Skip to content

chore(deps): update embarkstudios/cargo-deny-action action to v2#56

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/embarkstudios-cargo-deny-action-2.x
Open

chore(deps): update embarkstudios/cargo-deny-action action to v2#56
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/embarkstudios-cargo-deny-action-2.x

Conversation

@renovate

@renovate renovate Bot commented Sep 10, 2024

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Type Update Change
EmbarkStudios/cargo-deny-action action major v1v2

Release Notes

EmbarkStudios/cargo-deny-action (EmbarkStudios/cargo-deny-action)

v2.0.20: Release 2.0.20 - cargo-deny 0.19.8

Compare Source

Fixed
  • PR#864 fixed matching of ^ and ~ with on prerelease versions for when checking if a crate is affected by an advisory. As of the time of the PR, this literally affected none of published versions of any crate with an advisory, but this just ensures such a case will be handled in the future.

v2.0.19: Release 2.0.19 - cargo-deny 0.19.7

Compare Source

Changed

v2.0.18: Release 2.0.18 - cargo-deny 0.19.5

Compare Source

Fixed

v2.0.17: Release 2.0.17 - cargo-deny 0.19.2

Compare Source

Fixed

v2.0.16: Release 2.0.16 - cargo-deny 0.19.1

Compare Source

Fixed
  • PR#833 fixed an issue where the maximum advisory database staleness was over 14 years instead of the intended 90 days.
  • PR#839 fixed an issue where unsound advisories would appear for transitive dependencies despite requesting them only for workspace dependencies, resolving #​829.
  • PR#840 resolved #​797 by passing --filter-platform when collecting cargo metadata if only a single target was requested either in the config or via the command line.
  • PR#841 fixed an issue where --frozen would not disable fetching of the advisory DB, resolving #​759.
  • PR#842 and PR#844 updated crates. Notably krates was updated to resolve two issues with crates being pruned from the graph used when running checks. Resolving these two issues may mean that updating cargo-deny may highlight issues that were previously hidden.
    • EmbarkStudios/krates#106 would fail to pull in crates brought in via a feature if that crate had its lib target renamed by the package author.
    • EmbarkStudios/krates#109 would fail to bring in optional dependencies if they were brought in by a weak feature in a crate also brought in by a weak feature.
Changed
  • PR#830 removed gix in favor of shelling out to git. This massively improves build times and eases maintenance as gix bumps minor versions quite frequently. If cargo-deny is used in an environment that for some reason allows internet access but doesn't have git available, the advisory database would need to be updated before calling cargo-deny.
  • PR#838 removed rustsec in favor of manually implemented advisory parsing and checking, with a nightly cron job that checks that the implementation exactly matches rustsec on the official rustsec advisory db.

v2.0.15: Release 2.0.15 - cargo-deny 0.19.0

Compare Source

Changed
  • PR#802 made relative paths passed to --config be resolved relative to the current working directory (rather than the resolved manifest path's directory).
  • PR#825 updated gix, reqwest, and tame-index to newer versions. The reqwest 0.13 changes means it is no longer possible to choose the source of root certificates for gix, so that decision is now left to rustls-platform-verifier. The native-certs feature has thus been removed, and cargo-deny no longer defaults to using webpki-roots.
Fixed
  • PR#802 fixed path handling of paths passed to --config, resolving #​748.
  • PR#819 added locations to all SARIF results since that's mandatory for valid SARIF.
  • PR#821 fixed compilation on an Alpine host.
Added
  • PR#795 added [bans.allow-workspace] to allow workspace crates while denying all external crates.
  • PR#800 added [licenses.include-build] to toggle whether build dependencies are included in the license check.
  • PR#823 added [advisories.unused-ignored-advisory] to disable the warning when an advisory is ignored but not encountered in the crate graph.
  • PR#826 added [advisories.unsound] to determine which crates can show unsound advisories, similarly to the unmaintained field. Defaults to workspace crates, ignoring unsound advisories for transitive dependencies, resolving #​824.

v2.0.14: Release 2.0.14 - cargo-deny 0.18.6

Compare Source

0.18.5

Changed
  • PR#789 changed it so that release binaries are now built with LTO.
  • PR#790 and PR#794 updated various crates.
Added
  • PR#790 added SARIF as an output format, usable via --format sarif. The current output for this format is experimental and may change in future updates.

