v2.0.19: Release 2.0.19 - cargo-deny 0.19.7

Compare Source

Changed

• PR#860 updated crates, resolving krates#111.

v2.0.18: Release 2.0.18 - cargo-deny 0.19.5

Compare Source

Fixed

• PR#857 fixed a segfault reported in #​855.

v2.0.17: Release 2.0.17 - cargo-deny 0.19.2

Compare Source

Fixed

• PR#845 fixed structural issues with SARIF output, resolving #​818. Thanks @​KyleChamberlin!

v2.0.16: Release 2.0.16 - cargo-deny 0.19.1

Compare Source

Fixed

• PR#833 fixed an issue where the maximum advisory database staleness was over 14 years instead of the intended 90 days.
• PR#839 fixed an issue where unsound advisories would appear for transitive dependencies despite requesting them only for workspace dependencies, resolving #​829.
• PR#840 resolved #​797 by passing --filter-platform when collecting cargo metadata if only a single target was requested either in the config or via the command line.
• PR#841 fixed an issue where --frozen would not disable fetching of the advisory DB, resolving #​759.
• PR#842 and PR#844 updated crates. Notably krates was updated to resolve two issues with crates being pruned from the graph used when running checks. Resolving these two issues may mean that updating cargo-deny may highlight issues that were previously hidden.
  • EmbarkStudios/krates#106 would fail to pull in crates brought in via a feature if that crate had its lib target renamed by the package author.
  • EmbarkStudios/krates#109 would fail to bring in optional dependencies if they were brought in by a weak feature in a crate also brought in by a weak feature.

Changed

• PR#830 removed gix in favor of shelling out to git. This massively improves build times and eases maintenance as gix bumps minor versions quite frequently. If cargo-deny is used in an environment that for some reason allows internet access but doesn't have git available, the advisory database would need to be updated before calling cargo-deny.
• PR#838 removed rustsec in favor of manually implemented advisory parsing and checking, with a nightly cron job that checks that the implementation exactly matches rustsec on the official rustsec advisory db.

v2.0.15: Release 2.0.15 - cargo-deny 0.19.0

Compare Source

Changed

• PR#802 made relative paths passed to --config be resolved relative to the current working directory (rather than the resolved manifest path's directory).
• PR#825 updated gix, reqwest, and tame-index to newer versions. The reqwest 0.13 changes means it is no longer possible to choose the source of root certificates for gix, so that decision is now left to rustls-platform-verifier. The native-certs feature has thus been removed, and cargo-deny no longer defaults to using webpki-roots.

Fixed

• PR#802 fixed path handling of paths passed to --config, resolving #​748.
• PR#819 added locations to all SARIF results since that's mandatory for valid SARIF.
• PR#821 fixed compilation on an Alpine host.

Added

• PR#795 added [bans.allow-workspace] to allow workspace crates while denying all external crates.
• PR#800 added [licenses.include-build] to toggle whether build dependencies are included in the license check.
• PR#823 added [advisories.unused-ignored-advisory] to disable the warning when an advisory is ignored but not encountered in the crate graph.
• PR#826 added [advisories.unsound] to determine which crates can show unsound advisories, similarly to the unmaintained field. Defaults to workspace crates, ignoring unsound advisories for transitive dependencies, resolving #​824.

v2.0.14: Release 2.0.14 - cargo-deny 0.18.6

Compare Source

0.18.5

Changed

• PR#789 changed it so that release binaries are now built with LTO.
• PR#790 and PR#794 updated various crates.

Added

• PR#790 added SARIF as an output format, usable via --format sarif. The current output for this format is experimental and may change in future updates.

0.18.6

Fixed

• PR#805 updated rustsec to 0.31, resolving #​804.
• PR#810 resolved #​809 by printing the crate name and version when its manifest does not contain a license expression.

Added

• PR#807 added the unused-license-exception option to configure the lint level, resolving #​806.

Changed

• PR#808 updated gix to 0.75.

v2.0.13: Release 2.0.13 - cargo-deny 0.18.4

Compare Source

Added

• PR#779 added the --metadata-path argument to use a cargo metadata JSON file instead of calling cargo metadata, resolving #​777.
• PR#782 added sources.unused-allow-source to allow configuration of the lint level when a source is allowed but not used by any crate in the graph, closing #​781.

