Skip to content

Release 2.0.0 - cargo-deny 0.16.0

Compare
Choose a tag to compare
@Jake-Shadle Jake-Shadle released this 02 Aug 12:36
· 7 commits to main since this release

Action

Added

Changed

  • This release includes breaking changes in cargo-deny, so this release begins the v2 tag, using v1 will be stable but not follow future cargo-deny releases.

cargo-deny

Removed

  • PR#681 finished the deprecation introduced in PR#611, making the usage of the deprecated fields into errors.

[advisories]

The following fields have all been removed in favor of denying all advisories by default. To ignore an advisory the ignore field can be used as before.

  • vulnerability - Vulnerability advisories are now deny by default
  • unmaintained - Unmaintained advisories are now deny by default
  • unsound - Unsound advisories are now deny by default
  • notice - Notice advisories are now deny by default
  • severity-threshold - The severity of vulnerabilities is now irrelevant

[licenses]

The following fields have all been removed in favor of denying all licenses that are not explicitly allowed via either allow or exceptions.

  • unlicensed - Crates whose license(s) cannot be confidently determined are now always errors. The clarify field can be used to help cargo-deny determine the license.
  • allow-osi-fsf-free - The OSI/FSF Free attributes are now irrelevant, only whether it is explicitly allowed.
  • copyleft - The copyleft attribute is now irrelevant, only whether it is explicitly allowed.
  • default - The default is now deny.
  • deny - All licenses are now denied by default, this field added nothing.

Changed

  • PR#685 follows up on PR#673, moving the fields that were added to their own separate bans.workspace-dependencies section. This is an unannounced breaking change but is fairly minor and 0.15.0 was never released on github actions so the amount of people affected by this will be (hopefully) small. This also makes the workspace duplicate detection off by default since the field is optional, but makes it so that if not specified workspace duplicates are now deny instead of warn.

Fixed

  • PR#685 resolved #682 by adding the include-path-dependencies field, allowing path dependencies to be ignored if it is false.