Duplicate dependencies (which adds compilation time and code bloat)
Copy-left licenses, such as GPL
cargo-deny requires a Cargo.lock file. It doesn't have to be checked in, but by checking it in we explicitly say "there is a combination of crate versions we can use that produces no duplicate dependencies, no copy-left licenses, and no security advisories". With an implicit Cargo.lock (not checked in) we would get the latest version of all crates at the time that the CI is run, which means the CI can fail spuriously if a dependency is updated to a new version that, for instance, pulls in a duplicated dependency.
This PR does add some maintenance burden, and I understand if that isn't exactly appealing. However, the use of cargo-deny is a promise to users that this crate is a nice citizen in the Rust ecosystem, that cares about avoiding duplicate dependencies etc.
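For readers unfamiliar with how the three checks named above are expressed, here is an added example of a deny.toml in the classic cargo-deny template layout. It is not part of this PR and not the project's own configuration; the key names follow the older template that `cargo deny init` used to generate (assumption: newer cargo-deny releases have dropped some of these keys, such as `vulnerability` and `copyleft`, in favour of defaults, so regenerate with `cargo deny init` and diff against this before relying on it). The license allow-list and registry URL are constructed sample values.

```toml
# deny.toml (added example; assumed classic cargo-deny schema, not the PR's own file)

[advisories]
# Fail the build on any RustSec advisory that matches a crate in Cargo.lock.
# The advisory database is cloned into db-path on first run.
db-path = "~/.cargo/advisory-db"
db-urls = ["https://github.com/rustsec/advisory-db"]
vulnerability = "deny"
unmaintained = "warn"
yanked = "warn"
notice = "warn"
# Advisory IDs to ignore go here; keep it empty unless a specific, reviewed
# exception is needed (placeholder shape: ["RUSTSEC-YYYY-NNNN"]).
ignore = []

[licenses]
# Only crates whose license is on this allow-list pass; anything copy-left
# (GPL and friends) or unrecognised is rejected.
unlicensed = "deny"
allow = ["MIT", "Apache-2.0", "BSD-3-Clause"]   # constructed sample allow-list
deny = []
copyleft = "deny"
confidence-threshold = 0.8

[bans]
# Refuse a dependency graph that contains two versions of the same crate,
# which is the "duplicate dependencies" check the PR description refers to.
multiple-versions = "deny"
wildcards = "allow"
highlight = "all"
deny = []
skip = []

[sources]
# Crates may only come from the registry listed below; unknown git or
# registry sources fail the check.
unknown-registry = "deny"
unknown-git = "deny"
allow-registry = ["https://github.com/rust-lang/crates.io-index"]
```

With this file at the crate root and Cargo.lock checked in, `cargo deny check advisories`, `cargo deny check licenses` and `cargo deny check bans` (or `cargo deny check` for all of them) evaluate exactly the locked versions, which is why the PR argues for committing the lock file: the result is reproducible instead of depending on whatever crates.io serves on the day CI runs.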