All notable changes to this project will be documented in this file.
The format is based on Keep a Changelog, and this project adheres to Semantic Versioning.
Unreleased - ReleaseDate
- PR#721 updated
rust-version
to 1.81.0 to accurately reflect the minimum rust version required to compile, resolving #720. - PR#722 updated the SPDX license list to 3.25.0.
0.16.2 - 2024-11-15
- PR#703 resolved #696 by no longer emitting errors when failing to deserialize deprecated fields, and removed some lingering documentation that wasn't removed in PR#611.
- PR#719 updated to
krates
-> 0.17.5, fixing an issue wherecargo-deny
could panic due to incorrectly resolving features for different versions of the same crate referenced by a single crate. - PR#719 resolved #706 by removing a warning issued when users use ignored scheme modifiers for source urls.
- PR#719 resolved #718 by updating the book with missing arguments.
- PR#715 resolved #714 by adding support for Edition 2024. Thanks @kpcyrd!
- PR#710 resolved #708 by allowing for unpublished workspace crates to be excluded from the dependency graph that checks are run against, either via the
--exclude-unpublished
CLI argument or thegraph.exclude-unpublished
config field. Thanks @Tastaturtaste!
0.16.1 - 2024-08-05
- PR#691 fixed an issue where workspace dependencies that used the current dir '.' path component would incorrectly trigger the
unused-workspace-dependency
lint.
0.16.0 - 2024-08-02
- PR#681 finished the deprecation introduced in PR#611, making the usage of the deprecated fields into errors.
The following fields have all been removed in favor of denying all advisories by default. To ignore an advisory the ignore
field can be used as before.
vulnerability
- Vulnerability advisories are nowdeny
by defaultunmaintained
- Unmaintained advisories are nowdeny
by defaultunsound
- Unsound advisories are nowdeny
by defaultnotice
- Notice advisories are nowdeny
by defaultseverity-threshold
- The severity of vulnerabilities is now irrelevant
The following fields have all been removed in favor of denying all licenses that are not explicitly allowed via either allow
or exceptions
.
unlicensed
- Crates whose license(s) cannot be confidently determined are now always errors. Theclarify
field can be used to help cargo-deny determine the license.allow-osi-fsf-free
- The OSI/FSF Free attributes are now irrelevant, only whether it is explicitly allowed.copyleft
- The copyleft attribute is now irrelevant, only whether it is explicitly allowed.default
- The default is nowdeny
.deny
- All licenses are now denied by default, this field added nothing.
- PR#685 follows up on PR#673, moving the fields that were added to their own separate
bans.workspace-dependencies
section. This is an unannounced breaking change but is fairly minor and 0.15.0 was never released on github actions so the amount of people affected by this will be (hopefully) small. This also makes the workspace duplicate detection off by default since the field is optional, but makes it so that if not specified workspace duplicates are nowdeny
instead ofwarn
.
- PR#685 resolved #682 by adding the
include-path-dependencies
field, allowing path dependencies to be ignored if it isfalse
.
0.15.1 - 2024-07-26
- PR#681 fixed #680 by always stripping
.git
from urls when matching sources to resolved nodes as they are allowed, but (generally) have no semantic meaning and are stripped by cargo when emitting metadata.
0.15.0 - 2024-07-25
- PR#673 added linting of
[workspace.dependencies]
, resolving #436 and #525.- Added lint
workspace-duplicates
, which allows checking for missing usage ofworkspace = true
for direct workspace dependencies that are used more than once in the workspace. - Added lint
unused-workspace-dependencies
, which allows checking for dependencies declared in[workspace.dependencies]
that aren't actually used.
- Added lint
- PR#673 changed how span information for workspace dependencies worked, which meant improvements were made to the output for the
bans.wildcards
lint. Previously fake cargo manifests were created that weren't even necessarily valid toml files, however now the actual cargo manifests are used, meaning that the lint will now point to the correct file and line location of the dependency declaration that uses a wildcard. - PR#675 changed the utf-8 characters used in rendering diagnostics, inspired by rust-lang/rust#126597.
- PR#676 updated notably
gix
-> 0.64 (and tame-index).
0.14.24 - 2024-05-24
- PR#663 updated some crates, notably
gix
-> 0.63 (and tame-index).
0.14.23 - 2024-05-03
- PR#659 adding publishing of
aarch64-unknown-linux-musl
binaries.
