Bug: Broken on `cargo install` without `--locked`

[VorpalBlade]

Describe the bug

   Compiling cargo-deny v0.14.18
error[E0308]: arguments to this function are incorrect
   --> /home/arvid/.cargo/registry/src/index.crates.io-6f17d22bba15001f/cargo-deny-0.14.18/src/advisories/helpers/db.rs:259:30
    |
259 |         let remote_head_id = tame_index::utils::git::write_fetch_head(&repo, &outcome, &remote)
    |                              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -----  --------  ------- expected `tame_index::external::gix::Remote<'_>`, found `gix::Remote<'_>`
    |                                                                       |      |
    |                                                                       |      expected `Outcome`, found `gix::remote::fetch::Outcome`
    |                                                                       expected `&Repository`, found `&CommitAutoRollback<'_>`
    |
    = note: expected reference `&tame_index::external::gix::Repository`
               found reference `&gix::config::CommitAutoRollback<'_>`
    = note: `gix::remote::fetch::Outcome` and `Outcome` have similar names, but are actually distinct types
note: `gix::remote::fetch::Outcome` is defined in crate `gix`
   --> /home/arvid/.cargo/registry/src/index.crates.io-6f17d22bba15001f/gix-0.61.0/src/remote/connection/fetch/mod.rs:72:1
    |
72  | pub struct Outcome {
    | ^^^^^^^^^^^^^^^^^^
note: `Outcome` is defined in crate `gix`
   --> /home/arvid/.cargo/registry/src/index.crates.io-6f17d22bba15001f/gix-0.58.0/src/remote/connection/fetch/mod.rs:72:1
    |
72  | pub struct Outcome {
    | ^^^^^^^^^^^^^^^^^^
    = note: perhaps two different versions of crate `gix` are being used?
    = note: `gix::Remote<'_>` and `tame_index::external::gix::Remote<'_>` have similar names, but are actually distinct types
note: `gix::Remote<'_>` is defined in crate `gix`
   --> /home/arvid/.cargo/registry/src/index.crates.io-6f17d22bba15001f/gix-0.61.0/src/types.rs:200:1
    |
200 | pub struct Remote<'repo> {
    | ^^^^^^^^^^^^^^^^^^^^^^^^
note: `tame_index::external::gix::Remote<'_>` is defined in crate `gix`
   --> /home/arvid/.cargo/registry/src/index.crates.io-6f17d22bba15001f/gix-0.58.0/src/types.rs:200:1
    |
200 | pub struct Remote<'repo> {
    | ^^^^^^^^^^^^^^^^^^^^^^^^
    = note: perhaps two different versions of crate `gix` are being used?
note: function defined here
   --> /home/arvid/.cargo/registry/src/index.crates.io-6f17d22bba15001f/tame-index-0.9.7/src/utils/git.rs:27:8
    |
27  | pub fn write_fetch_head(
    |        ^^^^^^^^^^^^^^^^

error[E0308]: arguments to this function are incorrect
   --> /home/arvid/.cargo/registry/src/index.crates.io-6f17d22bba15001f/cargo-deny-0.14.18/src/advisories/helpers/db.rs:444:9
    |
444 |         tame_index::utils::git::write_fetch_head(
    |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
445 |             &repo,
    |             ----- expected `tame_index::external::gix::Repository`, found `gix::Repository`
446 |             &fetch_outcome,
    |             -------------- expected `Outcome`, found `gix::remote::fetch::Outcome`
447 |             &repo.find_remote("origin").unwrap(),
    |             ------------------------------------ expected `tame_index::external::gix::Remote<'_>`, found `gix::Remote<'_>`
    |
    = note: `gix::Repository` and `tame_index::external::gix::Repository` have similar names, but are actually distinct types
note: `gix::Repository` is defined in crate `gix`
   --> /home/arvid/.cargo/registry/src/index.crates.io-6f17d22bba15001f/gix-0.61.0/src/types.rs:144:1
    |
144 | pub struct Repository {
    | ^^^^^^^^^^^^^^^^^^^^^
note: `tame_index::external::gix::Repository` is defined in crate `gix`
   --> /home/arvid/.cargo/registry/src/index.crates.io-6f17d22bba15001f/gix-0.58.0/src/types.rs:144:1
    |
144 | pub struct Repository {
    | ^^^^^^^^^^^^^^^^^^^^^
    = note: perhaps two different versions of crate `gix` are being used?
    = note: `gix::remote::fetch::Outcome` and `Outcome` have similar names, but are actually distinct types
note: `gix::remote::fetch::Outcome` is defined in crate `gix`
   --> /home/arvid/.cargo/registry/src/index.crates.io-6f17d22bba15001f/gix-0.61.0/src/remote/connection/fetch/mod.rs:72:1
    |
72  | pub struct Outcome {
    | ^^^^^^^^^^^^^^^^^^
note: `Outcome` is defined in crate `gix`
   --> /home/arvid/.cargo/registry/src/index.crates.io-6f17d22bba15001f/gix-0.58.0/src/remote/connection/fetch/mod.rs:72:1
    |
72  | pub struct Outcome {
    | ^^^^^^^^^^^^^^^^^^
    = note: perhaps two different versions of crate `gix` are being used?
    = note: `gix::Remote<'_>` and `tame_index::external::gix::Remote<'_>` have similar names, but are actually distinct types
note: `gix::Remote<'_>` is defined in crate `gix`
   --> /home/arvid/.cargo/registry/src/index.crates.io-6f17d22bba15001f/gix-0.61.0/src/types.rs:200:1
    |
200 | pub struct Remote<'repo> {
    | ^^^^^^^^^^^^^^^^^^^^^^^^
note: `tame_index::external::gix::Remote<'_>` is defined in crate `gix`
   --> /home/arvid/.cargo/registry/src/index.crates.io-6f17d22bba15001f/gix-0.58.0/src/types.rs:200:1
    |
200 | pub struct Remote<'repo> {
    | ^^^^^^^^^^^^^^^^^^^^^^^^
    = note: perhaps two different versions of crate `gix` are being used?
note: function defined here
   --> /home/arvid/.cargo/registry/src/index.crates.io-6f17d22bba15001f/tame-index-0.9.7/src/utils/git.rs:27:8
    |
27  | pub fn write_fetch_head(
    |        ^^^^^^^^^^^^^^^^

For more information about this error, try `rustc --explain E0308`.
error: could not compile `cargo-deny` (lib) due to 2 previous errors
error: failed to compile `cargo-deny v0.14.18`, intermediate artifacts can be found at `/tmp/cargo-installAGr5x6`.
To reuse those artifacts with a future compilation, set the environment variable `CARGO_TARGET_DIR` to that path.

Someone probably broke semver, so the bug should be reported upstream.

To reproduce

cargo install cargo-deny

cargo-deny version

0.14.18

What OS were you running cargo-deny on?

Linux

Additional context

I was upgrading from 0.14.16 to 0.14.18. Normally I don't use --locked in order to get any security patches.

[VorpalBlade]

Actually I'm not sure this is a semver issues. It appears related to https://github.com/EmbarkStudios/tame-index but in the broken version it is building 0.9.7 but with --locked it is building a newer version 0.9.9. I find this very confusing.

EDIT: Oh I see what is going on, you are depending on a yanked version. That should be a simple fix then, just update to 0.10.0.