Changed

• PR#786 changed the license check output. / is no longer corrected to OR, and if the license expression is found in the package's manifest, that span is used in diagnostic messages instead of the synthesized manifest.

Fixed

• PR#786 resolved #​784 by updating spdx to a new version that forces all GNU licenses to be exactly equal when comparing license expressions to licensee expressions, which is incredibly pedantic, but means the license comparison is entirely in the hands of the user so that I no longer have to deal with GNU licenses.

v2.0.12: Release 2.0.12 - cargo-deny 0.18.3

Compare Source

Changed

• PR#773 changed cargo-deny's duplicate detection to automatically ignore versions whose only dependent is another version of the same crate.

v2.0.11

Compare Source

[0.18.2] - 2025-03-10

Added

• PR#753 resolved #​752 by adding back the advisories.unmaintained config option. See the docs for how it can be used. The default matches the current behavior, which is to error on any unmaintained advisory, but adding unmaintained = "workspace" to the [advisories] table will mean unmaintained advisories will only error if the crate is a direct dependency of your workspace.

[0.18.1] - 2025-02-27

Fixed

• PR#749 updated krates to pull in the fix for EmbarkStudios/krates#100.

v2.0.10

Compare Source

• PR#96 resolved #​94 by switching to the directory the manifest path is located in and doing rustup toolchain install if rustup show failed due to any reason

v2.0.9: Release 2.0.9 - cargo-deny 0.18.0

Compare Source

• d8395c1 removed the rustup update.

v2.0.8

Compare Source

• PR#93 pins to a hash instead of tag, avoiding future breakage from eg. rustup changes.

v2.0.7: Release 2.0.7 - cargo-deny 0.18.0

Compare Source

• PR#92 fixed an issue introduced by the latest rustup release.

v2.0.6: Release 2.0.6 - cargo-deny 0.18.0

Compare Source

Changed

• PR#746 changed the directory naming of advisory databases, again, so the name uses the last path component and a different, but also stable, hashing algorithm. Eg. the default https://github.com/rustsec/advisory-db will now be placed in $CARGO_HOME/advisory-dbs/advisory-db-3157b0e258782691.
• PR#746 changed the MSRV to 1.85.0 and uses edition 2024.

Fixed

• PR#746 fixes an issue when using cargo 1.85.0 where source urls were not being properly assigned to crates.io due to the constant being used no longer matching the new path used in cargo 1.85.0 causing eg. workspace dependency checks to fail.

v2.0.5: Release 2.0.5 - cargo-deny 0.17.0

Compare Source

Changed

• PR#745 updated tame-index to 0.18.0 so that cargo 1.85.0 is transparently supported along with older cargo versions.
• PR#745 now uses the same stable hashing as cargo 1.85.0 for the advisory databases, which changes their path, but will notably now be the same across all host platforms.

v2.0.4: Release 2.0.4 - cargo-deny 0.16.3

Compare Source

• Update base image to rust 1.83.0 so that version 4 lockfiles are supported with no config changes

v2.0.3: Release 2.0.3 - cargo-deny 0.16.3

Compare Source

Changed

• PR#721 updated rust-version to 1.81.0 to accurately reflect the minimum rust version required to compile, resolving #​720.
• PR#722 updated the SPDX license list to 3.25.0.

Fixed

• PR#726 resolved #​725 by adding the unnecessary-skip diagnostic, emitted when there is a skip configured for a crate that only has one version in the graph.

v2.0.2: Release 2.0.2 - cargo-deny 0.16.2

Compare Source

Fixed

• PR#703 resolved #​696 by no longer emitting errors when failing to deserialize deprecated fields, and removed some lingering documentation that wasn't removed in PR#611.
• PR#719 updated to krates -> 0.17.5, fixing an issue where cargo-deny could panic due to incorrectly resolving features for different versions of the same crate referenced by a single crate.
• PR#719 resolved #​706 by removing a warning issued when users use ignored scheme modifiers for source urls.
• PR#719 resolved #​718 by updating the book with missing arguments.

Added

• PR#715 resolved #​714 by adding support for Edition 2024. Thanks @​kpcyrd!
• PR#710 resolved #​708 by allowing for unpublished workspace crates to be excluded from the dependency graph that checks are run against, either via the --exclude-unpublished CLI argument or the graph.exclude-unpublished config field. Thanks @​Tastaturtaste!