0.14.22 - 2024-04-23
- PR#653 updated
jobserver
-> 0.1.30 - PR#656 updated
gix
-> 0.62.0,reqwest
-> 0.12.4,tame-index
-> 0.11.0
0.14.21 - 2024-04-12
- PR#643 resolved #629 by making the hosted git (github, gitlab, bitbucket) org/user name comparison case-insensitive. Thanks @pmnlla!
- PR#649 fixed an issue where depending on the same crate multiple times by using different
cfg()/triple
targets could cause features to be resolved incorrectly and thus crates to be not pulled into the graph used for checking.
0.14.20 - 2024-03-23
- PR#642 resolved #641 by pinning
gix-transport
(and its unique dependencies) to 0.41.2 as a workaround forcargo install
not using the lockfile. See this issue for more information.
0.14.19 - 2024-03-21
- PR#639 updated tame-index to avoid an error if you don't used
--locked
.
0.14.18 - 2024-03-21
0.14.17 - 2024-03-17
- PR#631 improved the diagnostic for when the yank check fails due to some issue with retrieving or reading the index information.
- PR#633 updated
gix
-> 0.60.
0.14.16 - 2024-03-06
- PR#626 resolved #625 by explicitly checking that a license identified as Pixar was actually (probably) the Pixar license, instead of a normal Apache-2.0 license.
0.14.15 - 2024-02-28
- PR#618 added metadata notes to diagnostics when a license is rejected, as well as removing span information for accepted licenses unless the log level is
info
or higher to make the diagnostic clearer by default.
0.14.14 - 2024-02-26
0.14.13 - 2024-02-24
- PR#615 fixed an issue introduced in PR#605 where the various
bans
diagnostic codes could not have their lint level changed via the CLI. It also introduced thedeprecated
diagnostic code.
0.14.12 - 2024-02-23
- PR#605 did a major refactor of configuration, both how it is deserialized and changing (hopefully improving) many options.
- PR#605 moved
targets
,exclude
,all-features
,features
,no-default-features
, andexclude
into the[graph]
table. - PR#605 moved
feature-depth
into the[output]
table.
- PR#613 added support for basic shell expansion to
advisories.db-path
, which expands support beyond just~
to include environment variable expansion.
- PR#601 resolved #600 by outputting the correct spans when a license was both allowed and denied.
- PR#605 resolved #264 be replacing
toml
andserde
withtoml-span
. - PR#605 resolved #539 by simplifying the very common
name = "<crate_name>", version = "<requirements>"
used to target specific crates into either a plain package spec string or the simplercrate = "<package spec>"
. - PR#605 resolved #578 by adding a
reason = "<reason>"
field to many fields within the configuration that are provided in diagnostics.[bans.deny]
also has an additionaluse-instead = "<url/crate_name>"
. PR#610 did this for theadvisories.ignore
field. - PR#605 resolved #579 by allowing yanked crates to be ignored by specifying a PackageSpec in the
[advisories.ignore]
array.
- PR#606 and PR#611 together deprecated several fields listed below. See PR#611 for how to change your config to opt-in to the new behavior that will become the default when the deprecated fields are removed in a future minor version.
[advisories]
vulnerability
unmaintained
unsound
notice
severity-threshold
[licenses]
unlicensed
allow-osi-fsf-free
copyleft
default
deny
0.14.11 - 2024-02-05
0.14.10 - 2024-01-24
0.14.9 - 2024-01-24
0.14.8 - 2024-01-22
0.14.7 - 2024-01-22
0.14.6 - 2024-01-21
- PR#590 updated
krates
to fix an issue with crates that directly have a dependency on 2 or more versions of the same crate.
- PR#590 resolved #405 by emitting warnings when a
wrapper
crate for a banned crate does not have a dependency on that crate.
- PR#591 updated
gix
andtame-index
.
0.14.5 - 2024-01-20
- PR#588 resolved an issue introduced in 0.14.4 where features that reference dev-only dependencies in non-workspace crates would cause a panic.
0.14.4 - 2024-01-19
0.14.3 - 2023-09-29
- PR#566 updated
tame-index
to obtain support OS file locking, resolving #537. This change means that cargo-deny should not encounter issues such as those described here since we no longer usegix::lock
locking advisory databases, and makes reading the crates.io index safer by respecting the lock used by cargo itself.
