Skip to content

Releases: EmbarkStudios/cargo-deny-action

Release 1.5.4 - cargo-deny 0.14.0

28 Jul 17:24
Compare
Choose a tag to compare

Updated the cargo version to 1.71.0 which should give significant improvements to run times due to using the crates.io sparse index instead of the old git index.

Release 1.5.3 - cargo-deny 0.14.0

28 Jul 17:13
Compare
Choose a tag to compare

Changed

  • PR#520 resolved #522 by completely removing all dependencies upon git2 and openssl. This was done by transitioning from git2 -> gix for all git operations, both directly in this crate, as well as replacing crates-index with tame-index.
  • PR#520 bumped the MSRV from 1.65.0 -> 1.70.0
  • PR#523 added "(try cargo update -p <crate_name>)" when an advisory is detected for a crate. Thanks @Victor-N-Suadicani!

Fixed

  • PR#520 resolved #361 by printing output when a fetch is being performed to clarify what is taking time.
  • PR#520 (possibly) resolved #435 by switching all git operations from git2 to gix.
  • PR#520 resolved #439 by using minimal refspecs for cloning and fetching all remote git repositories (indices or advisory databases) where only the remote HEAD is needed to update the local repository, regardless of the default remote branch pointed to by HEAD.
  • PR#520 resolved #446 by ensuring (and testing) that crates from non-registry sources are not checked for advisories, eg. in the case that a local crate is named and versioned the same as a crate from crates.io that has an advisory that affects it.
  • PR#520 resolved #515 by always opening the correct registry index based upon the environment.
  • PR#531 resolved #210 by adding osi and fsf options to licenses.allow-osi-fsf-free. Thanks @zkxs!
  • PR#533 resolved #521 and #524 by allowing clarifications to add files that are used to verify the license information is up to date, rather than needing to match one of the license files that was discovered.
  • PR#534 resolved #479 by improving how advisory databases are cloned and/or fetched, notably each database now uses gix's file-based locking to ensure that only one process has mutable access to an advisory database repo at a time.

Removed

  • PR#520 removed all features, notably standalone. This is due to cargo still being in transition from git2 -> gix and having no way to compiled without OpenSSL. Once cargo is a better state with regards to this we can add back that feature.

Release 1.5.2 - cargo-deny 0.13.9

12 Apr 14:56
Compare
Choose a tag to compare

Fixed

  • PR#506 replaced atty (unmaintained) with is-terminal. Thanks @tottoto!
  • PR#511 resolved #494, #507, and #510 by fixing up how and when urls are normalized.
  • PR#512 resolved #509 by fixing casing of the root configuration keys.
  • PR#513 resolved #508 by correctly using the crates.io sparse index when checking for yanked crates if specified by the user, as well as falling back to the regular git index if the sparse index is not present.

Release 1.5.1 - cargo-deny 0.13.8

06 Apr 15:30
Compare
Choose a tag to compare

Added

  • PR#504 (though really PR#365) resolved #350 by adding the deny-multiple-versions field to bans.deny entries, allowing specific crates to deny multiple versions while allowing/warning on them more generally. Thanks @leops!
  • PR#493 resolved #437 by also looking for deny configuration files in .cargo. Thanks @DJMcNab!
  • PR#502 resolved #500 by adding initial support for sparse indices.

Fixed

  • PR#503 resolved #498 by falling back to more lax parsing of the SPDX expression of crate if fails to parse according to the stricter but more correct rules.

Release 1.5.0 - cargo-deny 0.13.7

25 Mar 09:15
Compare
Choose a tag to compare

Update from cargo-deny 0.13.5 to 0.13.7, apparently I missed two releases, that's embarrassing.

0.13.7

Fixed

  • PR#491 resolved #490 by building libgit2 from vendored sources instead of relying on potentially outdated packages.

0.13.6

Changed

  • PR#489 updated dependencies, notably clap, cargo, and git2

Added

  • PR#485 added this project and repository to our Security Bug Bounty Program and has Private vulnerability reporting enabled. See SECURITY.md for more details.
  • PR#487 added allow-wildcard-paths, fixing #488 by allowing wildcards to be denied, but allowing them for internal, private crates. Thanks @sribich!

Fixed

  • PR#489 fixed an issue where git sources where branch=master would be incorrectly categorized as not specifying the branch (ie use HEAD of default branch).

Release 1.4.0 - cargo-deny 0.13.5

17 Nov 15:06
Compare
Choose a tag to compare

Changed

  • Updated to cargo-deny 0.13.5

v1.3.2 - cargo-deny 0.12.1

19 Jul 13:00
7257a18
Compare
Choose a tag to compare

Added

  • PR#54 resolved #53 by adding the credentials parameter for passing in a private access token to allow cargo to fetch private github repositories. Thanks @danielhaap83!

v1.3.1 - cargo-deny 0.12.1

20 May 07:17
Compare
Choose a tag to compare

Fixed

  • PR#426 fixed an oversight in PR#422, fully resolving #412 by allowing both https and ssh URLs for advisory databases. Thanks @jbg!

Changed

  • PR#427 updated dependencies.

v1.3.0 - cargo-deny 0.12.0

18 May 05:49
Compare
Choose a tag to compare

Removed

  • PR#423 removed the fix subcommand. This functionality was far too complicated for far too little benefit.

Fixed

  • PR#420 resolved #388 by adding the ability to fetch advisory databases via the git CLI. Thanks @danielhaap83!
  • PR#422 fixed #380 and #410 by updating a few transitive dependencies that use git2, as well as removing the usage of rustsec's git feature so that we now use git2 v0.14, resolving a crash issue in new libgit2 versions available in eg. rolling release distros such as Arch. This should also make it easier to update and improve git related functionality since more of it is inside cargo-deny itself now.
  • PR#424 really fixed (there's even a test now!) #384 by adding each version's reverse dependency graph in the ascending order.

v1.2.17 - cargo-deny 0.11.4

10 May 06:28
Compare
Choose a tag to compare

Changed

  • PR#51 updated the image to use Rust 1.60.0 by default. Thanks @MarcoIeni!