In order to avoid unnecessary changes to files such as `imports.lock`, cargo-vet makes some effort to avoid removing entries from the file unless requested. The main way this happens in normal operation is when `cargo vet certify` is used to add a new audit for a crate, which can lead to other exemptions, imports, etc. for that crate being removed.

Unfortunately this pattern doesn't work super well for crates with wildcard audits or trusted entries. For these crates, adding a dependency generally does not require the user to run any command other than `cargo vet`, which does not prune unused entries, so the previous `publisher` entries are left behind and not cleaned up.

We could consider automatically pruning `publisher` entries for a crate even when `prune_imports` is disabled, so long as a new publisher entry is being added for that crate. This still avoids unnecessary updates, but means we can automatically clean up publisher entries when new entries are being added anyway.

We could also consider doing this for other forms of imports such as normal and wildcard audits, though removing those from `imports.lock` because they became unnecessary is less frequent during normal dependency updates.
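The proposed rule, written out as an added Rust example (this is not cargo-vet's own code): existing `publisher` entries from `imports.lock` are merged with the entries the current dependency graph requires, and stale entries for a crate are dropped either when `prune_imports` is on or when that same crate is receiving at least one new entry. The `PublisherEntry` field set (`version`, `user_login`) and the function name `merge_publisher_entries` are assumptions made for this example; the sample tables are constructed.

```rust
use std::collections::BTreeMap;

/// Minimal stand-in for one `[[publisher.<crate>]]` entry in imports.lock.
/// Field set is an assumption for this example (real entries carry more).
#[derive(Clone, Debug, PartialEq, Eq, PartialOrd, Ord)]
pub struct PublisherEntry {
    pub version: String,
    pub user_login: String,
}

impl PublisherEntry {
    pub fn new(version: &str, user_login: &str) -> Self {
        PublisherEntry { version: version.to_string(), user_login: user_login.to_string() }
    }
}

/// crate name -> publisher entries recorded for it
pub type PublisherTable = BTreeMap<String, Vec<PublisherEntry>>;

/// Merge `required` (entries the current dependency graph needs) into
/// `existing` (entries already in imports.lock).
///
/// * `prune_imports == true`: only required entries survive, for every crate.
/// * `prune_imports == false`: stale entries are kept, EXCEPT for crates that
///   are gaining a new entry in this run; those crates are pruned down to
///   exactly their required entries (the behaviour proposed above).
pub fn merge_publisher_entries(
    existing: &PublisherTable,
    required: &PublisherTable,
    prune_imports: bool,
) -> PublisherTable {
    let mut out = PublisherTable::new();
    let crates = existing.keys().chain(required.keys());
    for krate in crates {
        let old = existing.get(krate).cloned().unwrap_or_default();
        let req = required.get(krate).cloned().unwrap_or_default();
        // A crate "adds a new entry" if any required entry is not already recorded.
        let adds_new = req.iter().any(|e| !old.contains(e));
        let mut kept: Vec<PublisherEntry> = if prune_imports || adds_new {
            req.clone()
        } else {
            // Nothing new for this crate: leave the file untouched for it,
            // even if some recorded entries are no longer used.
            old.clone()
        };
        kept.sort();
        kept.dedup();
        if !kept.is_empty() {
            out.insert(krate.clone(), kept);
        }
    }
    out
}

/// Constructed sample: what a lock file might hold before a dependency bump.
pub fn sample_existing() -> PublisherTable {
    let mut t = PublisherTable::new();
    t.insert("serde".into(), vec![PublisherEntry::new("1.0.0", "dtolnay")]);
    t.insert("log".into(), vec![
        PublisherEntry::new("0.4.17", "kodraus"),
        PublisherEntry::new("0.4.20", "kodraus"),
    ]);
    t.insert("rand".into(), vec![PublisherEntry::new("0.8.4", "dhardy")]);
    t
}

/// Constructed sample: serde bumped to a new version (new entry needed),
/// log still uses only 0.4.20, rand no longer depended on at all.
pub fn sample_required() -> PublisherTable {
    let mut t = PublisherTable::new();
    t.insert("serde".into(), vec![PublisherEntry::new("1.0.1", "dtolnay")]);
    t.insert("log".into(), vec![PublisherEntry::new("0.4.20", "kodraus")]);
    t
}

fn main() {
    let merged = merge_publisher_entries(&sample_existing(), &sample_required(), false);
    for (krate, entries) in &merged {
        println!("{krate}: {entries:?}");
    }
}
```

With `prune_imports` off, `serde` is pruned to just `1.0.1` because a new entry is being written for it anyway, while the stale `log 0.4.17` and the unused `rand` entry stay put exactly as today; turning `prune_imports` on drops both of those as well.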