0.14.2 - 2023-09-04
- PR#545 added the ability to specify additional license exceptions via additional configuration files.
- PR#549 added the
bans.build
configuration option, opting in to checking for file extensions, native executables, and interpreted scripts. This resolved #43.
- PR#557 introduced changes to how
dev-dependencies
are handled. By default, crates that are only used as dev-dependencies (ie, there are no normal nor build dependency edges linking them to other crates) will no longer be considered when checking formultiple-versions
violations. This can be re-enabled via thebans.multiple-versions-include-dev
config field. Additionally, licenses are no longer checked fordev-dependencies
, but can be re-enabled vialicenses.include-dev
the config field.dev-dependencies
can also be completely disabled altogether, but this applies to all checks, includingadvisories
andsources
, so is not enabled by default. This behavior can be enabled by using theexclude-dev
field, or the--exclude-dev
command line flag. This change resolved #322, #329, #413 and #497.
- PR#549 fixed #548 by correctly locating cargo registry indices from an git ssh url.
- PR#549 fixed #552 by correctly handling signal interrupts and removing the advisory-dbs lock file.
- PR#549 fixed #553 by adding the
native-certs
feature flag that can enable the OS native certificate store.
- PR#549 moved
bans.allow-build-scripts
tobans.build.allow-build-scripts
.bans.allow-build-scripts
is still supported, but emits a warning.
0.14.1 - 2023-08-02
- PR#544 updated dependencies, notably
tame-index 0.2.5
which fixed this issue
- PR#538 resolved #483 by emitting exit codes as a bitset of the individual checks that failed, allowing scripts to handle checks separately from a single run. This could affect users who check exactly for the exit code being 1, as that will now only be emitted if the
advisories
, but no other, check fails.
0.14.0 - 2023-07-28
- PR#520 resolved #522 by completely removing all dependencies upon
git2
andopenssl
. This was done by transitioning fromgit2
->gix
for all git operations, both directly in this crate, as well as replacingcrates-index
withtame-index
. - PR#520 bumped the MSRV from
1.65.0
->1.70.0
- PR#523 added "(try
cargo update -p <crate_name>
)" when an advisory is detected for a crate. Thanks @Victor-N-Suadicani!
- PR#520 resolved #361 by printing output when a fetch is being performed to clarify what is taking time.
- PR#520 (possibly) resolved #435 by switching all git operations from
git2
togix
. - PR#520 resolved #439 by using minimal refspecs for cloning and fetching all remote git repositories (indices or advisory databases) where only the remote HEAD is needed to update the local repository, regardless of the default remote branch pointed to by HEAD.
- PR#520 resolved #446 by ensuring (and testing) that crates from non-registry sources are not checked for advisories, eg. in the case that a local crate is named and versioned the same as a crate from crates.io that has an advisory that affects it.
- PR#520 resolved #515 by always opening the correct registry index based upon the environment.
- PR#531 resolved #210 by adding
osi
andfsf
options tolicenses.allow-osi-fsf-free
. Thanks @zkxs! - PR#533 resolved #521 and #524 by allowing clarifications to add files that are used to verify the license information is up to date, rather than needing to match one of the license files that was discovered.
- PR#534 resolved #479 by improving how advisory databases are cloned and/or fetched, notably each database now uses
gix
's file-based locking to ensure that only one process has mutable access to an advisory database repo at a time.
- PR#520 removed all features, notably
standalone
. This is due to cargo still being in transition fromgit2
->gix
and having no way to compiled without OpenSSL. Once cargo is a better state with regards to this we can add back that feature.
0.13.9 - 2023-04-12
- PR#506 replaced
atty
(unmaintained) withis-terminal
. Thanks @tottoto! - PR#511 resolved #494, #507, and #510 by fixing up how and when urls are normalized.
- PR#512 resolved #509 by fixing casing of the root configuration keys.
- PR#513 resolved #508 by correctly using the crates.io sparse index when checking for yanked crates if specified by the user, as well as falling back to the regular git index if the sparse index is not present.
0.13.8 - 2023-04-06
- PR#504 (though really PR#365) resolved #350 by adding the
deny-multiple-versions
field tobans.deny
entries, allowing specific crates to deny multiple versions while allowing/warning on them more generally. Thanks @leops! - PR#493 resolved #437 by also looking for deny configuration files in
.cargo
. Thanks @DJMcNab! - PR#502 resolved #500 by adding initial support for sparse indices.
