Fixes #488, making it possible to ban wildcards without also banning git-only dependencies.
This may not be a perfect fit for some use cases — arguably git dependencies are less implicitly-versioned than path dependencies since path dependencies are typically always the same revision of the same repo, but git dependencies might be cargo updated to totally different code. But I can't think of an alternative that's equal-or-better in correctness short of introducing even more configuration.
(I suspect that the whole idea of counting path-only or git-only deps as wildcard versions ever is wrong, because the Cargo documentation says that “…the version key always implies that the package is available in a registry. version, git, and path keys are considered separate locations for resolving the dependency” — which implies that a dep without `version` is different from a dep with a wildcard version. However, figuring out Cargo's behavior there and how cargo-deny should treat it feels like a rabbit hole I don't want to go down just to fix #488. I left a TODO comment suggesting further consideration.)