if a crate is affected by an advisory. As of the time of the PR, this literally affected none of published versions of any crate with an advisory, but this just ensures such a case will be handled in the future.
0.19.7
Changed
- PR#860 updated crates, resolving krates#111.
0.19.6
0.19.5
0.19.4
0.19.2
Fixed
- PR#845 fixed structural issues with SARIF output, resolving #818. Thanks @KyleChamberlin!
0.19.1
Fixed
- PR#833 fixed an issue where the maximum advisory database staleness was over 14 years instead of the intended 90 days.
- PR#839 fixed an issue where unsound advisories would appear for transitive dependencies despite requesting them only for workspace dependencies, resolving #829.
- PR#840 resolved #797 by passing
--filter-platformwhen collecting cargo metadata if only a single target was requested either in the config or via the command line. - PR#841 fixed an issue where
--frozenwould not disable fetching of the advisory DB, resolving #759. - PR#842 and PR#844 updated crates. Notably
krateswas updated to resolve two issues with crates being pruned from the graph used when running checks. Resolving these two issues may mean that updating cargo-deny may highlight issues that were previously hidden.- EmbarkStudios/krates#106 would fail to pull in crates brought in via a feature if that crate had its
libtarget renamed by the package author. - EmbarkStudios/krates#109 would fail to bring in optional dependencies if they were brought in by a weak feature in a crate also brought in by a weak feature.
- EmbarkStudios/krates#106 would fail to pull in crates brought in via a feature if that crate had its
Changed
- PR#830 removed
gixin favor of shelling out togit. This massively improves build times and eases maintenance asgixbumps minor versions quite frequently. If cargo-deny is used in an environment that for some reason allows internet access but doesn't havegitavailable, the advisory database would need to be updated before calling cargo-deny. - PR#838 removed
rustsecin favor of manually implemented advisory parsing and checking, with a nightly cron job that checks that the implementation exactly matches rustsec on the official rustsec advisory db.
0.19.0
Changed
- PR#802 made relative paths passed to
--configbe resolved relative to the current working directory (rather than the resolved manifest path's directory). - PR#825 updated
gix,reqwest, andtame-indexto newer versions. Thereqwest0.13 changes means it is no longer possible to choose the source of root certificates forgix, so that decision is now left torustls-platform-verifier. Thenative-certsfeature has thus been removed, andcargo-denyno longer defaults to usingwebpki-roots.
Fixed
- PR#802 fixed path handling of paths passed to
--config, resolving #748. - PR#819 added locations to all SARIF results since that's mandatory for valid SARIF.
- PR#821 fixed compilation on an Alpine host.
Added
- PR#795 added
[bans.allow-workspace]to allow workspace crates while denying all external crates. - PR#800 added
[licenses.include-build]to toggle whether build dependencies are included in the license check. - PR#823 added
[advisories.unused-ignored-advisory]to disable the warning when an advisory is ignored but not encountered in the crate graph. - PR#826 added
[advisories.unsound]to determine which crates can showunsoundadvisories, similarly to theunmaintainedfield. Defaults toworkspacecrates, ignoringunsoundadvisories for transitive dependencies, resolving #824.