0.18.6

Fixed
  • PR#805 updated rustsec to 0.31, resolving #​804.
  • PR#810 resolved #​809 by printing the crate name and version when its manifest does not contain a license expression.
Added
  • PR#807 added the unused-license-exception option to configure the lint level, resolving #​806.
Changed

v2.0.13: Release 2.0.13 - cargo-deny 0.18.4

Compare Source

Added
  • PR#779 added the --metadata-path argument to use a cargo metadata JSON file instead of calling cargo metadata, resolving #​777.
  • PR#782 added sources.unused-allow-source to allow configuration of the lint level when a source is allowed but not used by any crate in the graph, closing #​781.
Changed
  • PR#786 changed the license check output. / is no longer corrected to OR, and if the license expression is found in the package's manifest, that span is used in diagnostic messages instead of the synthesized manifest.
Fixed
  • PR#786 resolved #​784 by updating spdx to a new version that forces all GNU licenses to be exactly equal when comparing license expressions to licensee expressions, which is incredibly pedantic, but means the license comparison is entirely in the hands of the user so that I no longer have to deal with GNU licenses.

v2.0.12: Release 2.0.12 - cargo-deny 0.18.3

Compare Source

Changed
  • PR#773 changed cargo-deny's duplicate detection to automatically ignore versions whose only dependent is another version of the same crate.

v2.0.11

Compare Source

[0.18.2] - 2025-03-10

Added
  • PR#753 resolved #​752 by adding back the advisories.unmaintained config option. See the docs for how it can be used. The default matches the current behavior, which is to error on any unmaintained advisory, but adding unmaintained = "workspace" to the [advisories] table will mean unmaintained advisories will only error if the crate is a direct dependency of your workspace.

[0.18.1] - 2025-02-27

Fixed

v2.0.10

Compare Source

  • PR#96 resolved #​94 by switching to the directory the manifest path is located in and doing rustup toolchain install if rustup show failed due to any reason

v2.0.9: Release 2.0.9 - cargo-deny 0.18.0

Compare Source

  • d8395c1 removed the rustup update.

v2.0.8

Compare Source

  • PR#93 pins to a hash instead of tag, avoiding future breakage from eg. rustup changes.

v2.0.7: Release 2.0.7 - cargo-deny 0.18.0

Compare Source

  • PR#92 fixed an issue introduced by the latest rustup release.

v2.0.6: Release 2.0.6 - cargo-deny 0.18.0

Compare Source

Changed
  • PR#746 changed the directory naming of advisory databases, again, so the name uses the last path component and a different, but also stable, hashing algorithm. Eg. the default https://github.com/rustsec/advisory-db will now be placed in $CARGO_HOME/advisory-dbs/advisory-db-3157b0e258782691.
  • PR#746 changed the MSRV to 1.85.0 and uses edition 2024.
Fixed
  • PR#746 fixes an issue when using cargo 1.85.0 where source urls were not being properly assigned to crates.io due to the constant being used no longer matching the new path used in cargo 1.85.0 causing eg. workspace dependency checks to fail.

v2.0.5: Release 2.0.5 - cargo-deny 0.17.0

Compare Source

Changed
  • PR#745 updated tame-index to 0.18.0 so that cargo 1.85.0 is transparently supported along with older cargo versions.
  • PR#745 now uses the same stable hashing as cargo 1.85.0 for the advisory databases, which changes their path, but will notably now be the same across all host platforms.

