EmbarkStudios / cargo-deny

❌ Cargo plugin for linting your dependencies 🦀
http://embark.rs
Apache License 2.0

Add justification/comment fields for [bans] to be shown on warning/error #578

Closed. CinchBlue closed this 7 months ago.

CinchBlue commented 10 months ago

Is your feature request related to a problem? Please describe.
When denying usage of a crate, it is often useful to give a justification for the ban (and how to work around it or redirect usage to more suitable crates).

Describe the solution you'd like
Add a comment or justification field to item entries under ban.deny. Print this as a part of a warning/error.

Describe alternatives you've considered
You could add it as a comment, but it's better if it's in the tool.

Additional context

repi commented 10 months ago

Agree this would be good to have; we've talked about it a long time ago, about having a reason field on all bans. We really should implement it, it wouldn't be hard.

All of our bans do have a comment today, so this would be a way to encode that and, as you say, give a clear reason/justification/recommendation directly on failures.

    # denied crates
    { name = "openssl" }, # we use rustls instead
    { name = "openssl-sys" }, # we use rustls instead
    { name = "RustyXml" }, # we don't want to use any XML and some of these are 4 year old dependencies
    { name = "serde-xml-rs" }, # we don't want to use any XML and some of these are 4 year old dependencies
    { name = "color-backtrace" }, # color-backtrace is nice but brings in too many dependencies that are often outdated, so not worth it for us.
    { name = "typetag" }, # disallow these crates that rely on static initialization order which we've had issues with
    { name = "inventory" }, # disallow these crates that rely on static initialization order which we've had issues with
    { name = "ctor" }, # disallow these crates that rely on static initialization order which we've had issues with
    { name = "bzip2" }, # disallow C dependency, we just use Rust native versions instead
    { name = "smart-default", wrappers = [
        "minidump-common",
    ] }, # smart-default should not be used
    { name = "actix-web" }, # repeatedly unsound, too many dependencies, and not needed for our use cases
    { name = "bzip2-sys" }, # disallow C dependency, we just use Rust native versions instead
    { name = "nfd" }, # unmaintained, we use `rfd` instead
    { name = "nfd2" }, # we use `rfd` instead
    { name = "msgbox" }, # we use `rfd` instead
    { name = "backtrace-sys" }, # disallow C dependency, use gimli Rust crate instead
    { name = "keyring" }, # too many and too old dependencies
    { name = "secret-service" }, # too many and too old dependencies
    { name = "wasmtime-cache" }, # we do our own manual caching