Releases: EmbarkStudios/cargo-deny-action
Release 1.5.6 - cargo-deny 0.14.4
Release 1.5.5 - cargo-deny 0.14.2
Added
- PR#545 added the ability to specify additional license exceptions via additional configuration files.
- PR#549 added the `bans.build` configuration option, opting in to checking for file extensions, native executables, and interpreted scripts. This resolved #43.
Changed
- PR#557 introduced changes to how `dev-dependencies` are handled. By default, crates that are only used as dev-dependencies (i.e. there are no normal or build dependency edges linking them to other crates) will no longer be considered when checking for `multiple-versions` violations. This can be re-enabled via the `bans.multiple-versions-include-dev` config field. Additionally, licenses are no longer checked for `dev-dependencies`, but this can be re-enabled via the `licenses.include-dev` config field. `dev-dependencies` can also be disabled altogether, but this applies to all checks, including `advisories` and `sources`, so it is not enabled by default. This behavior can be enabled by using the `exclude-dev` config field, or the `--exclude-dev` command line flag. This change resolved #322, #329, #413 and #497.
Fixed
- PR#549 fixed #548 by correctly locating cargo registry indices from a git ssh URL.
- PR#549 fixed #552 by correctly handling signal interrupts and removing the advisory-dbs lock file.
- PR#549 fixed #553 by adding the `native-certs` feature flag, which can enable the OS native certificate store.
Deprecated
- PR#549 moved `bans.allow-build-scripts` to `bans.build.allow-build-scripts`. `bans.allow-build-scripts` is still supported, but emits a warning.
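A `deny.toml` fragment, added here as an illustration and not taken from the cargo-deny-action page or project, showing the 0.14.2 dev-dependency opt-ins and the `bans.allow-build-scripts` to `bans.build` migration described above. Only the key names come from the notes; the lint level, the crate name and the root-level placement of `exclude-dev` are assumptions.

```toml
# deny.toml fragment: an added illustration, not the cargo-deny-action
# project's own config. Key names follow the cargo-deny 0.14.2 notes above;
# the lint level, crate name and exclude-dev placement are assumed.

# Root-level switch (TOML requires it before any [table]). Uncomment to drop
# dev-dependencies from EVERY check, including advisories and sources; the
# notes say this is off by default for exactly that reason.
# exclude-dev = true

[bans]
multiple-versions = "deny"
# Since 0.14.2, crates reachable only through dev-dependencies are skipped by
# the multiple-versions check. Opt back in so test-only duplicates still fail CI.
multiple-versions-include-dev = true

# bans.allow-build-scripts is deprecated (still honoured, with a warning);
# the key now lives under [bans.build], the table that also holds the new
# opt-in checks for file extensions, native executables and interpreted scripts.
[bans.build]
allow-build-scripts = [
    { name = "placeholder-crate-with-build-rs" },   # assumed crate name
]

[licenses]
# Licenses of dev-dependencies are also skipped by default since 0.14.2.
include-dev = true
```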
Release 1.5.4 - cargo-deny 0.14.0
Updated the cargo version to 1.71.0 which should give significant improvements to run times due to using the crates.io sparse index instead of the old git index.
Release 1.5.3 - cargo-deny 0.14.0
Changed
- PR#520 resolved #522 by completely removing all dependencies upon `git2` and `openssl`. This was done by transitioning from `git2` -> `gix` for all git operations, both directly in this crate, as well as replacing `crates-index` with `tame-index`.
- PR#520 bumped the MSRV from `1.65.0` -> `1.70.0`.
- PR#523 added "(try `cargo update -p <crate_name>`)" when an advisory is detected for a crate. Thanks @Victor-N-Suadicani!
Fixed
- PR#520 resolved #361 by printing output when a fetch is being performed to clarify what is taking time.
- PR#520 (possibly) resolved #435 by switching all git operations from `git2` to `gix`.
- PR#520 resolved #439 by using minimal refspecs for cloning and fetching all remote git repositories (indices or advisory databases) where only the remote HEAD is needed to update the local repository, regardless of the default remote branch pointed to by HEAD.
- PR#520 resolved #446 by ensuring (and testing) that crates from non-registry sources are not checked for advisories, e.g. in the case that a local crate is named and versioned the same as a crate from crates.io that has an advisory that affects it.
- PR#520 resolved #515 by always opening the correct registry index based upon the environment.
- PR#531 resolved #210 by adding `osi` and `fsf` options to `licenses.allow-osi-fsf-free`. Thanks @zkxs!
- PR#533 resolved #521 and #524 by allowing clarifications to add files that are used to verify the license information is up to date, rather than needing to match one of the license files that was discovered.
- PR#534 resolved #479 by improving how advisory databases are cloned and/or fetched; notably each database now uses `gix`'s file-based locking to ensure that only one process has mutable access to an advisory database repo at a time.
Removed
- PR#520 removed all features, notably `standalone`. This is due to cargo still being in transition from `git2` -> `gix` and having no way to be compiled without OpenSSL. Once cargo is in a better state with regards to this we can add back that feature.
Release 1.5.2 - cargo-deny 0.13.9
Fixed
- PR#506 replaced `atty` (unmaintained) with `is-terminal`. Thanks @tottoto!
- PR#511 resolved #494, #507, and #510 by fixing up how and when URLs are normalized.
- PR#512 resolved #509 by fixing casing of the root configuration keys.
- PR#513 resolved #508 by correctly using the crates.io sparse index when checking for yanked crates if specified by the user, as well as falling back to the regular git index if the sparse index is not present.
Release 1.5.1 - cargo-deny 0.13.8
Added
- PR#504 (though really PR#365) resolved #350 by adding the `deny-multiple-versions` field to `bans.deny` entries, allowing specific crates to deny multiple versions while allowing/warning on them more generally. Thanks @leops!
- PR#493 resolved #437 by also looking for deny configuration files in `.cargo`. Thanks @DJMcNab!
- PR#502 resolved #500 by adding initial support for sparse indices.
Fixed
Release 1.5.0 - cargo-deny 0.13.7
Update from cargo-deny 0.13.5 to 0.13.7; apparently I missed two releases, that's embarrassing.
0.13.7
Fixed
- PR#491 resolved #490 by building libgit2 from vendored sources instead of relying on potentially outdated packages.
0.13.6
Changed
- PR#489 updated dependencies, notably `clap`, `cargo`, and `git2`.
Added
- PR#485 added this project and repository to our Security Bug Bounty Program and has Private vulnerability reporting enabled. See `SECURITY.md` for more details.
- PR#487 added `allow-wildcard-paths`, fixing #488 by allowing wildcards to be denied, but allowing them for internal, private crates. Thanks @sribich!
Fixed
- PR#489 fixed an issue where git sources with `branch=master` would be incorrectly categorized as not specifying the branch (i.e. using HEAD of the default branch).
Release 1.4.0 - cargo-deny 0.13.5
Changed
- Updated to cargo-deny 0.13.5
v1.3.2 - cargo-deny 0.12.1
Added
- PR#54 resolved #53 by adding the `credentials` parameter for passing in a private access token to allow cargo to fetch private GitHub repositories. Thanks @danielhaap83!