Releases: EmbarkStudios/cargo-deny

Release 0.13.8

06 Apr 10:48

Added

  • PR#504 (though really PR#365) resolved #350 by adding the deny-multiple-versions field to bans.deny entries, allowing specific crates to deny multiple versions while allowing/warning on them more generally. Thanks @leops!
  • PR#493 resolved #437 by also looking for deny configuration files in .cargo. Thanks @DJMcNab!
  • PR#502 resolved #500 by adding initial support for sparse indices.

Fixed

  • PR#503 resolved #498 by falling back to more lax parsing of a crate's SPDX expression if it fails to parse according to the stricter but more correct rules.

Release 0.13.7

11 Jan 14:58

Fixed

  • PR#491 resolved #490 by building libgit2 from vendored sources instead of relying on potentially outdated packages.

Release 0.13.6

11 Jan 10:57

Changed

  • PR#489 updated dependencies, notably clap, cargo, and git2

Added

  • PR#485 added this project and repository to our Security Bug Bounty Program and has Private vulnerability reporting enabled. See SECURITY.md for more details.
  • PR#487 added allow-wildcard-paths, fixing #488 by allowing wildcards to be denied, but allowing them for internal, private crates. Thanks @sribich!

Fixed

  • PR#489 fixed an issue where git sources with branch=master would be incorrectly categorized as not specifying a branch (i.e. using HEAD of the default branch).

Release 0.13.5

08 Nov 18:10

Fixed

  • PR#481 bumped krates to 0.12.5 to fix an issue where features present (and enabled) for a crate could be removed if the index entry for the crate didn't contain that feature. The features are now merged to (hopefully) more accurately reflect the features that are "truly" available according to both the index and the actual crate manifest on disk.
  • PR#481 fixed an issue where gathering licenses from files would fail if any license file could not have its license determined, even if one or more license files could be successfully identified. This now no longer fails, and the license files that fail to be identified are now shown as additional labels in any diagnostic that is shown for that crate's licenses.

Release 0.13.4

08 Nov 15:32

Fixed

  • PR#477 resolved #476 by replacing bad test code with the correct code.

Release 0.13.3

02 Nov 15:39

Fixed

  • PR#475 updated krates to 0.12.4, which fixes an issue where cycles in a crate's feature set would result in an infinite loop.

Release 0.13.2

01 Nov 15:17

Fixed

  • PR#473 updated krates to 0.12.3, which addresses an issue where a crate's feature set can differ between the version in the registry and the same version on disk.

Release 0.13.1

28 Oct 13:39

Fixed

  • PR#471 fixed a bug where optional dependencies could be pruned if the feature that enabled it was named differently from the crate.
  • PR#471 resolved an issue where skip-tree entries weren't properly ignoring all of their transitive dependencies, resolving #469.

Release 0.13.0

26 Oct 13:34

Added

  • PR#434 together with PR#461 resolved #206 and #226 by adding support for checking the feature sets enabled for crates. See the docs for configuration options. Thanks @Stupremee!
  • PR#464 added the -A, --allow, -D, --deny and -W, --warn options to the check subcommand. This allows one to override the severity level of specific diagnostics, e.g. -D unmaintained would fail if there was an unmaintained dependency, even if advisories.unmaintained was allow or warn. One can also change an entire severity level itself, the typical case being -D warnings to upgrade all warnings to errors. Resolved #454.
  • PR#466 added the all-features, no-default-features, features, and feature-depth configuration options, allowing configuration of features so that one doesn't need to always specify them via the command line.

Changed

  • PR#447 added more details to the diagnostic reported when a bans.skip crate was not located in the graph. Thanks @daviddrysdale!
  • PR#464 changed all error codes from the previous rustc-style codes (e.g. B001) to more clippy-style descriptive names (e.g. banned), resolving #61.

Fixed

  • PR#465 fixed an issue where inclusion graphs would not be printed in diagnostics if the same crate had an earlier associated diagnostic, even if that diagnostic was not printed due to the log level.
  • PR#464 fixed #455 by removing code. The best kind of fix.

Release 0.12.2

05 Aug 07:51

Added

  • PR#431 resolved #19 by adding support for an allow list for build scripts, allowing a project to opt in (or deny completely) build scripts on a case by case basis rather than blanket allowing all build scripts. See the bans.allow-build-scripts config option for more details. Thanks @Stupremee!
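As an added illustration (not part of these release notes or the cargo-deny repository), a deny.toml bans section combining the three options described on this page: allow-build-scripts from this release, allow-wildcard-paths from 0.13.6 and deny-multiple-versions from 0.13.8. Crate names are placeholders, and the section layout assumes the 0.13-era configuration format.

```toml
# deny.toml (constructed example; crate names are placeholders)
[bans]
# Duplicate versions are merely warned about in general...
multiple-versions = "warn"
# ...but for crates whose duplication matters (e.g. a crypto or FFI crate,
# where two copies mean two attack surfaces to audit) the per-crate
# deny-multiple-versions flag (0.13.8) turns that warning into a failure.
deny = [
    { name = "example-crypto-crate", deny-multiple-versions = true },
]
# Wildcard version requirements are denied for registry dependencies, but
# allow-wildcard-paths (0.13.6) permits them for internal path crates.
wildcards = "deny"
allow-wildcard-paths = true
# Only the crates listed here may run a build script; any other crate that
# ships a build.rs is reported (allow-build-scripts, 0.12.2). Omitting the
# key keeps the previous behaviour of allowing all build scripts.
allow-build-scripts = [
    { name = "example-sys-crate" },
]
```

With the severity flags from 0.13.0, `cargo deny check bans -D warnings` additionally promotes the remaining multiple-versions warnings to errors.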

Fixed

  • PR#430 fixed an issue where local/git crates could be flagged as "yanked" if they shared a name and version with a crates.io crate that was yanked from the registry, resolving #441 before it was even opened. Thanks @khuey!
  • PR#440 fixed #438 by ensuring git cli output was piped properly rather than polluting the output of cargo-deny itself.
  • PR#443 fixed #442 by removing the signature check on the HEAD commit of advisory databases. This check didn't add meaningful security and could cause spurious failures if an unsigned commit was pushed to an advisory database.

Changed