Releases: EmbarkStudios/cargo-deny

Release 0.14.0

28 Jul 17:01

Changed

  • PR#520 resolved #522 by completely removing all dependencies upon git2 and openssl. This was done by transitioning from git2 -> gix for all git operations, both directly in this crate, as well as replacing crates-index with tame-index.
  • PR#520 bumped the MSRV from 1.65.0 -> 1.70.0
  • PR#523 added "(try cargo update -p <crate_name>)" when an advisory is detected for a crate. Thanks @Victor-N-Suadicani!

Fixed

  • PR#520 resolved #361 by printing output when a fetch is being performed to clarify what is taking time.
  • PR#520 (possibly) resolved #435 by switching all git operations from git2 to gix.
  • PR#520 resolved #439 by using minimal refspecs for cloning and fetching all remote git repositories (indices or advisory databases) where only the remote HEAD is needed to update the local repository, regardless of the default remote branch pointed to by HEAD.
  • PR#520 resolved #446 by ensuring (and testing) that crates from non-registry sources are not checked for advisories, e.g. in the case that a local crate is named and versioned the same as a crate from crates.io that has an advisory that affects it.
  • PR#520 resolved #515 by always opening the correct registry index based upon the environment.
  • PR#531 resolved #210 by adding osi and fsf options to licenses.allow-osi-fsf-free. Thanks @zkxs!
  • PR#533 resolved #521 and #524 by allowing clarifications to add files that are used to verify the license information is up to date, rather than needing to match one of the license files that was discovered.
  • PR#534 resolved #479 by improving how advisory databases are cloned and/or fetched, notably each database now uses gix's file-based locking to ensure that only one process has mutable access to an advisory database repo at a time.

Removed

  • PR#520 removed all features, notably standalone. This is due to cargo still being in transition from git2 -> gix and having no way to compile without OpenSSL. Once cargo is in a better state with regards to this we can add back that feature.

Release 0.13.9

12 Apr 14:19

Fixed

  • PR#506 replaced atty (unmaintained) with is-terminal. Thanks @tottoto!
  • PR#511 resolved #494, #507, and #510 by fixing up how and when URLs are normalized.
  • PR#512 resolved #509 by fixing casing of the root configuration keys.
  • PR#513 resolved #508 by correctly using the crates.io sparse index when checking for yanked crates if specified by the user, as well as falling back to the regular git index if the sparse index is not present.

Release 0.13.8

06 Apr 10:48

Added

  • PR#504 (though really PR#365) resolved #350 by adding the deny-multiple-versions field to bans.deny entries, allowing specific crates to deny multiple versions while allowing/warning on them more generally. Thanks @leops!
  • PR#493 resolved #437 by also looking for deny configuration files in .cargo. Thanks @DJMcNab!
  • PR#502 resolved #500 by adding initial support for sparse indices.

Fixed

  • PR#503 resolved #498 by falling back to more lax parsing of a crate's SPDX expression if it fails to parse according to the stricter but more correct rules.

Release 0.13.7

11 Jan 14:58

Fixed

  • PR#491 resolved #490 by building libgit2 from vendored sources instead of relying on potentially outdated packages.

Release 0.13.6

11 Jan 10:57

Changed

  • PR#489 updated dependencies, notably clap, cargo, and git2

Added

  • PR#485 added this project and repository to our Security Bug Bounty Program and has Private vulnerability reporting enabled. See SECURITY.md for more details.
  • PR#487 added allow-wildcard-paths, fixing #488 by allowing wildcards to be denied, but allowing them for internal, private crates. Thanks @sribich!
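A deny.toml fragment that combines the three configuration additions described in these notes (allow-wildcard-paths from 0.13.6, deny-multiple-versions on bans.deny entries from 0.13.8, and the osi value for licenses.allow-osi-fsf-free from 0.14.0); it is an added example, not a file from the cargo-deny repository. The [bans] and [licenses] table names and the multiple-versions and wildcards keys are assumed to match cargo-deny's configuration documentation, and the crate name is a constructed sample.

```toml
# deny.toml (constructed example, not from the cargo-deny repository)

[licenses]
# Before 0.14.0 this key only accepted "neither", "either" or "both".
# "osi" limits the automatic allow-list to OSI-approved licenses only,
# which is the stricter of the two new values added by PR#531.
allow-osi-fsf-free = "osi"

[bans]
# Duplicate versions are merely warned about in general ...
multiple-versions = "warn"
# ... but this crate is denied outright if it shows up more than once in
# the graph (deny-multiple-versions, added by PR#504 in 0.13.8).
deny = [
  { name = "openssl-sys", version = "*", deny-multiple-versions = true },
]
# Wildcard version requirements ("*") are rejected for published crates ...
wildcards = "deny"
# ... but tolerated for path dependencies on internal, private workspace
# crates (allow-wildcard-paths, added by PR#487 in 0.13.6).
allow-wildcard-paths = true
```

Running `cargo deny check bans licenses` against a workspace with this file fails the build on a second copy of openssl-sys or a wildcard requirement on a crates.io dependency, while internal path dependencies and other duplicated crates only produce warnings.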

Fixed

  • PR#489 fixed an issue where git sources with branch=master would be incorrectly categorized as not specifying the branch (i.e. using the HEAD of the default branch).

Release 0.13.5

08 Nov 18:10

Fixed

  • PR#481 bumped krates to 0.12.5 to fix an issue where features present (and enabled) for a crate could be removed if the index entry for the crate didn't contain that feature. The features are now merged to (hopefully) more accurately reflect the features that are "truly" available according to both the index and the actual crate manifest on disk.
  • PR#481 fixed an issue where gathering licenses from files would fail if any license file could not have its license determined, even if one or more license files could be successfully identified. This now no longer fails, and the license files that fail to be identified are now shown as additional labels in any diagnostic that is shown for that crate's licenses.

Release 0.13.4

08 Nov 15:32

Fixed

  • PR#477 resolved #476 by replacing bad test code with the correct code.

Release 0.13.3

02 Nov 15:39

Fixed

  • PR#475 updated krates to 0.12.4, which fixes an issue where cycles in a crate's feature set would result in an infinite loop.

Release 0.13.2

01 Nov 15:17

Fixed

  • PR#473 updated krates to 0.12.3, which addresses an issue where a crate's feature set can differ between the version in the registry, and same version on disk.

Release 0.13.1

28 Oct 13:39

Fixed

  • PR#471 fixed a bug where optional dependencies could be pruned if the feature that enabled them was named differently from the crate.
  • PR#471 resolved an issue where skip-tree entries weren't properly ignoring all of their transitive dependencies, resolving #469.