- PR#503 resolved #498 by falling back to more lax parsing of the SPDX expression of crate if fails to parse according to the stricter but more correct rules.
0.13.7 - 2023-01-11
- PR#491 resolved #490 by building libgit2 from vendored sources instead of relying on potentially outdated packages.
0.13.6 - 2023-01-11
- PR#489 updated dependencies, notably
clap
,cargo
, andgit2
- PR#485 added this project and repository to our Security Bug Bounty Program and has Private vulnerability reporting enabled. See
SECURITY.md
for more details. - PR#487 added
allow-wildcard-paths
, fixing #488 by allowing wildcards to be denied, but allowing them for internal, private crates. Thanks @sribich!
- PR#489 fixed an issue where git sources where
branch=master
would be incorrectly categorized as not specifying the branch (ie use HEAD of default branch).
0.13.5 - 2022-11-08
- PR#481 bumped
krates
to 0.12.5 to fix an issue where features present (and enabled) for a crate could be remove if the index entry for the crate didn't contain that feature. The features are now merged to (hopefully) more accurately reflect the features that are "truly" available according to both the index and the actual crate manifest on disk. - PR#481 fixed an issue where gathering licenses from files would fail if any license file could not have its license determined, even if one or more license files could be successfully identified. This now no longer fails, and the license files that fail to be identified are now shown as additional labels in any diagnostic that is shown for that crate's licenses.
0.13.4 - 2022-11-03
0.13.3 - 2022-11-02
- PR#475 updated
krates
to 0.12.4, which fixes an issue where cycles in a crate's feature set would result in an infinite loop.
0.13.2 - 2022-11-01
- PR#473 updated
krates
to 0.12.3, which addresses an issue where a crate's feature set can differ between the version in the registry, and same version on disk.
0.13.1 - 2022-10-28
- PR#471 fixed a bug where optional dependencies could be pruned if the feature that enabled it was named differently from the crate.
- PR#471 resolved an issue where
skip-tree
entries weren't properly ignoring all of their transitive dependencies, resolving #469.
0.13.0 - 2022-10-26
- PR#434 together with PR#461 resolved #206 and #226 by adding support for checking the feature sets enabled for crates. See the docs for configuration options. Thanks @Stupremee!
- PR#464 added the
-A, --allow
,-D, --deny
and-W, --warn
options to thecheck
subcommand. This allows one to override the severity level of both specific diagnostics, eg.-D unmaintained
would fail if there was an unmaintained dependency, even ifadvisories.unmaintained
wasallow
orwarn
. One can also change an entire severity itself, the typical case being-D warnings
to upgrade all warnings to errors. Resolved #454. - PR#466 added the
all-features
,no-default-features
,features
, andfeature-depth
configuration options, allowing configuration of features so that one doesn't need to always specify them via the command line.
- PR#447 add more details to the diagnostic reported when a
bans.skip
crate was not located in the graph. Thanks @daviddrysdale! - PR#464 changed all error codes from the previous rustc style eg.
B001
style to more clippy style descriptive names, eg.banned
, resolving #61.
- PR#465 fixed an issue where inclusion graphs would not be printed in diagnostics if the same crate had an earlier associated diagnostic, even if that diagnostic was not printed due to the log level.
- PR#464 fixed #455 by removing code. The best kind of fix.
0.12.2 - 2022-08-05
- PR#431 resolved #19 by adding support for an allow list for build scripts, allowing a project to opt in (or deny completely) build scripts on a case by case basis rather than blanket allowing all build scripts. See the
bans.allow-build-scripts
config option for more details. Thanks @Stupremee!
- PR#430 fixed an issue where local/git crates could be flagged as "yanked" if they shared a name and version with a crates.io crate that was yanked from the registry, resolving #441 before it was even opened. Thanks @khuey!
- PR#440 fixed #438 by ensuring git cli output was piped properly rather than polluting the output of cargo-deny itself.
- PR#443 fixed #442 by removing the signature check on the HEAD commit an advisory databases. This check didn't add meaningful security and could cause spurious failures if an unsigned commit was pushed to an advisory database.
0.12.1 - 2022-05-19
- PR#426 fixed an oversight in PR#422, fully resolving #412 by allowing both
https
andssh
URLs for advisory databases. Thanks @jbg!
- PR#427 updated dependencies.
