All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
- Pinned `gix-transport` (and its unique dependencies) to 0.41.2 as a workaround for `cargo install` not using the lockfile. See this issue for more information.
- `--locked`.
- Updated `gix` -> 0.60.
- `info` or higher to make the diagnostic clearer by default.
- `bans` diagnostic codes could not have their lint level changed via the CLI. It also introduced the `deprecated` diagnostic code.
- Moved `targets`, `exclude`, `all-features`, `features`, `no-default-features`, and `exclude` into the `[graph]` table.
- Moved `feature-depth` into the `[output]` table.
- `advisories.db-path`, which expands support beyond just `~` to include environment variable expansion.
- Replaced `toml` and `serde` with `toml-span`.
- The `name = "<crate_name>", version = "<requirements>"` form used to target specific crates was changed into either a plain package spec string or the simpler `crate = "<package spec>"`.
- Added a `reason = "<reason>"` field to many fields within the configuration, which is provided in diagnostics. `[bans.deny]` also has an additional `use-instead = "<url/crate_name>"`. PR#610 did this for the `advisories.ignore` field.
- `[advisories.ignore]` array.
- `[advisories]`: `vulnerability`, `unmaintained`, `unsound`, `notice`, `severity-threshold`
- `[licenses]`: `unlicensed`, `allow-osi-fsf-free`, `copyleft`, `default`, `deny`
- Updated `krates` to fix an issue with crates that directly have a dependency on 2 or more versions of the same crate.
- `wrapper` crate for a banned crate does not have a dependency on that crate.
- Updated `gix` and `tame-index`.
- Updated `tame-index` to obtain support for OS file locking, resolving #537. This change means that cargo-deny should not encounter issues such as those described here, since we no longer use `gix::lock` for locking advisory databases, and it makes reading the crates.io index safer by respecting the lock used by cargo itself.
- Added the `bans.build` configuration option, opting in to checking for file extensions, native executables, and interpreted scripts. This resolved #43.
- Changed how `dev-dependencies` are handled. By default, crates that are only used as dev-dependencies (ie, there are no normal nor build dependency edges linking them to other crates) will no longer be considered when checking for `multiple-versions` violations. This can be re-enabled via the `bans.multiple-versions-include-dev` config field. Additionally, licenses are no longer checked for `dev-dependencies`, but can be re-enabled via the `licenses.include-dev` config field. `dev-dependencies` can also be disabled altogether, but this applies to all checks, including `advisories` and `sources`, so it is not enabled by default. This behavior can be enabled by using the `exclude-dev` field, or the `--exclude-dev` command line flag. This change resolved #322, #329, #413 and #497.
- Added a `native-certs` feature flag that can enable the OS native certificate store.
- Renamed `bans.allow-build-scripts` to `bans.build.allow-build-scripts`. `bans.allow-build-scripts` is still supported, but emits a warning.
- Updated to `tame-index 0.2.5`, which fixed this issue.
- `advisories`, but no other, check fails.
- Removed the dependency on `git2` and `openssl`. This was done by transitioning from `git2` -> `gix` for all git operations, both directly in this crate, as well as replacing `crates-index` with `tame-index`.
- Updated MSRV `1.65.0` -> `1.70.0`.
- Suggests running `cargo update -p <crate_name>` when an advisory is detected for a crate. Thanks @Victor-N-Suadicani!
- `git2` to `gix`.
- `osi` and `fsf` options to `licenses.allow-osi-fsf-free`. Thanks @zkxs!
- Use `gix`'s file-based locking to ensure that only one process has mutable access to an advisory database repo at a time.
- Removed the `standalone` feature. This is due to cargo still being in transition from `git2` -> `gix` and having no way to be compiled without OpenSSL. Once cargo is in a better state with regards to this we can add back that feature.
- Replaced `atty` (unmaintained) with `is-terminal`. Thanks @tottoto!
- Added a `deny-multiple-versions` field to `bans.deny` entries, allowing specific crates to deny multiple versions while allowing/warning on them more generally. Thanks @leops!
- `.cargo`. Thanks @DJMcNab!
- Updated `clap`, `cargo`, and `git2`
- `SECURITY.md` for more details.
- Added `allow-wildcard-paths`, fixing #488 by allowing wildcards to be denied, but allowing them for internal, private crates. Thanks @sribich!
- Fixed an issue where `branch=master` would be incorrectly categorized as not specifying the branch (ie, use HEAD of the default branch).
- Updated `krates` to 0.12.5 to fix an issue where features present (and enabled) for a crate could be removed if the index entry for the crate didn't contain that feature. The features are now merged to (hopefully) more accurately reflect the features that are "truly" available according to both the index and the actual crate manifest on disk.
- Updated `krates` to 0.12.4, which fixes an issue where cycles in a crate's feature set would result in an infinite loop.
- Updated `krates` to 0.12.3, which addresses an issue where a crate's feature set can differ between the version in the registry and the same version on disk.
- Fixed an issue where `skip-tree` entries weren't properly ignoring all of their transitive dependencies, resolving #469.
- Added `-A, --allow`, `-D, --deny` and `-W, --warn` options to the `check` subcommand. This allows one to override the severity level of specific diagnostics, eg. `-D unmaintained` would fail if there was an unmaintained dependency, even if `advisories.unmaintained` was `allow` or `warn`. One can also change an entire severity itself, the typical case being `-D warnings` to upgrade all warnings to errors. Resolved #454.
- Added `all-features`, `no-default-features`, `features`, and `feature-depth` configuration options, allowing configuration of features so that one doesn't need to always specify them via the command line.
- Fixed an issue when a `bans.skip` crate was not located in the graph. Thanks @daviddrysdale!
- Changed diagnostic codes from the `B001` style to more clippy-style descriptive names, eg. `banned`, resolving #61.
- `bans.allow-build-scripts` config option for more details. Thanks @Stupremee!
- `https` and `ssh` URLs for advisory databases. Thanks @jbg!
- Removed the `fix` subcommand. This functionality was far too complicated for far too little benefit.
- `git` CLI. Thanks @danielhaap83!
- Updated `git2`, as well as removing the usage of `rustsec`'s `git` feature so that we now use `git2 v0.14`, resolving a crash issue in new `libgit2` versions available in eg. rolling release distros such as Arch. This should also make it easier to update and improve git related functionality since more of it is inside cargo-deny itself now.
- Updated `regex` to fix RUSTSEC-2022-0013.
- `CARGO_TERM_COLOR` environment variable. Thanks @svenstaro!
- Made `[licenses.exceptions]` additive to the global allow list. Thanks @senden9!
- Added `[licenses.ignore-sources]` to ignore license checking for crates sourced from 1 or more specified registries. Thanks @ShellWowza!
- Looks for `.deny.toml` in addition to `deny.toml` if a config file is not specified.
- `*`.
- `[bans.skip-tree]`.
- Updated `askalono`, which got rid of the `failure` dependency, which was pulling in a lot of additional crates that are now gone.
- Fixed an issue when the `sources` check was executed against a crate that didn't use any crates from crates.io, and the config file was shorter than the crates.io URL.
- Added the `sources.private` field to blanket allow git repositories sourced from a particular url.
- Added `--frozen`, `--locked`, and `--offline` flags to determine whether network access is allowed, and whether the `Cargo.lock` file can be created and/or modified.
- Added the `licenses.unused-allowed-license` field to control whether the L006 - license was not encountered diagnostic. Thanks @thomcc!
- Updated `semver` to `1.0.3`.
- Updated `krates`, which in turn uses an updated `cargo_metadata`, which uses `camino` for utf-8 paths. Rather than support both vanilla Path/Buf and Utf8Path/Buf, cargo-deny now just uses Utf8Path/Buf, which means that non-utf-8 paths for things like your Cargo.toml manifest or license paths will no longer function. This is a breaking change that can be reverted if it is disruptive for users, but the assumption is that cargo-deny is operating on normal checkouts of rust repositories that are overwhelmingly going to be utf-8 compatible paths.
- Changed the `master` branch to `main` for https://github.com/rustsec/advisory-db
- Updated `cargo` and `rustsec`.
- Updated MSRV to `1.46.0` due to bump of `smol_str`/`rustsec`.
- Updated `spdx`.
- Added the `--locked` flag in all `cargo install` instructions, to avoid the default (broken) behavior as shown in #331.
- `bitvec` and `funty`.
- `cargo`.
- Added the `--exclude` CLI option. Thanks @luser!
- `rustsec`, `crossbeam`*, and `cargo`.
- Updated `deny.template.toml` to use `db-urls` instead of `db-url`.
- Added the `wrappers` field to `[bans.deny]` entries, which allows the banned crate to be used only if it is a direct dependency of one of the wrapper crates. Thanks @Stupremee!
- `advisory` check. Thanks @Stupremee!
- Use the `cargo` crate directly via the `standalone` feature. This allows `cargo-deny` to be used without cargo being installed, but it still requires rustc to be available. Thanks @Stupremee!
- Added the `fix` subcommand, to bring `cargo-deny` to feature parity with `cargo-audit` so that it can take over for `cargo-audit` as the official frontend for the RustSec Advisory Database.
- `advisories.db-url` has been deprecated in favor of `advisories.db-urls`, since multiple databases are now supported.
- `advisories.db-path` is no longer the directory into which the advisory database is cloned, but rather a root directory where each unique database is placed in a canonicalized directory, similar to how `.cargo/registry/index` directories work.
- A dependency (`smol_str`) forced the usage of the latest Rust stable version (1.46), which was unintended. We now state the MSRV in the README and check for it in CI so that changing the MSRV is a conscious decision.
- Allow-listing of `github.com`, `gitlab.com`, or `bitbucket.org` organizations.
- Added the `bans.wildcards` check to lint for version requirements of `"*"`, which can happen when using local or patched crates that aren't published to a registry. Thanks @khodzha!
- `cargo_metadata`.
- Added the `--format <human|json>` option. All diagnostic and log messages from the `check` subcommand respect this flag.
- Added `--all-features`, `--features`, and `--no-default-features` flags to specify the exact features to have enabled when gathering the crates in your dependency graph to actually run checks against. This is a BREAKING CHANGE as previously crates were gathered with `--all-features`.
- The `--color` option for the `list` subcommand has been moved to the top level arguments.
- The `--context` option, which was deprecated in `0.6.3`, has been removed.
- Added the `--color <auto|always|never>` option; if stderr is not a TTY or `never` is passed, no colors will be present in the output stream.
- `check` subcommand unless the `--log-level` is `off`. If the `--log-level` is `info` or higher, a summary of the state, errors, warnings, and notes for each check is output on its own line instead.
- Added the `-s | --show-stats` flag to the `check` subcommand, which will print out the more detailed summary regardless of the `--log-level`.
- Updated `cfg-expr`, which should allow for filtering of crates for most custom targets that aren't built-in to rustc.
- Added the `fetch` subcommand that can be used to fetch external data, currently the crates.io index and the configured advisory database.
- Added the `--manifest-path` option to specify the Cargo.toml you want to use as the context for the operation, to fit with how other cargo subcommands work. Takes precedence over the (deprecated) `--context`.
- Added the `--workspace` flag to give the user a workaround in cases where a manifest is both a package and a workspace.
- Added the `--exclude` option to allow users to explicitly remove packages from the final crate graph.
- `Cargo.toml` (unless explicitly specified).
- `--context` has been deprecated in favor of `--manifest-path`, to align cargo-deny more with all other cargo subcommands.
- Added the `[licenses.default]` field, which allows you to configure how to handle licenses that don't match any other predicate.
- Changed the `list` subcommand to also use the normal configuration used by the `check` subcommand. Only the `targets` field is used, to determine which crates have their licenses listed.
- Added the `[advisories.yanked]` field in PR#114 for linting yanked crates.
- Added the `sources` check and configuration, which allows linting of crate sources.
- `krates`, which allows us to easily filter out dependencies that don't match a target specified by the user via the `targets` config value.
- Added the `[advisories.db-path]` configuration variable.
- Added `[licenses.exceptions]`, which lets you allow 1 or more licenses only for a particular crate. Thanks for reporting @iliana!
- Fixed how `--manifest-path` and the working directory were set when executing `cargo-metadata`, which caused it to fail if executed in a subdirectory.
- Added the `advisories` check and configuration section for checking crates against an advisory database to detect security vulnerabilities, unmaintained crates, and crates with security notices.
- `[bans.skip-tree]`
- The `[metadata]` section in `Cargo.lock` is now gone in nightly to improve merging; the previous reporting mechanism that required this section has been reworked.
- The `check` subcommand now takes multiple values, eg. `cargo deny check bans advisories`.
- `cargo deny check` or `cargo deny check all` will now run the additional `advisories` check.
- Previously, if there was no `[licenses]` or `[bans]` section then running that check would have done nothing. Now if any section (including `[advisories]`) is not specified, the default configuration will be used.
- `check ban` has been deprecated in favor of `check bans`.
- `check license` has been deprecated in favor of `check licenses`.
- Added the `init` subcommand to generate a cargo-deny template file with guiding comments. Thanks @foresterre!
- Fixed an issue where `license-file` was not being turned into an absolute path like the normal license file scanning, causing a crash. Thanks @foresterre!
- Replaced `failure` with `anyhow`.
- Added the `[licenses.copyleft]` config, which can be used to determine what happens when a copyleft license is encountered.
- Added the `[bans.skip-tree]` config, which can be used to skip entire subtrees of a dependency graph when considering duplicates.
- `skip`ped crate
- Added the `--hide-inclusion-graphs` flag on the `check` subcommand.
- Added the `licenses.allow-osi-fsf-free` key, which can be used to specify blanket allowance of licenses based on whether they are OSI Approved or FSF/Free Libre. It defaults to `neither`.
- Removed `slog`, which is great for structured logging of high volume output, but wasn't really appropriate for a user facing tool. Some normal log output still exists, but almost all output is now done with the excellent codespan crate to give more user-friendly output.
- Configuration now uses `kebab-case` instead of `snake_case`.
- `allow = [ "Apache-2.0 WITH LLVM-exception" ]` will not also allow `Apache-2.0` without the exception.
- `+` is now properly supported, eg. `Apache-2.0+` will now match `Apache-2.0` or a hypothetical `Apache-3.0` in the future.
- The `list` subcommand now treats licenses with exceptions as unique licenses.
- When `bans.multiple-versions` is either `deny` or `warn`, duplicates are printed out, including their particular inclusion graphs, in addition to optionally writing a dotgraph to a file on disk for more thorough inspection.
- `license`
- `licenses.clarify`
- `AND` only if all detected LICENSE files can be scored with confidence
- `licenses.deny` and `licenses.allow` meant that every license would be accepted. Now each license has to be explicitly approved, either by listing them in `licenses.allow` or via `licenses.allow-osi-fsf-free`.
- Removed the `licenses.ignore` key from the configuration, as this was confusing to users. Supplanted by `licenses.clarify`.
- Removed the `licenses.skip` key from the configuration, supplanted by `licenses.clarify`.
- Removed the `licenses.unknown` key from the configuration; if a license cannot be inferred from a file, the path, score, and hash are now shown to the user as additional info for why a crate is considered "unlicensed".
- `rand`
- `bans.deny`
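Many of the entries above describe configuration keys being added, moved, renamed or deprecated, so the following `deny.toml` is an added illustration (not this changelog's or the project's own template) that uses only the newer forms named in the entries: the `[graph]` and `[output]` tables instead of top-level `targets`/`all-features`/`feature-depth`, `db-urls` instead of the deprecated `db-url`, `bans.build.allow-build-scripts` instead of `bans.allow-build-scripts`, `crate = "<package spec>"` with `reason`, `use-instead`, `wrappers` and `deny-multiple-versions` on `[bans.deny]` entries, `reason` on `advisories.ignore`, and the `include-dev`, `allow-wildcard-paths` and `unused-allowed-license` knobs. The crate names, organization name and advisory id are placeholders. Keys not mentioned anywhere on this page (`[licenses.private]`, `[sources.allow-org]`, and `executables`, `interpreted`, `script-extensions` and `include-dependencies` under `[bans.build]`) are assumed from the project's documented configuration and should be checked against the `deny.template.toml` that `cargo deny init` generates.

```toml
# deny.toml: added illustration assembled from keys named in this changelog.
# Run with `cargo deny check -D warnings` so every "warn" below fails CI;
# -A/-W/-D on the CLI override the levels configured here.

[graph]
# Only the targets you actually ship; the check ignores crates that are
# only pulled in for other targets.
targets = ["x86_64-unknown-linux-gnu", "aarch64-apple-darwin"]
all-features = false
no-default-features = false
features = []
# true would drop dev-only crates from *every* check, advisories and sources
# included, so it stays off here and dev crates are instead trimmed per check.
exclude-dev = false

[output]
feature-depth = 1

[advisories]
# db-urls replaces the deprecated db-url; db-path accepts ~ and env vars.
db-urls = ["https://github.com/rustsec/advisory-db"]
db-path = "$CARGO_HOME/advisory-dbs"
yanked = "deny"
ignore = [
  # Placeholder id: every ignore carries a reason that is shown in diagnostics.
  { id = "RUSTSEC-0000-0000", reason = "placeholder: vulnerable API is not reachable from this crate" },
]

[licenses]
allow = ["MIT", "Apache-2.0", "Apache-2.0 WITH LLVM-exception"]
include-dev = false
# Surface allow-list entries that no crate actually uses.
unused-allowed-license = "warn"
exceptions = [
  # Allowed only for this one crate, additive to the global allow list.
  { allow = ["Zlib"], crate = "example-zlib-crate" },
]

[licenses.private]
# Assumed keys (not named on this page): skip license checks for crates
# that come only from your own registry.
ignore = true
registries = ["example-private-registry"]

[bans]
multiple-versions = "warn"
multiple-versions-include-dev = false
wildcards = "deny"
# Wildcard version requirements stay allowed for path dependencies inside
# the workspace, but are denied for published crates.
allow-wildcard-paths = true
deny = [
  { crate = "example-native-tls", reason = "placeholder: pulls in a C TLS stack", use-instead = "rustls" },
  # Banned crate tolerated only as a direct dependency of the named wrapper.
  { crate = "example-legacy-crate", wrappers = ["example-compat-shim"] },
  # Allowed, but never two versions of it at once.
  { crate = "example-core-crate", deny-multiple-versions = true },
]
skip = []
skip-tree = [
  { crate = "example-dev-tool", depth = 20 },
]

[bans.build]
# Renamed from bans.allow-build-scripts; the old key still works but warns.
allow-build-scripts = ["example-sys-crate"]
# Assumed keys (not named on this page): flag native executables and
# interpreted scripts shipped inside crate sources.
executables = "deny"
interpreted = "deny"
script-extensions = ["sh", "py"]
include-dependencies = true

[sources]
unknown-registry = "deny"
unknown-git = "deny"
allow-registry = ["https://github.com/rust-lang/crates.io-index"]
allow-git = []

[sources.allow-org]
# Assumed key (not named on this page): blanket-allow git sources under one
# github.com / gitlab.com / bitbucket.org organization.
github = ["example-org"]
```

Keep the file under version control next to `Cargo.lock` and run `cargo deny check` with `--locked` in CI (as the changelog recommends for `cargo install`), so that a change to the dependency graph and a change to the policy that admits it always land in the same review.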