v2.0.4: Release 2.0.4 - cargo-deny 0.16.3

Compare Source

  • Update base image to rust 1.83.0 so that version 4 lockfiles are supported with no config changes

v2.0.3: Release 2.0.3 - cargo-deny 0.16.3

Compare Source

Changed
  • PR#721 updated rust-version to 1.81.0 to accurately reflect the minimum rust version required to compile, resolving #​720.
  • PR#722 updated the SPDX license list to 3.25.0.
Fixed
  • PR#726 resolved #​725 by adding the unnecessary-skip diagnostic, emitted when there is a skip configured for a crate that only has one version in the graph.

v2.0.2: Release 2.0.2 - cargo-deny 0.16.2

Compare Source

Fixed
  • PR#703 resolved #​696 by no longer emitting errors when failing to deserialize deprecated fields, and removed some lingering documentation that wasn't removed in PR#611.
  • PR#719 updated to krates -> 0.17.5, fixing an issue where cargo-deny could panic due to incorrectly resolving features for different versions of the same crate referenced by a single crate.
  • PR#719 resolved #​706 by removing a warning issued when users use ignored scheme modifiers for source urls.
  • PR#719 resolved #​718 by updating the book with missing arguments.
Added
  • PR#715 resolved #​714 by adding support for Edition 2024. Thanks @​kpcyrd!
  • PR#710 resolved #​708 by allowing for unpublished workspace crates to be excluded from the dependency graph that checks are run against, either via the --exclude-unpublished CLI argument or the graph.exclude-unpublished config field. Thanks @​Tastaturtaste!
Changed
  • PR#711 updated goblin -> 0.9.2
  • PR#713 updated various crates, notably rustsec -> 0.30.

v2.0.1: Release 2.0.1 - cargo-deny 0.16.1

Compare Source

Fixed
  • PR#691 fixed an issue where workspace dependencies that used the current dir '.' path component would incorrectly trigger the unused-workspace-dependency lint.

v2.0.0: Release 2.0.0 - cargo-deny 0.16.0

Compare Source

Action

Added
Changed
  • This release includes breaking changes in cargo-deny, so this release begins the v2 tag, using v1 will be stable but not follow future cargo-deny releases.

cargo-deny

Removed
  • PR#681 finished the deprecation introduced in PR#611, making the usage of the deprecated fields into errors.
[advisories]

The following fields have all been removed in favor of denying all advisories by default. To ignore an advisory the ignore field can be used as before.

  • vulnerability - Vulnerability advisories are now deny by default
  • unmaintained - Unmaintained advisories are now deny by default
  • unsound - Unsound advisories are now deny by default
  • notice - Notice advisories are now deny by default
  • severity-threshold - The severity of vulnerabilities is now irrelevant
[licenses]

The following fields have all been removed in favor of denying all licenses that are not explicitly allowed via either allow or exceptions.

  • unlicensed - Crates whose license(s) cannot be confidently determined are now always errors. The clarify field can be used to help cargo-deny determine the license.
  • allow-osi-fsf-free - The OSI/FSF Free attributes are now irrelevant, only whether it is explicitly allowed.
  • copyleft - The copyleft attribute is now irrelevant, only whether it is explicitly allowed.
  • default - The default is now deny.
  • deny - All licenses are now denied by default, this field added nothing.
Changed
  • PR#685 follows up on PR#673, moving the fields that were added to their own separate bans.workspace-dependencies section. This is an unannounced breaking change but is fairly minor and 0.15.0 was never released on github actions so the amount of people affected by this will be (hopefully) small. This also makes the workspace duplicate detection off by default since the field is optional, but makes it so that if not specified workspace duplicates are now deny instead of warn.
Fixed
  • PR#685 resolved #​682 by adding the include-path-dependencies field, allowing path dependencies to be ignored if it is false.

v2

Compare Source


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot force-pushed the renovate/embarkstudios-cargo-deny-action-2.x branch from 94dfce7 to 32bce5d Compare July 28, 2025 13:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants