Release 2.0.0 - cargo-deny 0.16.0
Action
Added
Changed
- This release includes breaking changes in cargo-deny, so this release begins the
v2
tag, usingv1
will be stable but not follow futurecargo-deny
releases.
cargo-deny
Removed
- PR#681 finished the deprecation introduced in PR#611, making the usage of the deprecated fields into errors.
[advisories]
The following fields have all been removed in favor of denying all advisories by default. To ignore an advisory the ignore
field can be used as before.
vulnerability
- Vulnerability advisories are nowdeny
by defaultunmaintained
- Unmaintained advisories are nowdeny
by defaultunsound
- Unsound advisories are nowdeny
by defaultnotice
- Notice advisories are nowdeny
by defaultseverity-threshold
- The severity of vulnerabilities is now irrelevant
[licenses]
The following fields have all been removed in favor of denying all licenses that are not explicitly allowed via either allow
or exceptions
.
unlicensed
- Crates whose license(s) cannot be confidently determined are now always errors. Theclarify
field can be used to help cargo-deny determine the license.allow-osi-fsf-free
- The OSI/FSF Free attributes are now irrelevant, only whether it is explicitly allowed.copyleft
- The copyleft attribute is now irrelevant, only whether it is explicitly allowed.default
- The default is nowdeny
.deny
- All licenses are now denied by default, this field added nothing.
Changed
- PR#685 follows up on PR#673, moving the fields that were added to their own separate
bans.workspace-dependencies
section. This is an unannounced breaking change but is fairly minor and 0.15.0 was never released on github actions so the amount of people affected by this will be (hopefully) small. This also makes the workspace duplicate detection off by default since the field is optional, but makes it so that if not specified workspace duplicates are nowdeny
instead ofwarn
.