Changed

• PR#711 updated goblin -> 0.9.2
• PR#713 updated various crates, notably rustsec -> 0.30.

v2.0.1: Release 2.0.1 - cargo-deny 0.16.1

Compare Source

Fixed

• PR#691 fixed an issue where workspace dependencies that used the current dir '.' path component would incorrectly trigger the unused-workspace-dependency lint.

v2.0.0: Release 2.0.0 - cargo-deny 0.16.0

Compare Source

Action

Added

• PR#78 added SSH support, thanks @​nagua!

Changed

• This release includes breaking changes in cargo-deny, so this release begins the v2 tag, using v1 will be stable but not follow future cargo-deny releases.

cargo-deny

Removed

• PR#681 finished the deprecation introduced in PR#611, making the usage of the deprecated fields into errors.

[advisories]

The following fields have all been removed in favor of denying all advisories by default. To ignore an advisory the ignore field can be used as before.

• vulnerability - Vulnerability advisories are now deny by default
• unmaintained - Unmaintained advisories are now deny by default
• unsound - Unsound advisories are now deny by default
• notice - Notice advisories are now deny by default
• severity-threshold - The severity of vulnerabilities is now irrelevant

[licenses]

The following fields have all been removed in favor of denying all licenses that are not explicitly allowed via either allow or exceptions.

• unlicensed - Crates whose license(s) cannot be confidently determined are now always errors. The clarify field can be used to help cargo-deny determine the license.
• allow-osi-fsf-free - The OSI/FSF Free attributes are now irrelevant, only whether it is explicitly allowed.
• copyleft - The copyleft attribute is now irrelevant, only whether it is explicitly allowed.
• default - The default is now deny.
• deny - All licenses are now denied by default, this field added nothing.

Changed

• PR#685 follows up on PR#673, moving the fields that were added to their own separate bans.workspace-dependencies section. This is an unannounced breaking change but is fairly minor and 0.15.0 was never released on github actions so the amount of people affected by this will be (hopefully) small. This also makes the workspace duplicate detection off by default since the field is optional, but makes it so that if not specified workspace duplicates are now deny instead of warn.

Fixed

• PR#685 resolved #​682 by adding the include-path-dependencies field, allowing path dependencies to be ignored if it is false.

v2

Compare Source

v1.6.3: Release 1.6.3 - cargo-deny 0.14.21

Compare Source

Fixed

• PR#643 resolved #​629 by making the hosted git (github, gitlab, bitbucket) org/user name comparison case-insensitive. Thanks @​pmnlla!
• PR#649 fixed an issue where depending on the same crate multiple times by using different cfg()/triple targets could cause features to be resolved incorrectly and thus crates to be not pulled into the graph used for checking.

[0.14.20] - 2024-03-23

Fixed

• PR#642 resolved #​641 by pinning gix-transport (and its unique dependencies) to 0.41.2 as a workaround for cargo install not using the lockfile. See this issue for more information.

v1.6.2: Release 1.6.2 - cargo-deny 0.14.19

Compare Source

Changed

• PR#639 updated tame-index to avoid an error if you don't used --locked.

[0.14.18] - 2024-03-21

Fixed

• PR#638 resolved #​636 by updating krates.

[0.14.17] - 2024-03-17

Changed

• PR#631 improved the diagnostic for when the yank check fails due to some issue with retrieving or reading the index information.
• PR#633 updated gix -> 0.60.

v1.6.1

Compare Source

Fixed

• PR#626 resolved #​625 by explicitly checking that a license identified as Pixar was actually (probably) the Pixar license, instead of a normal Apache-2.0 license.

v1.6.0

Compare Source

action changes

• Color output is now always enabled so that colors show up in the action output.

0.14.15

Added

• PR#618 added metadata notes to diagnostics when a license is rejected, as well as removing span information for accepted licenses unless the log level is info or higher to make the diagnostic clearer by default.

0.14.14

Fixed

• PR#617 resolved #​576 by updating the SPDX license list to 3.23.

0.14.13

Fixed

• PR#615 fixed an issue introduced in PR#605 where the various bans diagnostic codes could not have their lint level changed via the CLI. It also introduced the deprecated diagnostic code.

