mozilla / cargo-vet

supply-chain security for Rust
Apache License 2.0

Always prune imports when importing new audits for a crate #621

Closed mystor closed 3 months ago

mystor commented 3 months ago

Currently we only prune imports when doing an explicit prune or when certifying a new audit for the crate. This patch updates the behaviour to also prune imports whenever we are otherwise adding new imports for the given crate.

This gives us an opportunity to automatically prune old publisher entries when updating a dependency with a trusted entry or wildcard audit, which otherwise wouldn't happen until `cargo vet prune` is explicitly called.

This pruning happens after resolution, so existing imports will still be preferred, and `cargo vet prune` may still perform additional cleanup. Exemptions, git audits, and unpublished entries aren't impacted.

Fixes #620