Prepare release #536

Merged
merged 3 commits into from
Jul 28, 2023
Merged
20 changes: 20 additions & 0 deletions CHANGELOG.md
@@ -8,6 +8,26 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

<!-- next-header -->
## [Unreleased] - ReleaseDate
### Changed
- [PR#520] resolved [#522](https://github.com/EmbarkStudios/cargo-deny/issues/522) by completely removing all dependencies upon `git2` and `openssl`. This was done by transitioning from `git2` -> `gix` for all git operations, both directly in this crate, as well as replacing [`crates-index`](https://github.com/frewsxcv/rust-crates-index) with [`tame-index`](https://github.com/EmbarkStudios/tame-index).
- [PR#520] bumped the MSRV from `1.65.0` -> `1.70.0`
- [PR#523](https://github.com/EmbarkStudios/cargo-deny/pull/523) added "(try `cargo update -p <crate_name>`)" when an advisory is detected for a crate. Thanks [@Victor-N-Suadicani](https://github.com/Victor-N-Suadicani)!

### Fixed
- [PR#520] resolved [#361](https://github.com/EmbarkStudios/cargo-deny/issues/361) by printing output when a fetch is being performed to clarify what is taking time.
- [PR#520] (possibly) resolved [#435](https://github.com/EmbarkStudios/cargo-deny/issues/435) by switching all git operations from `git2` to `gix`.
- [PR#520] resolved [#439](https://github.com/EmbarkStudios/cargo-deny/issues/439) by using minimal refspecs for cloning and fetching all remote git repositories (indices or advisory databases) where only the remote HEAD is needed to update the local repository, regardless of the default remote branch pointed to by HEAD.
- [PR#520] resolved [#446](https://github.com/EmbarkStudios/cargo-deny/issues/446) by ensuring (and testing) that crates from non-registry sources are not checked for advisories, eg. in the case that a local crate is named and versioned the same as a crate from crates.io that has an advisory that affects it.
- [PR#520] resolved [#515](https://github.com/EmbarkStudios/cargo-deny/issues/515) by always opening the correct registry index based upon the environment.
- [PR#531](https://github.com/EmbarkStudios/cargo-deny/pull/531) resolved [#210](https://github.com/EmbarkStudios/cargo-deny/issues/210) by adding `osi` and `fsf` options to `licenses.allow-osi-fsf-free`. Thanks [@zkxs](https://github.com/zkxs)!
- [PR#533](https://github.com/EmbarkStudios/cargo-deny/pull/533) resolved [#521](https://github.com/EmbarkStudios/cargo-deny/issues/521) and [#524](https://github.com/EmbarkStudios/cargo-deny/issues/524) by allowing clarifications to add files that are used to verify the license information is up to date, rather than needing to match one of the license files that was discovered.
- [PR#534](https://github.com/EmbarkStudios/cargo-deny/pull/534) resolved [#479](https://github.com/EmbarkStudios/cargo-deny/issues/479) by improving how advisory databases are cloned and/or fetched, notably each database now uses `gix`'s [file-based locking](https://docs.rs/gix-lock/7.0.2/gix_lock/struct.Marker.html#method.acquire_to_hold_resource) to ensure that only one process has mutable access to an advisory database repo at a time.

### Removed
- [PR#520] removed all features, notably `standalone`. This is due to cargo still being in transition from `git2` -> `gix` and having no way to compiled _without_ OpenSSL. Once cargo is a better state with regards to this we can add back that feature.

[PR#520]: https://github.com/EmbarkStudios/cargo-deny/pull/520

## [0.13.9] - 2023-04-12
### Fixed
- [PR#506](https://github.com/EmbarkStudios/cargo-deny/pull/506) replaced `atty` (unmaintained) with `is-terminal`. Thanks [@tottoto](https://github.com/tottoto)!
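Review bot: the `### Removed` entry in this hunk has two typos that will ship in the release notes: "having no way to compiled _without_ OpenSSL" should read "having no way to compile _without_ OpenSSL", and "Once cargo is a better state" should read "Once cargo is in a better state"; "eg." in the #446 entry should be "e.g.". Also worth confirming that `## [Unreleased] - ReleaseDate` is the placeholder the release tooling rewrites (the `<!-- next-header -->` marker suggests cargo-release), since the PR title is "Prepare release" but no version number or date is set anywhere in this hunk.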
4 changes: 2 additions & 2 deletions docs/src/checks/advisories/cfg.md
@@ -78,7 +78,7 @@ The threshold for security vulnerabilities to be turned into notes instead of wa

### The `git-fetch-with-cli` field (optional)

Similar to cargo's [net.git-fetch-with-cli](https://doc.rust-lang.org/cargo/reference/config.html#netgit-fetch-with-cli), this field allows you to opt-in to fetching advisory databases with the git CLI rather than using `git2`, for example if you are using SSH authentication.
Similar to cargo's [net.git-fetch-with-cli](https://doc.rust-lang.org/cargo/reference/config.html#netgit-fetch-with-cli), this field allows you to opt-in to fetching advisory databases with the git CLI rather than using `gix`.

* `false` (default) - Fetches advisory databases via `git2`
* `false` (default) - Fetches advisory databases via `gix`
* `true` - Fetches advisory databases using `git`. Git must be installed and in `PATH`.
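Review bot: the rewritten sentence drops the only guidance on when a user should enable this field ("for example if you are using SSH authentication"). Since the CHANGELOG in this PR removes `git2` and OpenSSL rather than adding SSH support to `gix`, SSH-authenticated advisory databases are presumably still the main reason to opt in; suggest keeping the example, e.g. "rather than using `gix`, for example if your advisory database requires SSH authentication", or stating explicitly that `gix` now covers that case.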
3 changes: 1 addition & 2 deletions src/advisories/helpers/db.rs
@@ -387,7 +387,7 @@ fn fetch_via_gix(url: &Url, db_path: &Path) -> anyhow::Result<()> {
url
);

// Ensure the parent directory chain is created, git2 won't do it for us
// Ensure the parent directory chain is created, gix might? do it for us
{
let parent = db_path
.parent()
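Review bot: the updated comment "gix might? do it for us" leaves an open question in committed code. The block below still creates the parent directory chain unconditionally, so the comment should state the actual contract, e.g. "Ensure the parent directory chain exists; we create it ourselves rather than relying on gix to do so". If gix is known to create it, the block can be removed instead of the comment being hedged.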
@@ -443,7 +443,6 @@ fn fetch_via_gix(url: &Url, db_path: &Path) -> anyhow::Result<()> {
.ok()
.map(|repo| repo.to_thread_local())
.filter(|repo| {
// The `cargo` standard registry clone has no configured origin (when created with `git2`).
repo.find_remote("origin").map_or(false, |remote| {
remote
.url(DIR)
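Review bot: deleting the comment removes the rationale for the `find_remote("origin")` filter while the filter itself stays. A reader can no longer tell why a repository without an `origin` remote is rejected, or whether that still applies to registry clones made by cargo now that the `git2` path is gone; suggest a replacement comment giving the current reason. Minor: with the MSRV raised to 1.70 in this PR, `map_or(false, |remote| ...)` can become `is_ok_and(|remote| ...)`.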
20 changes: 0 additions & 20 deletions supply-chain/config.toml
@@ -136,10 +136,6 @@ criteria = "safe-to-deploy"
version = "0.2.2"
criteria = "safe-to-deploy"

[[exemptions.crates-index]]
version = "0.19.7"
criteria = "safe-to-deploy"

[[exemptions.crates-io]]
version = "0.35.1"
criteria = "safe-to-deploy"
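Review bot: dropping the `crates-index` exemption is right once the crate is gone from the lockfile, but its replacement `tame-index` (named in the CHANGELOG hunk of this PR) does not appear in any of these config.toml hunks as an audit or exemption, so please confirm `cargo vet` passes on this branch rather than relying on the removals alone.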
@@ -252,14 +248,6 @@ criteria = "safe-to-deploy"
version = "0.2.6"
criteria = "safe-to-deploy"

[[exemptions.git2]]
version = "0.16.0"
criteria = "safe-to-deploy"

[[exemptions.git2-curl]]
version = "0.17.0"
criteria = "safe-to-deploy"

[[exemptions.group]]
version = "0.12.0"
criteria = "safe-to-deploy"
@@ -324,14 +312,6 @@ criteria = "safe-to-deploy"
version = "0.2.140"
criteria = "safe-to-deploy"

[[exemptions.libgit2-sys]]
version = "0.14.1+1.5.0"
criteria = "safe-to-deploy"

[[exemptions.libssh2-sys]]
version = "0.2.23"
criteria = "safe-to-deploy"

[[exemptions.memoffset]]
version = "0.6.5"
criteria = "safe-to-deploy"
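Review bot: removing the `libgit2-sys` and `libssh2-sys` exemptions also drops the two `-sys` crates that pulled native C code into the audited surface; together with the `git2` and `git2-curl` removals above, the supply-chain config no longer carries an exemption that exists only to cover the OpenSSL-backed git stack, which matches the CHANGELOG's stated goal. Worth double-checking that no `openssl` exemption remains elsewhere in the file solely because of these removed crates.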