0.14.12

Changed

• PR#605 did a major refactor of configuration, both how it is deserialized and changing (hopefully improving) many options.
• PR#605 moved targets, exclude, all-features, features, no-default-features, and exclude into the [graph] table.
• PR#605 moved feature-depth into the [output] table.

Added

• PR#613 added support for basic shell expansion to advisories.db-path, which expands support beyond just ~ to include environment variable expansion.

Fixed

• PR#601 resolved #​600 by outputting the correct spans when a license was both allowed and denied.
• PR#605 resolved #​264 be replacing toml and serde with toml-span.
• PR#605 resolved #​539 by simplifying the very common name = "<crate_name>", version = "<requirements>" used to target specific crates into either a plain package spec string or the simpler crate = "<package spec>".
• PR#605 resolved #​578 by adding a reason = "<reason>" field to many fields within the configuration that are provided in diagnostics. [bans.deny] also has an additional use-instead = "<url/crate_name>". PR#610 did this for the advisories.ignore field.
• PR#605 resolved #​579 by allowing yanked crates to be ignored by specifying a PackageSpec in the [advisories.ignore] array.

Deprecated

• PR#606 and PR#611 together deprecated several fields listed below. See PR#611 for how to change your config to opt-in to the new behavior that will become the default when the deprecated fields are removed in a future minor version.
  • [advisories]
    • vulnerability
    • unmaintained
    • unsound
    • notice
    • severity-threshold
  • [licenses]
    • unlicensed
    • allow-osi-fsf-free
    • copyleft
    • default
    • deny

v1.5.15: Release 1.5.15 - cargo-deny 0.14.11

Compare Source

Fixed

• Resolved #​71 that was introduced in the previous release.

v1.5.14: Release 1.5.14 - cargo-deny 0.14.11

Compare Source

Added

• Added the manifest-path key as a shorthand for doing arguments: --manifest-path <path>

v1.5.13: Release 1.5.13 - cargo-deny 0.14.11

Compare Source

Fixed

• PR#599 resolved #​488 by treating git and path sources differently. Thanks @​kpreid!

v1.5.12: Release 1.5.12 - cargo-deny 0.14.10

Compare Source

Fixed

• PR#596 updated krates again to pull in krates#77.

v1.5.11: Release 1.5.11 - cargo-deny 0.14.9

Compare Source

Fixed

• PR#594 updated krates again to pull in krates#75.

v1.5.10: Release 1.5.10 - cargo-deny 0.14.8

Compare Source

Fixed

• PR#592 updated krates again to pull in krates#73.

v1.5.9: Release 1.5.9 - cargo-deny 0.14.7

Compare Source

Fixed

• PR#591 updated krates again to pull in krates#71.

v1.5.8: Release 1.5.8 - cargo-deny 0.14.6

Compare Source

Fixed

• PR#590 updated krates to fix an issue with crates that directly have a dependency on 2 or more versions of the same crate.

Added

• PR#590 resolved #​405 by emitting warnings when a wrapper crate for a banned crate does not have a dependency on that crate.

Changed

• PR#591 updated gix and tame-index.

v1.5.7: Release 1.5.7 - cargo-deny 0.14.5

Compare Source

Fixed

• PR#588 resolved an issue introduced in [0.14.4] where features that reference dev-only dependencies in non-workspace crates would cause a panic.

v1.5.6: Release 1.5.6 - cargo-deny 0.14.4

Compare Source

Fixed

• PR#586 resolved 2 issues with crate graph creation, see krates#60 and krates#64 for more details.

v1.5.5: Release 1.5.5 - cargo-deny 0.14.2

Compare Source

Added

• PR#545 added the ability to specify additional license exceptions via additional configuration files.
• PR#549 added the bans.build configuration option, opting in to checking for file extensions, native executables, and interpreted scripts. This resolved #​43.

Changed

• PR#557 introduced changes to how dev-dependencies are handled. By default, crates that are only used as dev-dependencies (ie, there are no normal nor build dependency edges linking them to other crates) will no longer be considered when checking for multiple-versions violations. This can be re-enabled via the bans.multiple-versions-include-dev config field. Additionally, licenses are no longer checked for dev-dependencies, but can be re-enabled via licenses.include-dev the config field. dev-dependencies can also be completely disabled altogether, but this applies to all checks, including advisories and sources, so is not enabled by default. This behavior can be enabled by using the exclude-dev field, or the --exclude-dev command line flag. This change resolved #​322, #​329, #​413 and #​497.

