EmbarkStudios
diff --git a/‎CHANGELOG.md‎
Lines changed: 3 additions & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎Cargo.lock‎
Lines changed: 8 additions & 8 deletions b/‎Cargo.lock‎
Lines changed: 8 additions & 8 deletions
diff --git a/‎Cargo.toml‎
Lines changed: 4 additions & 4 deletions b/‎Cargo.toml‎
Lines changed: 4 additions & 4 deletions
diff --git a/‎deny.toml‎
Lines changed: 1 addition & 2 deletions b/‎deny.toml‎
Lines changed: 1 addition & 2 deletions
diff --git a/‎src/bans.rs‎
Lines changed: 24 additions & 0 deletions b/‎src/bans.rs‎
Lines changed: 24 additions & 0 deletions
diff --git a/‎tests/bans.rs‎
Lines changed: 1 addition & 1 deletion b/‎tests/bans.rs‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎tests/snapshots/bans__deny_multiple_versions_for_specific_krates.snap‎
Lines changed: 1 addition & 1 deletion b/‎tests/snapshots/bans__deny_multiple_versions_for_specific_krates.snap‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎tests/snapshots/bans__deterministic_duplicate_ordering.snap‎
Lines changed: 56 additions & 2 deletions b/‎tests/snapshots/bans__deterministic_duplicate_ordering.snap‎
Lines changed: 56 additions & 2 deletions
diff --git a/‎tests/snapshots/bans__duplicate_graphs.snap‎
Lines changed: 15 additions & 0 deletions b/‎tests/snapshots/bans__duplicate_graphs.snap‎
Lines changed: 15 additions & 0 deletions
diff --git a/‎tests/snapshots/bans__ignores_dev.snap‎
Lines changed: 56 additions & 2 deletions b/‎tests/snapshots/bans__ignores_dev.snap‎
Lines changed: 56 additions & 2 deletions
@@ -8,6 +8,9 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 <!-- next-header -->
 ## [Unreleased] - ReleaseDate
+### Changed
+- [PR#773](https://github.com/EmbarkStudios/cargo-deny/pull/773) changed cargo-deny's duplicate detection to automatically ignore versions whose only dependent is another version of the same crate.
+
 ## [0.18.2] - 2025-03-10
 ### Added
 - [PR#753](https://github.com/EmbarkStudios/cargo-deny/pull/753) resolved [#752](https://github.com/EmbarkStudios/cargo-deny/issues/752) by adding back the `advisories.unmaintained` config option. See the [docs](https://embarkstudios.github.io/cargo-deny/checks/advisories/cfg.html#the-unmaintained-field-optional) for how it can be used. The default matches the current behavior, which is to error on any `unmaintained` advisory, but adding `unmaintained = "workspace"` to the `[advisories]` table will mean unmaintained advisories will only error if the crate is a direct dependency of your workspace.
 
@@ -65,7 +65,7 @@ fern = "0.7"
 # Glob matching
 globset = "0.4"
 # Native executable detection
-goblin = { version = "0.9", default-features = false, features = [
+goblin = { version = "0.10", default-features = false, features = [
   "elf32",
   "elf64",
   "mach32",
@@ -105,7 +105,7 @@ spdx = "0.10"
 # Lazy
 strum = { version = "0.27", features = ["derive"] }
 # Index retrieval and querying
-tame-index = { version = "0.21", default-features = false, features = [
+tame-index = { version = "0.22", default-features = false, features = [
   "git",
   "local",
   "sparse",
@@ -118,7 +118,7 @@ time = { version = "0.3", default-features = false, features = [
 # Deserialization of configuration files and crate manifests
 toml-span = { version = "0.5", features = ["reporting"] }
 # Small fast hash crate
-twox-hash = { version = "2.0", default-features = false, features = ["xxhash32"] }
+twox-hash = { version = "2.1", default-features = false, features = ["xxhash32"] }
 # Url parsing/manipulation
 url = "2.5"
 # Directory traversal
@@ -140,7 +140,7 @@ features = [
 fs_extra = "1.3"
 # Snapshot testing
 insta = { version = "1.43", features = ["json"] }
-tame-index = { version = "0.21", features = ["local-builder"] }
+tame-index = { version = "0.22", features = ["local-builder"] }
 time = { version = "0.3", features = ["serde"] }
 toml-span = { version = "0.5", features = ["serde"] }
 # We use this for creating fake crate directories for crawling license files on disk
 
@@ -30,11 +30,10 @@ skip = [
     { crate = "[email protected]", reason = "gix uses this old version" },
     { crate = "[email protected]", reason = "reqwest -> system-configuration uses this old version" },
     { crate = "[email protected]", reason = "ring uses this old version" },
-    { crate = "[email protected]", reason = "semver trick" },
 ]
 skip-tree = [
     { crate = "[email protected]", reason = "a foundational crate for many that bumps far too frequently to ever have a shared version" },
-    { crate = "[email protected]", reason = "gix depends on both the 1.0 and 2.0 versions" },
+    { crate = "[email protected]", reason = "rustsec depends 1.0, patched, but not released https://github.com/rustsec/rustsec/commit/9b97c0fc155752c8298a5b5406eb175765ceac93" },
 ]
 
