Releases: EmbarkStudios/cargo-deny-action
Releases · EmbarkStudios/cargo-deny-action
Release 1.5.4 - cargo-deny 0.14.0
Updated the cargo version to 1.71.0 which should give significant improvements to run times due to using the crates.io sparse index instead of the old git index.
Release 1.5.3 - cargo-deny 0.14.0
Changed
- PR#520 resolved #522 by completely removing all dependencies upon
git2
andopenssl
. This was done by transitioning fromgit2
->gix
for all git operations, both directly in this crate, as well as replacingcrates-index
withtame-index
. - PR#520 bumped the MSRV from
1.65.0
->1.70.0
- PR#523 added "(try
cargo update -p <crate_name>
)" when an advisory is detected for a crate. Thanks @Victor-N-Suadicani!
Fixed
- PR#520 resolved #361 by printing output when a fetch is being performed to clarify what is taking time.
- PR#520 (possibly) resolved #435 by switching all git operations from
git2
togix
. - PR#520 resolved #439 by using minimal refspecs for cloning and fetching all remote git repositories (indices or advisory databases) where only the remote HEAD is needed to update the local repository, regardless of the default remote branch pointed to by HEAD.
- PR#520 resolved #446 by ensuring (and testing) that crates from non-registry sources are not checked for advisories, eg. in the case that a local crate is named and versioned the same as a crate from crates.io that has an advisory that affects it.
- PR#520 resolved #515 by always opening the correct registry index based upon the environment.
- PR#531 resolved #210 by adding
osi
andfsf
options tolicenses.allow-osi-fsf-free
. Thanks @zkxs! - PR#533 resolved #521 and #524 by allowing clarifications to add files that are used to verify the license information is up to date, rather than needing to match one of the license files that was discovered.
- PR#534 resolved #479 by improving how advisory databases are cloned and/or fetched, notably each database now uses
gix
's file-based locking to ensure that only one process has mutable access to an advisory database repo at a time.
Removed
- PR#520 removed all features, notably
standalone
. This is due to cargo still being in transition fromgit2
->gix
and having no way to compiled without OpenSSL. Once cargo is a better state with regards to this we can add back that feature.
Release 1.5.2 - cargo-deny 0.13.9
Fixed
- PR#506 replaced
atty
(unmaintained) withis-terminal
. Thanks @tottoto! - PR#511 resolved #494, #507, and #510 by fixing up how and when urls are normalized.
- PR#512 resolved #509 by fixing casing of the root configuration keys.
- PR#513 resolved #508 by correctly using the crates.io sparse index when checking for yanked crates if specified by the user, as well as falling back to the regular git index if the sparse index is not present.
Release 1.5.1 - cargo-deny 0.13.8
Added
- PR#504 (though really PR#365) resolved #350 by adding the
deny-multiple-versions
field tobans.deny
entries, allowing specific crates to deny multiple versions while allowing/warning on them more generally. Thanks @leops! - PR#493 resolved #437 by also looking for deny configuration files in
.cargo
. Thanks @DJMcNab! - PR#502 resolved #500 by adding initial support for sparse indices.
Fixed
Release 1.5.0 - cargo-deny 0.13.7
Update from cargo-deny 0.13.5 to 0.13.7, apparently I missed two releases, that's embarrassing.
0.13.7
Fixed
- PR#491 resolved #490 by building libgit2 from vendored sources instead of relying on potentially outdated packages.
0.13.6
Changed
- PR#489 updated dependencies, notably
clap
,cargo
, andgit2
Added
- PR#485 added this project and repository to our Security Bug Bounty Program and has Private vulnerability reporting enabled. See
SECURITY.md
for more details. - PR#487 added
allow-wildcard-paths
, fixing #488 by allowing wildcards to be denied, but allowing them for internal, private crates. Thanks @sribich!
Fixed
- PR#489 fixed an issue where git sources where
branch=master
would be incorrectly categorized as not specifying the branch (ie use HEAD of default branch).
Release 1.4.0 - cargo-deny 0.13.5
Changed
- Updated to cargo-deny 0.13.5
v1.3.2 - cargo-deny 0.12.1
Added
- PR#54 resolved #53 by adding the
credentials
parameter for passing in a private access token to allow cargo to fetch private github repositories. Thanks @danielhaap83!
v1.3.1 - cargo-deny 0.12.1
v1.3.0 - cargo-deny 0.12.0
Removed
- PR#423 removed the
fix
subcommand. This functionality was far too complicated for far too little benefit.
Fixed
- PR#420 resolved #388 by adding the ability to fetch advisory databases via the
git
CLI. Thanks @danielhaap83! - PR#422 fixed #380 and #410 by updating a few transitive dependencies that use
git2
, as well as removing the usage ofrustsec
'sgit
feature so that we now usegit2 v0.14
, resolving a crash issue in newlibgit2
versions available in eg. rolling release distros such as Arch. This should also make it easier to update and improve git related functionality since more of it is inside cargo-deny itself now. - PR#424 really fixed (there's even a test now!) #384 by adding each version's reverse dependency graph in the ascending order.
v1.2.17 - cargo-deny 0.11.4
Changed
- PR#51 updated the image to use Rust 1.60.0 by default. Thanks @MarcoIeni!