
Releases: EmbarkStudios/cargo-deny

Release 0.14.8

22 Jan 16:41

Fixed

Release 0.14.7

22 Jan 10:43

Fixed

Release 0.14.6

21 Jan 15:53

Fixed

  • PR#590 updated krates to fix an issue with crates that directly have a dependency on 2 or more versions of the same crate.

Added

  • PR#590 resolved #405 by emitting warnings when a wrapper crate for a banned crate does not have a dependency on that crate.

Changed

  • PR#591 updated gix and tame-index.

Release 0.14.5

20 Jan 06:41

Fixed

  • PR#588 resolved an issue introduced in [0.14.4] where features that reference dev-only dependencies in non-workspace crates would cause a panic.

Release 0.14.4

19 Jan 21:20

Fixed

Release 0.14.3

29 Sep 13:49

Fixed

  • PR#566 updated tame-index to obtain support for OS file locking, resolving #537. This change means that cargo-deny should not encounter issues such as those described here, since we no longer use gix::lock for locking advisory databases, and it makes reading the crates.io index safer by respecting the lock used by cargo itself.

Release 0.14.2

04 Sep 09:57

Added

Changed

  • PR#557 introduced changes to how dev-dependencies are handled. By default, crates that are only used as dev-dependencies (i.e. there are neither normal nor build dependency edges linking them to other crates) will no longer be considered when checking for multiple-versions violations. This can be re-enabled via the bans.multiple-versions-include-dev config field. Additionally, licenses are no longer checked for dev-dependencies, but this can be re-enabled via the licenses.include-dev config field. Dev-dependencies can also be excluded altogether, but this applies to all checks, including advisories and sources, so it is not enabled by default. This behavior can be enabled by using the exclude-dev config field, or the --exclude-dev command line flag. This change resolved #322, #329, #413 and #497.

Fixed

  • PR#549 fixed #548 by correctly locating cargo registry indices from a git ssh url.
  • PR#549 fixed #552 by correctly handling signal interrupts and removing the advisory-dbs lock file.
  • PR#549 fixed #553 by adding the native-certs feature flag that can enable the OS native certificate store.

Deprecated

Release 0.14.1

02 Aug 15:42

Fixed

Changed

  • PR#538 resolved #483 by emitting exit codes as a bitset of the individual checks that failed, allowing scripts to handle checks separately from a single run. This could affect users who check for the exit code being exactly 1, as that will now be emitted only if the advisories check, and no other check, fails.
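The bitset exit code from PR#538 and the --exclude-dev flag from PR#557 (0.14.2) are easiest to see in a CI wrapper. The script below is an added example, not cargo-deny's own code: from the release note it only takes that exit code 1 means advisories alone failed, so advisories occupy bit 0; the bit values assumed for bans, licenses and sources, and the placement of --exclude-dev before the check subcommand, are assumptions to confirm against your version's documentation.

```shell
#!/bin/sh
# Added example: decode cargo-deny's bitset exit code (0.14.1+) and drive
# `cargo deny check` from CI, treating advisory failures separately.

# Stated on the page: exit code 1 == only the advisories check failed.
ADVISORIES_BIT=1
# ASSUMED bit assignments for the remaining checks (illustration only).
BANS_BIT=2
LICENSES_BIT=4
SOURCES_BIT=8

# failed_checks CODE: print the space-separated names of checks whose bit is set.
failed_checks() {
    code=$1
    out=""
    [ $((code & ADVISORIES_BIT)) -ne 0 ] && out="$out advisories"
    [ $((code & BANS_BIT)) -ne 0 ] && out="$out bans"
    [ $((code & LICENSES_BIT)) -ne 0 ] && out="$out licenses"
    [ $((code & SOURCES_BIT)) -ne 0 ] && out="$out sources"
    printf '%s\n' "${out# }"
}

# only_advisories_failed CODE: succeed iff exactly the advisories bit is set
# (this is the case that used to be the plain "exit code 1" before 0.14.1).
only_advisories_failed() {
    [ "$1" -eq "$ADVISORIES_BIT" ]
}

# run_deny [--exclude-dev]: run all checks and report which ones failed.
# A failed advisories check is surfaced for triage but does not fail the
# pipeline; any other failing check (bans, licenses, sources) is fatal.
run_deny() {
    if cargo deny "$@" check; then rc=0; else rc=$?; fi
    if [ "$rc" -eq 0 ]; then
        echo "cargo-deny: all checks passed"
        return 0
    fi
    echo "cargo-deny: failed checks: $(failed_checks "$rc")"
    if only_advisories_failed "$rc"; then
        echo "cargo-deny: only advisories failed; review them, then try 'cargo update -p <crate_name>'"
        return 0
    fi
    return "$rc"
}

# Usage in CI (not executed here): run_deny --exclude-dev
```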

Release 0.14.0

28 Jul 17:01

Changed

  • PR#520 resolved #522 by completely removing all dependencies upon git2 and openssl. This was done by transitioning from git2 -> gix for all git operations, both directly in this crate, as well as replacing crates-index with tame-index.
  • PR#520 bumped the MSRV from 1.65.0 -> 1.70.0
  • PR#523 added "(try cargo update -p <crate_name>)" when an advisory is detected for a crate. Thanks @Victor-N-Suadicani!

Fixed

  • PR#520 resolved #361 by printing output when a fetch is being performed to clarify what is taking time.
  • PR#520 (possibly) resolved #435 by switching all git operations from git2 to gix.
  • PR#520 resolved #439 by using minimal refspecs for cloning and fetching all remote git repositories (indices or advisory databases) where only the remote HEAD is needed to update the local repository, regardless of the default remote branch pointed to by HEAD.
  • PR#520 resolved #446 by ensuring (and testing) that crates from non-registry sources are not checked for advisories, eg. in the case that a local crate is named and versioned the same as a crate from crates.io that has an advisory that affects it.
  • PR#520 resolved #515 by always opening the correct registry index based upon the environment.
  • PR#531 resolved #210 by adding osi and fsf options to licenses.allow-osi-fsf-free. Thanks @zkxs!
  • PR#533 resolved #521 and #524 by allowing clarifications to add files that are used to verify the license information is up to date, rather than needing to match one of the license files that was discovered.
  • PR#534 resolved #479 by improving how advisory databases are cloned and/or fetched, notably each database now uses gix's file-based locking to ensure that only one process has mutable access to an advisory database repo at a time.

Removed

  • PR#520 removed all features, notably standalone. This is due to cargo still being in transition from git2 -> gix and having no way to compile without OpenSSL. Once cargo is in a better state with regards to this, we can add that feature back.

Release 0.13.9

12 Apr 14:19

Fixed

  • PR#506 replaced atty (unmaintained) with is-terminal. Thanks @tottoto!
  • PR#511 resolved #494, #507, and #510 by fixing up how and when urls are normalized.
  • PR#512 resolved #509 by fixing casing of the root configuration keys.
  • PR#513 resolved #508 by correctly using the crates.io sparse index when checking for yanked crates if specified by the user, as well as falling back to the regular git index if the sparse index is not present.