mozilla / cargo-vet

supply-chain security for Rust
Apache License 2.0

Consider pruning publisher entries even if `prune_imports` is disabled when a new publisher entry is being added for a crate #620

Closed mystor closed 3 months ago

mystor commented 3 months ago

In order to avoid unnecessary changes to files such as `imports.lock`, cargo-vet makes some effort to avoid removing entries from the file unless requested. The main way this happens in normal operation is when `cargo vet certify` is used to add a new audit for a crate, which can cause other exemptions, imports, etc. for the crate to be removed.

Unfortunately this pattern doesn't work super well for crates with wildcard audits or trusted entries. For these crates, adding a dependency generally does not require the user to run any command other than `cargo vet`, which does not prune unused entries. This means that the previous publisher entries are left behind and not cleaned up.

We could consider automatically pruning publisher entries for crates even when `prune_imports` is disabled, so long as a new publisher entry is being added for that crate. This still avoids unnecessary updates, but means we can automatically clean up publisher entries when new entries are being added anyway.

We could also consider doing this for other forms of imports such as normal and wildcard audits, though removing those from `imports.lock` because they have become unnecessary is less frequent during normal dependency updates.
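A small model of the pruning policy proposed in this issue, added here as an illustration and not taken from cargo-vet's own code. It assumes a simplified entry shape (real `imports.lock` entries are TOML, not tuples), a `used` set standing in for "still needed by the current vet run", and the function name `prune_publishers`; the sample entries are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class PublisherEntry:
    """Simplified stand-in for one publisher entry in imports.lock (assumed shape)."""
    crate: str
    version: str
    user: str


def prune_publishers(existing, used, new, prune_imports):
    """Return the publisher entries to write back to imports.lock.

    existing:      entries currently in the file
    used:          entries the current run still needs (constructed input)
    new:           entries that must be added by this run
    prune_imports: the existing global setting
    """
    new_crates = {e.crate for e in new}
    kept = []
    for e in existing:
        if e in used:
            kept.append(e)            # still needed: always keep
        elif prune_imports:
            continue                  # global prune on: drop every unused entry
        elif e.crate in new_crates:
            continue                  # proposed: crate is being rewritten anyway, drop stale entry
        else:
            kept.append(e)            # untouched crate: leave alone to avoid churn
    for e in new:
        if e not in kept:
            kept.append(e)
    return kept


# Constructed scenario: `foo` (wildcard-audited for alice) moved 1.0 -> 1.1 -> 1.2 over
# time without any `cargo vet certify`; `bar` is no longer a dependency at all.
EXISTING = [
    PublisherEntry("foo", "1.0", "alice"),
    PublisherEntry("foo", "1.1", "alice"),
    PublisherEntry("bar", "2.0", "bob"),
]
NEW = [PublisherEntry("foo", "1.2", "alice")]
USED = set(NEW)

if __name__ == "__main__":
    print("prune_imports off:", prune_publishers(EXISTING, USED, NEW, False))
    print("prune_imports on: ", prune_publishers(EXISTING, USED, NEW, True))
```

With `prune_imports` off, the stale `foo` entries go because `foo` is receiving a new entry, while the unrelated `bar` entry is left untouched; with it on, `bar` is dropped too.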