This PR completely refactors the deny configuration, notably:
toml-span
toml-span is now used for parsing toml files (currently only deny.toml, but eventually cargo manifests as well), replacing toml. This was done so that span information is always available for keys and values if we want to use it, as well as just reducing external dependencies and build times, as serde is no longer used.
PackageSpec
Specifying a package spec via the name + version combo occurs in many locations in the config, but this has verbose in both the simple case, where you just want to specify a crate name (eg. [bans.deny]), as well as needing an entire extra key if you do want to specify the version requirement.
In addition, it was not possible to specify just a string previously due to toml + serde making us decide between supporting plain strings for package specs, and span information.
In all cases (and a few new ones) where the package name + version could be used, now a simple string can be used instead, or, if you want/need to supply additional values as a table, the crate key can be used instead which follows a simple format as a single string, instead of the separate name/version keys. name and version are still supported, but are deprecated and will be removed in a future release.
Many items can now be tagged with a reason = "<reason>" and/or use-instead = "<crate_name>/<url>" to add explanatory/helpful messages that are surfaced with diagnostic messages. This was added to fix #578 instead of the typical fallback of relying on toml comments that might not be part of the diagnostic span.
[advisories.ignore]
Yanked crates can now be ignored by specifying a crate spec + optional reason as a string or table, while still supporting advisory ids.
Root table improved
The targets, all-features, features, no-default-features, exclude, and exclude-dev keys have been moved to the new graph table, as they all affect the dependency graph that cargo-deny performs checks against. The feature-depth key has been moved to the output table. The old locations are still respected, but are deprecated. Note also that targets can now just take a string instead of triple = <target_triple>.
This PR completely refactors the deny configuration, notably:
toml-spantoml-spanis now used for parsing toml files (currently only deny.toml, but eventually cargo manifests as well), replacingtoml. This was done so that span information is always available for keys and values if we want to use it, as well as just reducing external dependencies and build times, as serde is no longer used.PackageSpecSpecifying a package spec via the name + version combo occurs in many locations in the config, but this has verbose in both the simple case, where you just want to specify a crate name (eg.
[bans.deny]), as well as needing an entire extra key if you do want to specify the version requirement.In addition, it was not possible to specify just a string previously due to toml + serde making us decide between supporting plain strings for package specs, and span information.
In all cases (and a few new ones) where the package name + version could be used, now a simple string can be used instead, or, if you want/need to supply additional values as a table, the
cratekey can be used instead which follows a simple format as a single string, instead of the separate name/version keys.nameandversionare still supported, but are deprecated and will be removed in a future release.Format
The string format of
PackageSpecis quite simple:<crate_name>=*<crate_name>@<semver>==<semver><crate_name>:<semver_requirements>=<semver_requirements>Add
reason,use-insteadMany items can now be tagged with a
reason = "<reason>"and/oruse-instead = "<crate_name>/<url>"to add explanatory/helpful messages that are surfaced with diagnostic messages. This was added to fix #578 instead of the typical fallback of relying on toml comments that might not be part of the diagnostic span.[advisories.ignore]Yanked crates can now be ignored by specifying a crate spec + optional reason as a string or table, while still supporting advisory ids.
Root table improved
The
targets,all-features,features,no-default-features,exclude, andexclude-devkeys have been moved to the newgraphtable, as they all affect the dependency graph that cargo-deny performs checks against. Thefeature-depthkey has been moved to theoutputtable. The old locations are still respected, but are deprecated. Note also thattargetscan now just take a string instead oftriple = <target_triple>.Resolves: #264 Resolves: #539 Resolves: #578 Resolves: #579