Releases: EmbarkStudios/cargo-deny-action
Releases Β· EmbarkStudios/cargo-deny-action
Release 2.0.19 - cargo-deny 0.19.7
Changed
- PR#860 updated crates, resolving krates#111.
Release 2.0.18 - cargo-deny 0.19.5
Release 2.0.17 - cargo-deny 0.19.2
Fixed
- PR#845 fixed structural issues with SARIF output, resolving #818. Thanks @KyleChamberlin!
Release 2.0.16 - cargo-deny 0.19.1
Fixed
- PR#833 fixed an issue where the maximum advisory database staleness was over 14 years instead of the intended 90 days.
- PR#839 fixed an issue where unsound advisories would appear for transitive dependencies despite requesting them only for workspace dependencies, resolving #829.
- PR#840 resolved #797 by passing
--filter-platformwhen collecting cargo metadata if only a single target was requested either in the config or via the command line. - PR#841 fixed an issue where
--frozenwould not disable fetching of the advisory DB, resolving #759. - PR#842 and PR#844 updated crates. Notably
krateswas updated to resolve two issues with crates being pruned from the graph used when running checks. Resolving these two issues may mean that updating cargo-deny may highlight issues that were previously hidden.- EmbarkStudios/krates#106 would fail to pull in crates brought in via a feature if that crate had its
libtarget renamed by the package author. - EmbarkStudios/krates#109 would fail to bring in optional dependencies if they were brought in by a weak feature in a crate also brought in by a weak feature.
- EmbarkStudios/krates#106 would fail to pull in crates brought in via a feature if that crate had its
Changed
- PR#830 removed
gixin favor of shelling out togit. This massively improves build times and eases maintenance asgixbumps minor versions quite frequently. If cargo-deny is used in an environment that for some reason allows internet access but doesn't havegitavailable, the advisory database would need to be updated before calling cargo-deny. - PR#838 removed
rustsecin favor of manually implemented advisory parsing and checking, with a nightly cron job that checks that the implementation exactly matches rustsec on the official rustsec advisory db.
Release 2.0.15 - cargo-deny 0.19.0
Changed
- PR#802 made relative paths passed to
--configbe resolved relative to the current working directory (rather than the resolved manifest path's directory). - PR#825 updated
gix,reqwest, andtame-indexto newer versions. Thereqwest0.13 changes means it is no longer possible to choose the source of root certificates forgix, so that decision is now left torustls-platform-verifier. Thenative-certsfeature has thus been removed, andcargo-denyno longer defaults to usingwebpki-roots.
Fixed
- PR#802 fixed path handling of paths passed to
--config, resolving #748. - PR#819 added locations to all SARIF results since that's mandatory for valid SARIF.
- PR#821 fixed compilation on an Alpine host.
Added
- PR#795 added
[bans.allow-workspace]to allow workspace crates while denying all external crates. - PR#800 added
[licenses.include-build]to toggle whether build dependencies are included in the license check. - PR#823 added
[advisories.unused-ignored-advisory]to disable the warning when an advisory is ignored but not encountered in the crate graph. - PR#826 added
[advisories.unsound]to determine which crates can showunsoundadvisories, similarly to theunmaintainedfield. Defaults toworkspacecrates, ignoringunsoundadvisories for transitive dependencies, resolving #824.
Release 2.0.14 - cargo-deny 0.18.6
0.18.5
Changed
- PR#789 changed it so that release binaries are now built with LTO.
- PR#790 and PR#794 updated various crates.
Added
- PR#790 added SARIF as an output format, usable via
--format sarif. The current output for this format is experimental and may change in future updates.
0.18.6
Fixed
- PR#805 updated
rustsecto 0.31, resolving #804. - PR#810 resolved #809 by printing the crate name and version when its manifest does not contain a
licenseexpression.
Added
Changed
- PR#808 updated
gixto 0.75.
Release 2.0.13 - cargo-deny 0.18.4
Added
- PR#779 added the
--metadata-pathargument to use a cargo metadata JSON file instead of calling cargo metadata, resolving #777. - PR#782 added
sources.unused-allow-sourceto allow configuration of the lint level when a source is allowed but not used by any crate in the graph, closing #781.
Changed
- PR#786 changed the license check output.
/is no longer corrected toOR, and if the license expression is found in the package's manifest, that span is used in diagnostic messages instead of the synthesized manifest.
Fixed
- PR#786 resolved #784 by updating
spdxto a new version that forces all GNU licenses to be exactly equal when comparing license expressions to licensee expressions, which is incredibly pedantic, but means the license comparison is entirely in the hands of the user so that I no longer have to deal with GNU licenses.
Release 2.0.12 - cargo-deny 0.18.3
Changed
- PR#773 changed cargo-deny's duplicate detection to automatically ignore versions whose only dependent is another version of the same crate.
v2.0.11
[0.18.2] - 2025-03-10
Added
- PR#753 resolved #752 by adding back the
advisories.unmaintainedconfig option. See the docs for how it can be used. The default matches the current behavior, which is to error on anyunmaintainedadvisory, but addingunmaintained = "workspace"to the[advisories]table will mean unmaintained advisories will only error if the crate is a direct dependency of your workspace.
[0.18.1] - 2025-02-27
Fixed
- PR#749 updated
kratesto pull in the fix for EmbarkStudios/krates#100.