Fixed

• PR#549 fixed #​548 by correctly locating cargo registry indices from an git ssh url.
• PR#549 fixed #​552 by correctly handling signal interrupts and removing the advisory-dbs lock file.
• PR#549 fixed #​553 by adding the native-certs feature flag that can enable the OS native certificate store.

Deprecated

• PR#549 moved bans.allow-build-scripts to bans.build.allow-build-scripts. bans.allow-build-scripts is still supported, but emits a warning.

v1.5.4: Release 1.5.4 - cargo-deny 0.14.0

Compare Source

Updated the cargo version to 1.71.0 which should give significant improvements to run times due to using the crates.io sparse index instead of the old git index.

v1.5.3: Release 1.5.3 - cargo-deny 0.14.0

Compare Source

Changed

• PR#520 resolved #​522 by completely removing all dependencies upon git2 and openssl. This was done by transitioning from git2 -> gix for all git operations, both directly in this crate, as well as replacing crates-index with tame-index.
• PR#520 bumped the MSRV from 1.65.0 -> 1.70.0
• PR#523 added "(try cargo update -p <crate_name>)" when an advisory is detected for a crate. Thanks @​Victor-N-Suadicani!

Fixed

• PR#520 resolved #​361 by printing output when a fetch is being performed to clarify what is taking time.
• PR#520 (possibly) resolved #​435 by switching all git operations from git2 to gix.
• PR#520 resolved #​439 by using minimal refspecs for cloning and fetching all remote git repositories (indices or advisory databases) where only the remote HEAD is needed to update the local repository, regardless of the default remote branch pointed to by HEAD.
• PR#520 resolved #​446 by ensuring (and testing) that crates from non-registry sources are not checked for advisories, eg. in the case that a local crate is named and versioned the same as a crate from crates.io that has an advisory that affects it.
• PR#520 resolved #​515 by always opening the correct registry index based upon the environment.
• PR#531 resolved #​210 by adding osi and fsf options to licenses.allow-osi-fsf-free. Thanks @​zkxs!
• PR#533 resolved #​521 and #​524 by allowing clarifications to add files that are used to verify the license information is up to date, rather than needing to match one of the license files that was discovered.
• PR#534 resolved #​479 by improving how advisory databases are cloned and/or fetched, notably each database now uses gix's file-based locking to ensure that only one process has mutable access to an advisory database repo at a time.

Removed

• PR#520 removed all features, notably standalone. This is due to cargo still being in transition from git2 -> gix and having no way to compiled without OpenSSL. Once cargo is a better state with regards to this we can add back that feature.

v1.5.2: Release 1.5.2 - cargo-deny 0.13.9

Compare Source

Fixed

• PR#506 replaced atty (unmaintained) with is-terminal. Thanks @​tottoto!
• PR#511 resolved #​494, #​507, and #​510 by fixing up how and when urls are normalized.
• PR#512 resolved #​509 by fixing casing of the root configuration keys.
• PR#513 resolved #​508 by correctly using the crates.io sparse index when checking for yanked crates if specified by the user, as well as falling back to the regular git index if the sparse index is not present.

v1.5.1: Release 1.5.1 - cargo-deny 0.13.8

Compare Source

Added

• PR#504 (though really PR#365) resolved #​350 by adding the deny-multiple-versions field to bans.deny entries, allowing specific crates to deny multiple versions while allowing/warning on them more generally. Thanks @​leops!
• PR#493 resolved #​437 by also looking for deny configuration files in .cargo. Thanks @​DJMcNab!
• PR#502 resolved #​500 by adding initial support for sparse indices.

Fixed

• PR#503 resolved #​498 by falling back to more lax parsing of the SPDX expression of crate if fails to parse according to the stricter but more correct rules.

v1.5.0: Release 1.5.0 - cargo-deny 0.13.7

Compare Source

Update from cargo-deny 0.13.5 to 0.13.7, apparently I missed two releases, that's embarrassing.

0.13.7

Fixed

• PR#491 resolved #​490 by building libgit2 from vendored sources instead of relying on potentially outdated packages.