 [sources]
 
@@ -381,6 +381,30 @@ pub fn check(
     );
 
     let report_duplicates = |multi_detector: &mut MultiDetector<'_>, sink: &mut diag::ErrorSink| {
+        if multi_detector.dupes.len() != 1 {
+            // Filter out crates that depend on another version of themselves https://github.com/dtolnay/semver-trick
+            multi_detector.dupes.retain(|(index, _)| {
+                let krate = &ctx.krates[*index];
+
+                // We _could_ just see if this crate's dependencies is another
+                // version of itself, but that means if there are other versions
+                // of the crate then the version that is doing the trick is not
+                // reported, so we do the more expensive check for the direct
+                // dependents
+                let direct = ctx
+                    .krates
+                    .direct_dependents(ctx.krates.nid_for_kid(&krate.id).unwrap());
+
+                let res = !direct.iter().all(|dir| dir.krate.name == krate.name);
+
+                if !res {
+                    log::debug!("ignoring duplicate crate '{krate}', its only dependents was another version of itself");
+                }
+
+                res
+            });
+        }
+
         let skipped = multi_detector
             .dupes
             .iter()
 
@@ -194,7 +194,7 @@ fn ignores_dev() {
         r#"
 multiple-versions = 'deny'
 skip = [
-    { name = 'block-buffer', version = "=0.7.3" },
+    "block-buffer@0.7.3"
 ]
 "#,
     );
 
@@ -369,7 +369,7 @@ expression: diags
       "labels": [
         {
           "column": 1,
-          "line": 50,
+          "line": 51,
           "message": "lock entries",
           "span": "generic-array 0.12.4 registry+https://github.com/rust-lang/crates.io-index\ngeneric-array 0.14.5 registry+https://github.com/rust-lang/crates.io-index"
         }
 
