EmbarkStudios / cargo-deny

❌ Cargo plugin for linting your dependencies 🦀
http://embark.rs
Apache License 2.0

Provide utilities to respond to cargo deny bans check lints #561

Open Veetaha opened 1 year ago

Veetaha commented 1 year ago

In our private repository we have more than 100 duplicate dependencies, and deduplicating them is painful. It is also painful to maintain the deny.toml file with all the bans.skip and bans.skip_tree entries manually.

In fact, even though bans.skip_tree is intended as a "wildcard skip", it hides too many things, and naive developers sometimes put the skip config under skip_tree by mistake, therefore making things even worse.

I developed a nushell script that automates the management of deny.toml by generating the skip configuration and automates running the granular cargo update command to try updating the dependencies within the compatible ranges to avoid duplicates.

I wrote some docs in our private notion knowledgebase, but published it to the public under this link.

I think the nushell script I developed there could already be used by anyone to automate the maintenance of the deny.toml file, and it could also be used as a good POC for rewriting this implementation in Rust and including it into cargo-deny.

Generate the bans.skip configuration automatically

cargo deny has enough information to be able to generate the bans.skip list automatically. There could be a command in cargo deny that does the same thing as deny.nu skips command in the script shared above.

However, cargo-deny could benefit from toml_edit Rust crate to make the modifications in deny.toml without requiring the user to copy and paste the TOML output from the terminal.

More info in the post

Run cargo update with all the parent packages of the duplicate dependency

If you run deny.nu dedup it will run the cargo update command, but it will take care to pass -p parameters with the package names that comprise the parent crates for the duplicate. This way you can granularly update the dependency tree.

More info in the post
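Added illustration of the two steps proposed above (generating `bans.skip` entries and composing the granular `cargo update -p` call); this is example code, not the deny.nu script or cargo-deny's own implementation. It works on a constructed in-memory graph with made-up crate names and versions instead of real `cargo metadata` output.

```rust
use std::collections::{BTreeMap, BTreeSet};

/// One resolved package (constructed sample shape, not cargo's or cargo-deny's types).
#[derive(Clone, Debug)]
pub struct Pkg {
    pub name: &'static str,
    pub version: &'static str,
    /// Names of this package's direct dependencies.
    pub deps: Vec<&'static str>,
}

/// Parse "MAJOR.MINOR.PATCH" so versions sort numerically, not lexically.
fn semver(v: &str) -> (u64, u64, u64) {
    let mut it = v.split('.').map(|p| p.parse().unwrap_or(0));
    (it.next().unwrap_or(0), it.next().unwrap_or(0), it.next().unwrap_or(0))
}

/// Crate names present in more than one version, with their versions oldest first.
pub fn duplicates(graph: &[Pkg]) -> BTreeMap<&'static str, Vec<&'static str>> {
    let mut by_name: BTreeMap<&'static str, Vec<&'static str>> = BTreeMap::new();
    for p in graph {
        by_name.entry(p.name).or_default().push(p.version);
    }
    by_name.retain(|_, v| v.len() > 1);
    for v in by_name.values_mut() {
        v.sort_by_key(|s| semver(s));
        v.dedup();
    }
    by_name
}

/// Render `[bans] skip` entries for every duplicated version except the newest,
/// pinned with `=` so the entry stops matching once the old version is gone.
pub fn render_skips(graph: &[Pkg]) -> String {
    let mut out = String::from("[bans]\nskip = [\n");
    for (name, versions) in duplicates(graph) {
        for v in &versions[..versions.len() - 1] {
            out.push_str(&format!("    {{ name = \"{name}\", version = \"={v}\" }},\n"));
        }
    }
    out + "]\n"
}

/// `cargo update` with one `-p` per parent of `name`, so only that subtree is re-resolved.
pub fn dedup_command(graph: &[Pkg], name: &str) -> Vec<String> {
    let parents: BTreeSet<String> = graph
        .iter()
        .filter(|p| p.deps.iter().any(|d| *d == name))
        .map(|p| format!("{}@{}", p.name, p.version))
        .collect();
    let mut args = vec!["cargo".to_string(), "update".to_string()];
    for parent in parents {
        args.extend(["-p".to_string(), parent]);
    }
    args
}

/// Constructed sample graph: two versions of `parser` pulled in by different parents.
pub fn sample_graph() -> Vec<Pkg> {
    vec![
        Pkg { name: "app", version: "0.1.0", deps: vec!["macro-a", "macro-b"] },
        Pkg { name: "macro-a", version: "0.3.2", deps: vec!["parser"] },
        Pkg { name: "macro-b", version: "1.0.190", deps: vec!["parser"] },
        Pkg { name: "parser", version: "2.0.38", deps: vec![] },
        Pkg { name: "parser", version: "1.0.109", deps: vec![] },
    ]
}

fn main() {
    let graph = sample_graph();
    print!("{}", render_skips(&graph));
    println!("{}", dedup_command(&graph, "parser").join(" "));
}
```

Writing the rendered block into deny.toml in place would be the toml_edit step the issue mentions; this example only produces the text.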