0.13.6

Changed

• PR#489 updated dependencies, notably clap, cargo, and git2

Added

• PR#485 added this project and repository to our Security Bug Bounty Program and has Private vulnerability reporting enabled. See SECURITY.md for more details.
• PR#487 added allow-wildcard-paths, fixing #​488 by allowing wildcards to be denied, but allowing them for internal, private crates. Thanks @​sribich!

Fixed

• PR#489 fixed an issue where git sources where branch=master would be incorrectly categorized as not specifying the branch (ie use HEAD of default branch).

v1.4.0: Release 1.4.0 - cargo-deny 0.13.5

Compare Source

Changed

• Updated to cargo-deny 0.13.5

v1.3.2: - cargo-deny 0.12.1

Compare Source

Added

• PR#54 resolved #​53 by adding the credentials parameter for passing in a private access token to allow cargo to fetch private github repositories. Thanks @​danielhaap83!

v1.3.1: - cargo-deny 0.12.1

Compare Source

Fixed

• PR#426 fixed an oversight in PR#422, fully resolving #​412 by allowing both https and ssh URLs for advisory databases. Thanks @​jbg!

Changed

• PR#427 updated dependencies.

v1.3.0: - cargo-deny 0.12.0

Compare Source

Removed

• PR#423 removed the fix subcommand. This functionality was far too complicated for far too little benefit.

Fixed

• PR#420 resolved #​388 by adding the ability to fetch advisory databases via the git CLI. Thanks @​danielhaap83!
• PR#422 fixed #​380 and #​410 by updating a few transitive dependencies that use git2, as well as removing the usage of rustsec's git feature so that we now use git2 v0.14, resolving a crash issue in new libgit2 versions available in eg. rolling release distros such as Arch. This should also make it easier to update and improve git related functionality since more of it is inside cargo-deny itself now.
• PR#424 really fixed (there's even a test now!) #​384 by adding each version's reverse dependency graph in the ascending order.

v1.2.17: - cargo-deny 0.11.4

Compare Source

Changed

• PR#51 updated the image to use Rust 1.60.0 by default. Thanks @​MarcoIeni!

v1.2.16: - cargo-deny 0.11.4

Compare Source

Added

• PR#49 added the command-arguments option to the action. Thanks @​ryo33!

v1.2.15: - cargo-deny 0.11.3

Compare Source

Fixed

• Accidentally change how arguments were forwarded to cargo-deny which broken more complicated invocations

v1.2.14: - cargo-deny 0.11.3

Compare Source

Added

• Added git to the image, resolving #​40

v1.2.13: - cargo-deny 0.11.3

Compare Source

Changed

• Added the rust-version github actions variable, allowing you to specify a specific cargo version to use when running cargo-deny, including nightly, or other unstable versions.

v1.2.12: - cargo-deny 0.11.3

Compare Source

Fixed

• PR#407 resolved #​406 by always checking license exceptions first.

v1.2.11

Compare Source

v1.2.10: - cargo-deny 0.11.1

Compare Source

Added

• PR#391 resolved #​344 by adding [licenses.ignore-sources] to ignore license checking for crates sourced from 1 or more specified registries. Thanks @​ShellWowza!
• PR#396 resolved #​366 by also looking for .deny.toml in addition to deny.toml if a config file is not specified.

Changed

• PR#392 updated all dependencies.

Fixed

• PR#393 resolved #​371 by changing the default for version requirements specified in config files to accept all versions, rather than using the almost-but-not-quite default of *.
• PR#394 resolved #​147 by ignore all private crates, not only the ones in the workspace.
• PR#395 resolved #​375 by fixing a potential infinite loop when using [bans.skip-tree].

v1.2.9: - cargo-deny 0.11.0

Compare Source

Fixed image to use proper tag.

v1.2.8: - cargo-deny 0.11.0

Compare Source

Updated the cargo version in the image to 1.57.0 to allow for the use of custom profiles.

v1.2.7: v1.2.6 - cargo-deny 0.11.0

Compare Source

[0.11.0] - 2021-12-06

Changed

• PR#382 updated dependencies and bumped the Minimum Stable Rust Version to 1.56.1.

[0.10.3] - 2021-11-22

Changed

• PR#379 updated askalono which got rid of the failure dependency, which was pulling in a lot of additional crates that are now gone.

✂ Note

PR body was truncated to here.