@@ -315,7 +315,7 @@ expression: diags
       "labels": [
         {
           "column": 1,
-          "line": 31,
+          "line": 32,
           "message": "lock entries",
           "span": "digest 0.8.1 registry+https://github.com/rust-lang/crates.io-index\ndigest 0.10.3 registry+https://github.com/rust-lang/crates.io-index"
         }
@@ -526,7 +526,7 @@ expression: diags
       "labels": [
         {
           "column": 1,
-          "line": 50,
+          "line": 51,
           "message": "lock entries",
           "span": "generic-array 0.12.4 registry+https://github.com/rust-lang/crates.io-index\ngeneric-array 0.14.5 registry+https://github.com/rust-lang/crates.io-index"
         }
@@ -535,5 +535,59 @@ expression: diags
       "severity": "error"
     },
     "type": "diagnostic"
+  },
+  {
+    "fields": {
+      "code": "duplicate",
+      "graphs": [
+        {
+          "Krate": {
+            "name": "webpki-roots",
+            "version": "0.25.4"
+          },
+          "parents": [
+            {
+              "Krate": {
+                "name": "minreq",
+                "version": "2.13.4"
+              },
+              "parents": [
+                {
+                  "Krate": {
+                    "name": "duplicates",
+                    "version": "0.1.0"
+                  }
+                }
+              ]
+            }
+          ]
+        },
+        {
+          "Krate": {
+            "name": "webpki-roots",
+            "version": "0.26.11"
+          },
+          "parents": [
+            {
+              "Krate": {
+                "name": "duplicates",
+                "version": "0.1.0"
+              }
+            }
+          ]
+        }
+      ],
+      "labels": [
+        {
+          "column": 1,
+          "line": 140,
+          "message": "lock entries",
+          "span": "webpki-roots 0.25.4 registry+https://github.com/rust-lang/crates.io-index\nwebpki-roots 0.26.11 registry+https://github.com/rust-lang/crates.io-index"
+        }
+      ],
+      "message": "found 2 duplicate entries for crate 'webpki-roots'",
+      "severity": "error"
+    },
+    "type": "diagnostic"
   }
 ]
@@ -141,4 +141,19 @@ expression: dup_graphs.lock()
         }
     }
     ,
+    digraph {
+        0 [label="0.25.4", shape=box, style=rounded, color=red]
+        1 [label="0.26.11", shape=box, style=rounded, color=red]
+        2 [label="duplicates 0.1.0", shape=box, style=rounded]
+        3 [label="minreq 2.13.4", shape=box, style=rounded]
+        2 -> 1 [color=red]
+        3 -> 0 [color=blue]
+        2 -> 3 [color=blue]
+        subgraph cluster_0 {
+            {rank=same 0 1 }
+            style="rounded,filled";
+            label="webpki-roots"
+        }
+    }
+    ,
 ]
@@ -3,16 +3,70 @@ source: tests/bans.rs
 expression: diags
 ---
 [
+  {
+    "fields": {
+      "code": "duplicate",
+      "graphs": [
+        {
+          "Krate": {
+            "name": "webpki-roots",
+            "version": "0.25.4"
+          },
+          "parents": [
+            {
+              "Krate": {
+                "name": "minreq",
+                "version": "2.13.4"
+              },
+              "parents": [
+                {
+                  "Krate": {
+                    "name": "duplicates",
+                    "version": "0.1.0"
+                  }
+                }
+              ]
+            }
+          ]
+        },
+        {
+          "Krate": {
+            "name": "webpki-roots",
+            "version": "0.26.11"
+          },
+          "parents": [
+            {
+              "Krate": {
+                "name": "duplicates",
+                "version": "0.1.0"
+              }
+            }
+          ]
+        }
+      ],
+      "labels": [
+        {
+          "column": 1,
+          "line": 140,
+          "message": "lock entries",
+          "span": "webpki-roots 0.25.4 registry+https://github.com/rust-lang/crates.io-index\nwebpki-roots 0.26.11 registry+https://github.com/rust-lang/crates.io-index"
+        }
+      ],
+      "message": "found 2 duplicate entries for crate 'webpki-roots'",
+      "severity": "error"
+    },
+    "type": "diagnostic"
+  },
   {
     "fields": {
       "code": "unmatched-skip",
       "graphs": [],
       "labels": [
         {
-          "column": 15,
+          "column": 6,
           "line": 4,
           "message": "unmatched skip configuration",
-          "span": "block-buffer"
+          "span": "block-buffer@0.7.3"
         }
       ],
       "message": "skipped crate 'block-buffer = =0.7.3' was not encountered",
Original file line number	Diff line number	Diff line change
`@@ -30,11 +30,10 @@ skip = [`
`30`	`30`	`{ crate = "[email protected]", reason = "gix uses this old version" },`
`31`	`31`	`{ crate = "[email protected]", reason = "reqwest -> system-configuration uses this old version" },`
`32`	`32`	`{ crate = "[email protected]", reason = "ring uses this old version" },`
`33`		`- { crate = "[email protected]", reason = "semver trick" },`
`34`	`33`	`]`
`35`	`34`	`skip-tree = [`
`36`	`35`	`{ crate = "[email protected]", reason = "a foundational crate for many that bumps far too frequently to ever have a shared version" },`
`37`		`- { crate = "[email protected]", reason = "gix depends on both the 1.0 and 2.0 versions" },`
	`36`	`+ { crate = "[email protected]", reason = "rustsec depends 1.0, patched, but not released https://github.com/rustsec/rustsec/commit/9b97c0fc155752c8298a5b5406eb175765ceac93" },`
`38`	`37`	`]`
`39`	`38`
`40`	`39`	`[sources]`
Original file line number	Diff line number	Diff line change
`@@ -194,7 +194,7 @@ fn ignores_dev() {`
`194`	`194`	`r#"`
`195`	`195`	`multiple-versions = 'deny'`
`196`	`196`	`skip = [`
`197`		`- { name = 'block-buffer', version = "=0.7.3" },`
	`197`	`+ "block-buffer@0.7.3"`
`198`	`198`	`]`
`199`	`199`	`"#,`
`200`	`200`	`);`
Original file line number	Diff line number	Diff line change
`@@ -369,7 +369,7 @@ expression: diags`
`369`	`369`	`"labels": [`
`370`	`370`	`{`
`371`	`371`	`"column": 1,`
`372`		`- "line": 50,`
	`372`	`+ "line": 51,`
`373`	`373`	`"message": "lock entries",`
`374`	`374`	`"span": "generic-array 0.12.4 registry+https://github.com/rust-lang/crates.io-index\ngeneric-array 0.14.5 registry+https://github.com/rust-lang/crates.io-index"`
`375`	`375`	`}`
Original file line number	Diff line number	Diff line change
`@@ -141,4 +141,19 @@ expression: dup_graphs.lock()`
`141`	`141`	`}`
`142`	`142`	`}`
`143`	`143`	`,`
	`144`	`+ digraph {`
	`145`	`+ 0 [label="0.25.4", shape=box, style=rounded, color=red]`
	`146`	`+ 1 [label="0.26.11", shape=box, style=rounded, color=red]`
	`147`	`+ 2 [label="duplicates 0.1.0", shape=box, style=rounded]`
	`148`	`+ 3 [label="minreq 2.13.4", shape=box, style=rounded]`
	`149`	`+ 2 -> 1 [color=red]`
	`150`	`+ 3 -> 0 [color=blue]`
	`151`	`+ 2 -> 3 [color=blue]`
	`152`	`+ subgraph cluster_0 {`
	`153`	`+ {rank=same 0 1 }`
	`154`	`+ style="rounded,filled";`
	`155`	`+ label="webpki-roots"`
	`156`	`+ }`
	`157`	`+ }`
	`158`	`+ ,`
`144`	`159`	`]`