0.12.0 - 2022-05-17
- PR#423 removed the
fix
subcommand. This functionality was far too complicated for far too little benefit.
- PR#420 resolved #388 by adding the ability to fetch advisory databases via the
git
CLI. Thanks @danielhaap83! - PR#422 fixed #380 and #410 by updating a few transitive dependencies that use
git2
, as well as removing the usage ofrustsec
'sgit
feature so that we now usegit2 v0.14
, resolving a crash issue in newlibgit2
versions available in eg. rolling release distros such as Arch. This should also make it easier to update and improve git related functionality since more of it is inside cargo-deny itself now. - PR#424 really fixed (there's even a test now!) #384 by adding each version's reverse dependency graph in the ascending order.
0.11.4 - 2022-04-11
- PR#414 resolved #384 by always sorting crates with the same name by their version so they are always deterministically sorted. Thanks @Veykril!
- PR#418 fixed an issue where duplicate crate versions would not be detected if the crate was sorted last in the crate graph.
- PR#415 updated dependencies, notably
regex
to fix RUSTSEC-2022-0013.
0.11.3 - 2022-02-14
0.11.2 - 2022-02-07
- PR#403 added support for the
CARGO_TERM_COLOR
environment variable. Thanks @svenstaro! - PR#404 updated dependencies.
- PR#398 resolved #135 by making [
licenses.exceptions
] additive to the global allow list. Thanks @senden9! - PR#404 resolved #401 by trimming quotes from spans before serializing them as JSON.
- PR#404 resolved #402 by updating crossbeam-utils to a non-yanked version.
0.11.1 - 2022-01-28
- PR#391 resolved #344 by adding
[licenses.ignore-sources]
to ignore license checking for crates sourced from 1 or more specified registries. Thanks @ShellWowza! - PR#396 resolved #366 by also looking for
.deny.toml
in addition todeny.toml
if a config file is not specified.
- PR#392 updated all dependencies.
- PR#393 resolved #371 by changing the default for version requirements specified in config files to accept all versions, rather than using the almost-but-not-quite default of
*
. - PR#394 resolved #147 by ignore all private crates, not only the ones in the workspace.
- PR#395 resolved #375 by fixing a potential infinite loop when using
[bans.skip-tree]
.
0.11.0 - 2021-12-06
- PR#382 updated dependencies and bumped the Minimum Stable Rust Version to 1.56.1.
0.10.3 - 2021-11-22
- PR#379 updated
askalono
which got rid of thefailure
dependency, which was pulling in a lot of additional crates that are now gone.
- PR#379 fixed #378 which was an edge case where the
sources
check was executed against a crate that didn't use any crates from crates.io, and the config file was shorter than the crates.io URL.
0.10.2 - 2021-11-21
- PR#377 updated dependencies.
0.10.1 - 2021-11-10
- PR#347 resolved #372 by correcting a slight mistake that resulted in an incorrect hash making cargo-deny unable to lookup index or crate information from the local file system.
0.10.0 - 2021-10-29
- PR#353 resolved #351 by adding the
sources.private
field to blanket allow git repositories sourced from a particular url. - PR#359 resolved #341 and #357 by adding support for the
--frozen
,--locked
, and--offline
flags to determine whether network access is allowed, and whether theCargo.lock
file can be created and/or modified. - PR#368 added the
licenses.unused-allowed-license
field to control whether the L006 - license was not encountered diagnostic. Thanks @thomcc!
- PR#358 bumped the Minimum Stable Rust Version to 1.53.0.
- PR#358 bumped various dependencies, notably
semver
to1.0.3
.
0.9.1 - 2021-03-26
- Updated dependencies
0.9.0 - 2021-03-11
- Updated
krates
, which in turn uses an updatedcargo_metadata
which usescamino
for utf-8 paths. Rather than support both vanilla Path/Buf and Utf8Path/Buf, cargo-deny now just uses Utf8Path/Buf, which means that non-utf-8 paths for things like your Cargo.toml manifest or license paths will no longer function. This is a breaking change, that can be reverted if it is disruptive for users, but the assumption is that cargo-deny is operating on normal checkouts of rust repositories that are overwhelmingly going to be utf-8 compatible paths.
0.8.9 - 2021-03-08
- Updated rustsec crate to address fetch failures due to the renaming of the
master
branch tomain
for https://github.com/rustsec/advisory-db
0.8.8 - 2021-02-25
- Updated dependencies, notably
cargo
andrustsec
. - Increase MSRV to
1.46.0
due to bump ofsmol_str
/rustsec
. - Updated SPDX license list supported from 3.8 to 3.11 due to update of
spdx
. - Add use of the
--locked
flag in allcargo install
instructions, to avoid the default (broken) behavior as shown in #331.
0.8.7 - 2021-02-18
- Resolved #331 by updating
bitvec
andfunty
.
0.8.6 - 2021-02-17
- Updated dependencies, notably
cargo
. - Updated documentation to clarify SPDX identifiers, and how to use custom ones.
0.8.5 - 2020-12-15
- PR#315 resolved #312 by adding support for excluding packages in the deny configuration file, in addition to the existing support for the
--exclude
CLI option. Thanks @luser!
- PR#318 fixed #316 by adding a workaround for crate versions with pre-release identifiers in them that could be erroneously marked as matching advisories in an advisory database. Thanks for reporting this @djc!
0.8.4 - 2020-11-11
- Updated dependencies, notably
rustsec
,crossbeam
*, andcargo
. - Bumped the Minimum Stable Rust Version to 1.44.1.
0.8.3 - 2020-11-09
- Fix
deny.template.toml
to usedb-urls
instead ofdb-url
.
0.8.2 - 2020-10-22
- PR#303 fixed #302 by reverting an unintended behavior change in how the default path for advisory databases was resolved.
0.8.1 - 2020-10-21
- PR#297 fixed a couple of diagnostics to have codes.
- PR#296 resolved #288 by improving the information in diagnostics pertaining to advisories. Thanks @tomasfarias!
0.8.0 - 2020-10-20
- PR#238 resolved #225 by adding a
wrappers
field to[bans.deny]
entries, which allows the banned crate to be used only if it is a direct dependency of one of the wrapper crates. Thanks @Stupremee! - PR#244 resolved #69 by adding support for multiple advisory databases, which will all be checked during the
advisory
check. Thanks @Stupremee! - PR#243 resolved #54 by adding support for compiling and using
cargo
crate directly via thestandalone
feature. This allowscargo-deny
to be used without cargo being installed, but it still requires rustc to be available. Thanks @Stupremee! - PR#275 resolved #64 by adding a diagnostic when a user tries to ignore an advisory identifier that doesn't exist in any database.
- PR#262 added the
fix
subcommand, which was added to bringcargo-deny
to feature parity withcargo-audit
so that it can take over forcargo-audit
as the official frontend for the the RustSec Advisory Database.
advisories.db-url
has been deprecated in favor ofadvisories.db-urls
since multiple databases are now supported.advisories.db-path
is now no longer the directory into which the advisory database is cloned into, but rather a root directory where each unique database is placed in a canonicalized directory similar to how.cargo/registry/index
directories work.- PR#274 resolved #115 by normalizing git urls. Thanks @senden9!
- #265 A transitive dependency (
smol_str
) forced the usage of the latest Rust stable version (1.46) which was unintended. We now state the MSRV in the README and check for it in CI so that changing the MSRV is a conscious decision. - PR#287 fixed #286, which could happen if using a git source where the representation differed slightly between the user specified id and the id used for dependencies.
- PR#249 fixed #190 by printing a different diagnostic for when the path specified for a clarification license file could not be found. Thanks @khodzha!
0.7.3 - 2020-08-06
- PR#237 added the ability to allow git sources from entire
github.com
,gitlab.com
, orbitbucket.org
organizations. - PR#237 added the ability to lint the specifiers used for git sources.
0.7.2 - 2020-07-28
- PR#227 Added a new
bans.wildcards
check to lint for version requirements of"*"
, which can happen when using local or patched crates that aren't published to a registry. Thanks @khodzha!
- Fix incompatible crate versions due to
cargo_metadata
.
0.7.1 - 2020-07-21
- Fix issue due to incompatible semver versioning with relation to...the semver crate.
0.7.0 - 2020-06-25
- Resolved #137 by adding a
--format <human|json>
option. All diagnostic and log messages from thecheck
subcommand respect this flag.
- Resolved #216 by adding support for the
--all-features
,--features
, and--no-default-features
flags to specify the exact features to have enabled when gathering the crates in your dependency graph to actually run checks against. This is a BREAKING CHANGE as previously crates were gathered with--all-features
. - The
--color
option for thelist
subcommand has been moved to the top level arguments.
- The
--context
option , which was deprecated in0.6.3
, has been removed.
- Resolved #211 by adding a top-level
--color <auto|always|never>
option, if stderr is not a TTY ornever
is passed, no colors will be present in the output stream.
0.6.8 - 2020-06-06
- A one line summary of the state of each check is now output at the very end of the
check
subcommand unless the--log-level
isoff
. If the--log-level
isinfo
or higher, a summary of the state, errors, warnings, and notes for each check are outputted on their own line instead. - Added the
-s | --show-stats
flag to thecheck
subcommand, which will print out the more detailed summary, regardless of the--log-level
.
- Updated crates.
- Updated
cfg-expr
, which should allow for filtering of crates for most custom targets that aren't built-in to rustc.
0.6.7 - 2020-05-01
- PR#183 resolved an infinite loop issue which could be caused by cyclic dependencies in a crate graph. Thanks @Veetaha!
0.6.6 - 2020-02-25
- Updated crates. Mainly to force a new version because the Windows release messed up. Yay!
0.6.5 - 2020-02-25
- Added a
fetch
subcommand that can be used to fetch external data, currently the crates.io index and the configured advisory database
- Upgraded to rustsec 0.18.0, which slightly reworks how yanked crate detection is done
0.6.4 - 2020-02-08
- Resolved #131 by removing an unnecessary path canonicalization
0.6.3 - 2020-02-05
- Added the
--manifest-path
option to specify the Cargo.toml you want to use as the context for the operation to fit with how other cargo subcommands work. Takes precedence over the (deprecated)--context
. - Added the
--workspace
flag to give the user a workaround in cases where a manifest is both a package and a workspace. - Added the
--exclude
option to allow users to explicitly remove packages from the final crate graph.
- The configuration used for the command is recursively searched for in parent directories starting in the same directory as the
Cargo.toml
(unless explicitly specified). - The target list used when evaluating cfg expressions for dependencies has been updated to the list of targets supported by 1.41.0. This will give undesired behavior if you happen to use a target triple that has been removed from 1.41.0 that is available in the Rust version you have.
- Resolved #122 by pruning the packages that are checked against the advisory database to the same set used by all other checks
--context
has been deprecated in favor of--manifest-path
, to align cargo-deny more with all other cargo subcommands
0.6.2 - 2020-01-25
- Resolved #116 by adding the
[licenses.default]
field, which allows you to configure how to handle licenses that don't match any other predicate - Resolved #117 by allowing the
list
subcommand to also use the normal configuration used by thecheck
subcommand. Only thetargets
field is used, to determine which crates have their licenses listed.
0.6.1 - 2020-01-24
- Added
[advisories.yanked]
field in PR#114 for linting yanked crates.
0.6.0 - 2020-01-20
- Added the
sources
check and configuration, which allows linting of crate sources - Resolved #63 by adding a dependency on
krates
, which allows us to easily filter out dependencies that don't match a target specified by the user via thetargets
config value. - Resolved #75, a warning is now printed for license exceptions and allowed licenses, if they aren't encountered when checking crate license information.
- Resolved #50, private workspace members (anything that is not published publicly) can now be ignored during the license check.
- Resolved #85 by changing the max column width from 120 to 80 and reformatting some of the help text for the CLI.
- Resolved #109 by only printing a single diagnostic message for each set of duplicate versions
- Fixed #96 by allowing expansion of '~' rooted paths for the
[advisories.db-path]
configuration variable.
0.5.2 - 2019-12-20
- Resolved #53 by adding
[licenses.exceptions]
, which lets you allow 1 or more licenses only for a particular crate. Thanks for reporting @iliana!
0.5.1 - 2019-12-19
- Fixed issue where both
--manifest-path
and working directory were set when executingcargo-metadata
, causing it to fail if a executed in a subdirectory.
0.5.0 - 2019-12-18
- Added the
advisories
check and configuration section for checking crates against an advisory database to detect security vulnerabilities, unmaintained crates, and crates with security notices - A warning will now be emitted if a crate that isn't in the graph is specified in
[bans.skip-tree]
- PR#58 Fixed #55 to handle license requirements for GPL, AGPL, LGPL, and GFDL better. Thank for reporting @pikajude!
- PR#62 Fixed #56, the
[metadata]
section inCargo.lock
is now gone in nightly to improve merging, the previous reporting mechanism that required this section has been reworked.
- The
check
subcommand now takes multiple values egcargo deny check bans advisories
- Specifying either
cargo deny check
orcargo deny check all
will now run the additionaladvisories
check - Previously, if you hadn't specified the
[licenses]
or[bans]
section then running that check would have done nothing. Now if any section (including[advisories]
) is not specified, the default configuration will be used.
check ban
has been deprecated in favor ofcheck bans
check license
has been deprecated in favor ofcheck licenses
0.4.2 - 2019-12-02
- PR#48 Added an
init
subcommand to generate a cargo-deny template file with guiding comments. Thanks @foresterre!
0.4.1 - 2019-11-28
- PR#46 Fixed issue where
license-file
was not being turned into an absolute path like the normal license file scanning, causing a crash. Thanks @foresterre! - Fixed an out of bounds panic when skipping a crate which wasn't present in the crate graph, that would have been sorted last if it had existed
0.4.0 - 2019-11-07
- Replaced usage of
failure
withanyhow
- Upgraded askalono and spdx to newer versions that both use version 3.7 of the SPDX license list
0.3.0 - 2019-10-30
- Added
[licenses.copyleft]
config, which can be used to determine what happens when a copyleft license is encountered. - Added
[bans.skip-tree]
config, which can be used to skip entire subtrees of a dependency graph when considering duplicates
- Fixed displaying of duplicate errors in the presence of a
skip
ped crate
0.3.0-beta - 2019-10-07
- Output that pertains to a particular crate now outputs the inclusion graph for that crate, similarly to how cargo tree shows the inverse dependency graph. This can be turned off with the
--hide-inclusion-graphs
flag on thecheck
subcommand. - All configuration problems that aren't directly related to actual toml parsing now pretty print the location and cause(s) of the problem so that you can more easily fix the issue.
- Added the ``[licenses.clarify]]` key to the configuration, which allows users to specify the license expression for a crate that will be used as long as the version requirements are met, and the hash of the license file(s) are the same
- Added the
licenses.allow-osi-fsf-free
key, which can be used to specify blanket allowance of licenses based on whether they are OSI Approved or FSF/Free Libre. It defaults toneither
.
- The output of the tool as a whole is dramatically different. Previously, all logging was done via
slog
, which is great for structured logging of high volume output, but wasn't really appropriate for a user facing tool. Some normal log output still exists, but almost all output is now done with the excellent codespan crate to give more user-friendly output. - All configuration keys are now
kebab-case
instead ofsnake_case
- Improved the checking of SPDX license expressions, previously the expression was just lexed and all the requirements that could be understood were required, but now the operators in the expression are actually respected.
- Added proper support for license exceptions, you must now allow or deny licenses including their exception, which treated as a different case than the same license without the exception. eg
allow = [ "Apache-2.0 WITH LLVM-exception" ]
will not also allowApache-2.0
without the exception. - The usage of
+
is now properly supported, eg.Apache-2.0+
will now matchApache-2.0
or a hypotheticalApache-3.0
in the future. - The
list
subcommand now treats licenses with exceptions as unique licenses. - When
bans.multiple-versions
is eitherdeny
orwarn
, duplicates are printed out, including their particular inclusion graphs, in addition to optionally writing a dotgraph to a file on disk for more thorough inspection. - LICENSE(-*)? files are no longer eagerly evaluated, rather the crate's license expression is retrieved via
license
- Matching user override as specified via
licenses.clarify
- Compounding all licenses together via
AND
only if all detected LICENSE files can be scored with confidence
- Previously, just having an empty
licenses.deny
andlicenses.allow
meant that every license would be accepted. Now each license has to be explicitly approved, either by listing them inlicenses.allow
orlicenses.allow-osi-fsf-free
.
- Removed the
licenses.ignore
key from the configuration, as this was confusing to users. Supplanted bylicenses.clarify
. - Removed the
licenses.skip
key from the configuration, supplanted bylicenses.clarify
. - Removed the
licenses.unknown
key from the configuration, if a license cannot be inferred from a file, the path, score, and hash are now shown to the user as additional info for why a crate is considered "unlicensed".
- Removed duplicate version of
rand
- Fixed banning specific crates via
bans.deny
0.2.3 - 2019-07-01
- Fixed up README in published crate
0.2.2 - 2019-06-28
- Added more badges to published crate
0.2.1 - 2019-06-28
- Initial implementation release